topic Re: ssl rewrite issue for IDM application in Application Networking

ssl rewrite issue for IDM application

Yahshanulla S — Fri, 19 Aug 2011 12:08:48 GMT

We have IDM application with SSL offloading in ACE with action REWRITE statement. We are using IDM for both HTTP and HTTPS applications authentication. But we have problem for HTTP sites like after IDM authentication HTTP header will be rewrite as HTTPS.

HTTP VIP --> IDM VIP -->Converted to HTTPS because of action REWRITE

IDM VIP has the following config:

------------------------------------------------

action-list type modify http REWRITE

ssl url rewrite location ".*"

policy-map type loadbalance first-match LB-rtp-login-stg-S443

class class-default

sticky-serverfarm SG-rtp-login-stg-S80

action REWRITE

insert-http IS_SSL header-value "ssl"

But if we remove action REWRITE then HTTPS applications are breaking after IDM authentication. How to fix this issue?

ssl rewrite issue for IDM application

Yahshanulla S — Fri, 19 Aug 2011 20:20:03 GMT

Guys,

Any body is having any idea about this???

ssl rewrite issue for IDM application

ohynderi — Mon, 22 Aug 2011 09:15:41 GMT

Can you show me your multi-match policy as well? I guess you have a different class for http and https. Are you using the same loadbalance policy for http and https?

Thanks,

Olivier

ssl rewrite issue for IDM application

Yahshanulla S — Mon, 22 Aug 2011 11:03:08 GMT

Yes. we have separate multi-match policy for HTTP and HTTPS IDM VIP.

policy-map multi-match GP-SUBPROD-01-VIP

class VC-rtp-login-stg-S80

loadbalance vip inservice

loadbalance policy LB-rtp-login-stg-S80

loadbalance vip icmp-reply active

nat dynamic 1 vlan 2513

nat dynamic 1 vlan 2514

connection advanced-options TCP_PARAM_MAP

class VC-rtp-login-stg-S443

loadbalance vip inservice

loadbalance policy LB-rtp-login-stg-S443

loadbalance vip icmp-reply active

appl-parameter http advanced-options http_paramater_map

ssl-proxy server SO-rtp-login-stg-S

connection advanced-options TCP_PARAM_MAP

ssl rewrite issue for IDM application

ohynderi — Mon, 22 Aug 2011 13:28:02 GMT

I assume you didn't apply the rewrite action to the LB-rtp-login-stg-S80 policy. Do you maybe have some network captures exhibiting the problem?

Thanks,

Olivier

ssl rewrite issue for IDM application

Yahshanulla S — Mon, 22 Aug 2011 14:21:42 GMT

Well. the problem with only HTTPS( VC-rtp-login-stg-S443), As i explained before. This is IDM application(VIP) and we need to use HTTPS only as this is internet based. So the problem with only if other HTTP application gets authenticated with this IDM HTTPS VIP then the result is HTTPS (original request was HTTP).

Application (1) HTTP VIP --> IDM VIP -->Converted to HTTPS of Application (1) because of action REWRITE

I hope you understood the problem.

Re: ssl rewrite issue for IDM application

Yahshanulla S — Mon, 22 Aug 2011 14:49:29 GMT

Adding the screenshots

Re: ssl rewrite issue for IDM application

Yahshanulla S — Wed, 24 Aug 2011 04:31:26 GMT

Hi oliver,

Do you have any suggestion

Re: ssl rewrite issue for IDM application

ohynderi — Wed, 24 Aug 2011 09:21:27 GMT

You basically need to rewrite the action-list so that it doesn't match

http://stagesupport.netap.com. Currently it is matching everything.

You should try to have a sniffer trace on the server side so that you can confirm the URL present in the Location header of the http redirection

Olivier

Re: ssl rewrite issue for IDM application

Yahshanulla S — Thu, 25 Aug 2011 06:22:55 GMT

What do you want to put exactly under action list. Please give me some example.

ssl rewrite issue for IDM application

ohynderi — Thu, 25 Aug 2011 08:11:35 GMT

Just have a look at this:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml

In the example, ACE is configured to rewrite location headers matching www.cisco.com only. You should do the same: have a restricted list of urls that need to be rewrite in http redirections.

Thanks,

Olivier