14 replies Latest Post - ‏2012-12-05T16:17:39Z by Liv2luv
SystemAdmin

var://service/routing-url-sslprofile does not change SSL Proxy profile

2012-11-28T09:43:38Z
For a client, I'm trying to implement the following scenario:

  • DataPower XG45 which has one public IP address.
  • Only port 443 is open to that public IP.
  • Based on the FQDN/DNS name that was used to access the IP of the DataPower:
    - a certain service on the DataPower or a certain backend should be chosen;
    - a certain wildcard certificate should be offered.

Example:
Via a browser I'm going to the following URLs:
  • https://service1.prod.company.com should bring me to an internal webserver service1.prod.company.int and offer the *.prod.company.com wildcard-certificate to the browser
  • https://service1.test.company.com should bring me to an internal webserver service1.test.company.int and offer the *.test.company.com wildcard-certificate to the browser

The first part, routing based on the FQDN, works without problems:
  • using a matching rule for the URL https://service1.prod.company.com* and an XSL route action route_prod.xsl:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions" extension-element-prefixes="dp">
  <!-- route_prod.xsl: send the request to the prod backend, keeping the original URI -->
  <xsl:template match="/">
    <dp:set-variable name="'var://service/routing-url'"
        value="concat('http://service1.prod.company.int', dp:variable('var://service/URI'))"/>
  </xsl:template>
</xsl:stylesheet>


  • using a matching rule for the URL https://service1.test.company.com* and an XSL route action route_test.xsl:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions" extension-element-prefixes="dp">
  <!-- route_test.xsl: send the request to the test backend, keeping the original URI -->
  <xsl:template match="/">
    <dp:set-variable name="'var://service/routing-url'"
        value="concat('http://service1.test.company.int', dp:variable('var://service/URI'))"/>
  </xsl:template>
</xsl:stylesheet>


Now I'm trying to set the SSL proxy profile based on the executed action by setting the routing-url-sslprofile variable.

I created two SSL Proxy Profiles:
  • ssl_test_company, which offers the *.test.company.com wildcard-certificate
  • ssl_prod_company, which offers the *.prod.company.com wildcard-certificate

I changed the XSL as follows:
route_test.xsl:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions" extension-element-prefixes="dp">
  <xsl:template match="/">
    <!-- select the SSL proxy profile, then route to the test backend -->
    <dp:set-variable name="'var://service/routing-url-sslprofile'"
        value="'ssl_test_company_be'"/>
    <dp:set-variable name="'var://service/routing-url'"
        value="concat('http://service1.test.company.int', dp:variable('var://service/URI'))"/>
  </xsl:template>
</xsl:stylesheet>


route_prod.xsl:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions" extension-element-prefixes="dp">
  <xsl:template match="/">
    <!-- select the SSL proxy profile, then route to the prod backend -->
    <dp:set-variable name="'var://service/routing-url-sslprofile'"
        value="'ssl_prod_company_be'"/>
    <dp:set-variable name="'var://service/routing-url'"
        value="concat('http://service1.prod.company.int', dp:variable('var://service/URI'))"/>
  </xsl:template>
</xsl:stylesheet>


Only this doesn't seem to have any effect on the certificate that is offered to the browser...
If I look using the probe, the variable is correctly changed as it should be, but it seems that the action is not taken.

Any ideas how to solve this issue, or maybe there is another solution?
Thanks in advance!
Updated on 2012-12-05T16:17:39Z by Liv2luv
  • kenhygh
    2012-11-28T10:54:58Z in response to SystemAdmin
    Jens,
    First, routing-url-sslprofile sets the proxy for backend calls, not front end. For the browser/front end, you'll need to have two separate FSHs each with their own SSL proxy profile with an idcred containing the appropriate browser.

    BTW, it's really a bad idea to have test and prod on the same device.

    Ken
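To make Ken's point concrete, here is an added Python model (not DataPower code and not part of the original thread): the certificate a browser is shown is fixed by the front side handler that owns the listening IP:port, before any routing XSL runs, so a backend routing variable cannot change it, whereas a second VIP (the 1.1.1.7 auxiliary address the thread later settles on) can. The DNS and listener tables are constructed from the thread's hostnames and IPs.

```python
# Added example (not DataPower code): the cert a browser is shown is chosen
# per listening IP:port by the front side handler, before any routing XSL runs.
# DNS and listener tables below are constructed from the thread's names/IPs.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style check: '*' is only valid as the whole leftmost label and
    matches exactly one label, so '*.prod.company.com' does not cover
    'a.b.prod.company.com' or the bare 'prod.company.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".prod.company.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return leftmost != "" and "." not in leftmost

# Constructed DNS tables: hostname -> VIP it resolves to.
DNS_ONE_VIP = {"service1.prod.company.com": "1.1.1.4",
               "service1.test.company.com": "1.1.1.4"}
DNS_TWO_VIPS = {"service1.prod.company.com": "1.1.1.4",   # primary VIP
                "service1.test.company.com": "1.1.1.7"}   # auxiliary VIP

# Constructed listener tables: (ip, port) -> subject of the certificate the
# HTTPS front side handler's SSL proxy profile presents on that socket.
FSH_ONE_VIP = {("1.1.1.4", 443): "*.prod.company.com"}
FSH_TWO_VIPS = {("1.1.1.4", 443): "*.prod.company.com",
                ("1.1.1.7", 443): "*.test.company.com"}

def presented_cert(hostname, dns, listeners, port=443):
    """Certificate subject a client gets when it opens https://hostname/.
    The routing XSL (and routing-url-sslprofile) never enters this path."""
    return listeners[(dns[hostname], port)]

def check_plan(dns, listeners):
    """hostname -> True if the certificate on the VIP it resolves to
    actually matches the name the browser typed."""
    return {h: wildcard_matches(presented_cert(h, dns, listeners), h)
            for h in dns}

if __name__ == "__main__":
    for label, dns, fsh in (("one VIP", DNS_ONE_VIP, FSH_ONE_VIP),
                            ("two VIPs", DNS_TWO_VIPS, FSH_TWO_VIPS)):
        print(label, check_plan(dns, fsh))
```

With a single VIP the test hostname is served the prod wildcard and fails the name check; with the auxiliary VIP each name gets a matching certificate.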
    • SystemAdmin
      2012-11-28T12:49:24Z in response to kenhygh
      Ken,

      Thanks for your reply.
      So if I understand correctly, we will need another port number or another IP address to be able to create two Front Side Handlers and to present the two different certificates?

      Test and prod was only an example; it does not involve DataPower test or prod environments but backend-application testing in different domains.
      • SystemAdmin
        2012-11-28T12:59:33Z in response to SystemAdmin
        Sorry for the extra message, but does this mean that if we want to present a different certificate for every service we define on the DataPower, we need to use a different IP address? (Considering we do not want to change port 443.)
        • swlinn
          2012-11-28T19:06:48Z in response to SystemAdmin
          Each HTTPS front side handler should present its own certificate, hopefully matching the domain name of the dns name used, but each front side handler must have a unique IP and port, so if you don't want to change the port, you must have a unique IP. You can associate multiple IPs with an interface by specifying them as the secondary IPs of the interface.

          Regards,
          Steve
          • SystemAdmin
            2012-11-28T20:54:23Z in response to swlinn
            I know about the existence of the secondary IP, but could you tell me if we can use that in combination with the active/standby of the XG45? Is the secondary IP like a subinterface, and can we also add the subinterface to a separate standby group?

            At this time, I don't have access to the device to test this.

            We currently have the following setup:

            • XG45 #1 IP: 1.1.1.2 (active)
              - virtual IP: 1.1.1.4 (used by DNS)
            • XG45 #2 IP: 1.1.1.3 (standby)

            So if we want to be able to present a different certificate to a different DNS-name, we need to create an extra public (secondary) IP per appliance?
            • kenhygh
              2012-11-28T21:21:14Z in response to SystemAdmin
              Yes. And if you want failover on that other address, you'll need another VIP and standby.

              Ken
              • SystemAdmin
                2012-11-29T10:29:17Z in response to kenhygh
                Just to be clear: is it possible to create a secondary address and a separate standby group for that secondary address on both DataPowers?
                We would like to keep the current cabling, and it would be very impractical to add a physical cable to get the extra IPs.
                • kenhygh
                  2012-11-29T11:06:23Z in response to SystemAdmin
                  You do not need to add cables. You just need to reserve additional IP addresses and have your boxes listen to those secondary addresses.

                  Each interface can listen to multiple IP addresses. To do this, while logged in to the default domain with administrative privileges, you can add secondary addresses to your enabled interface.

                  You then bind service 1 to the primary address, and service 2 to the secondary address.

                  This is similar to virtual hosts in an HTTP server configuration, if that helps.

                  Ken
                  • SystemAdmin
                    2012-11-29T13:54:49Z in response to kenhygh
                    Ken,

                    I know that this is possible; I only worry whether the secondary address is usable with the virtual IP and a standby group.

                    Currently we have for example:
                    • DP#1: interface eth0, IP:1.1.1.2, standby group: 1
                    • DP#2: interface eth0, IP:1.1.1.3, standby group: 1
                    • virtual IP:1.1.1.4 for standby group 1

                    Equal services are bound to eth0 on both DPs, and the DNS names resolve to 1.1.1.4.

                    Is it possible to create a secondary address on the same eth0 interface, but for a different standby group, as follows:
                    • DP#1: interface eth0, primary IP:1.1.1.2, standby group: 1
                    • DP#1: interface eth0, secondary IP:1.1.1.5, standby group: 2
                    • DP#2: interface eth0, primary IP:1.1.1.3, standby group: 1
                    • DP#2: interface eth0, secondary IP:1.1.1.6, standby group: 2
                    • virtual IP:1.1.1.4 for standby group 1
                    • virtual IP:1.1.1.7 for standby group 2

                    We could then do the following:
                    • service1: listen on 1.1.1.2 on DP#1 and 1.1.1.3 on DP#2, DNS-names for service1 resolve to 1.1.1.4
                    • service2: listen on 1.1.1.5 on DP#1 and 1.1.1.6 on DP#2, DNS-names for service2 resolve to 1.1.1.7

                    As soon as I have access to the DPs I can test this, but for now I don't.

                    Thanks for the replies until now :)
                    • Liv2luv
                      2012-11-29T18:37:55Z in response to SystemAdmin
                      As far as I know, you cannot add two standby groups to the same interface. If one interface has both a primary and a secondary IP, add the Auxiliary VIP address in the standby control.

                      example:

                      Interface eth0 has both 1.1.1.1 (Primary) and 2.3.4.5 (secondary) IP.
                      VIP for 1.1.1.1 is 1.1.1.2 and Auxiliary VIP for 2.3.4.5 is 2.3.4.6
                      • SystemAdmin
                        2012-12-04T10:06:42Z in response to Liv2luv
                        Yesterday, I tried to resolve the problem.

                        I did the following:
                        • added an extra auxiliary IP to the standby group for the public interface
                        • changed my service that offers certificate1 to listen only on the normal virtual IP
                        • created a similar service that offers certificate2, listening only on the auxiliary IP
                        • changed the DNS entry for the service with certificate1 to use the normal virtual IP
                        • changed the DNS entry for the service with certificate2 to use the auxiliary IP

                        This seems to work and the client gets a different certificate for the different DNS-name.

                        Only we are limited now since it is impossible to add a third IP to the standby group... So if we want to add an extra service which is using a third, different, certificate, we will have to use another interface (and thus change our physical connections).

                        Is there no workaround for this?
                        • Liv2luv
                          2012-12-04T15:42:00Z in response to SystemAdmin
                          >Only we are limited now since it is impossible to add a third IP to the standby group...

                          Not really, you can have multiple Auxiliary VIP addresses separated by a colon. Just wanted to highlight the risk as well: you're overly dependent on one Primary VIP, as the auxiliary VIPs are dependent on the primary.

                          Thanks.
                          • SystemAdmin
                            2012-12-05T09:51:10Z in response to Liv2luv
                            Thanks for the information. This more or less solves the problem we have.

                            I tested by adding two extra IP-addresses to the standby group and it seems to work :)
                            That those auxiliary addresses depend on the primary is not a big issue, since they are in the same subnet.
                            • Liv2luv
                              2012-12-05T16:17:39Z in response to SystemAdmin
                              Thanks for the update.

                              Glad it worked well for you.