ssl rewrite issue for IDM application

Yahshanulla S
Level 1

We have an IDM application with SSL offloading on the ACE, using an action REWRITE statement. We are using IDM for authentication of both HTTP and HTTPS applications. But we have a problem with HTTP sites: after IDM authentication, the HTTP header is rewritten as HTTPS.

HTTP VIP --> IDM VIP --> Converted to HTTPS because of action REWRITE

IDM VIP has the following config:

------------------------------------------------

action-list type modify http REWRITE
  ssl url rewrite location ".*"

policy-map type loadbalance first-match LB-rtp-login-stg-S443
  class class-default
    sticky-serverfarm SG-rtp-login-stg-S80
    action REWRITE
    insert-http IS_SSL header-value "ssl"

But if we remove action REWRITE, then HTTPS applications break after IDM authentication. How can we fix this issue?

10 Replies

Yahshanulla S
Level 1

Guys,

Does anybody have any idea about this?

Can you show me your multi-match policy as well? I guess you have a different class for http and https. Are you using the same loadbalance policy for http and https?

Thanks,

Olivier

Yes. We have a separate multi-match policy for HTTP and HTTPS IDM VIP.

policy-map multi-match GP-SUBPROD-01-VIP
  class VC-rtp-login-stg-S80
    loadbalance vip inservice
    loadbalance policy LB-rtp-login-stg-S80
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2513
    nat dynamic 1 vlan 2514
    connection advanced-options TCP_PARAM_MAP
  class VC-rtp-login-stg-S443
    loadbalance vip inservice
    loadbalance policy LB-rtp-login-stg-S443
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options http_paramater_map
    ssl-proxy server SO-rtp-login-stg-S
    connection advanced-options TCP_PARAM_MAP

I assume you didn't apply the rewrite action to the LB-rtp-login-stg-S80 policy. Do you maybe have some network captures exhibiting the problem?

Thanks,

Olivier

Well, the problem is only with HTTPS (VC-rtp-login-stg-S443), as I explained before. This is an IDM application (VIP) and we need to use HTTPS only, as it is internet-based. So the problem occurs only if another HTTP application gets authenticated with this IDM HTTPS VIP; then the result is HTTPS (the original request was HTTP).

Application (1) HTTP VIP --> IDM VIP --> Converted to HTTPS of Application (1) because of action REWRITE

I hope you understood the problem.

Adding the screenshots

Hi Olivier,

Do you have any suggestions?

You basically need to rewrite the action-list so that it doesn't match http://stagesupport.netap.com. Currently it is matching everything.

You should try to have a sniffer trace on the server side so that you can confirm the URL present in the Location header of the HTTP redirection.

Olivier

What exactly do you want to put under the action list? Please give me an example.

Just have a look at this:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml

In the example, ACE is configured to rewrite location headers matching www.cisco.com only. You should do the same: have a restricted list of URLs that need to be rewritten in HTTP redirections.

Thanks,

Olivier
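To illustrate the advice in the last reply, here is an added example (not from the thread and not Cisco code) that models the Location-header rewrite and compares the catch-all ".*" expression, no rewrite at all, and a restricted host list. The host secureapp.example.com, the paths, and the whole-host matching with Python regex standing in for ACE regex are assumptions; stagesupport.netap.com is the HTTP site named in the thread.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def rewrite_location(location, host_patterns, clearport=80, sslport=443):
    """Simplified model of an SSL-offload Location rewrite (assumption, not
    ACE code): an http:// redirect is changed to https:// only when its host
    fully matches one of the configured expressions."""
    parts = urlsplit(location)
    if parts.scheme != "http" or not parts.hostname:
        return location                      # https or relative: untouched
    if (parts.port or 80) != clearport:
        return location                      # not the clear-text port
    if not any(re.fullmatch(p, parts.hostname) for p in host_patterns):
        return location                      # host is not on the list
    netloc = parts.hostname if sslport == 443 else f"{parts.hostname}:{sslport}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

# Constructed redirects as real servers would emit them behind SSL offload
# (they only see clear text, so they always answer with http://).
REDIRECTS = {
    "https_app": "http://secureapp.example.com/portal?sid=1",  # hypothetical HTTPS app
    "http_app": "http://stagesupport.netap.com/home",          # HTTP site from the thread
}

CATCH_ALL = [r".*"]                        # the action-list as posted
NO_REWRITE = []                            # action REWRITE removed
RESTRICTED = [r"secureapp\.example\.com"]  # only hosts that are served over HTTPS

def audit(host_patterns):
    """Return the scheme each client is finally redirected to."""
    return {name: urlsplit(rewrite_location(url, host_patterns)).scheme
            for name, url in REDIRECTS.items()}

if __name__ == "__main__":
    for label, pats in [("catch-all", CATCH_ALL), ("none", NO_REWRITE),
                        ("restricted", RESTRICTED)]:
        print(f"{label:10s} {audit(pats)}")
```

Only the restricted list keeps the HTTPS application on https while leaving the HTTP site's redirect alone; with no rewrite, the HTTPS application's post-authentication redirect goes out as clear-text http.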