Configuring reverse proxy in Sun Java System Web Server 7.0 when origin server has SSL enabled

Configuring reverse proxy in Oracle iPlanet Web Server 7.0 when origin server has SSL enabled.

Origin Server <-- HTTPS ---> Reverse Proxy Server <-- HTTP -->  client/Browser

There are various SSL and non SSL configurations we can have for Reverse Proxy and Origin Servers

  1. Origin Server <--- HTTP ---> Reverse Proxy Server <--- HTTP ---> client/Browser
  2. Origin Server <-- HTTP ---> Reverse Proxy Server <-- HTTPS --> client/Browser i.e. Reverse proxy SSL termination End point
  3. Origin Server <-- HTTPS ---> Reverse Proxy Server <-- HTTP --> client/Browser
  4. Origin Server <-- HTTPS ---> Reverse Proxy Server <-- HTTPS --> client/Browser
In my last blog I explained configuration of a simple non SSL reverse proxy(i.e. scenario 1). In this blog I have tried to set up a SCENARIO 3 shown above, where a non SSL Oracle iPlanet Web Server 7.0 tries to connect to origin server which is SSL enabled

Creating SSL enabled origin server

If you already have an SSL enabled origin server you can skip this.

For ease of use I have used Oracle iPlanet Web Server 7.0 as origin server also.
Start the administration server, and go to wadm
>./wadm --user=admin
Please enter admin-user-password> \*\*\*\*

Create a self signed certificate

wadm>create-selfsigned-cert --config=test --server-name=www.test.com --nickname=OriginServerServer-Cert

Optional : Create a HTTP listener (or use existing one)

wadm> create-http-listener --listener-port=8888 --config=test --server-name=www.test.com --default-virtual-server-name=www.test.com mylistener

Enable SSL for this listener and set the server certificate nickname

wadm> set-ssl-prop --config=test --http-listener=mylistenerserver-cert-nickname=OriginServerServerCert enabled=true

Deploy the changes

wadm> deploy-config test

Start this origin server instance.

Settings in Web Server 7.0 instance

Lets say we want to forward all requests to /xyz to the origin server.

Go the Web Server instance config directory and modify the obj.conf as given below

<Object name="default">
AuthTrans fn="match-browser"browser="\*MSIE\*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"
NameTrans fn="pfx2dir" from="/mc-icons" dir="/export2/mv/lib/icons" name="es-internal"
NameTrans fn="map" from="/xyz" name="reverse-proxy-/" to="/xyz"
PathCheck fn="uri-clean"
...
</Object>
<Object ppath="\*">
Service fn="proxy-retrieve" method="\*"
</Object>
<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="https://test.sun.com:8888"
</Object>


\*\*Note that I have given manual steps here. In my last blog I have given Administration CLI steps.

Lets say for this instance server.xml has <port>8080</port>.
Make sure that the origin server is up and running.
Start the server and access http://test.sun.com:8080/xyz/ should show you xyz directory in the docroot of the origin server.

Troubleshooting

In case we get a Gateway Timeout error and in error logs we see some error like

[23/Jul/2007:16:44:11] failure (27927): for host .... trying to GET ...., service-http reports: HTTP7758: error sending request (SEC_ERROR_UNTRUSTED_ISSUER: Client certificate is signed by an untrusted issuer.)


We get this error because the origin server's certificate was not issued by a trusted CA. It means we need to export CA certificate of the origin server instance and import it into Web Server instance. In this case, Origin Server certificate (nickname OriginServerServerCert) is the CA for itself so we import that certificate.

This step is not required if the Origin Server's certificate chain ends at a root CA Certificate which is a trusted CA and is present in built-in root CA certificate DB.

Export the origin server's CA certificate

Go to <server-instance>/config  directory of the origin server, and list certificates and then use pk12util to export the certificate.

$../../bin/pk12util -o /tmp/exported.crt -n OriginServerServerCert -d .

Import the origin server CA certificate in server instance config directory

Initialize NSS Database

To import certificate in server instance config directory you have to first initialize the NSS database.

Note that if this Web Server instance is SSL enabled you can skip this NSS database intialization part.

$../../bin/certutil -N -d .

Import the certificate

Lets say the file /tmp/exported.crt contained the CA cert of the origin server, import that to NSS database.

$ ../../bin/pk12util -i /tmp/exported.crt -d .

Confirm by listing certs using certutil

$../../bin/certutil -L -d .
OriginServerServerCert          u,u,

Modify trust flags if required (if its a self signed cert)

You can see that the certificates imported doesn't contain 'CT' trust flags.

$../../bin/certutil -M -n OriginServerServer-Cert -t 'CTu,CTu,CTu' -d .

Now u can confirm

$../../bin/certutil -L -d .
OriginServerServerCert       CTu,CTu,CTu

Restart the server instance and things should work fine now.


Comments:

I have noticed that the reverse proxy server don't use SSL, (you use http://test.sun.com:8080/xyz/ to redirect to https://test.sun.com:8888). Is possible to use https://test2.sun.com:443/xyz/ to redirect to https://test.sun.com:8888? If so, how?

Please help me resolve it.

Posted by ramamoorthy on December 29, 2008 at 09:58 PM IST #

Whether the reverse proxy server is SSL or non SSL, the behavior is not any different.

In the server instance of test2.sun.com, looking at server.xml find out http-listener which listens to port 443. It will have a corresponding virtual server. In that virtual server, it will have a \*obj.conf (default value is obj.conf). In that \*obj.conf file add "map" and "proxy-retrieve" and "set-origin-server" (with https://test.sun.com:8888 ) SAFs.

For any more help write to
http://forum.java.sun.com/forum.jspa?forumID=759

Posted by Meena on December 30, 2008 at 04:23 AM IST #

Lets discuss this in this thread
http://forums.sun.com/thread.jspa?threadID=5359313&tstart=0

Posted by meena on January 08, 2009 at 04:31 AM IST #

Hello Meena, Your Article is superb in a way of conveying pin point information. Appreciate your effort in doing so. It really helped me learn. Thanks again, Dilip.M

Posted by Dilip on May 12, 2011 at 08:13 AM IST #

Post a Comment:
  • HTML Syntax: NOT allowed
About

Meena Vyas

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today