4 Replies. Latest reply: May 9, 2012 10:22 PM by 868980

How reverse proxy HTTPS configure( iplanet6.1sp10)

868980 Newbie
The configuration below did not work.
case 1: client - [ https ] - L4 - iplanet6.1sp10 - [https] - L4 - WebLogic

The configurations below worked.
case 2 : client - [ https ] - L4 - iplanet6.1sp1 - [http] - L4 - WebLogic
case 3 : client - [https] - L4 - WebLogic(ssl enable)

This is the configuration that does not work.
magnus.conf
Init fn="load-modules" shlib="/user2/webone/plugins/passthrough/libpassthrough.so" funcs="init-passthrough,service-passthrough,check-passthrough,auth-passthrough" NativeThread="no"

obj.conf
<Object name="default">
...
NameTrans fn="assign-name" from="(/|/*)" name="passthrough"
..
</Object>
...
<Object name="passthrough">
ObjectType fn="force-type" type="magnus-internal/passthrough"
Service type="magnus-internal/passthrough" fn="service-passthrough" servers="https://xxx.xxx.xxx.xxx:443"
##Service type="magnus-internal/passthrough" fn="service-passthrough" servers="http://xxx.xxx.xxx.xxx:80" ==> good work !!
</Object>

server.xml
<LS id="ls1" port="4434" servername="www4" defaultvs="https-ssl" ip="any" security="on" acceptorthreads="1" blocking="false">
<SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
</LS>

<VSCLASS id="vsclass1" objectfile="obj.conf" rootobject="default" acceptlanguage="false">
<VS id="https-eais_ssl" connections="ls1" mime="mime1" aclids="acl1" urlhosts="admin.jack.com" state="on">
<PROPERTY name="docroot" value="/user2/webone/docs"/>
<USERDB id="default"/>
<SEARCH>
<WEBAPP uri="/search" path="/user2/webone/bin/https/webapps/search" enabled="true"/>
</SEARCH>
</VS>
</VSCLASS>

How to configure?

Edited by: 865977
  • 1. Re: How reverse proxy HTTPS configure( iplanet6.1sp10)
    handat Expert
    So you got reverse proxy to non-SSL weblogic listener working but cannot get reverse proxy to SSL weblogic listener working. Is the weblogic instance using a self-signed or CA signed SSL certificate with a custom intermediate CA certificate? You will need to import the weblogic certificate into the web server's trust store so it trusts the weblogic certificate and can successfully do the SSL handshake.
  • 2. Re: How reverse proxy HTTPS configure( iplanet6.1sp10)
    868980 Newbie
    Thanks for the reply.

    The Web Server and WAS are using the same certificate issued by Verisign.

    Must the WAS server certificate be installed in the web server instance?

    The Web Server error log contained "SSL_ERROR_HANDSHAKE_FAILURE_ALERT: SSL peer was unable to negotiate an acceptable set of security parameters"

    When I connect to WAS using the openssl command, the following message appears.
    # openssl s_client -state -debug -verify 0 -connect xxx.xxx.xxx.xxx:443 > x
    verify depth is 0
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    SSL3 alert write:fatal:unknown CA
    SSL_connect:error in SSLv3 read server certificate B
    SSL_connect:error in SSLv3 read server certificate B
    4278466004:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1059:
    #
  • 3. Re: How reverse proxy HTTPS configure( iplanet6.1sp10)
    handat Expert
    865977 wrote:
    > Thanks for the reply.
    >
    > The Web Server and WAS are using the same certificate issued by Verisign.
    >
    > Must the WAS server certificate be installed in the web server instance?
    >
    > The Web Server error log contained "SSL_ERROR_HANDSHAKE_FAILURE_ALERT: SSL peer was unable to negotiate an acceptable set of security parameters"
    >
    > When I connect to WAS using the openssl command, the following message appears.
    > # openssl s_client -state -debug -verify 0 -connect xxx.xxx.xxx.xxx:443 > x
    > verify depth is 0
    > SSL_connect:before/connect initialization
    > SSL_connect:SSLv2/v3 write client hello A
    > SSL_connect:SSLv3 read server hello A
    > depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority

    This means there are 3 certificates in the chain, most likely: the Root VeriSign Certificate, an Intermediate Verisign, and your server certificate.

    > verify error:num=19:self signed certificate in certificate chain
    > verify return:0
    > SSL3 alert write:fatal:unknown CA

    This indicates that the CA is not known and needs to be imported into the trust database.

    The most likely subject is the Intermediate Verisign CA certificate which needs to be imported.
  • 4. Re: How reverse proxy HTTPS configure( iplanet6.1sp10)
    868980 Newbie
    Thanks for the reply...
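
The `verify error:num=19` failure from the thread, and how it clears once a CA in the backend's chain is trusted, can be reproduced offline. This is an added example, not part of the original thread: it uses `openssl verify` on a constructed three-certificate chain rather than the web server's own trust database, and the subject names and the `issue`, `build_chain` and `verify_code` functions are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: every key and certificate below is constructed locally and disposable.
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# issue NAME SUBJECT ISSUER|self EXT: writes $WORK/NAME.key and $WORK/NAME.pem
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null || return 1
  if [ "$3" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$WORK/$4.ext" -days 2 -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -extfile "$WORK/$4.ext" -days 2 -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Root -> intermediate -> server certificate. sent.pem holds the CA certificates
# the backend sends in its handshake; empty/ is a trust store with no CAs in it.
build_chain() {
  issue root "/CN=Constructed Root CA" self ca &&
  issue int "/CN=Constructed Intermediate CA" root ca &&
  issue leaf "/CN=backend.example" int leaf &&
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/sent.pem" &&
  mkdir -p "$WORK/empty"
}

# verify_code TRUST_OPTIONS...: prints 0 if the server certificate verifies,
# otherwise the first OpenSSL verify error number (the "num=" value in s_client output).
verify_code() {
  out=$(openssl verify "$@" -untrusted "$WORK/sent.pem" "$WORK/leaf.pem" 2>&1) || true
  case $out in
    *"leaf.pem: OK"*) echo 0 ;;
    *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

build_chain || { echo "could not build the constructed chain with openssl" >&2; exit 1; }
echo "no CA trusted:        $(verify_code -CApath "$WORK/empty")"
echo "root trusted:         $(verify_code -CAfile "$WORK/root.pem")"
echo "intermediate trusted: $(verify_code -CAfile "$WORK/int.pem" -partial_chain)"
```

OpenSSL accepts a trusted intermediate as the end of the chain only with `-partial_chain`; other TLS stacks have their own rules for which certificate in the chain may act as the trust anchor.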
