Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Oracle 10g SSL Offload - JInitiator:X509CertChainInvalidErr error

Hi,

We are in the process of implementing ssl offload on our LTM-3400’s for Oracle 10g. The servers we are load balancing to on the backend are listening on port 80. We have a valid Verisign cert in place. The first time you connect to the ssl vip the server downloads “JInitiator” to the local computer which is a java program. Once the installation is complete it attempts to load the app from the server. But it fails with an “X509CertChainInvalidErr” java error. I figured out a work around for individual computers, but this isn’t a valid solution for the general public. The work around is to add the cert assigned to the ssl vip to what a I think is a cert chain file call “C:\Program Files\Oracle\JInitiator 1.3.1.26\lib\security\certdb.txt on the local computer. Once added I restart the browser and all is well.

Like I said earlier this isn’t a practical work around as this site will be used by the public.

Has anyone seem this or know how to fix it?

I attached a copy of the certdb.txt (example-certdb.txt) file without my cert for an example.

Any help would be greatly appreciated.

Thanks,

Christopher G Davis
Sr. Network Engineer
SITA Atlanta Data Center
0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi Chris,

You should be able to import the chain cert under Local Traffic >> SSL certificates and then specify it in the client SSL profile.

SOL6401: Configuring the BIG-IP to use an intermediate or chain certificate with a client SSL profile (Click here)

Aaron
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi Chris

Did you ever manage to get this to work. You probably don't remember now it was so long ago but I'm having the same issues.

Would appreciate any tips for getting it working.

Cheers
Jacquie
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi Jacquie,

Did you try importing the intermediate cert and configuring that in the client SSL profile?

Aaron
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
No I have a certificate & key for the website configured in the client SSL profile. Do I need to convert this into a certificate bundle? I wasn't sure how to do that.
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
You can check SOL6401 (linked above) for details on configuring an intermediate cert:

https://support.f5.com/kb/en-us/solutions/public/6000/400/sol6401.html

Aaron
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Tried adding the ca-bundle from the chain drop down as well as having the website certificate and key configured but still getting the same error.
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Sorry, I was suggesting that you download the most current intermediate certificate from the certificate authority, add that to the bundle and then update the client SSL profile by clicking save. The last step loads the changed cert file into LTM memory for use. If you get stuck in this process, you could open a case with F5 Support and ask for help.

Aaron
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
I am trying to implement the SSL for Oracle 10g Forms/Reports standalone behind the BIG-IP 9.3.1 Build 37.1.
I have three (will be more) servers in teh Load Balanced pool.
I am have isntalled the Certificate on the F5 unit and want to terminate the SSL communcation on the F5 instead of the Oracle servers.
Can someone explain/assist with understanding on how to configure the F5 to line up to the ports that Oracle is listening to.
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi Yuliy, take a look at the F5 deployment guide for Oracle 10g. It has a section on SSL offload, here: http://www.f5.com/pdf/deployment-guides/f5-oracle10g-dg.pdf

-Chris.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
hi chris,

where can we find the deployment guide for 9iAS release 2? we're still using this version in our reporting services. does it also include an SSL implementation guide as well? we're experiencing similar error messages during our testing phase in our TEST environment.

regards,
bhotskie
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
jrcma.oracle

Sorry, but 10g was the first deployment guide for Application Server that we made.
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Chris: This is garfield. Didnt know you went back to F-5. Hope you are doing well. Quick question: So what was the definitive solution for the Terminating SSL @ F-5 versus back-end proxy for Oracle forms applications?

We still have the issue, do you guys find a solution @ F-5, or do we need to seek one from Oracle?


Thanks.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Chris,

Find the attachment..hope it will help you.
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Thank You for the attachment, it explains this issue very well, and will be a big help to the rest of the forum...thanx for contributing
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Chris,

Can I have the attachment. We are facing the same issue.

0