4 Replies Latest reply: May 10, 2012 12:22 AM by 868980

    How reverse proxy HTTPS configure( iplanet6.1sp10)

    868980
      The configuration below did not work.
      case 1: client - [ https ] - L4 - iplanet6.1sp10 - [https] - L4 - WebLogic

      The configurations below worked.
      case 2 : client - [ https ] - L4 - iplanet6.1sp1 - [http] - L4 - WebLogic
      case 3 : client - [https] - L4 - WebLogic(ssl enable)

      This is the configuration that does not work.
      magnus.conf
      Init fn="load-modules" shlib="/user2/webone/plugins/passthrough/libpassthrough.so" funcs="init-passthrough,service-passthrough,check-passthrough,auth-passthrough" NativeThread="no"

      obj.conf
      <Object name="default">
      ...
      NameTrans fn="assign-name" from="(/|/*)" name="passthrough"
      ..
      </Object>
      ...
      <Object name="passthrough">
      ObjectType fn="force-type" type="magnus-internal/passthrough"
      Service type="magnus-internal/passthrough" fn="service-passthrough" servers="https://xxx.xxx.xxx.xxx:443"
      ##Service type="magnus-internal/passthrough" fn="service-passthrough" servers="http://xxx.xxx.xxx.xxx:80" ==> this works fine !!
      </Object>

      server.xml
      <LS id="ls1" port="4434" servername="www4" defaultvs="https-ssl" ip="any" security="on" acceptorthreads="1" blocking="false">
      <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
      </LS>

      <VSCLASS id="vsclass1" objectfile="obj.conf" rootobject="default" acceptlanguage="false">
      <VS id="https-eais_ssl" connections="ls1" mime="mime1" aclids="acl1" urlhosts="admin.jack.com" state="on">
      <PROPERTY name="docroot" value="/user2/webone/docs"/>
      <USERDB id="default"/>
      <SEARCH>
      <WEBAPP uri="/search" path="/user2/webone/bin/https/webapps/search" enabled="true"/>
      </SEARCH>
      </VS>
      </VSCLASS>

      How to configure?

      Edited by: 865977
        • 1. Re: How reverse proxy HTTPS configure( iplanet6.1sp10)
          handat
          So you got reverse proxy to non-SSL weblogic listener working but cannot get reverse proxy to SSL weblogic listener working. Is the weblogic instance using a self-signed or CA signed SSL certificate with a custom intermediate CA certificate? You will need to import the weblogic certificate into the web server's trust store so it trusts the weblogic certificate and can successfully do the SSL handshake.
          • 2. Re: How reverse proxy HTTPS configure( iplanet6.1sp10)
            868980
            Thanks for the reply.

            The Web Server and WAS use the same certificate issued by Verisign.

            Must the WAS server certificate be installed in the web server instance?


            The Web Server error log showed "SSL_ERROR_HANDSHAKE_FAILURE_ALERT: SSL peer was unable to negotiate an acceptable set of security parameters"

            When I connect to WAS using the openssl command, the following message appears.
            # openssl s_client -state -debug -verify 0 -connect xxx.xxx.xxx.xxx:443 > x
            verify depth is 0
            SSL_connect:before/connect initialization
            SSL_connect:SSLv2/v3 write client hello A
            SSL_connect:SSLv3 read server hello A
            depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
            verify error:num=19:self signed certificate in certificate chain
            verify return:0
            SSL3 alert write:fatal:unknown CA
            SSL_connect:error in SSLv3 read server certificate B
            SSL_connect:error in SSLv3 read server certificate B
            4278466004:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1059:
            #
            • 3. Re: How reverse proxy HTTPS configure( iplanet6.1sp10)
              handat
              865977 wrote:
              Thanks for the reply.

              The Web Server and WAS use the same certificate issued by Verisign.

              Must the WAS server certificate be installed in the web server instance?


              The Web Server error log showed "SSL_ERROR_HANDSHAKE_FAILURE_ALERT: SSL peer was unable to negotiate an acceptable set of security parameters"

              When I connect to WAS using the openssl command, the following message appears.
              # openssl s_client -state -debug -verify 0 -connect xxx.xxx.xxx.xxx:443 > x
              verify depth is 0
              SSL_connect:before/connect initialization
              SSL_connect:SSLv2/v3 write client hello A
              SSL_connect:SSLv3 read server hello A
              depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
              This means there are 3 certificates in the chain, most likely: the Root VeriSign Certificate, an Intermediate Verisign, and your server certificate.

              verify error:num=19:self signed certificate in certificate chain
              verify return:0
              SSL3 alert write:fatal:unknown CA
              This indicates that the CA is not known and needs to be imported into the trust database.

              The most likely subject is the Intermediate Verisign CA certificate which needs to be imported.
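
The trust failure diagnosed in this thread can be reproduced offline. The script below is an added example, not part of any post: it builds a throwaway root, intermediate and backend certificate (all names and files are constructed) and runs `openssl verify`, which reports the same X509 verify error numbers as the `s_client` trace, against trust files with and without the CA certificates.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway CA hierarchy, nothing here comes from the thread.
set -eu

mkreq() {  # mkreq <CN> <basename>: new RSA key and CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

sign() {   # sign <basename> <extra openssl x509 args...>
  local b=$1; shift
  openssl x509 -req -in "$b.csr" -days 2 -out "$b.pem" "$@" 2>/dev/null
}

build_chain() {  # root -> intermediate -> backend cert, plus an unrelated CA
  local d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  mkreq "Demo Root CA" "$d/root";        sign "$d/root" -signkey "$d/root.key" -extfile "$d/ca.ext"
  mkreq "Unrelated CA" "$d/other";       sign "$d/other" -signkey "$d/other.key" -extfile "$d/ca.ext"
  mkreq "Demo Intermediate CA" "$d/int"; sign "$d/int" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext"
  mkreq "backend.example.test" "$d/srv"; sign "$d/srv" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial
}

verify_code() {  # verify_code <trust.pem> <leaf.pem> [chain sent by server]
  local out
  out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) || true
  if printf '%s\n' "$out" | grep -q ': OK$'; then
    echo 0
  else  # the first "error N at D depth lookup" line carries the verify error number
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
  fi
}

demo() {
  local d a b c e
  d=$(mktemp -d); build_chain "$d"
  cat "$d/int.pem" "$d/root.pem" > "$d/sent.pem"           # chain the backend sends
  cat "$d/other.pem" "$d/root.pem" > "$d/trust_root.pem"   # trust file after importing the root
  cat "$d/trust_root.pem" "$d/int.pem" > "$d/trust_both.pem"
  a=$(verify_code "$d/other.pem" "$d/srv.pem" "$d/sent.pem")       # CA unknown: 19, as in the thread
  b=$(verify_code "$d/trust_root.pem" "$d/srv.pem" "$d/sent.pem")  # root imported: 0
  c=$(verify_code "$d/trust_root.pem" "$d/srv.pem")                # backend omits intermediate: 20
  e=$(verify_code "$d/trust_both.pem" "$d/srv.pem")                # intermediate imported too: 0
  rm -rf "$d"
  echo "$a $b $c $e"
}

demo
```

Error 19 is the case from the trace above (the chain ends in a self-signed root the verifier does not trust); error 20 is what appears when the root is trusted but the backend does not send its intermediate.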
              • 4. Re: How reverse proxy HTTPS configure( iplanet6.1sp10)
                868980
                Thanks for the reply...