Unix Technical Forum

9ias, jinitiator and ssl proxy server

This is a discussion on 9ias, jinitiator and ssl proxy server within the Oracle Miscellaneous forums, part of the Oracle Database category.


#1 (permalink)
04-07-2008, 10:47 PM
Dave Barstis
9ias, jinitiator and ssl proxy server

We're trying to put a BigIP switch in front of our 9ias (1.0.2.2.2)
server. BigIP will handle the encryption and pass an http request to
the app server.
Everything works fine when I bypass the BigIP server and only use http
requests directly on the app server. I get an error when trying to
access via BigIP.

Here's what we have:

1. Client connects to https://host.name.edu:9098 (address
129.74.xx.xx) which is BigIP.

2. BigIP sends request to http://host.name.edu:9098 (address
172.19.xx.xx) which is 9i App Server behind the firewall.

3. Client gets menu form with
https://host.name.edu:9098/dev60cgi/...onfig=INSTANCE link on it.

4. While opening https://host.name.edu:9098/forms60ja...ine/Main.class,
we get the following error:

java.lang.ClassNotFoundException: oracle.forms.engine.Main

with java.io.IOException: javax.net.ssl.SSLException: SSL handshake
failed: X509CertChainInvalidErr appearing in the console window.

I looked up the X509CertChainInvalidErr on Metalink but the solution
doesn't apply here. Like I said, if I access the 9ias server
directly, all works as advertised. I'm sure it's something simple
that I'm overlooking but if anyone has any ideas, your help would be
greatly appreciated.

Thanks,
Dave Barstis
University of Notre Dame
#2 (permalink)
04-07-2008, 10:47 PM
Frank van Bortel
Re: 9ias, jinitiator and ssl proxy server

Dave Barstis wrote:
> We're trying to put a BigIP switch in front of our 9ias (1.0.2.2.2)
> server. BigIP will handle the encryption and pass an http request to
> the app server.
> Everything works fine when I bypass the BigIP server and only use http
> requests directly on the app server. I get an error when trying to
> access via BigIP.
>
> Here's what we have:
>
> 1. Client connects to https://host.name.edu:9098 (address
> 129.74.xx.xx) which is BigIP.
>
> 2. BigIP sends request to http://host.name.edu:9098 (address
> 172.19.xx.xx) which is 9i App Server behind the firewall.
>
> 3. Client gets menu form with
> https://host.name.edu:9098/dev60cgi/...onfig=INSTANCE link on it.
>
> 4. While opening https://host.name.edu:9098/forms60ja...ine/Main.class,
> we get the following error:
>
> java.lang.ClassNotFoundException: oracle.forms.engine.Main
>
> with java.io.IOException: javax.net.ssl.SSLException: SSL handshake
> failed: X509CertChainInvalidErr appearing in the console window.
>
> I looked up the X509CertChainInvalidErr on Metalink but the solution
> doesn't apply here. Like I said, if I access the 9ias server
> directly, all works as advertised. I'm sure it's something simple
> that I'm overlooking but if anyone has any ideas, your help would be
> greatly appreciated.
>
> Thanks,
> Dave Barstis
> University of Notre Dame


Install the dependent part of your certificate
on 9iAS; lots of browsers have base certificates on board,
9iAS does not; and your certificate is only a partial one,
Verisign, I'd bet.

Has been asked before; google is your friend
--

Regards,
Frank van Bortel
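
The failure mode described in the reply above, a server certificate presented without the intermediate that links it to a root the client trusts, can be reproduced offline with openssl. This is an added example, not part of the original posts; the CA names, file names and the helper functions `new_csr`, `build_chain` and `chain_verifies` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (all names invented): root CA -> intermediate CA -> server cert.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"

# new_csr NAME CN: write NAME.key and NAME.csr for subject CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# build_chain: self-signed root, intermediate signed by root, leaf signed by intermediate.
build_chain() {
  new_csr root "Demo Root CA" &&
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 \
    -extfile "$WORK/ca.ext" -days 2 -out "$WORK/root.pem" >/dev/null 2>&1 &&
  new_csr int "Demo Intermediate CA" &&
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 2 -extfile "$WORK/ca.ext" -days 2 -out "$WORK/int.pem" >/dev/null 2>&1 &&
  new_csr leaf "host.name.edu" &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -set_serial 3 -days 2 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# chain_verifies [EXTRA.pem]: true only if leaf.pem chains to the trusted root,
# optionally helped by an extra untrusted certificate sent alongside the leaf.
chain_verifies() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$1" "$WORK/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1
  fi | grep -q ': OK$'
}

if build_chain; then
  chain_verifies         && echo "leaf only: OK"         || echo "leaf only: chain incomplete"
  chain_verifies int.pem && echo "leaf+intermediate: OK" || echo "leaf+intermediate: FAILED"
fi
```

The `-untrusted` file stands in for the intermediate certificates a TLS endpoint sends with its own certificate; a client holding only the root can build the path only when they are supplied.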
#3 (permalink)
04-07-2008, 10:47 PM
Craig Warman
Re: 9ias, jinitiator and ssl proxy server

To follow up on Frank's response - One thing to keep in mind is that
the http (Apache) and Forms servers need to know that they will be
communicating via a reverse proxy with the client. In other words,
they need to be aware that an intermediary will be handling the https
side of things. This is usually done by modifying the virtual host
settings in httpd.conf, and making some changes on the Forms server
config.

The error message you show below seems to indicate that the Forms
server is trying to handle the request it sees as an encrypted (https)
request - which won't be possible, since of course the request it's
receiving is clear text, thanks to BigIP. If you have already dealt
with virtual host settings and Forms server configs, then another
route may be to have BigIP strip off the "https" - and also
communicate over an unencrypted port. One test would be to look at
the Forms server logfiles to see if it believes it's getting https
requests that it needs to decrypt. If that's true, and you cannot get
BigIP to strip off "https" (or in some way make it clear that it's not
sending encrypted requests) then a sort of messy work-around would be
to have Apache do something called "URL re-writes". I would recommend
that you try your best to avoid this approach, however.

The 9iAS version you're using leads me to believe that you're using
Forms 6i server. Consider the following links as starting points for
your research:
http://download-east.oracle.com/docs...05.htm#1018024

And
http://download-east.oracle.com/docs...ap12.htm#84263

Note that you must be using Oracle JInitiator, version 1.1.7.30 or
later to utilize HTTPS.

Two other places I would like to refer you to would be Metalink and
OTN - look for something on configuring a reverse proxy in front of
Forms Server. There are some whitepapers out there that specifically
deal with this, however I don't have time at the moment to find them.
I think you'll be able to locate them with a modest time investment
though.

If you need to research URL re-writes, here is where you might start:
http://httpd.apache.org/docs/misc/rewriteguide.html
Again I think you want to avoid this if possible.

I don't know that what I've provided above will be a specific answer
to your query. However if you haven't already looked at the material
I've referenced, perhaps it will get you going in the right direction.

Craig



#4 (permalink)
04-07-2008, 10:47 PM
Dave Barstis
Re: 9ias, jinitiator and ssl proxy server

Thanks Frank and Craig. I'll review the documents. It's not a
problem with the cert. This was a standalone server before trying to
put BigIP in front of it. The server handled https requests just
fine. Now the server is configured to handle http requests since the
ssl handshake is being handled by BigIP. It works just fine when http
requests are pointed to it directly.

BigIP is supposed to strip off the "s" and communicate over an
unencrypted port.
The logfiles look like they're getting http requests.

It's got to be something simple I'm missing but I've just been staring
at this for too long.

Again, thanks for your help.

Dave



All times are GMT.