General server errors while making updates in CDD

Article ID: 225627
Products

Continuous Delivery Director

Issue/Introduction

After upgrading from CDD 6.6 to 8.2 we are attempting to update the value of a Release Token. It results in a "General server error".

Cause

When making updates in CDD, CDD:

  1. Compares the Origin Header to the following values used in the settings.properties file: 
    • cdd.url.port
    • cdd.url.schema
    • cdd.url.virtual_ip
  2. Compares the Origin header to the servlet request received by CDD. 

 

If the second test fails it will generate an error in the cdd-server log.

 

For example: 

An environment may have a topology like the following:

Client Chrome Browser -----(HTTPS)---->   F5   ---(HTTP)--->  CDD Tomcat Service

The above indicates that the Chrome browser is accessing CDD using HTTPS. That request is handled by an F5 load balancer that terminates the HTTPS session and therefore sends the request to CDD over HTTP. In this case the log shows the following error:

WARN  com.ca.rp.utils.HttpOriginValidator - Origin header : https://<servername>.com
WARN  com.ca.rp.utils.HttpOriginValidator - Forwarded Header: null
WARN  com.ca.rp.utils.HttpOriginValidator - X-Forwarded-Host Header: null
WARN  com.ca.rp.utils.HttpOriginValidator - X-Forwarded-Port Header: null
WARN  com.ca.rp.utils.HttpOriginValidator - X-Forwarded-Proto Header: null
WARN  com.ca.rp.utils.HttpOriginValidator - Servlet Request: http, <servername>, 80
ERROR c.c.r.w.f.OriginVerificationFilter - Failed session request based on its origin/referer. You may clear the JSESSIONID,CDDSESSIONID cookies request header, logout from the related CDD session, verify that the login URL matches the URL used for installation, or update 'cdd.url.*' configuration in settings.properties. Internal exception: [Access to resource '/cdd/design/00000000-0000-0000-0000-000000000000/v1/releases/<releaseId>/tokens/<tokenId>' is forbidden to 'https://<servername>.com', verified by origin header. Reason(s): Scheme 'http' was not as expected Port '80' was not as expected ]
com.ca.rp.exceptions.rest.ValidationException: Access to resource '/cdd/design/00000000-0000-0000-0000-000000000000/v1/releases/<releaseId>/tokens/<tokenId>' is forbidden to 'https://<servername>.com', verified by origin header. Reason(s): Scheme 'http' was not as expected Port '80' was not as expected
        at com.ca.rp.utils.HttpOriginValidator.validateOriginHeader(HttpOriginValidator.java:87)

 

 

Environment

Release : 8.2

Component : CONTINUOUS DELIVERY DIRECTOR

Resolution

The following values (in .cdd/conf/settings.properties) should be equal to the Origin header:

  • cdd.url.port
  • cdd.url.schema
  • cdd.url.virtual_ip
 
In the example given in the messages above (WARN  com.ca.rp.utils.HttpOriginValidator - Origin header : https://<servername>.com), it should be:
cdd.url.port=443
cdd.url.schema=https
cdd.url.virtual_ip=<servername>.com

 

However, because the log shows that the F5 is terminating the HTTPS connection and converting it to HTTP:

  • F5 needs to either:
    • Change the HTTP Origin header (if it is going to terminate the HTTPS connection and convert it to HTTP); or
    • Not terminate the HTTPS connection, in which case make sure CDD is configured with an HTTPS Connector (via tomcat/conf/server.xml)
  • Update .cdd/conf/settings.properties with the appropriate information, based on the HTTP Origin header being used/set by F5.
    • For example, if F5 continues to terminate the HTTPS connection and converts it to HTTP then the settings in this file should look like:
      • cdd.url.port=<port used by F5 team while setting Origin header>
      • cdd.url.schema=http
      • cdd.url.virtual_ip=<servername>.com
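
To see which side of the comparison is out of step before editing settings.properties or the F5 configuration, the two checks described under Cause can be reproduced offline from the cdd.url.* values and the HttpOriginValidator WARN lines. This is an added example, not CDD's own code: it approximates the comparison as the article describes it, the function names are hypothetical, and cdd.example.com is a constructed stand-in for <servername>.com.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
FIELDS = ("scheme", "host", "port")

# Constructed sample input: cdd.example.com stands in for <servername>.com.
SAMPLE_SETTINGS = """cdd.url.port=443
cdd.url.schema=https
cdd.url.virtual_ip=cdd.example.com
"""
SAMPLE_LOG = """WARN  com.ca.rp.utils.HttpOriginValidator - Origin header : https://cdd.example.com
WARN  com.ca.rp.utils.HttpOriginValidator - Servlet Request: http, cdd.example.com, 80
"""

def origin_tuple(origin):
    """Split an Origin header into (scheme, host, port); an omitted port means the scheme default."""
    url = urlsplit(origin)
    scheme = url.scheme.lower()
    return scheme, (url.hostname or "").lower(), url.port or DEFAULT_PORTS.get(scheme)

def settings_tuple(text):
    """Read cdd.url.schema, cdd.url.virtual_ip and cdd.url.port from settings.properties text."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    port = props.get("cdd.url.port", "")
    return (props.get("cdd.url.schema", "").lower(),
            props.get("cdd.url.virtual_ip", "").lower(),
            int(port) if port.isdigit() else None)

def log_tuples(log):
    """Extract the Origin header and the servlet request from HttpOriginValidator WARN lines."""
    origin = re.search(r"Origin header\s*:\s*(\S+)", log)
    servlet = re.search(r"Servlet Request:\s*(\w+),\s*([^,\s]+),\s*(\d+)", log)
    if not origin or not servlet:
        raise ValueError("no HttpOriginValidator lines found")
    scheme, host, port = servlet.groups()
    return origin_tuple(origin.group(1)), (scheme.lower(), host.lower(), int(port))

def diagnose(settings_text, log):
    """List the fields where the Origin header disagrees with the settings and with the servlet request."""
    origin, servlet = log_tuples(log)
    others = {"origin_vs_settings": settings_tuple(settings_text), "origin_vs_servlet": servlet}
    return {name: [f for f, a, b in zip(FIELDS, origin, other) if a != b]
            for name, other in others.items()}
```

Calling diagnose(SAMPLE_SETTINGS, SAMPLE_LOG) reports no mismatch against the settings but a scheme and port mismatch against the servlet request, which is the TLS-terminating load balancer case described above.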

 

If an immediate workaround is needed then please contact technical support for "Internal Notes" relating to settings.properties entries that can be used temporarily to bypass the security checks performed.