Service Proxy SSL config / truststore cert placement & Load Balancers


Sathish Ganesan

4 Jan 2016 05:56:33
to membrane-monitor
Hello Everyone,

Sorry to keep spamming this forum with questions.

My previous topic was answered and I made it work. :) 

Now I have two questions:

1. SSL configuration 

Setup info:
JBoss + Membrane proxy (WAR) + SSL configured
Tomcat (SSL configured)
Scenario:
When a service proxy is visited, it must be redirected to the Tomcat homepage (SSL)
Result:
So when I try to hit the service proxy, the Tomcat homepage shows up with normal HTTP configuration in Tomcat (80)
And when I try to make them secure (443), the page is redirected successfully. (By placing the truststore config in /WEB-INF/ as suggested in the previous post by Tobbias)

However, when I try to extract the path of the truststore certificate to outside the WAR file, the resource retrieval fails to load that.
We cannot place the *.jks file into the WAR file in a production environment.

What should be done to place the truststore outside the war file?

Exception:
org.springframework.context.ApplicationContextException: Failed to start bean 'router'; nested exception is java.lang.RuntimeException: java.lang.RuntimeException: com.predic8.membrane.core.resolver.ResourceRetrievalException: null while retrieving ///C:/proj/security/tomcat-ssl/jboss.jks
org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:176)
org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:51)
org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:346)
org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:149)
org.springframework.context.support.DefaultLifecycleProcessor.start(DefaultLifecycleProcessor.java:91)
org.springframework.context.support.AbstractApplicationContext.start(AbstractApplicationContext.java:1276)
com.predic8.membrane.servlet.RouterUtil.initializeRoutersFromSpringWebContext(RouterUtil.java:43)
com.predic8.membrane.servlet.embedded.MembraneServlet.init(MembraneServlet.java:49)
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
java.lang.Thread.run(Thread.java:745)


2. When I have multiple clusters, the nodes are not picked up by the LoadBalancingInterceptor other than the Default cluster.
Scenario:

    <clusters>
        <cluster>
            <node host="localhost" port="4000"/>
        </cluster>
        <cluster name="Cluster2">
            <node host="localhost" port="4010"/>
            <node host="localhost" port="4011"/>
            <node host="localhost" port="4012"/>
        </cluster>
    </clusters>


LoadBalancingInterceptor picks up only localhost:4000 and doesn't pick up other nodes from Cluster2.

What should be done to pick all other nodes from multiple clusters?


Thanks in advance,
Sathish G