SSL offloader device in front of your Connections environment

Larger companies often have technical tools such as SSL offloaders available:
dedicated SSL decryptor hardware that you can use to decrypt the SSL traffic.
SSL offloading decrypts the HTTPS traffic and forwards it onward as plain HTTP.

An example of such a device is the Citrix Netscaler appliance.

By using such a device you take the load of the SSL decryption process off
your IHS webserver, so the IHS webserver itself can handle more load.

I noticed in situations* with an SSL offloader in front that IHS was capable of handling twice
the load compared with the situation where IHS took care of the SSL decryption process itself.
In both situations we pushed IHS to the limit of its CPU processing capacity.

( *Lotus Connections 2.5 environment with forceConfidentialCommunications = "true"
   and ssl_enabled="true" for all LC parts. )

The only caveat you will run into with Lotus Connections and SSL offloading
is that WAS/Connections demands SSL traffic. If a request does not arrive as HTTPS,
it will try to do the request again over HTTPS.

That causes a loop: the repeated request again passes through the SSL offloader
device, which decrypts the HTTPS traffic and forwards it in HTTP to
WebSphere/Connections. From there the whole thing starts over, and the request
is stuck in an infinite loop.

To get around this you have to find a way to convince WebSphere/Connections
that HTTPS decryption has already been done.

For this you can configure a custom WebContainer property called HttpsIndicatorHeader.
Its value is the name of an HTTP header; when that header is present on a request,
WebSphere/Connections accepts the traffic because HTTPS decryption has already been done.

See the following document for an explanation of this feature.

http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PQ86347

Please note that the above URL describes WAS 5.1. The feature still exists in later
versions of WAS, but in WAS 6.1.0.23 you have to use the property name
without the capital H, so it becomes httpsIndicatorHeader.

The next thing to do is to add this HTTP header to all requests destined for the
WAS/Connections box. You can do this on the SSL offloader device (Citrix
Netscaler is capable of doing this), but you can also do it on the IHS webserver
by making use of the headers module (mod_headers). See the link below.

http://httpd.apache.org/docs/2.0/mod/mod_headers.html#requestheader
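The IHS-side variant of this, as an added example that is not part of the original post or of any IBM/Citrix documentation: an httpd 2.0 configuration fragment using mod_headers together with mod_setenvif. It assumes the offloader forwards plain HTTP to IHS from the address 10.0.0.5 (a constructed value), and that the WebContainer custom property (HttpsIndicatorHeader, or httpsIndicatorHeader on 6.1.0.23) has been set to the header name X-SSL-Offloaded, a name chosen for this example. The important detail from a security point of view is that the indicator header is first stripped from every incoming request and only then added for requests that really came through the offloader; otherwise any client that can reach IHS directly could send the header itself and have WAS treat a plain HTTP request as if it had been encrypted.

```apache
# Added example, not from the original post. IHS / Apache httpd 2.0 fragment.
# Assumptions (constructed for this example):
#   - the SSL offloader forwards decrypted HTTP to IHS from 10.0.0.5
#   - the WebContainer property HttpsIndicatorHeader is set to "X-SSL-Offloaded"
LoadModule headers_module  modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so

# Mark requests that actually arrived from the offloader's address.
SetEnvIf Remote_Addr "^10\.0\.0\.5$" via_offloader

# Never trust an indicator header supplied by the client: strip it from every
# request first ...
RequestHeader unset X-SSL-Offloaded

# ... then add it only for requests that came through the offloader.
# WAS checks for the presence of the header, so the value itself is a
# constructed choice here; it must match what is configured on the offloader.
RequestHeader set X-SSL-Offloaded "true" env=via_offloader
```

Both RequestHeader directives live in the same context and are applied in configuration order, so the unset always runs before the conditional set. This only closes the hole on the IHS path: if the WAS/Connections transport port is reachable without passing through IHS or the offloader, restrict that at the network level as well, because WAS itself cannot tell a genuine indicator header from a forged one.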


One Response to SSL offloader device in front of your Connections environment

  1. Erik says:

    Nice – thanks for the post. We were kicking around the idea of offloading SSL to our F5s – so this is good to know.
