Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director, Oracle iPlanet WebServer

  • July 23, 2007

Configuring reverse proxy in Sun Java System Web Server 7.0 when origin server has SSL enabled

Configuring reverse proxy in Oracle iPlanet Web Server 7.0 when origin server has SSL enabled.

Origin Server <-- HTTPS ---> Reverse Proxy Server <-- HTTP -->  client/Browser

There are various SSL and non-SSL combinations possible for the reverse proxy and the origin server:

  1. Origin Server <--- HTTP ---> Reverse Proxy Server <--- HTTP ---> client/Browser
  2. Origin Server <--- HTTP ---> Reverse Proxy Server <--- HTTPS ---> client/Browser, i.e. the reverse proxy is the SSL termination end point
  3. Origin Server <--- HTTPS ---> Reverse Proxy Server <--- HTTP ---> client/Browser
  4. Origin Server <--- HTTPS ---> Reverse Proxy Server <--- HTTPS ---> client/Browser

In my last blog I explained the configuration of a simple non-SSL reverse proxy (scenario 1). In this blog I set up scenario 3 above, where a non-SSL Oracle iPlanet Web Server 7.0 instance connects to an origin server that is SSL enabled.

Creating an SSL enabled origin server

If you already have an SSL enabled origin server you can skip this.

For ease of use I have used Oracle iPlanet Web Server 7.0 as the origin server as well.

Start the administration server, and go to wadm:

> ./wadm --user=admin
Please enter admin-user-password> ****

Create a self-signed certificate

wadm> create-selfsigned-cert --config=test --server-name=www.test.com --nickname=OriginServerServerCert

Optional: create an HTTP listener (or use an existing one)

wadm> create-http-listener --listener-port=8888 --config=test --server-name=www.test.com --default-virtual-server-name=www.test.com mylistener

Enable SSL for this listener and set the server certificate nickname

wadm> set-ssl-prop --config=test --http-listener=mylistener server-cert-nickname=OriginServerServerCert enabled=true

Deploy the changes

wadm> deploy-config test

Start this origin server instance.

Settings in the Web Server 7.0 (reverse proxy) instance

Let's say we want to forward all requests for /xyz to the origin server.

Go to the Web Server instance config directory and modify obj.conf as given below:

<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"
NameTrans fn="pfx2dir" from="/mc-icons" dir="/export2/mv/lib/icons" name="es-internal"
NameTrans fn="map" from="/xyz" name="reverse-proxy-/" to="/xyz"
PathCheck fn="uri-clean"
...
</Object>

<Object ppath="*">
Service fn="proxy-retrieve" method="*"
</Object>

<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="https://test.sun.com:8888"
</Object>


Note that I have given the manual steps here. In my last blog I gave the Administration CLI steps.


Let's say server.xml for this instance has <port>8080</port>. Make sure that the origin server is up and running.

Start the server and access http://test.sun.com:8080/xyz/; it should show you the xyz directory in the docroot of the origin server.

Troubleshooting

If we get a Gateway Timeout error and the error log shows something like

[23/Jul/2007:16:44:11] failure
(27927): for host .... trying to GET ...., service-http reports:
HTTP7758: error sending request
(SEC_ERROR_UNTRUSTED_ISSUER: Client certificate is signed by an
untrusted issuer.)



we get this error because the origin server's certificate was not issued by a CA that the Web Server instance trusts. We need to export the CA certificate of the origin server instance and import it into the Web Server instance. In this case the origin server certificate (nickname OriginServerServerCert) is self-signed, so it is its own CA and that is the certificate we import.

This step is not required if the origin server's certificate chain ends at a root CA certificate that is trusted and present in the built-in root CA certificate DB.

Export the origin server's CA certificate

Go to the <server-instance>/config directory of the origin server, list the certificates, and then use pk12util to export the certificate.

$ ../../bin/pk12util -o /tmp/exported.crt -n OriginServerServerCert -d .

Import the origin server CA certificate into the server instance config directory

Initialize the NSS database

To import a certificate into the server instance config directory you first have to initialize the NSS database.

Note that if this Web Server instance is already SSL enabled you can skip this NSS database initialization part.

$ ../../bin/certutil -N -d .

Import the certificate

Let's say the file /tmp/exported.crt contains the CA cert of the origin server; import it into the NSS database.

$ ../../bin/pk12util -i /tmp/exported.crt -d .

Confirm by listing the certs with certutil

$ ../../bin/certutil -L -d .

OriginServerServerCert          u,u,

Modify the trust flags if required (e.g. if it is a self-signed cert)

You can see that the imported certificate doesn't carry the 'CT' trust flags.

$ ../../bin/certutil -M -n OriginServerServerCert -t 'CTu,CTu,CTu' -d .

Now you can confirm:

$ ../../bin/certutil -L -d .
OriginServerServerCert       CTu,CTu,CTu

Restart the server instance and things should work fine now.
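As an added check (my example, not code from the post), this Python snippet parses the `certutil -L -d .` listing shown above and reports whether the imported nickname carries the 'C' flag in the SSL slot that the proxy needs in order to trust the origin's certificate, and whether the entry also holds the origin's private key, which is what `pk12util -o` / `pk12util -i` move along with the certificate; the sample listing is constructed to match the post's output.

```python
import re

# One certutil -L line per certificate: nickname, whitespace, then the three
# comma-separated trust slots (SSL, S/MIME, JAR/XPI). Header lines either have
# no commas or start with whitespace, so they never match.
_ENTRY = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")

def parse_certutil_list(output):
    """Return {nickname: (ssl_flags, smime_flags, objsign_flags)}."""
    certs = {}
    for line in output.splitlines():
        m = _ENTRY.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs

def audit_trust_anchor(output, nickname):
    """Check whether `nickname` can act as a trust anchor for the proxy's
    outbound SSL connection, and whether its private key is in this DB."""
    certs = parse_certutil_list(output)
    if nickname not in certs:
        return {"present": False, "trusted_ssl_ca": False,
                "has_private_key": False, "fix": None}
    ssl_flags = certs[nickname][0]
    trusted = "C" in ssl_flags   # 'C': trusted CA for server (SSL) certificates
    has_key = "u" in ssl_flags   # 'u': user cert, i.e. its private key is in this DB
    fix = None
    if not trusted:
        # Same command the post runs once the missing flags are spotted.
        fix = "certutil -M -n '%s' -t 'CTu,CTu,CTu' -d ." % nickname
    return {"present": True, "trusted_ssl_ca": trusted,
            "has_private_key": has_key, "fix": fix}

# Constructed certutil -L output mirroring the post's listings before and after -M.
SAMPLE_BEFORE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

OriginServerServerCert                                       u,u,
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("u,u,", "CTu,CTu,CTu")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        r = audit_trust_anchor(text, "OriginServerServerCert")
        print(label, r)
        if r["has_private_key"]:
            print("  warning: the origin's private key is in the proxy DB; "
                  "a PKCS#12 export carries key and cert, not only the CA cert")
```

Because pk12util exports the private key together with the certificate, the 'u' flag on the proxy side is the tell-tale that the origin's key has been copied into a second database; exporting just the certificate with certutil avoids that.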
