OneClick Console won't launch after enabling ModSecurity in SSL mode

Article ID: 46402


Products

CA Spectrum DX NetOps

Issue/Introduction

After enabling ModSecurity in SSL mode and configuring httpd (Apache Web Server) to listen only on TCP/443, i.e. with the following removed (commented out) in $SPECROOT/apache/conf/httpd.conf:

Listen 80

ProxyPreserveHost On
ProxyPass /spectrum http://localhost:8080/spectrum
ProxyPassReverse /spectrum http://localhost:8080/spectrum

and with the following configuration in $SPECROOT/apache/conf/extra/httpd-ssl.conf:

<VirtualHost *:443>
  ProxyPreserveHost On
  ProxyPass /spectrum http://localhost:8080/spectrum
  ProxyPassReverse /spectrum http://localhost:8080/spectrum

    (other attributes here)

</VirtualHost>

The OneClick Web Admin page is accessible via HTTPS (TCP/443), but when you click the "Start Console" link, the OneClick Console does not launch. An "Unable to launch the application" error dialog is shown.

The following Java exceptions occur:

com.sun.deploy.net.FailedDownloadException: Unable to load resource: http://<hostname>/spectrum/oneclick.jnlp
at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.net.NetworkClient.doConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Environment

DX NetOps Spectrum all currently supported releases

Cause

This occurs when ModSecurity on httpd (Apache Web Server) has been configured in SSL mode but Tomcat is not in SSL mode. Tomcat should be configured in SSL mode to avoid this problem.

Resolution

1. OneClick needs to be configured for SSL mode. For example, you can use the following Connector configuration in the $SPECROOT/tomcat/conf/server.xml file.

   <Connector
      address="127.0.0.1"
      port="8444"
      enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
      acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
      clientAuth="false" sslProtocol="TLS"
      ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
      keystoreFile="C:/win32app/Spectrum/custom/keystore/cacerts"
      keystorePass="changeit">
   </Connector>

Note: Specifying 'address="127.0.0.1"' in the Connector configuration above blocks direct external access to TCP/8444. You should also comment out the HTTP Connector configuration in the server.xml file so that Tomcat runs only in SSL mode.

2. While configuring ModSecurity in SSL mode, replace the Virtual Host configuration in the $SPECROOT/apache/conf/extra/httpd-ssl.conf file with the following:

   <VirtualHost *:443>
      ProxyPreserveHost on
      SSLEngine on
      SSLProxyEngine on
      SSLProxyVerify none
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      SSLProxyCheckPeerExpire off
      ProxyPass /spectrum https://localhost:8444/spectrum
      ProxyPassReverse /spectrum https://localhost:8444/spectrum

            (other attributes here)

   </VirtualHost>

This configuration indicates that ModSecurity on httpd (Apache Web Server) is running in SSL mode on port TCP/443 and Tomcat is running in SSL mode on port TCP/8444 locally.
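
An offline check of the end state that steps 1 and 2 describe, added here as an example (it is not Broadcom's code): it flags the failure mode from this article (httpd without Listen 80 proxying to a plain-HTTP Tomcat) and audits each Tomcat Connector. It goes beyond the article by also reporting the RC4, 3DES and MD5-based suites and the default "changeit" keystore password that appear in the sample Connector. The function names and the abridged config strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, abridged from the configuration shown in this article.
SERVER_XML = '''<Server><Service name="Catalina">
  <Connector address="127.0.0.1" port="8444" scheme="https" secure="true"
     SSLEnabled="true" sslProtocol="TLS" keystorePass="changeit"
     ciphers="SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>'''
HTTPD_BEFORE = '''#Listen 80
<VirtualHost *:443>
  ProxyPass /spectrum http://localhost:8080/spectrum
</VirtualHost>'''
HTTPD_AFTER = '''<VirtualHost *:443>
  SSLProxyEngine on
  ProxyPass /spectrum https://localhost:8444/spectrum
</VirtualHost>'''

# Suites built on RC4, 3DES, an MD5 MAC, NULL/EXPORT encryption or anonymous key exchange.
WEAK = re.compile(r"RC4|3DES|_MD5$|_NULL_|EXPORT|anon", re.I)

def audit_connectors(server_xml):
    """Return findings for every <Connector> in Tomcat server.xml text."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port")
        if c.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"{port}: connector is not TLS-enabled")
        if c.get("address") not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"{port}: not bound to loopback, reachable directly")
        if c.get("keystorePass") == "changeit":
            findings.append(f"{port}: default keystore password")
        for suite in filter(None, map(str.strip, c.get("ciphers", "").split(","))):
            if WEAK.search(suite):
                findings.append(f"{port}: weak cipher suite {suite}")
    return findings

def audit_httpd(conf):
    """Flag this article's failure mode: no Listen 80 but a plain-HTTP backend."""
    active = [l.strip() for l in conf.splitlines() if not l.lstrip().startswith("#")]
    listens_80 = any(re.fullmatch(r"Listen\s+(\S+:)?80", l, re.I) for l in active)
    findings = []
    for l in active:
        m = re.match(r"ProxyPass\s+(\S+)\s+http://(\S+)", l, re.I)
        if m and not listens_80:
            findings.append(f"{m.group(1)} -> http://{m.group(2)}: backend is plain HTTP, port 80 closed")
    return findings

if __name__ == "__main__":
    print(audit_connectors(SERVER_XML), audit_httpd(HTTPD_BEFORE), audit_httpd(HTTPD_AFTER))
```

Run it against the real $SPECROOT/tomcat/conf/server.xml and httpd-ssl.conf by reading those files and passing their text to the two functions.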

Additional Information