I have an internal web app I need to load balance. this app is SSL and I would like to use cookie persistence. I have setup my cert on my LTM and setup persistence before for other apps and it works well. issue I have run across with this new app is that even though the apache cert on the app matches our cert on the LTM, there is a portion of this app that uses java with the companies certificate. this results in the ssl decryption\encryption needed for cookie persistence to break on the java portion making the web app not function all together. are there any options in this scenario of java cert being different from the web server cert or am I stuck changing my persistence from cookie to ssl? PS I have an older bigip 1600 with 9.4 running.

Would it be safe to say that the java app portion happens during the HTTP session, and that the java app 1) doesn't handle cookies, and/or 2) can't consume and use the cookie from the browser? Do you see the java app sending the persistence cookie? If you disable all pool members but one, does it work?

It appears you have two different SSL certs being used, am I correct? If that is the case then you need to update the cert being used by "that part" of that Java App to match that of you virtual or your cookie persistence will not work. In this scenario, you can try multiple persistence. Set cookie persistence as primary then SSL persistence as secondary.

to answer kevin stewart, I already have it down to 1 pool member and it still doesn't work. Kevin Davies, I will try this and post back results

Kevin Davies I just tried using a fallback persistence profile but after selecting cookie based on the default my only option on the fallback was source_addr

So just to level set, you said you now only have one server in the pool. If that's true, and it's still not working, then persistence is probably not to blame. So does it fail when the java app is invoked? Are there specific differences in the SSL requirements between the two apps?

LTM and java certs | DevCentral

19 Replies

jnowlin_44976
Nimbostratus
Sep 05, 2013
i just got off a call with the application vendor. they use a JSESSIONID cookie, that if is not found on the client will result in the same experience i am seeing. will F5 prevent a JSESSIONID cookie from being installed on the end users machine?
Kevin_Stewart
Employee
Sep 05, 2013
Not usually. So the java app uses a JSESSIONID??
jnowlin_44976
Nimbostratus
Sep 05, 2013
yes. in order for the app to allow users to login it has to see this JSESSIONID cookie, according to the vendor.

but i can see this being created so im back to the http profile being the issue. if i use an http profile in order to do cookie persistence it fails. if i set http profile to none it works.
Kevin_Stewart
Employee
Sep 05, 2013
Very interesting. Okay, another two questions for clarification:

It works with client and server SSL profiles applied to the VIP but NO HTTP profile. Correct? Decrypting and re-encrypting the java app's traffic.

With client and server SSL profiles applied, if you enable a basic HTTP profile on the VIP, but DO NOT enable any persistence or any iRule, does it work?
nitass
Employee
Sep 08, 2013
i think the problem is about ssl handshake.

without ssl profile, http profile cannot be used because bigip cannot parse http header (since it is encrypted). so, i understand it is expected that you have to remove http profile when not doing ssl offloading.

normally bigip does not alter cookie, so i do not think there is an issue on jsessionid cookie. also, you have mentioned it does not work even using one pool member/server.

just my 2 cents.
Kevin_Stewart
Employee
Sep 08, 2013
i think the problem is about ssl handshake.

I'm not sure that we've established that just yet. While the functioning of the HTTP profile DOES require, at the very least, a client SSL profile, I don't believe jnowlin has definitively answered the following questions:

It works with client and server SSL profiles applied to the VIP but NO HTTP profile. Correct? Decrypting and re-encrypting the java app's traffic.

With client and server SSL profiles applied, if you enable a basic HTTP profile on the VIP, but DO NOT enable any persistence or any iRule, does it work?

It could indeed be that the Java client can handle the SSL termination and re-encryption, but it could also be that it simply can't handle the HTTP manipulation.
jnowlin_44976
Nimbostratus
Oct 30, 2013
with client and server SSL profiles but NO http profile it does not work. returns to login page
with ssl profiles applied, basic HTTP profile on the VIP, and NO persistence\irule it does not work. returns to login page.

Forum Discussion

LTM and java certs

19 Replies

Recent Discussions

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Portal Access to HTTPS resources slow

How to Implement 2 Way SSL in F5 LTM

Azure DP-100 Exam Questions

Related Content

LTM HA Pair SSL Certs

extract LTM VS ssl profile binding cert and key information to generate a json with python f5-sdk

iControl Library For Java With Source

Java Object Ltm Rule

Java Object Ltm Pool