5 Replies Latest reply on Jan 10, 2017 9:42 PM by Rafael Soares (Tuelho)

    JBoss 7.1 behind F5 BigIP load balancers

    francoisbegin Newbie

      I am fairly new to JBoss and up to this point, we have only been using a single 6.x server in standalone mode. We now want to put two JBoss 7.1 servers (both running in standalone mode) behind an F5 load balancer. The F5 holds the SSL cert for our domain, security-dev.tsl.domain.com. Both back end hosts have CA-signed certs:

       

           sddijboss7pr-01.tsl.domain.com:8443

           sddijboss7pr-02.tsl.domain.com:8443

       

      I can get to https://sddijboss7pr-02.tsl.domain.com:8443 and JBoss responds with the default page. The F5 is configured with an https monitor and it can see the two back end nodes as listening to ports 8443 with valid certs. So far so good but when I hit  https://security-dev.tsl.domain.com in a browser though, I get

       

          The connection was reset

          The connection to the server was reset while the page was loading.

       

      And turning on verbose debugging in jboss show nothing besides the F5 monitors checking the certs on the back end nodes to ensure the service is available. If I access https://security-dev.tsl.domain.com/test.html, I would expect to see this request make it to one of the back end node. The page does not exist and I would therefore expect to see a 404 reply. But I see nothing. The request never seems to make it to the back end JBoss servers. The flow should be 

       

         Client browser

            ->  F5 (https://security-dev.tsl.domain.com)

               -> One of the JBoss server on port 8443

                  -> Back to the F5

                     -> Back to the client browser

       

      There is encryption between the client browser and the F5 and another (different) encryption communication between the F5 and the nodes.

       

      Here is the entry under socket-binding-group

       

         <socket-binding name="https" port="8443"/>

       

      Here is the subsystem/connector entry

       

      <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">

                  <connector

                              name="https"

                              protocol="HTTP/1.1"

                              scheme="https"

                              socket-binding="https"

                              secure="true">

                      <ssl

                              name="tomcat-ssl"

                              key-alias="tomcat"

                              password="--PWD--"

                              certificate-key-file="/opt/jboss/ssl/sddijboss7pr-02.key"

                              protocol="TLS"/>

                  </connector>

                  <virtual-server name="default-host" enable-welcome-root="true"/>

              </subsystem>

       

      What am I missing?

       

      François

        • 1. Re: JBoss 7.1 behind F5 BigIP load balancers
          francoisbegin Newbie

          Well, never trust a network guy...

           

          The above setup was indeed all that was required on my 2 nodes but the F5 was missing a route to the nodes.

           

          Everything is now working correctly.

          • 2. Re: JBoss 7.1 behind F5 BigIP load balancers
            Randy Moran Newbie

            Hi Francois,

             

            I noticed in your configuration you have both sides of the communication encrypted (client to F5 and F5 to node). I'm running a similar configuration and am having some issues. The main problem seems to be this: The jboss application wants user certs from the client which it then should pass to another authentication server elsewhere on the network. The load balancer is configured to take that client-provided user cert, insert it into the http header, and re-encrypt the traffic back to the Jboss node. What we want to happen is that the jboss node would then de-crypt the packet, inspect the http header for the user cert, then send THAT cert to the authentication server. What appears to be happening is that the Jboss server takes the cert provided by the BigIP for the initial ssl transaction and sends that one to the authentication server.

             

            This is a shot in the dark and I'm sure you're a busy person but I was hoping you might have some insight into this kind of setup.

             

            Thanks!

             

            Randy

            • 3. Re: JBoss 7.1 behind F5 BigIP load balancers
              francoisbegin Newbie

              Sorry, that is beyond me. The F5 configuration in my case was done by a separate team. It is a plain vanilla F5-in-the-middle for SSL, with two separate SSL cert transactions: client to F5 (where the real SSL cert of the site is found) then F5 to backend node (where it is the F5 that initiate a separate SSL connectin to the node and trusts the node's host certs). By the time you hit the nodes, they think that the connection was made by the F5 and not the client. You might find some hints as to whether what you want to do is feasible or note at DevCentral (devcentral.f5.com) from an F5 perspective. As for the alternative (manipulating the SSL session on Jboss itself to achieve what you want), I have no idea if this is possible.

               

              • 4. Re: JBoss 7.1 behind F5 BigIP load balancers
                Anandababu Bolisetti Newbie

                Hi Francois,

                 

                We are also trying to Loab Balance Liferay Portal Servers bundled with Jboss 7.1.1 using F5. When we try reaching the Load Balancer host and port, we are observing a strange behaviour.

                 

                If we try to reach https://<<Loadbalancer_Host>>:<<Loadbalancer_Port>>, we are being redirected to https://<<Loadbalancer_Host>>:<<Liferay_Port>>/c/portal/layout page.

                 

                We have configured the certificates properly on both the jboss servers and they are accessible individually without any issues.

                 

                We are not able to identify whether this is issue with the profile we configured on F5 or are we missing the configuration on Jboss.

                 

                Regards,

                Anand.

                • 5. Re: JBoss 7.1 behind F5 BigIP load balancers
                  Rafael Soares (Tuelho) Novice

                  randymoran I believe you can achieve this using the approach described here: SSLMod_proxyForwarding

                  This approach is used in the apache httpd mod_cluster context, but you can follow the same path (using the same Http headers) on F5 side.