WebSphere HTTP Server - SSL on caching proxy


Author SSL on caching proxy

2006-04-27, 8:21 am

I need to serve secure (https) and un-secure pages from two separate applications running on separate virtual hosts in a network deployment environment via SSL. I need assistance getting one of two options to work:

1.) the caching proxy handles the SSL handshake and all communication from the proxy to the backend servers is unsecure. (This works for one virtual host with a single keystore). I need to use two separate key stores for separate virtual hosts or contain the two certificates in a single key store and let the caching proxy determine which to use.

2.) use ssl tunneling to allow IHS to handle the SSL handshake. (This works for both virtual hosts when client interacts directly with IHS, but the caching proxy is not allowing the https requests through. I have enabled CONNECT and SSL Tunneling however, the caching proxy error log shows a conflict in the proxy mapping. I need to use /* for each virtual host for http and https as there is not a directory such as /secure/ for the pages that need to be secured.

Here is the mapping I am using in the caching proxy:
Proxy /* http://hostA/* hostACluster
Proxy /* http://hostB/* hostBCluster
Proxy /* https://hostA/* hostACluster:443
Proxy /* https://hostB/* hostBCluster:443


Any assistance on either scenario would be greatly appreciated.

-Matt
Sunit Patke

2006-04-27, 8:21 am

1. IHS points to a single keystore (kdb) and each virtualhost can then point
to its own certificate file by using SSLServerCert directive.

Sunit

<msauer@averittexpress.com> wrote in message
news:661022834.1143499788918.JavaMail.wassrvr@ltsgwas007.sby.ibm.com...
>I need to serve secure (https) and un-secure pages from two separate
>applications running on separate virtual hosts in a network deployment
>environment via SSL. I need assistance getting one of two options to work:
>
> 1.) the caching proxy handles the SSL handshake and all communication from
> the proxy to the backend servers is unsecure. (This works for one virtual
> host with a single keystore). I need to use two separate key stores for
> separate virtual hosts or contain the two certificates in a single key
> store and let the caching proxy determine which to use.
>
> 2.) use ssl tunneling to allow IHS to handle the SSL handshake. (This
> works for both virtual hosts when client interacts directly with IHS, but
> the caching proxy is not allowing the https requests through. I have
> enabled CONNECT and SSL Tunneling however, the caching proxy error log
> shows a conflict in the proxy mapping. I need to use /* for each virtual host
> for http and https as there is not a directory such as /secure/ for the
> pages that need to be secured.
>
> Here is the mapping I am using in the caching proxy:
> Proxy /* http://hostA/* hostACluster
> Proxy /* http://hostB/* hostBCluster
> Proxy /* https://hostA/* hostACluster:443
> Proxy /* https://hostB/* hostBCluster:443
>
>
> Any assistance on either scenario would be greatly appreciated.
>
> -Matt
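
The single-keystore layout described in the reply above, as an added IHS httpd.conf example that is not part of the original thread. The key database path, certificate labels and 192.0.2.x addresses are constructed placeholders, and it assumes IP-based virtual hosts, since the certificate is selected during the handshake, before the Host header is visible.

```apache
# Added example, not from the thread.
# Path, certificate labels and IP addresses are constructed placeholders.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

# One listener per SSL virtual host (IP-based, an assumption of this example).
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# One key database (kdb) shared by every SSL virtual host.
KeyFile /path/to/shared-keystore.kdb

# SSL stays off everywhere except where a virtual host enables it.
SSLDisable

<VirtualHost 192.0.2.10:443>
    ServerName hostA
    SSLEnable
    # Label of hostA's certificate inside the shared kdb.
    SSLServerCert hostA-cert-label
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName hostB
    SSLEnable
    # Label of hostB's certificate inside the same kdb.
    SSLServerCert hostB-cert-label
</VirtualHost>
```

The labels must match the certificate labels stored in the kdb exactly; a virtual host without SSLServerCert falls back to the key database's default certificate.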



2006-04-27, 8:21 am

In IHS, I have both sites working properly using two separate key stores. The problem lies when trying to use SSL tunneling in IBM caching proxy. Here is the flow of the request:

user -> Caching proxy -> load balancer(via plugin) -> IHS -> WAS(via plugin)

If I take the caching proxy and load balancer out of the chain, all requests are served properly. I am unable to use ssl tunneling in the caching proxy to allow IHS to handle the encryption/decryption.

Thanks,
Matt
Sunit Patke

2006-04-27, 8:21 am

I am unable to see your entire configuration but does this help you?
http://www-1.ibm.com/support/docvie...uid=swg21158667

Sunit

SSL connections are established between browser and the Caching Proxy. So
the certificate should be on the Proxy server.
<msauer@averittexpress.com> wrote in message
news:823027717.1143564727336.JavaMail.wassrvr@ltsgwas007.sby.ibm.com...
> In IHS, I have both sites working properly using two separate key stores.
> The problem lies when trying to use SSL tunneling in IBM caching proxy.
> Here is the flow of the request:
>
> user -> Caching proxy -> load balancer(via plugin) -> IHS -> WAS(via
> plugin)
>
> If I take the caching proxy and load balancer out of the chain, all
> requests are served properly. I am unable to use ssl tunneling in the
> caching proxy to allow IHS to handle the encryption/decryption.
>
> Thanks,
> Matt




Copyright 2003 - 2008 webservertalk.com