Chris_G.Davis
Post Count: 12
 |
| 12/12/2008 10:26 AM |
|
Hi, We are in the process of implementing ssl offload on our LTM-3400’s for Oracle 10g. The servers we are load balancing to on the backend are listening on port 80. We have a valid Verisign cert in place. The first time you connect to the ssl vip the server downloads “JInitiator” to the local computer which is a java program. Once the installation is complete it attempts to load the app from the server. But it fails with an “X509CertChainInvalidErr” java error. I figured out a workaround for individual computers, but this isn’t a valid solution for the general public. The workaround is to add the cert assigned to the ssl vip to what I think is a cert chain file called “C:\Program Files\Oracle\JInitiator 1.3.1.26\lib\security\certdb.txt” on the local computer. Once added I restart the browser and all is well. Like I said earlier this isn’t a practical workaround as this site will be used by the public. Has anyone seen this or know how to fix it? I attached a copy of the certdb.txt (example-certdb.txt) file without my cert for an example. Any help would be greatly appreciated. Thanks, Christopher G Davis Sr. Network Engineer SITA Atlanta Data Center |
example-certdb.txt
hoolio
Post Count: 11053
 |
| 12/23/2008 03:18 AM |
|
Hi Chris, You should be able to import the chain cert under Local Traffic >> SSL certificates and then specify it in the client SSL profile. SOL6401: Configuring the BIG-IP to use an intermediate or chain certificate with a client SSL profile (Click here) Aaron |
Jacquie Mir
Post Count: 3
 |
| 11/04/2009 07:51 AM |
|
Hi Chris, did you ever manage to get this to work? You probably don't remember now, it was so long ago, but I'm having the same issues. Would appreciate any tips for getting it working. Cheers Jacquie |
hoolio
Post Count: 11053
 |
| 11/04/2009 08:01 AM |
|
Hi Jacquie, Did you try importing the intermediate cert and configuring that in the client SSL profile? Aaron |
Jacquie Mir
Post Count: 3
 |
| 11/04/2009 08:14 AM |
|
No, I have a certificate & key for the website configured in the client SSL profile. Do I need to convert this into a certificate bundle? I wasn't sure how to do that. |
hoolio
Post Count: 11053
 |
| 11/04/2009 08:16 AM |
|
You can check SOL6401 (linked above) for details on configuring an intermediate cert: https://support.f5.com/kb/en-us/solutions/public/6000/400/sol6401.html Aaron |
Jacquie Mir
Post Count: 3
 |
| 11/04/2009 08:33 AM |
|
Tried adding the ca-bundle from the chain drop down as well as having the website certificate and key configured but still getting the same error. |
hoolio
Post Count: 11053
 |
| 11/04/2009 08:34 AM |
|
Sorry, I was suggesting that you download the most current intermediate certificate from the certificate authority, add that to the bundle and then update the client SSL profile by clicking save. The last step loads the changed cert file into LTM memory for use. If you get stuck in this process, you could open a case with F5 Support and ask for help. Aaron |
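The effect of a missing intermediate discussed in this thread, reproduced offline with `openssl` as an added example (not from any poster or from F5). The three certificates, their subjects and the file names are constructed for the demo; `chain.pem` stands in for the chain bundle selected in the client SSL profile.

```shell
#!/usr/bin/env bash
# Added example. Every name, subject and file here is constructed for the demo.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:forms.example.test\n' > leaf.ext

# issue NAME SUBJECT EXTFILE [SIGNER]: create key + cert; no SIGNER means self-signed.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -sha256 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 30 -sha256 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

issue root   "/CN=Demo Root CA"         ca.ext           # already in the client's trust store
issue inter  "/CN=Demo Intermediate CA" ca.ext   root    # what the server must also send
issue server "/CN=forms.example.test"   leaf.ext inter   # cert on the client SSL profile
cp inter.pem chain.pem                                   # the chain bundle

# Client that trusts only the root; server sends the leaf certificate alone.
verify_leaf_only()  { openssl verify -CAfile root.pem server.pem >/dev/null 2>&1; }
# Same client; server also sends the bundle (treated as untrusted helper certs).
verify_with_chain() { openssl verify -CAfile root.pem -untrusted chain.pem server.pem >/dev/null 2>&1; }
# Pre-flight check: the bundle's first cert must be the issuer of the server cert.
bundle_matches_leaf() {
  [ "$(openssl x509 -in server.pem -noout -issuer  | sed 's/^issuer= *//')" = \
    "$(openssl x509 -in chain.pem  -noout -subject | sed 's/^subject= *//')" ]
}

verify_leaf_only  && echo "leaf only: chain OK"   || echo "leaf only: chain INVALID"
verify_with_chain && echo "with bundle: chain OK" || echo "with bundle: chain INVALID"
bundle_matches_leaf && echo "bundle issuer matches server cert"
```

Running `bundle_matches_leaf` against the real server certificate and the intermediate downloaded from the CA catches a wrong or outdated bundle before it is loaded into the profile.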
Yuliy
Post Count: 2
 |
| 12/17/2009 03:49 PM |
|
I am trying to implement the SSL for Oracle 10g Forms/Reports standalone behind the BIG-IP 9.3.1 Build 37.1. I have three (will be more) servers in the Load Balanced pool. I have installed the Certificate on the F5 unit and want to terminate the SSL communication on the F5 instead of the Oracle servers. Can someone explain/assist with understanding how to configure the F5 to line up to the ports that Oracle is listening to? |
Chris Akker
Post Count: 27
 |
| 12/17/2009 04:56 PM |
|
Hi Yuliy, take a look at the F5 deployment guide for Oracle 10g. It has a section on SSL offload, here: http://www.f5.com/pdf/deployment-guides/f5-oracle10g-dg.pdf -Chris. |
jrcma.oracle
Post Count: 1
 |
| 01/18/2010 01:33 AM |
|
hi chris, where can we find the deployment guide for 9iAS release 2? we're still using this version in our reporting services. does it also include an SSL implementation guide as well? we're experiencing similar error messages during our testing phase in our TEST environment. regards, bhotskie |
rcorder
Post Count: 24
 |
| 01/18/2010 05:07 PM |
|
jrcma.oracle Sorry, but 10g was the first deployment guide for Application Server that we made. |
garfield Linton
Post Count: 1
 |
| 02/15/2010 08:48 AM |
|
Chris: This is garfield. Didn't know you went back to F-5. Hope you are doing well. Quick question: So what was the definitive solution for the Terminating SSL @ F-5 versus back-end proxy for Oracle forms applications? We still have the issue, do you guys find a solution @ F-5, or do we need to seek one from Oracle? Thanks. |
Nityanand
Post Count: 2
 |
|
Chris Akker
Post Count: 27
 |
| 03/17/2010 10:51 AM |
|
Thank You for the attachment, it explains this issue very well, and will be a big help to the rest of the forum...thanx for contributing  |