• Status: Solved
  • Priority: Medium
  • Security: Public

How do I exclude certain URIs from being encrypted by my content rules?

I have set up a CSS to redirect HTTP requests to HTTPS that is handled by SSL offloading.  On the back side, there is one WebSphere server that listens on port 7778.  The domain being handled is https://www.webtest.org.  The problem is that when you go to a URI that begins with /forms you get a gray box and nothing shows up (it's like a Java frame that never fills in).  I'm told that it's behaving like that because it cannot be encrypted--it's encrypted by WebSphere.  Is there a way to exclude a URI from being encrypted?  For example, encrypt everything at https://www.webtest.org except https://www.webtest.org/forms?

I've attached a code snippet.
CSS11501# sh run
!Generated on 01/31/2008 13:12:53
!Active version: sg0810106
 
configure
 
 
!*************************** GLOBAL ***************************
  ssl associate rsakey TR-Key TR-Key.pem
  ssl associate cert training-cert cert-training.pem
 
 
!************************* INTERFACE *************************
 
 
!************************** CIRCUIT **************************
 
 
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list proxy1
  ssl-server 10
  ssl-server 10 vip address aaa.bbb.150.96
  ssl-server 10 rsacert training-cert
  ssl-server 10 rsakey SCOTI-TR-Key
  ssl-server 10 cipher rsa-with-rc4-128-sha 172.16.20.100 7778
  active
 
!************************** SERVICE **************************
service service1
  ip address 172.16.156.4
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  active
 
service service2
  ip address 172.16.156.4
  protocol tcp
  port 7778
  keepalive type tcp
  keepalive port 7778
  active
 
service redirect-training
  ip address 1.1.1.1
  keepalive type none
  type redirect
  no prepend-http
  domain https://www.webtest.org
  active
 
service ssl-module
  type ssl-accel
  keepalive type none
  add ssl-proxy-list proxy1
  slot 2
  active
 
!*************************** OWNER ***************************
owner SCOTI
 
  content training-http
    vip address 172.16.20.100
    add service service2
    protocol tcp
    port 7778
    active
 
  content training-out
    vip address aaa.bbb.150.96
    protocol tcp
    port 80
    url "/*"
    add service redirect-training
    active
 
  content training-ssl
    vip address aaa.bbb.150.96
    port 443
    protocol tcp
    add service ssl-module
    active
 
!*************************** GROUP ***************************
group scoti-training
  vip address aaa.bbb.150.96
  add service service1
  active

Asked by: stylosnet
 
HonorGod Commented:
It sounds like you need to configure the WebSphere resource to be available via HTTP (i.e., non-SSL).  If this is the case, then the following portion of the online documentation will probably help you:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/uwbs_providehttp.html
 
stylosnet (Author) Commented:
I'll have the server guys take a look at that and get back to you.  Thanks for your response!
 
HonorGod Commented:
I just hope that it helps.  Good luck
 
stylosnet (Author) Commented:
The WebSphere admins said it's actually OracleAS that's hosting the application.  I was told, by leadership, that I need to make this work on the CSS.  I have noted that a similar application being load-balanced by an F5 BigIP allows exclusions based on URI.

Looks like I'm back to needing help on how to do exclusions.  Thanks for any help!
 
stylosnet (Author) Commented:
I've discovered, via trial and error in the lab, how to exclude URIs from being encrypted.  Thanks for any feedback I got.
 
stylosnet (Author) Commented:
Okay, here's what I did:  I created separate content rules with the same VIP address and specified the URIs that I didn't want encrypted.  Instead of routing them to the service that is the SSL engine, I routed them directly to the required port on the back-end servers.
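
The approach described in the comment above, written out as an added example (not the poster's actual configuration): a second content rule on the same VIP that matches the excluded URI and points at the back-end service instead of the HTTPS redirect. The rule name training-forms, the "/forms/*" pattern and the choice of the port-80 VIP are assumptions; requests matching this rule never pass through the SSL module, so they travel between client and CSS unencrypted.

```text
owner SCOTI

  ! Existing catch-all rule from the posted configuration:
  ! every other port-80 request is redirected to HTTPS
  content training-out
    vip address aaa.bbb.150.96
    protocol tcp
    port 80
    url "/*"
    add service redirect-training
    active

  ! Added rule (hypothetical name): same VIP, more specific URL.
  ! /forms is excluded from the redirect and sent straight to the
  ! back-end listener on port 7778 (service2) instead of ssl-module
  content training-forms
    vip address aaa.bbb.150.96
    protocol tcp
    port 80
    url "/forms/*"
    add service service2
    active
```

The exclusion is placed on port 80 because the URI of a request arriving on port 443 is inside the encrypted stream and is not visible to a content rule until the SSL module has decrypted it.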