Greg,

I found a tool that you can use to look at what's going on with ssl and the
loadbalancer or orion. If you are using linux, you probably have this
already, openssl. I am not sure if there is a windows build, though.

at the command line:

openssl s_client -connect loadbalancermachine:443 -state -debug

The result is clear, ssl returns with an ssl handshake failure. If you do
this on an instance of orion with ssl:

openssl s_client -connect orionmachine:443 -state -debug

There is no problem.

So that nails the bug down, it's got to be the loadbalancer. I will post this
in bug 525 for Karl.

Regards,

the elephantwalker
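The `openssl s_client` check described above, as an added example that is not part of the original thread: a Python script that attempts the same TLS handshake against the balancer and against a backend directly, and applies the same reasoning (backend handshakes, balancer does not, so the fault sits in the balancer). The `probe_tls`, `localize_fault` and `diagnose` functions, the placeholder host names and the local plain-HTTP stub used to exercise the failure path are constructs of this example, not code or values from Orion or from the thread.

```python
import socket
import ssl
import threading

# Added example, not part of the original thread. A Python stand-in for
#   openssl s_client -connect host:443 -state -debug
# that reports whether a TLS handshake with a listener succeeds, then applies
# the reasoning from the message above. Host names are placeholders.


def probe_tls(host, port, timeout=5.0):
    """Open a TCP connection, attempt a TLS handshake and classify the outcome.

    "status" is one of "ok", "handshake_failure", "refused", "unreachable".
    Certificate verification is off on purpose: the question is whether the
    peer speaks TLS at all, not whether its test certificate chains to a root.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"status": "refused"}    # nothing is listening on the port
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"status": "ok",
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        # e.g. WRONG_VERSION_NUMBER when the listener answers in plain HTTP,
        # or a real alert from a misconfigured keystore
        return {"status": "handshake_failure", "detail": exc.reason or str(exc)}
    except OSError as exc:
        # connection reset or timeout while the handshake was in flight
        return {"status": "handshake_failure", "detail": type(exc).__name__}
    finally:
        raw.close()                     # no-op once wrap_socket has taken the fd


def localize_fault(balancer_result, backend_result):
    """The thread's reasoning applied to two probe results."""
    lb_ok = balancer_result["status"] == "ok"
    be_ok = backend_result["status"] == "ok"
    if be_ok and not lb_ok:
        return "load balancer"          # backend fine, balancer not
    if not be_ok and not lb_ok:
        return "backend (or both)"      # cannot blame the balancer yet
    if be_ok and lb_ok:
        return "no TLS fault observed"
    return "backend only"               # balancer fine, direct backend failing


def diagnose(balancer, backend):
    """Probe both (host, port) endpoints and return results plus verdict."""
    lb = probe_tls(*balancer)
    be = probe_tls(*backend)
    return {"balancer": lb, "backend": be, "verdict": localize_fault(lb, be)}


def start_plain_http_stub():
    """Constructed test double: a listener on a free local port that answers
    any input with plain HTTP, i.e. a 'port 443' that does not speak TLS,
    which is what a balancer with SSL silently disabled looks like."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)             # swallow the ClientHello
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def find_free_port():
    """A local port nothing listens on, to show the 'refused' outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print(probe_tls("127.0.0.1", start_plain_http_stub()))
    print(probe_tls("127.0.0.1", find_free_port()))
    # Against real hosts (placeholder names, as in the thread):
    # print(diagnose(("loadbalancermachine", 443), ("orionmachine", 443)))
```

`probe_tls` deliberately separates "refused" (no listener) from "handshake_failure" (a listener that does not complete TLS), since the thread's symptom is the second: the balancer accepts the TCP connection and then fails the handshake, while the same probe against an orion instance succeeds.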


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of elephantwalker
Sent: Thursday, June 28, 2001 2:22 PM
To: Orion-Interest
Subject: RE: clustering + ssl together


Greg,

I just tried this...

1. I assumed that ssl was completely broken for the loadbalancer. So I
stripped off the secure=true from my loadbalancer on port 443 and all of my
secure-web-site.xml backends.

2. I created a new orion instance with only the secure-web-site.xml in the
server.xml.

3. I modified the global-web-application.xml so that the only servlet and
mapping is this:

  <servlet>
   <servlet-name>tunnel</servlet-name>
   <servlet-class>com.evermind.server.http.TunnelServlet</servlet-class>
   <init-param>
    <param-name>targetRoot</param-name>
    <param-value>http://loadbalancermachine:443/</param-value>
   </init-param>
  </servlet>
  <servlet-mapping>
   <servlet-name>tunnel</servlet-name>
   <url-pattern>/*</url-pattern>
  </servlet-mapping>

4. I started the new "proxy" orion instance.

With my browser, I put https://proxymachine/

...

Voila! It worked!

It's a little slow, so you could probably do this with a reverse-proxy, ssl
apache to get faster response.

This is only a workaround, since the loadbalancer ssl is broken now.

Regards,

the elephantwalker

P.S. The only caveat here is the j2ee j_security_check won't work, but
otherwise, everything works. I don't understand why, though.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Greg Matthews
Sent: Wednesday, June 27, 2001 12:00 AM
To: Orion-Interest
Subject: Re: clustering + ssl together


ew,

using your example, i have tried the equivalent of
https://localhost/mysecuresite/login
which should have gone to port 443.

in the effort to "look under orion's covers".....

i've seen a -Djavax.net.debug=all flag mentioned in a previous post by
tomas anderson (27.6.01), and gave it a try but no extra output
appeared in orion. do you know what this is supposed to show?

do you know if there is a way to see where the request is getting up to?
can we do a netstat or something to see where the request is falling over
or what processes are listening on what ports?

greg.

----- Original Message -----
From: "elephantwalker" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: Wednesday, June 27, 2001 2:58 PM
Subject: RE: clustering + ssl together


> Greg,
>
> I just tried something which ALMOST worked. I tried the secure loadbalancer
> instance like this in the browser:
>
> http://localhost:443/mysecuresite/login.
>
> The secure loadbalancer showed a session id, and forwarded the request to
> the secure island! Of course the site didn't do anything, since it was
> looking for a handshake. It looks like the loadbalancer is just not doing
> its bit...it is refusing all connections which are secure.
>
> regards,
>
> the elephantwalker
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Greg Matthews
> Sent: Tuesday, June 26, 2001 3:00 PM
> To: Orion-Interest
> Subject: Re: clustering + ssl together
>
>
>
> ew,
>
> i was trying to run a single secure load balancer
> with its own load-balancer.xml.
>
> loadbalancer did register the 2 orions i'd set up to appear
> in the cluster, but after being able to see them appear on
> the loadbalancer screen, i was still unable to access my
> web app. the browser just sat there with the little IE
> symbol spinning, but no joy.
>
> all orions and the loadbalancer had their own keystore
> setup using a test certificate generated from thawte.com
>
> loadbalancer => secure and on port 443 (on box1)
> orion1 => secure and on port 443 (on box2)
> orion2 => secure and on port 8080 (on box1) !! but only in some experiments.
>
> i also tried various other configurations of the loadbalancer
> and cluster machines having secure on/off, etc. and
> swapping the port numbers around, e.g. when loadbalancer
> and orion2 were both running, they were both secure="true"
> but obviously only one can run on port 443 at one time, so
> i made orion2 run on port 8080 while secure="true" was set.
>
> i also had a look at apache for how to setup SSL but it looks
> like you've got to compile the mod in yourself for win32 so
> i've given that a miss for the moment.
>
> greg.
>
> ----- Original Message -----
> From: "elephantwalker" <[EMAIL PROTECTED]>
> To: "Orion-Interest" <[EMAIL PROTECTED]>
> Sent: Wednesday, June 27, 2001 2:48 AM
> Subject: RE: clustering + ssl together
>
>
> > Here are the <hiccups> in the plan so far...see below.
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of elephantwalker
> > Sent: Monday, June 25, 2001 1:29 AM
> > To: Orion-Interest
> > Subject: RE: clustering + ssl together
> >
> >
> > Greg,
> >
> > I am doing this now, so I will get back to the list when I am finished. This
> > is my working plan:
> >
> > 1. there are two loadbalancer instances, one for http and one for https.
> > These can be on the same machine or separate machines.
> >
> > <hiccup>
> >
> > At one level this works, but you have to set the minimumIsland/maximumIsland
> > so that each respective loadbalancer picks up either the https island or the
> > http island. However, https connections do not work. It could be because of
> > this blurb in the load-balancer.xml description:
> >
> > secure - Whether or not to use SSL. The default is false. SSL is only used
> > when using session (not IP) based balancing and the backend and the site is
> > using SSL. If you specify the balancer to use SSL then the backend servers
> > will not (the balancer converts to HTTP, ie contains the SSL layer). Note
> > that this puts the strain of decoding the SSL on the balancer.
> >
> > I'm sorry, but does this say that we have the option of NOT using SSL for
> > the balancer, but using it for the backend? Or if we use SSL for the
> > balancer, SSL isn't used on the backend (and thus we have to strip all of
> > the SSL configuration from the backend)?
> >
> > </hiccup>
> >
> >
> > 2. the ports for your web-sites can be different from your loadbalancer(s)
> > port. This allows you to have the loadbalancer and an orion instance on the
> > same machine, for example. Or the ports can be the same, in which case the
> > loadbalancer(s) has to be on a different machine.
> >
> > <hiccup>
> >
> > Since web-sites are load-balanced (not applications), it's important that
> > each *web-site.xml which you use have its own island. This is done by
> > setting the cluster-island attribute in the web-site tag. See above for
> > reference to min/max island ids for the loadbalancer. The port bit seems to
> > work. That is, the http web-site had a port of 10180, and the http
> > loadbalancer listened on port 80. This was no problem. So if you want to
> > have the loadbalancer and web-site on the same ip address, you will need to
> > set the website port to something else so they don't conflict.
> >
> > </hiccup>
> > 3. the same rules apply for the loadbalancer as orion for unix machines. You
> > need to use some port forwarding, like ipchains, if you want to run the
> > loadbalancer on a user account which is not the superuser. This applies also
> > for the ssl port. (skip 3 if you are using m$ or don't care)
> > 4. the ssl setup in the load-balancer.xml (see the ssl-config tag in the
> > load-balancer.xml documentation) is the same as the secure-web-site.xml, but
> > you will have to set the secure flag in the load-balancer tag. Obviously,
> > this means you will need a keystore for the loadbalancer, and a keystore for
> > the backend for total secure communication. I believe that the communication
> > to the backend is transparent to the user, so you can self certify that
> > connection, regardless of what those guys at verisign say.
> > 5. you can skip all of this and use apache for ssl (interesting, but slow).
> > This is what oracle advises, because they can't figure out orion, or they
> > have so much invested in the "apache/oracle" solution.
> >
> > <hiccup>
> >
> >  This option is looking better and better.
> >
> > </hiccup>
> >
> > I'm testing this now, as soon as I get through the hiccups, I will let the
> > list know.
> >
> > regards,
> >
> > the elephantwalker
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Greg Matthews
> > Sent: Sunday, June 24, 2001 3:02 PM
> > To: Orion-Interest
> > Subject: clustering + ssl together
> >
> >
> >
> > dear all,
> >
> > there has been a recent post on this but no solution posted.
> > i've got some more info on the problem.
> >
> > can the developers of orion or anyone else let me know
> > if anyone has successfully set up an ssl orion cluster?
> >
> > i can:
> > - set up clustering
> > - set up ssl
> >
> > ...but not both together.
> >
> > some clues.
> >
> > 1. on orionserver.com there is doco for load-balancer.xml that
> >     suggests loadbalancer.jar can be given SSL keystore information.
> >     does this mean that a clustered SSL setup requires loadbalancer
> >     to share the same keystore as each box in the cluster?
> >
> > 2. how do you set the web-site.xml for a clustered secure app.
> >
> >     you can't have both the loadbalancer + your secure app
> >     both running on port 443 on the same box, so what do you
> >     do?
> >         i) run loadbalancer on another port?
> >         ii) run your app on another port?
> >             - the orion doco says that when your app needs to
> >               be made secure you should add a secure="true"
> >               attribute to the web-site element of the web-site.xml
> >               plus remove the port attribute.
> >
> > if someone has made this work i'd be grateful for any information,
> > or if you couldn't be bothered explaining how to do it, just maybe
> > forward me your server.xml, loadbalancer.xml, web-site.xml and
> > i'll work it out from that.
> >
> > thanks.
> > greg.
> >
> >
> >
>
>
>
>