
Monday July 23, 2007
Configuring reverse proxy in Sun Java System Web Server 7.0 when origin server is SSL enabled
In my last blog I explained the configuration of a simple non-SSL reverse proxy. In this blog I have set up a scenario where a non-SSL Sun Java System Web Server 7.0 instance connects to an origin server that is SSL enabled.
Creating SSL enabled origin server
If you already have an SSL enabled origin server you can skip this.
For ease of use I have used SJS Web Server 7.0 as the origin server as well.
Start the administration server, and go to wadm:
>./wadm --user=admin
Please enter admin-user-password> ****
- Create a self signed certificate (because it is self signed, the proxy instance will not trust it by default; the Troubleshooting section below deals with that)
wadm> create-selfsigned-cert --config=test.sun.com --server-name=test.sun.com --nickname=My-CA-Cert
- Create an HTTP listener
wadm> create-http-listener --listener-port=8888 --config=test.sun.com --server-name=test.sun.com --default-virtual-server-name=test.sun.com mylistener
- Enable SSL for this listener and set the server certificate
wadm> set-ssl-prop --config=test.sun.com --http-listener=mylistener server-cert-nickname=My-CA-Cert enabled=true
- Deploy the changes
wadm> deploy-config test.sun.com
- Start this origin server instance.
Settings in Web Server 7.0 instance
Let's say we want to forward all requests to /xyz to the origin server. Go to the Web Server instance config directory and modify obj.conf as given below.
<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"
NameTrans fn="pfx2dir" from="/mc-icons" dir="/export2/mv/lib/icons" name="es-internal"
NameTrans fn="map" from="/xyz" name="reverse-proxy-/" to="/xyz"
PathCheck fn="uri-clean"
...
</Object>
<Object ppath="*">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="https://test.sun.com:8888"
</Object>
Note that I have given the manual steps here. In my last blog I gave the Administration CLI steps.
Let's say that for this instance server.xml has <port>8080</port>.
Make sure that the origin server is up and running.
Start the server; accessing http://test.sun.com:8080/xyz/ should show you the xyz directory in the docroot of the origin server.
Troubleshooting
In case we get a Gateway Timeout error and in the error log we see an error like
[23/Jul/2007:16:44:11] failure (27927): for host .... trying to GET ...., service-http reports: HTTP7758: error sending request (SEC_ERROR_UNTRUSTED_ISSUER: Client certificate is signed by an untrusted issuer.)
We get this error because the origin server's certificate was not issued by a CA that the Web Server instance trusts (here the Web Server instance is the TLS client, and the certificate it rejects is the origin server's). It means we need to export the CA certificate of the origin server instance and import it into the certificate database of the Web Server instance.
Export the origin server's CA certificate
Go to the <server-instance>/config directory of the origin server, list the certificates, and then use pk12util to export the certificate.
>../../bin/certutil -L -d .
My-CA-Cert CTu,CTu,CTu
>../../bin/pk12util -o /tmp/exported.crt -n My-CA-Cert -d .
Note that pk12util writes a PKCS#12 file that contains the private key along with the certificate, so give it a strong password and remove /tmp/exported.crt once the import below is done.
Import the origin server CA certificate in the server instance config directory
Initialize NSS Database
To import a certificate into the server instance config directory you have to first initialize the NSS database.
Note that if this Web Server instance is already SSL enabled you can skip this NSS database initialization part.
>../../bin/certutil -N -d .
Enter Password or Pin for "NSS Certificate DB":
Re-enter password:
Password changed successfully.
Import the certificate
Let's say the file /tmp/exported.crt contains the CA cert of the origin server; import it into the NSS database.
> ../../bin/pk12util -i /tmp/exported.crt -d . -v
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
Confirm by listing certs
>../../bin/certutil -L -d .
My-CA-Cert u,u,u
Modify trust flags if required
You can see that the imported certificate doesn't carry the 'CT' trust flags, so NSS does not yet treat it as a trusted CA.
>../../bin/certutil -M -n My-CA-Cert -t 'CTu,CTu,CTu' -d .
Now you can see it is a proper CA cert:
>../../bin/certutil -L -d .
My-CA-Cert CTu,CTu,CTu
Restart the server instance and things should work fine now.
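As an added example (not code from the original post), here is a small sh script that parses `certutil -L` output and tells you, before the restart, whether the imported nickname already carries the CA trust flags the steps above end with, printing the certutil -M command when it does not. The listings inside it are constructed to mirror the ones shown above, and the nickname My-CA-Cert is the one used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): check, from `certutil -L` output,
# that the origin server's CA cert sits in the proxy's NSS database with the
# C and T trust flags in the SSL slot, i.e. the state the post ends with.
# The listings further down are constructed to mirror the post's output.

# Print the trust triplet (SSL,S/MIME,JAR/XPI) for a nickname read from stdin;
# fail if the nickname is absent. Assumes a nickname without spaces, as here.
trust_flags() {
    awk -v n="$1" '$1 == n { print $NF; found = 1 } END { exit (found ? 0 : 1) }'
}

# Succeed only when the SSL slot (first of the three) carries both C and T,
# which is what `certutil -M -t 'CTu,CTu,CTu'` sets in the post.
is_trusted_ca() {
    ssl=${1%%,*}
    case "$ssl" in
        *C*T*|*T*C*) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_db LISTING NICKNAME [DBDIR]: prints missing, untrusted or trusted and,
# for untrusted, the certutil -M command that would fix it (exit 2/1/0).
check_db() {
    flags=$(printf '%s\n' "$1" | trust_flags "$2") || { echo missing; return 2; }
    if is_trusted_ca "$flags"; then
        echo trusted
    else
        echo untrusted
        echo "certutil -M -n '$2' -t 'CTu,CTu,CTu' -d '${3:-.}'"
        return 1
    fi
}

# Constructed listings: right after `pk12util -i`, and after `certutil -M`.
AFTER_IMPORT='Certificate Nickname                    Trust Attributes
                                        SSL,S/MIME,JAR/XPI

My-CA-Cert                              u,u,u'
AFTER_FIX='Certificate Nickname                    Trust Attributes
                                        SSL,S/MIME,JAR/XPI

My-CA-Cert                              CTu,CTu,CTu'

check_db "$AFTER_IMPORT" My-CA-Cert || echo "exit status $?"   # untrusted, 1
check_db "$AFTER_FIX" My-CA-Cert                               # trusted, 0
```

On a real instance, replace the constructed listings with `check_db "$(../../bin/certutil -L -d .)" My-CA-Cert` run from the instance config directory.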
Posted by meena
( Jul 23 2007, 07:13:46 PM IST )
Trackback URL: http://blogs.sun.com/meena/entry/configuring_reverse_proxy_in_web
I have noticed that the reverse proxy server doesn't use SSL (you use http://test.sun.com:8080/xyz/ to redirect to https://test.sun.com:8888). Is it possible to use https://test2.sun.com:443/xyz/ to redirect to https://test.sun.com:8888? If so, how?
Please help me resolve it.
Posted by ramamoorthy on December 30, 2008 at 05:58 AM IST #
Whether the reverse proxy server is SSL or non-SSL, the behavior is not any different.
In the server instance of test2.sun.com, look at server.xml and find the http-listener which listens on port 443. It will have a corresponding virtual server. That virtual server will have a *obj.conf (the default value is obj.conf). In that *obj.conf file add the "map", "proxy-retrieve" and "set-origin-server" (with https://test.sun.com:8888) SAFs.
For any more help write to
http://forum.java.sun.com/forum.jspa?forumID=759
Posted by Meena on December 30, 2008 at 12:23 PM IST #
Let's discuss this in this thread
http://forums.sun.com/thread.jspa?threadID=5359313&tstart=0
Posted by meena on January 08, 2009 at 12:31 PM IST #