NFA 22.2.4 - 22.2.6 SOAP HTTPS Issue

Article ID: 260918

Products

Network Observability Network Flow Analysis

Issue/Introduction

Starting in NFA 22.2.4, SOAP over HTTPS is supported, which removes the need for the IIS port 80 / HTTP binding.

After enabling SOAP HTTPS, we found that ASP.NET pages stopped loading because the web service checked that the IP address of the NFA Console could be found in the server certificate. To get past the IP lookup in the certificate, we created a set of patches to be applied.

Environment

Release : 22.2.4-22.2.6

Resolution

We will be providing 22.2.5 and 22.2.6 patches. If you need a 22.2.4 patch, please contact Broadcom Support. This fix will be included in 22.2.7 and ApplyHTTPS will do these steps for you.

To apply (this assumes HTTPS for IIS is already set up in NFA):

1. Download the proper patch below and copy it to the NFA Console Server.

2. Extract the contents and follow the readme to apply the patch.

3. Once the patch is applied, we can turn on SOAP HTTPS.

4. Open a CMD Prompt:

  1. mysql -unetqos -pnetqos reporter -t -e "update data_sources2 set port=443;"
  2. mysql -unetqos -pnetqos reporter -t -e "update data_sources2 set consoleport=443;"
  3. mysql -unetqos -pnetqos reporter -t -e "update data_sources2 set protocol='https';"
  4. mysql -unetqos -pnetqos reporter -t -e "update data_sources2 set consoleprotocol='https';"

5. Now go to the x:\CA\NFA\DBUsers\ReporterAnalyzer.ini file and edit:

  1. ReporterAnalyzer.wsschema=https
  2. ReporterAnalyzer.wsport=443
  3. ReporterAnalyzer.Host=<insert the server DNS friendly name like nfa.broadcom.com or another address which is found in your certificate's common name or subject alternative name>

6. Go to x:\CA\NFA\Reporter\NetQoS.ReporterAnalyzer.WebService\web.config and replace all instances of:

  1. "mexHttpBinding" with "mexHttpsBinding"
  2. "httpGetEnabled" with "httpsGetEnabled"

7. Go to x:\CA\NFA\Portal\SSO\webapps\sso\configuration and edit ReporterAnalyzer.xml under the <SingleSignOnWebServiceUrl> section:

  1. Set scheme to "https"
  2. Set port to "443"

8. Save the file and restart the CA MySQL Service.

9. At this point we are done. If you have any questions please contact Broadcom Support.
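
A check you can run before restarting the service, as an added example (not Broadcom's code): it confirms that the ReporterAnalyzer.Host value from step 5 is a name actually present in the server certificate, which is the mismatch that stopped pages loading when the console was addressed by IP. The flat key=value layout of ReporterAnalyzer.ini, the host names and the certificate dict are constructed assumptions.

```python
import ipaddress

# Constructed sample: the three ReporterAnalyzer.ini keys edited in step 5.
SAMPLE_INI = """ReporterAnalyzer.wsschema=https
ReporterAnalyzer.wsport=443
ReporterAnalyzer.Host=nfa.example.com
"""
# Constructed certificate, in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "nfa.example.com"),),),
    "subjectAltName": (("DNS", "nfa.example.com"), ("DNS", "*.corp.example.com")),
}

def parse_ini(text):
    """Parse flat key=value lines (assumed layout of ReporterAnalyzer.ini)."""
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def dns_match(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host

def host_in_cert(host, cert):
    """True if host appears in the cert's common name or subject alternative names."""
    sans = cert.get("subjectAltName", ())
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        names = cns + [v for kind, v in sans if kind == "DNS"]
        return any(dns_match(p, host) for p in names)
    # An IP literal only matches an "IP Address" SAN entry (or a CN spelled as that IP).
    ip_sans = [ipaddress.ip_address(v.strip()) for kind, v in sans if kind == "IP Address"]
    return ip in ip_sans or host in cns

def check_config(ini_text, cert):
    """Return a list of problems; an empty list means the settings are consistent."""
    cfg, problems = parse_ini(ini_text), []
    for key, want in (("ReporterAnalyzer.wsschema", "https"), ("ReporterAnalyzer.wsport", "443")):
        if cfg.get(key) != want:
            problems.append(f"{key} is {cfg.get(key)!r}, expected {want!r}")
    host = cfg.get("ReporterAnalyzer.Host", "")
    if not host or not host_in_cert(host, cert):
        problems.append(f"ReporterAnalyzer.Host {host!r} is not a name in the certificate")
    return problems

if __name__ == "__main__":
    print(check_config(SAMPLE_INI, SAMPLE_CERT) or "configuration matches certificate")
```

Against a real console, pass the dict from `ssl.SSLSocket.getpeercert()` on a verified connection in place of `SAMPLE_CERT`.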

 

Additional Information

At this time there is no patch for NFA 22.2.4. If you need to apply SOAP HTTPS, please contact Broadcom Support.

We are looking to make it so you can have a single HTTPS binding restricted to a single hostname and IP by 22.2.10.

Attachments

NFA_22.2.5_PTF_001_1678113618783.zip
NFA_22.2.6_PTF_001_1678113555628.zip