SSL CLIENT CACHING MAY USE WRONG CREDENTIALS WHEN MULTIPLE SSL PROXY PROFILES ARE USED TO THE SAME IP/PORT BY AN XML MANAGER
An XML Manager using multiple SSL Proxy Profiles for connections to the same IP address and port number, may result in SSL connections presenting the wrong certificate if 'Client-side Session Caching' is enabled.
SSL connection errors may occur.
This problem can occur because each XML Manager maintains the SSL session cache based on the IP address and port of the SSL connections. So if there exists multiple SSL Proxy Profiles under the same XML Manager, it can cause the wrong SSL credentials (certificate) to be sent when connecting to the same IP address and port.
For example, the problem can be encountered if all of the following conditions exist:
a) MPGW-Test is configured with a dynamic backend and uses XML Manager-Test
b) The dynamic backend is set to either:
http://126.96.36.199:4545 using SSL-Proxy-Profile-A or http://188.8.131.52:4545 using SSL-Proxy-Profile-B.
c) Each SSL Proxy Profile has 'Client-side Session caching' enabled.
Resolving the problem
One of the following options can be used to avoid this issue:
1) Disable 'Client-side Session Caching' in the SSL Proxy Profile.
2) Assign a unique IP/port pair on the backend server for each SSL Proxy Profile.
3) Use a distinct XML manager for each SSL Proxy Profile by creating 'chained' servicing. This would mean adding a service (i.e XML Firewall) behind the current 'client-facing' service. The XMLFW would then use a single SSL Proxy Profile and its own unique XML manager to forward the request to the backend server.
4) Upgrade to firmware version 6.0 or higher for the official fix - APAR IC82397.
Translate this page: