Webapp with loadbalancer. Possible configuration using HTTPS and OC WebServer not allowed to send requests to LB server

Article ID: 234348

Updated On:

Products

CA Spectrum

Issue/Introduction

The customer wants the OneClick webapp to work over HTTPS through a LB (load-balancer) server. Between the LB server and the OC server there is a firewall that does not allow OCWS (OneClick WebServer) communications toward the LB server.

Articles 200661 and 231487 

https://knowledge.broadcom.com/external/article?articleId=200661

https://knowledge.broadcom.com/external/article?articleId=231487

describe possible webapp implementations in HTTP/HTTPS in a LB environment, but they do not consider the case where the OC WebServer is not allowed to send requests to the LB server.


Environment

Release : 21.2

Component : Spectrum OneClick

Cause

In theory, the flow to access the webapp is:

Client Browser -> LB:8080 -> OCWS:8443 -> Webapp:9443 -> OCWS:8443 to launch the webapp. The LB should come into the picture only once, at the beginning; thereafter OCWS and the webapp should communicate with each other internally.

But currently the flow is the following:

Client Browser->LB:8080->OCWS:8443->LB:9443->Webapp:9443->LB:9443->OCWS:8443 to launch webapp.

1) The browser calls the webserver admin page https://<LB-Name>:<port>/Spectrum (Tomcat SSL port).

2) The admin page comes up fine.

3) The user clicks on OneClickWebapp --> the OC Webserver tries to call the webapp through the URL https://<LB-Name>:<port>/Spectrum (webtomcat SSL port).

Due to the firewall this fails, e.g.:

spectrum-test.domain.com is the LB server FQDN

9443 is the webtomcat SSL port specified in server.xml


Feb 03, 2022 11:03:08.745 (https-jsse-nio-443-exec-40) -  Request Server : spectrum-test.domain.com protocol : https

Feb 03, 2022 11:03:08.745 (https-jsse-nio-443-exec-40) - Non-Docker environment, hence launching webapp with server name : spectrum-test.domain.com

Feb 03, 2022 11:03:08.745 (https-jsse-nio-443-exec-40) - WebApp URL being called :https://spectrum-test.domain.com:9443/spectrum

java.net.ConnectException: Connection timed out: connect

               at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)

               at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85)

               at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)

               at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)

               at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)

               at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)

4) The OC WebServer then tries to launch https://localhost:9443/Spectrum on localhost.

This call fails with an IOException because localhost is not specified in the certificate, resulting in the following error:

Adding localhost to the CN= or SAN= field of the certificate may not be an option, as it may represent a security exposure.

How can the issue be worked around?

Resolution

1) Add the LB server hostname/FQDN to the certificate's SAN DNS names, in addition to the OC hostname/FQDN.

2) On the OC server, modify the etc/hosts file so that the LB hostname/FQDN (the URL entered in the browser) resolves to the IP address of the OC server itself.
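The two steps above only work together: the LB FQDN must resolve, on the OC server, to the OC server itself, and the OneClick certificate must present that same FQDN in its SAN so that TLS hostname verification succeeds when OCWS calls https://<LB-FQDN>:9443 and lands on its own webtomcat. The following added example (not part of this article or of CA Spectrum) is a pre-flight check for both conditions. It parses an etc/hosts-style text and a list of SAN DNS names, applies RFC 6125-style DNS-ID matching (exact or a single leftmost wildcard label), and also flags a certificate that lists localhost, which the article advises against. The host names, the OC server address 10.0.0.10 and the SAN lists are constructed sample data; only spectrum-test.domain.com and port 9443 come from the article.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse etc/hosts-style text into {hostname (lowercase): ip}.

    Comments and blank lines are ignored; like the system resolver, the
    first mapping seen for a name wins.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def san_matches(san_dns_names: Iterable[str], hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: exact (case-insensitive) or a single
    leftmost wildcard label. "*.domain.com" matches "oc.domain.com" but
    neither "a.b.domain.com" nor "domain.com"."""
    host = hostname.lower().rstrip(".")
    for entry in san_dns_names:
        pattern = entry.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            suffix = pattern[1:]  # ".domain.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


@dataclass
class CheckResult:
    lb_fqdn: str
    resolved_ip: Optional[str]
    resolves_locally: bool   # step 2 of the Resolution
    san_covers_lb: bool      # step 1 of the Resolution
    san_lists_localhost: bool  # exposure the article warns about

    @property
    def ok(self) -> bool:
        return self.resolves_locally and self.san_covers_lb and not self.san_lists_localhost


def check_workaround(lb_fqdn: str, hosts_text: str, local_ips: List[str],
                     san_dns_names: List[str]) -> CheckResult:
    """Evaluate both work-around preconditions against the supplied data."""
    resolved = parse_hosts(hosts_text).get(lb_fqdn.lower())
    return CheckResult(
        lb_fqdn=lb_fqdn,
        resolved_ip=resolved,
        resolves_locally=resolved is not None and resolved in set(local_ips),
        san_covers_lb=san_matches(san_dns_names, lb_fqdn),
        san_lists_localhost=san_matches(san_dns_names, "localhost"),
    )


# Constructed sample data: 10.0.0.10 is a hypothetical OC server address.
LB_FQDN = "spectrum-test.domain.com"            # LB FQDN from the article
LOCAL_IPS = ["127.0.0.1", "10.0.0.10"]
HOSTS_BEFORE = "127.0.0.1 localhost\n10.0.0.10 oc-server.domain.com oc-server\n"
HOSTS_AFTER = HOSTS_BEFORE + "10.0.0.10 spectrum-test.domain.com  # LB FQDN -> OC server itself\n"
SAN_BEFORE = ["oc-server.domain.com"]
SAN_AFTER = ["oc-server.domain.com", "spectrum-test.domain.com"]

if __name__ == "__main__":
    for label, hosts, san in (("before", HOSTS_BEFORE, SAN_BEFORE),
                              ("after", HOSTS_AFTER, SAN_AFTER)):
        r = check_workaround(LB_FQDN, hosts, LOCAL_IPS, san)
        print(f"{label}: resolves locally={r.resolves_locally} "
              f"san covers LB={r.san_covers_lb} ok={r.ok}")
```

On a real OC server the same two facts can be read from the system itself: the resolver view with getent hosts <LB-FQDN>, and the SAN list by connecting to port 9443 with openssl s_client and printing the certificate's subjectAltName extension.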


Additional Information

User Story US806000 "LoadBalancer Env - Launch Webapp Directly with no Interference of LB" was opened to enhance the webapp functionality in a Load Balancer environment.

Currently, to access the webapp:

Client Browser->LB:8443->OCWS:8443->(click on OneClickWebapp link)-->LB:9443->Webapp:9443->LB:8443->OCWS:8443 to launch webapp.

In the above call flow the LB is referred to multiple times just to launch the webapp once, even though both OCWS and Webtomcat reside on the same machine.

Here it is mandatory for the LB to listen on both the OCWS port and the Webtomcat port.

Proposed solution in US806000:

We will provide a way for customers to configure a hostname in a file, so that the webapp is launched using this hostname directly.

Customers configure a hostname in a file so that OCWS uses it to launch the webapp; this hostname is usually the local server name or localhost. When it is configured, the code uses this configured hostname instead of reading the hostname from the request URL. If it is not configured, the existing logic of reading the hostname from the request URL is used to launch the webapp.

This hostname is usually configured only by users who have an LB in front of OCWS.

Out of the box no hostname is configured, and the existing logic of reading the hostname from the request URL is used.

So with this approach the call flow will be:

Client Browser ->LB:8443->OCWS:8443 -> click on OneClickWebapp link --> Read Hostname(OCHOST) from config file --> OCHOST:9443 ->Webapp:9443->OCHOST:8443 and launches webapp.
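The hostname-selection rule proposed in US806000 is small enough to show end to end. The added example below is not CA Spectrum code and the article does not name the configuration file or its format, so it assumes a hypothetical "key=value" file with an OCHOST key and a "#" comment syntax. It returns the configured hostname when one is set and otherwise falls back to the hostname of the request URL, then builds the webapp launch URL; the webtomcat port 9443 and the /spectrum path are taken from the log lines in the article.

```python
from typing import Optional
from urllib.parse import urlsplit


def configured_webapp_host(config_text: str, key: str = "OCHOST") -> Optional[str]:
    """Return the configured launch hostname, or None when the key is absent,
    commented out or empty (assumed file format: 'key=value' lines, '#' comments)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key and v.strip():
            return v.strip()
    return None


def webapp_launch_url(request_url: str, config_text: str,
                      webtomcat_port: int = 9443, path: str = "/spectrum") -> str:
    """Proposed logic: use OCHOST when configured, else the request URL's host.

    urlsplit().hostname strips the port and any IPv6 brackets, so a request
    such as https://lb.example:8443/Spectrum yields 'lb.example'.
    """
    host = configured_webapp_host(config_text) or urlsplit(request_url).hostname
    if not host:
        raise ValueError(f"no hostname in request URL: {request_url!r}")
    return f"https://{host}:{webtomcat_port}{path}"


# Constructed sample input: the LB URL the browser used, and two config files.
REQUEST_URL = "https://spectrum-test.domain.com:8443/Spectrum"
CONFIG_UNSET = "# OCHOST=oc-server.domain.com   (commented out: default behaviour)\n"
CONFIG_SET = "OCHOST=oc-server.domain.com\n"   # oc-server.domain.com is hypothetical

if __name__ == "__main__":
    print("default :", webapp_launch_url(REQUEST_URL, CONFIG_UNSET))
    print("OCHOST  :", webapp_launch_url(REQUEST_URL, CONFIG_SET))
```

With OCHOST set, the second hop never carries the LB name, which is exactly what removes the LB from the OCWS-to-webapp leg in the flow above.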