General server errors while making updates in CDD

Products

Continuous Delivery Director

Issue/Introduction

After upgrading from CDD 6.6 to 8.2 we are attempting to update the value of a Release Token. It results in a "General server error".

Environment

Release : 8.2

Component : CONTINUOUS DELIVERY DIRECTOR

Cause

When making updates in CDD, CDD:

Compares the Origin Header to the following values used in the settings.properties file:
- cdd.url.port
- cdd.url.schema
- cdd.url.virtual_ip
Compares the Origin header to the servlet request received by CDD.

If the second test fails it will generate an error in the cdd-server log.

For example:

An environment may have an environment that involves the following:

Client Chrome Browser -----(HTTPS)----> F5 ---(HTTP)---> CDD Tomcat Service

The above indicates that the chrome browser is accessing CDD using HTTPS. That request is handled by an F5 load balancer that is terminating the https session and therefore sends the request to CDD over http. In this case the error in the log shows the following error:

WARN com.ca.rp.utils.HttpOriginValidator - Origin header : https://<servername>.com
WARN com.ca.rp.utils.HttpOriginValidator - Forwarded Header: null
WARN com.ca.rp.utils.HttpOriginValidator - X-Forwarded-Host Header: null
WARN com.ca.rp.utils.HttpOriginValidator - X-Forwarded-Port Header: null
WARN com.ca.rp.utils.HttpOriginValidator - X-Forwarded-Proto Header: null
WARN com.ca.rp.utils.HttpOriginValidator - Servlet Request: http, <servername>, 80
ERROR c.c.r.w.f.OriginVerificationFilter - Failed session request based on its origin/referer. You may clear the JSESSIONID,CDDSESSIONID cookies request header, logout from the related CDD session, verify that the login URL matches the URL used for installation, or update 'cdd.url.*' configuration in settings.properties. Internal exception: [Access to resource '/cdd/design/00000000-0000-0000-0000-000000000000/v1/releases/<releaseId>/tokens/<tokenId>' is forbidden to 'https://<servername>.com', verified by origin header. Reason(s): Scheme 'http' was not as expected Port '80' was not as expected ]
com.ca.rp.exceptions.rest.ValidationException: Access to resource '/cdd/design/00000000-0000-0000-0000-000000000000/v1/releases/<releaseId>/tokens/<tokenId>' is forbidden to 'https://<servername>.com', verified by origin header. Reason(s): Scheme 'http' was not as expected Port '80' was not as expected
at com.ca.rp.utils.HttpOriginValidator.validateOriginHeader(HttpOriginValidator.java:87)

Resolution

The following values (in .cdd/conf/settings.properties) should be equal to the the Origin header:

cdd.url.port
cdd.url.schema
cdd.url.virtual_ip

In the example given in the messages above (WARN com.ca.rp.utils.HttpOriginValidator - Origin header : https://<servername>.com), it should be:
cdd.url.port=443
cdd.url.schema=https
cdd.url.virtual_ip=<servername>.com

However, because we later see that the F5 is terminating the https connection and converting it to http:

F5 needs to either:
- Change the HTTP Origin header (if it is going to terminate the https and convert to http); or
- Do not terminate the https connection and make sure CDD is configured with a HTTPS Connector (via tomcat/conf/server.xml)
Update .cdd/conf/settings.properties with the appropriate information - based on the appropriate HTTP Origin header being used/set by F5.
- For example, if F5 continues to terminate the https connection and converts it to http then the settings in this file should look like:
  - cdd.url.port=<port used by F5 team while setting Origin header>
  - cdd.url.schema=http
  - cdd.url.virtual_ip=<servername>.com

If an immediate workaround is needed then please contact technical support for "Internal Notes" relating to settings.properties entries that can be used temporarily to bypass the security checks performed.