The customer wants the OneClick webapp to work over HTTPS through a load-balancer (LB) server. Between the LB server and the OC server there is a firewall that does not allow OCWS (OneClick WebServer) communications toward the LB server.
Articles 200661 and 231487 describe possible webapp implementations in HTTP/HTTPS in an LB environment, but they do not consider the case where the OC WebServer is not allowed to send requests to the LB server.
Release : 21.2
Component : Spectrum OneClick
In theory the flow to access the webapp is:
Client Browser -> LB:8080->OCWS:8443->Weba
but currently the flow is the following:
1) The browser calls the webserver admin page https://<LB-Name>:<port>/Spectrum (tomcat SSL port).
2) The Admin page comes up fine.
3) The user clicks on OneClickWebapp --> the OC Webserver tries to call the webapp through the URL https://<LB-Name>:<port>/
Due to the firewall this fails, for example:
spectrum-test.domain.com is the LB server FQDN
9443 is the webtomcat SSL port specified in server.xml
Feb 03, 2022 11:03:08.745 (https-jsse-nio-443-exec-40) - Request Server : spectrum-test.domain.com protocol : https
Feb 03, 2022 11:03:08.745 (https-jsse-nio-443-exec-40) - Non-Docker environment, hence launching webapp with server name : spectrum-test.domain.com
Feb 03, 2022 11:03:08.745 (https-jsse-nio-443-exec-40) - WebApp URL being called :https://spectrum-test.domain.com:9443/spectrum
java.net.ConnectException: Connection timed out: connect
at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
4) The OC WebServer then tries to launch https://localhost:9443/Spectrum on localhost.
This call fails with an IOException because localhost is not specified in the certificate, resulting in the following error:
Adding localhost to the CN= or SAN= field of the certificate may not be an option, as it may represent a security exposure.
How to work around the issue?
1) Add the LB server hostname/FQDN to the certificate's SAN DNS names in addition to the OC hostname/FQDN.
2) On the OC server, modify the etc/hosts file so that the LB hostname/FQDN (the URL specified from the browser) resolves to the IP of the OC server itself.
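The two workaround prerequisites can be verified before restarting OCWS. The following checker is an added example, not part of the article or of Spectrum: it parses the OC server's etc/hosts content and a list of SAN DNS names (assumed to have been extracted from the certificate beforehand, e.g. with openssl), and reports which prerequisite is still unmet. The OC hostname spectrum-oc.domain.com, the IP 10.0.0.5 and the hosts-file content are constructed sample values; only the LB FQDN spectrum-test.domain.com and port 9443 come from the article.

```python
import ipaddress
# Constructed /etc/hosts content for the OC server: the LB FQDN from the article
# is pinned to a constructed OC server IP (10.0.0.5), so OCWS's own calls to
# https://<LB-Name>:9443 never leave the OC server.
SAMPLE_HOSTS = """
127.0.0.1   localhost
10.0.0.5    spectrum-oc.domain.com   spectrum-oc    # constructed OC hostname
10.0.0.5    spectrum-test.domain.com                # LB FQDN -> OC server itself
"""

def parse_hosts(hosts_text):
    """Map lower-cased hostnames to IPs; first match wins, as the resolver does."""
    mapping = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # skip malformed lines
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping

def san_matches(san_dns_names, hostname):
    """True if a SAN DNS entry covers hostname exactly or by a one-label wildcard."""
    host = hostname.lower()
    for entry in (e.lower() for e in san_dns_names):
        if entry == host:
            return True
        if (entry.startswith("*.") and host.endswith(entry[1:])
                and host.count(".") == entry.count(".")):
            return True
    return False

def check_workaround(hosts_text, san_dns_names, lb_fqdn, oc_fqdn, oc_ip):
    """List unmet prerequisites: SAN covers both FQDNs, LB FQDN resolves to OC IP."""
    problems = []
    for name in (lb_fqdn, oc_fqdn):
        if not san_matches(san_dns_names, name):
            problems.append(f"certificate SAN does not cover {name}")
    resolved = parse_hosts(hosts_text).get(lb_fqdn.lower())
    if resolved is None:
        problems.append(f"{lb_fqdn} has no /etc/hosts entry on the OC server")
    elif resolved != oc_ip:
        problems.append(f"{lb_fqdn} resolves to {resolved}, not the OC server IP {oc_ip}")
    return problems
```

An empty list from check_workaround means both steps are in place; a non-empty list names the step still missing.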
User Story US806000 "LoadBalancer Env - Launch Webapp Directly with no Interference of LB" was opened to enhance the webapp functionality in a Load Balancer environment.
Currently, to access the webapp:
Client Browser->LB:8443->OCWS:8443->(click on OneClickWebapp link)-->LB:9443->Webapp:9443->LB:8443->OCWS:8443 to launch webapp.
Looking at the above call flow, the LB is referred to multiple times just to launch the webapp once, even though both OCWS and Webtomcat reside on the same machine.
Here it is mandatory for the LB to listen on both the OCWS port and the Webtomcat port.
Proposed solution in US806000:
We will provide a way for customers to configure a hostname in a file so that the webapp is launched using this hostname directly.
Customers will configure the hostname in a file so that OCWS uses it to launch the webapp; this hostname is mostly the local server name or localhost. When this hostname is configured, our code should use it instead of reading the hostname from the request URL. If it is not configured, the existing logic of reading the hostname from the request URL to launch the webapp still applies.
This hostname configuration will mostly only be set by users who have an LB configured for OCWS.
Out of the box, no hostname is configured and the existing logic of reading the hostname from the request URL is used.
So with this approach the call flow will be:
Client Browser ->LB:8443->OCWS:8443 -> click on OneClickWebapp link --> Read Hostname(OCHOST) from config file --> OCHOST:9443 ->Webapp:9443->OCHOST:8443 and launches webapp.