Forum Discussion

dianasy_22580
Feb 15, 2013

SSL all the way thru webserver and websphere

Hello All,

I have been recently researching security and how to implement it correctly in our environment. Here is the scenario:

browser connects through https -----> F5 (terminates SSL) ---http---> Apache 2.2 (http) ---http--> WebSphere Portal (http)
                                       \
                                        \/

Case 1. In between making a connection from the F5 to Apache, the authentication happens in the cloud with a product that does two-factor authentication.

Case 2. The user is not in the highly protected flow, therefore is redirected to Oracle Access Manager to get credentials.

Either way, the end result is a cookie inserted into the browser that is used throughout the session.

Also note: when running a trace, all the requests go through https.

And first of all, I apologize for my lack of knowledge on this topic; I am still learning it and gathering information. My questions are:

1. Is it a security problem that the connection between the F5 and Apache is unencrypted? This is an internal network and the network team are doing some security on their side. Is that going to be enough? Can anyone within the internal network sniff the packets and steal the information (intentionally or unintentionally)? The same goes for the connection between Apache and WebSphere Portal.

2. A follow-up question: though it is good to have SSL all the way through, it is taxing, and I am concerned about the performance hit.

3. In the scenario above, in case 2, even though I see https and again the F5 is offloading SSL, when I run a trace (Live HTTP Headers in particular) I see a clear-text username and password when I log in. That is my real concern.

I have many other follow-up questions that I can come up with; can anyone please help me figure this out?

Thanks,

Dee.

1 Reply

Dee,

1) Probably; that depends on your security policy and the data, of course. Yes, anyone can sniff/packet-capture the data. Yes, the same goes for Apache to WebSphere.

2) There may be a performance hit on the servers (the F5 won't break a sweat), but you'll only be able to judge this by testing, I would have thought.

3) LiveHTTPHeaders is displaying the data after the browser has decrypted it (as with all the relevant HTTP content). To confirm it is encrypted (which I'm sure it is), run Wireshark on the PC and capture traffic to the F5; it'll be clear it's encrypted.
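The following is an added example, not code from the thread or from F5, Apache or IBM. It makes the reply's point 3 and the question's point 1 concrete: a tool inside the browser (Live HTTP Headers) always shows the login in clear because it reads the request after TLS has been stripped, whereas a passive tap on the wire recovers nothing from the browser-to-F5 hop but recovers the username, the password and the session cookie from the F5-to-Apache hop in the layout described above. The TCP payloads, the host name, the paths, the form field names and the cookie name are all constructed for illustration and are not taken from the thread.

```python
"""Added example, not from the original thread: what a passive capture on each
hop of the layout above actually recovers from the login.

LiveHTTPHeaders runs inside the browser, after TLS has been removed, so it will
show the form fields in clear no matter how the wire is protected. A tap on the
wire is the honest test: between the browser and the F5 it sees TLS records,
while on the F5 -> Apache and Apache -> WebSphere hops it sees the same POST,
and the session cookie coming back, in clear text. Payloads, host names, paths,
field names and cookie names below are constructed for illustration.
"""
from urllib.parse import parse_qs

# Constructed: one TCP segment as seen on the F5 -> Apache hop (plain HTTP).
CLEAR_HOP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: portal.example.internal\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"username=dee&password=Secret%2123"
)

# Constructed: the reply on the same hop, carrying the session cookie in clear.
CLEAR_HOP_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: SSOSESSION=a1b2c3d4e5f6; Path=/; HttpOnly\r\n"
    b"Location: /wps/myportal\r\n"
    b"\r\n"
)

# Constructed: one TLS application_data record (type 0x17, version 3.3, 32 bytes
# of ciphertext) as seen on the browser -> F5 hop for the very same POST.
TLS_HOP = bytes.fromhex("1703030020"
                        "9f3a1c77e0b2d4558a61fe0c3b9d27e4"
                        "a0f1c8b35d6e2a7904ff18c2d3e5a6b7")

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # CCS, alert, handshake, app data
HTTP_STARTS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")
MAX_TLS_RECORD = 16384 + 2048                   # plaintext limit plus expansion


def classify(segment: bytes) -> str:
    """Label the start of a TCP payload as 'tls', 'http' or 'unknown'.

    Checks the 5-byte TLS record header (content type, version 3.x, length);
    a capture tool does the same thing before deciding how to dissect.
    """
    if (len(segment) >= 5 and segment[0] in TLS_CONTENT_TYPES
            and segment[1] == 0x03 and segment[2] <= 0x04):
        declared = int.from_bytes(segment[3:5], "big")
        if 0 < declared <= MAX_TLS_RECORD:
            return "tls"
    if segment.startswith(HTTP_STARTS):
        return "http"
    return "unknown"


def leaked_secrets(segment: bytes) -> dict:
    """What an observer on this hop recovers from one segment.

    TLS: nothing beyond the record type and length. Clear HTTP: every form
    field of a urlencoded login and any Cookie / Set-Cookie header, which is
    exactly the session token the thread says is reused for the whole session.
    """
    kind = classify(segment)
    result = {"kind": kind, "fields": {}, "cookies": []}
    if kind != "http":
        return result
    head, _, body = segment.partition(b"\r\n\r\n")
    headers = head.decode("ascii", "replace").split("\r\n")[1:]
    if any(h.lower().startswith("content-type: application/x-www-form-urlencoded")
           for h in headers):
        # parse_qs undoes percent-encoding, so 'Secret%2123' comes back as 'Secret!23'
        result["fields"] = {k: v[0] for k, v in
                            parse_qs(body.decode("utf-8", "replace")).items()}
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() in ("cookie", "set-cookie"):
            result["cookies"].append(value.strip())
    return result


if __name__ == "__main__":
    for label, segment in (("browser -> F5", TLS_HOP),
                           ("F5 -> Apache (request)", CLEAR_HOP),
                           ("F5 -> Apache (response)", CLEAR_HOP_RESPONSE)):
        print(f"{label:26} {leaked_secrets(segment)}")
```

To repeat the check on real traffic, capture on the Apache host (for example tcpdump on port 80 and on the port WebSphere listens on) and feed the TCP payloads to `leaked_secrets`: a hop that prints the fields and cookie is the one anyone with a tap or a span port on that segment can read, and is the hop to re-encrypt (server-side SSL from the F5 to Apache, and SSL from Apache to WebSphere). The check only tells you whether a hop is encrypted, not whether either end validates the other's certificate, which is a separate thing to configure once re-encryption is in place.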