How do I exclude certain URIs from being encrypted by my content rules?

I have set up a CSS to redirect HTTP requests to HTTPS that is handled by SSL offloading.  On the back side, there is one WebSphere server that listens on port 7778.  The domain being handled is https://www.webtest.org.  The problem is that when you go to a URI that begins with /forms you get a gray box and nothing shows up (it's like a Java frame that never fills in).  I'm told that it's behaving like that because it cannot be encrypted--it's encrypted by WebSphere.  Is there a way to exclude a URI from being encrypted?  For example, encrypt everything at https://www.webtest.org except https://www.webtest.org/forms?

I've attached a code snippet.
CSS11501# sh run
!Generated on 01/31/2008 13:12:53
!Active version: sg0810106
 
configure
 
 
!*************************** GLOBAL ***************************
  ssl associate rsakey TR-Key TR-Key.pem
  ssl associate cert training-cert cert-training.pem
 
 
!************************* INTERFACE *************************
 
 
!************************** CIRCUIT **************************
 
 
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list proxy1
  ssl-server 10
  ssl-server 10 vip address aaa.bbb.150.96
  ssl-server 10 rsacert training-cert
  ssl-server 10 rsakey SCOTI-TR-Key
  ssl-server 10 cipher rsa-with-rc4-128-sha 172.16.20.100 7778
  active
 
!************************** SERVICE **************************
service service1
  ip address 172.16.156.4
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  active
 
service service2
  ip address 172.16.156.4
  protocol tcp
  port 7778
  keepalive type tcp
  keepalive port 7778
  active
 
service redirect-training
  ip address 1.1.1.1
  keepalive type none
  type redirect
  no prepend-http
  domain https://www.webtest.org
  active
 
service ssl-module
  type ssl-accel
  keepalive type none
  add ssl-proxy-list proxy1
  slot 2
  active
 
!*************************** OWNER ***************************
owner SCOTI
 
  content training-http
    vip address 172.16.20.100
    add service service2
    protocol tcp
    port 7778
    active
 
  content training-out
    vip address aaa.bbb.150.96
    protocol tcp
    port 80
    url "/*"
    add service redirect-training
    active
 
  content training-ssl
    vip address aaa.bbb.150.96
    port 443
    protocol tcp
    add service ssl-module
    active
 
!*************************** GROUP ***************************
group scoti-training
  vip address aaa.bbb.150.96
  add service service1
  active


stylosnetAsked:

HonorGodSoftware EngineerCommented:
It sounds like you need to configure the WebSphere resource to be available via HTTP (i.e., non-SSL).  If this is the case, then the following portion of the online documentation will probably help you:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/uwbs_providehttp.html
0
stylosnetAuthor Commented:
I'll have the server guys take a look at that and get back to you.  Thanks for your response!
0
HonorGodSoftware EngineerCommented:
I just hope that it helps.  Good luck
0
stylosnetAuthor Commented:
The WebSphere admins said it's actually OracleAS that's hosting the application.  I was told, by leadership, that I need to make this work on the CSS.  I have noted that a similar application being load-balanced by an F5 BigIP allows exclusions based on URI.

Looks like I'm back to needing help on how to do exclusions.  Thanks for any help!
0
stylosnetAuthor Commented:
I've discovered, via trial and error in the lab, how to exclude URIs from being encrypted.  Thanks for any feedback I got.
0
stylosnetAuthor Commented:
Okay, here's what I did:  I created separate content rules with the same VIP address and specified the URIs that I didn't want encrypted.  Instead of routing them to the service that is the SSL engine, I routed them directly to the required port on the back-end servers.
0
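
Added example (not part of the thread and not Cisco's own tooling): a small Python check that reads CSS content rules in the format posted above and lists the rules that hand traffic straight to a back-end service instead of the SSL module or the HTTPS redirect, which is the effect of the exclusion rules described in the last post. The `training-forms` rule, its port 80 and its use of `service2` are assumptions, since the post does not show the rule that was actually created.

```python
# Constructed sample: the page's services and rules, trimmed, plus a
# hypothetical "training-forms" exclusion rule (port and service are assumed).
SAMPLE_CONFIG = """\
service service2
  port 7778
service redirect-training
  type redirect
service ssl-module
  type ssl-accel
owner SCOTI
  content training-out
    vip address aaa.bbb.150.96
    port 80
    url "/*"
    add service redirect-training
  content training-forms
    vip address aaa.bbb.150.96
    port 80
    url "/forms/*"
    add service service2
  content training-ssl
    vip address aaa.bbb.150.96
    port 443
    add service ssl-module
"""

def cleartext_rules(config):
    """List (rule, url) for content rules that send traffic straight to a
    back-end service instead of the SSL module or an HTTPS redirect."""
    service_type, rules, kind, name = {}, {}, None, None
    for words in (line.split() for line in config.splitlines()):
        if not words or words[0].startswith("!"):
            continue
        if words[0] in ("service", "content") and len(words) == 2:
            kind, name = words
            if kind == "service":
                service_type[name] = "local"   # no "type" line: plain server
            else:
                rules[name] = {"url": None, "services": []}
        elif words[0] in ("owner", "group", "ssl-proxy-list"):
            kind = None                        # leave the previous block
        elif kind == "service" and words[0] == "type":
            service_type[name] = words[1]
        elif kind == "content" and words[0] == "url":
            rules[name]["url"] = words[1].strip('"')
        elif kind == "content" and words[:2] == ["add", "service"]:
            rules[name]["services"].append(words[2])
    return sorted((n, r["url"]) for n, r in rules.items() if any(
        service_type.get(s) not in ("ssl-accel", "redirect") for s in r["services"]))
```

Run against a saved `sh run` output, the returned list is the set of URI patterns to review each time a new exclusion rule is added.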
