Oracle 10g SSL Offload - JInitiator:X509CertChainInvalidErr error

Hi,

We are in the process of implementing ssl offload on our LTM-3400’s for Oracle 10g. The servers we are load balancing to on the backend are listening on port 80. We have a valid Verisign cert in place. The first time you connect to the ssl vip the server downloads “JInitiator” to the local computer which is a java program. Once the installation is complete it attempts to load the app from the server. But it fails with an “X509CertChainInvalidErr” java error. I figured out a work around for individual computers, but this isn’t a valid solution for the general public. The work around is to add the cert assigned to the ssl vip to what a I think is a cert chain file call “C:\Program Files\Oracle\JInitiator 1.3.1.26\lib\security\certdb.txt on the local computer. Once added I restart the browser and all is well.

Like I said earlier this isn’t a practical work around as this site will be used by the public.

Has anyone seem this or know how to fix it?

I attached a copy of the certdb.txt (example-certdb.txt) file without my cert for an example.

Any help would be greatly appreciated.

Thanks,

Christopher G Davis

Sr. Network Engineer

SITA Atlanta Data Center

oracle

partner

14 Replies

hooleylist
Cirrostratus
Dec 23, 2008
Hi Chris,

You should be able to import the chain cert under Local Traffic >> SSL certificates and then specify it in the client SSL profile.

SOL6401: Configuring the BIG-IP to use an intermediate or chain certificate with a client SSL profile (Click here)

Aaron
Jacquiec_105785
Nimbostratus
Nov 04, 2009
Hi Chris

Did you ever manage to get this to work. You probably don't remember now it was so long ago but I'm having the same issues.

Would appreciate any tips for getting it working.

Cheers

Jacquie
hooleylist
Cirrostratus
Nov 04, 2009
Hi Jacquie,

Did you try importing the intermediate cert and configuring that in the client SSL profile?

Aaron
Jacquiec_105785
Nimbostratus
Nov 04, 2009
No I have a certificate & key for the website configured in the client SSL profile. Do I need to convert this into a certificate bundle? I wasn't sure how to do that.
hooleylist
Cirrostratus
Nov 04, 2009
You can check SOL6401 (linked above) for details on configuring an intermediate cert:

https://support.f5.com/kb/en-us/solutions/public/6000/400/sol6401.html

Aaron
Jacquiec_105785
Nimbostratus
Nov 04, 2009
Tried adding the ca-bundle from the chain drop down as well as having the website certificate and key configured but still getting the same error.
hooleylist
Cirrostratus
Nov 04, 2009
Sorry, I was suggesting that you download the most current intermediate certificate from the certificate authority, add that to the bundle and then update the client SSL profile by clicking save. The last step loads the changed cert file into LTM memory for use. If you get stuck in this process, you could open a case with F5 Support and ask for help.

Aaron
Yuliy_100882
Nimbostratus
Dec 17, 2009
I am trying to implement the SSL for Oracle 10g Forms/Reports standalone behind the BIG-IP 9.3.1 Build 37.1.

I have three (will be more) servers in teh Load Balanced pool.

I am have isntalled the Certificate on the F5 unit and want to terminate the SSL communcation on the F5 instead of the Oracle servers.

Can someone explain/assist with understanding on how to configure the F5 to line up to the ports that Oracle is listening to.
Chris_Akker_129
Historic F5 Account
Dec 17, 2009
Hi Yuliy, take a look at the F5 deployment guide for Oracle 10g. It has a section on SSL offload, here: http://www.f5.com/pdf/deployment-guides/f5-oracle10g-dg.pdf

-Chris.
jrcma_oracle_47
Nimbostratus
Jan 18, 2010
hi chris,

where can we find the deployment guide for 9iAS release 2? we're still using this version in our reporting services. does it also include an SSL implementation guide as well? we're experiencing similar error messages during our testing phase in our TEST environment.

regards,

bhotskie