MFP Server: Specifying a particular interface on a multi-homed host - mobilefirst-server

MFP 7.0.0 with IF201506081356
on WebSphere Liberty 8.5.5.5 on Linux
My idea was to modify server.xml
<httpEndpoint id="defaultHttpEndpoint"
httpPort="9080"
httpsPort="9443"
host="*" > <=== change this to a specific ipaddress
And change this JNDI entry
<jndiEntry jndiName="ibm.worklight.admin.jmx.host" value="localhost"/>
to specify the same ipaddress.
After making those changes, the server does not initialise correctly; it attempts to access JMX on the localhost, even though nowhere in my server.xml is the word "localhost".
[6/11/15 13:19:24:232 CEST] 00000040 com.worklight.common.util.jmx.LibertyRuntimeMBeanHandler I Establishing REST connection to service:
jmx:rest://localhost:9443/IBMJMXConnectorREST SSL handler=null
That attempt just repeats ad nauseam ...
Is there some cached value somewhere? Something else I need to set?

During the startup of the runtimes "localhost" is always used for the JMX connection. It is a defect, an APAR will be created.

Related

Fusion Middleware Console - hostname in URL

I try to display Fusion Middleware Console (WebLogic 12c) in my browser according to this pattern:
http://hostname.domain:port/em
The port is 7001 and the name of the domain is domains, but I can't find the hostname in the config.xml file. If hostname should be the hostname of the computer, it doesn't work for me. Where do I find the hostname?
EDIT:
Snippet from my config.xml:
<name>domains</name>
<domain-version>12.2.1.2.0</domain-version>
(...)
<server>
<name>myAdminServerName</name>
<ssl>
<name>myAdminServerName</name>
<listen-port>7002</listen-port>
</ssl>
<machine>wls_machine_1</machine>
<listen-address>127.0.0.1</listen-address>
</server>
If I run the admin console at this address: http://127.0.0.1:7001/console it works. But if I try to run Fusion Middleware Console at this URL: http://127.0.0.1.domains:7001/em or http://127.0.0.1.domains:7002/em it doesn't work.
Greetings.
By default, WebLogic listens on every available address. But if you change the listening address setting, you will find it between the <listen-address></listen-address> tags:
<server>
<name>myserver</name>
<listen-port-enabled>true</listen-port-enabled>
<listen-address>localhost</listen-address>
</server>

Tomcat 7 RemoteHostValve not working for localhost

I am trying to restrict access to a Tomcat 7 Server by using this valve: org.apache.catalina.valves.RemoteHostValve.
It's working fine for other hosts, but I can not access the server locally by using the localhost (http://localhost:8080).
Here is the Valve:
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="host2.xy.i|host2.xy.i|localhost"/>
Any ideas?
For this function, hostname lookups are needed.
Did you check that you have set this?
<Connector enableLookups="true" />
If it's not working with the hostname, you could reach the same result with:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\..*"/>
But check whether you have a localhost IPv6 address; this example matches only IPv4.
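The allow-pattern behaviour discussed in this thread, as an added example that is not part of the original posts: a Python model of how the valves decide (whole-string regex match, deny checked first), run over constructed client addresses. The valve_allows helper and the sample addresses are assumptions for illustration; the combined loopback pattern is an added alternative that also covers IPv6.

```python
import re

# Model of the allow/deny decision made by Tomcat's RemoteAddrValve and
# RemoteHostValve: the pattern must match the whole value (Java
# Matcher.matches()), deny is checked before allow, and a valve with only
# "allow" set rejects every value that does not match.
def valve_allows(value, allow=None, deny=None):
    if deny is not None and re.fullmatch(deny, value):
        return False
    if allow is not None and re.fullmatch(allow, value):
        return True
    return deny is not None and allow is None

# Pattern from the answer above: IPv4 loopback only.
IPV4_ONLY = r"127\..*"
# Added alternative: IPv4 loopback plus both spellings of the IPv6 loopback
# (Java reports it in the long form 0:0:0:0:0:0:0:1).
LOOPBACK = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
# Host pattern from the question's RemoteHostValve.
HOST_ALLOW = r"host2.xy.i|host2.xy.i|localhost"

# Constructed sample client addresses.
SAMPLES = ["127.0.0.1", "0:0:0:0:0:0:0:1", "::1", "10.0.0.5", "192.168.127.1"]

def evaluate(allow):
    """Return the valve decision for every sample address."""
    return {addr: valve_allows(addr, allow=allow) for addr in SAMPLES}

def host_valve_decision(remote_host):
    """remote_host is what the valve sees: a name with lookups on, else the IP."""
    return valve_allows(remote_host, allow=HOST_ALLOW)

if __name__ == "__main__":
    print("IPv4 only      :", evaluate(IPV4_ONLY))
    print("loopback v4+v6 :", evaluate(LOOPBACK))
    # Without enableLookups the host valve is handed the address, not a name.
    print("host valve, lookups off:", host_valve_decision("127.0.0.1"))
    print("host valve, lookups on :", host_valve_decision("localhost"))
```

A local browser that resolves localhost to the IPv6 loopback is rejected by the IPv4-only pattern even though the request never leaves the machine.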

Consume a restful service without port in Mule

I have a restful service deployed in public IP, and thus does not have a port number associated with it. I need to invoke that service, in mule and create a workflow.
I can consume a service with port number as specified below but am unable to do the same for a service which does not have a port number associated.
<http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8105" doc:name="HTTP Listener Configuration" />
<http:request-config name="HTTP_Request_Configuration" host="localhost" port="8080" basePath="/onlineexam" doc:name="HTTP Request Configuration"/>
Please help
It will always have a port. If the URL does not have one specified then it is using the default http port '80' so set the port attribute to 80.
I was also facing the issue despite adding default port 443 for my HTTPS request. Usually this issue persists when the hostname ends with .io or .org. Mine was .io
Adding this inside the <http:request > block helped:
<http:request-builder>
<http:header headerName="Host" value="hostname"/>
</http:request-builder>
This will override the configuration host and port. So you would still have to mention host and port number in the request configuration, which will be overridden.
For http, use port 80 and for HTTPS, use port 443

why is keycloak removing the SSL in the redirect uri?

We have a simple requirement where:
PS: https:/ === https://
When a user hits https:/company_landing.company.com, they should be redirected to the keycloak login page (at https:/ourcompany-keycloak.company.com). The user enters his/her keycloak login credentials. Upon successful login to keycloak, they will be presented with the company_landing page.
The trouble is :
When User types - https:/company_landing.company.com
Keycloak tries to bring up the landing page but gives 500 Internal server error and says "Incorrect redirect uri" and in the browser I see this:
https:/ourcompany-keycloak.company.com/auth/realms/realm1/tokens/login?client_id=company_dev&state=aaaafffff-559d-4312-a8be-123412341234&redirect_uri=http%3A%2F%2Fcompany_landing.company.com%3A8081%2F%3Fauth_callback%3D1
If you observe the redirect uri above, I think the problem is that instead of https the redirect uri starts with http and http:/company-landing.company.com doesn't exist.
Settings:
keycloak settings: -
Realm --> settings --> login : Require SSL = all Requests (tried with "external" also)
Applications-->realm1-->settings-->Redirect URI = https://company_landing.company.com/*
AWS load balancer:
Port config: 443(https) forwarding to 8443
I am confused as to why it is stripping the SSL? The above works fine when testing on a local environment (probably because it's http://localhost) but this always gives an invalid redirect url when trying to access any link that is SSL encrypted.
-mm
You have to add the following property in the proxy configuration json file, (by default proxy.json) as an application attribute (same level as "adapter-config"):
"proxy-address-forwarding" : true,
This configuration attribute is not documented, but it is present in the sources of the proxy configuration: https://github.com/keycloak/keycloak/blob/master/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyConfig.java
You don't need a certificate to be installed or use changes in adapter config.
This needs to be done in your standalone.xml, standalone-ha or domain.xml (as the case may be) as documented in the Keycloak document reverse proxy section https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
Assuming that your reverse proxy doesn’t use port 8443 for SSL you also need to configure what port HTTPS traffic is redirected to.
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
...
<http-listener name="default" socket-binding="http"
proxy-address-forwarding="true" redirect-socket="proxy-https"/>
...
</subsystem>
Add the redirect-socket attribute to the http-listener element. The value should be proxy-https which points to a socket binding you also need to define.
Then add a new socket-binding element to the socket-binding-group element:
<socket-binding-group name="standard-sockets" default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
...
<socket-binding name="proxy-https" port="443"/>
...
</socket-binding-group>
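Why the login URL in the question is rejected and what honouring the proxy's forwarded headers changes, as an added example that is not part of the original posts. The matching rule is a simplified model of redirect URI validation, and build_redirect, the X-Forwarded-* header values and the backend connection values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Login URL from the question, with its "https:/" shorthand written out.
LOGIN_URL = (
    "https://ourcompany-keycloak.company.com/auth/realms/realm1/tokens/login"
    "?client_id=company_dev&state=aaaafffff-559d-4312-a8be-123412341234"
    "&redirect_uri=http%3A%2F%2Fcompany_landing.company.com%3A8081%2F%3Fauth_callback%3D1"
)
REGISTERED = "https://company_landing.company.com/*"  # Redirect URI setting from the question
DEFAULT_PORTS = {"http": 80, "https": 443}

def requested_redirect(login_url):
    """Extract and URL-decode the redirect_uri query parameter."""
    return parse_qs(urlsplit(login_url).query)["redirect_uri"][0]

def is_registered(redirect_uri, registered):
    """Simplified model: exact match, or prefix match for a trailing '*'."""
    if registered.endswith("*"):
        return redirect_uri.startswith(registered[:-1])
    return redirect_uri == registered

def origin(url):
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]

def mismatches(redirect_uri, registered):
    """Name the origin components that differ from the registered URI."""
    names = ("scheme", "host", "port")
    pairs = zip(names, origin(redirect_uri), origin(registered))
    return [name for name, got, want in pairs if got != want]

def build_redirect(conn_scheme, host, conn_port, headers, trust_forwarded):
    """Model of a backend building its callback URL behind a TLS-terminating proxy."""
    scheme, port = conn_scheme, conn_port
    if trust_forwarded:  # the behaviour proxy-address-forwarding turns on
        scheme = headers.get("X-Forwarded-Proto", scheme)
        port = int(headers.get("X-Forwarded-Port", port))
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{netloc}/?auth_callback=1"

# Constructed headers of the kind a load balancer adds when it terminates TLS on 443.
LB_HEADERS = {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}

if __name__ == "__main__":
    seen = requested_redirect(LOGIN_URL)
    print(seen, is_registered(seen, REGISTERED), mismatches(seen, REGISTERED))
    fixed = build_redirect("http", "company_landing.company.com", 8081, LB_HEADERS, True)
    print(fixed, is_registered(fixed, REGISTERED))
```

Forwarded headers are only trustworthy when the backend is reachable solely through the proxy, because a client that connects directly can set them itself.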

link apache web server on port 80 and tomcat webapp on port 8080

On port 80 I have normal apache web server.
On port 8080 I have tomcat with client and server side stuff.
My goal is:
www.mydomain.com renders a static and SEO friendly index.html while javascript stuff is loading.
In the header of this index.html I load www.mydomain.com:8080/myapp/stuff.js
stuff.js is compiled with gwt and calls a RootLayoutPanel.get().add(nice_panel) which will remove static content and show dynamic widgets. It also calls servlets (server side code).
Problem: for security reasons, browsers won't let me load www.mydomain.com:8080/myapp/stuff.js because it is on a different port.
Wrong attempt: I tried to create a symlink from "normal" apache web server directory to the tomcat webapp containing stuff.js. I am now able to load stuff.js because its url is: www.mydomain.com/mysymlink_to_tomcat/stuff.js. But stuff.js is not able anymore to call servlets on server side again because of browsers security rules ("XMLHttpRequest cannot load ... origin ...is not allowed by Access-Control-Allow-Origin").
I would like to avoid the "crazy" solution of redirect from index.html to tomcat with header('location: http://mydomain.com:8080/another_index_on_tomcat.html'). This solution works but it has many drawbacks (SEO...)
What would be the best approach ?
Thanks.
You have basically two solutions:
make it work with the 2 origins: use the xsiframe linker in GWT to allow the page on :80 to load the script from :8080 (for readers: it's not about loading, it's about what the script does).
Add the following to your gwt.xml:
<add-linker name='xsiframe' />
That unfortunately won't solve your issue with GWT-RPC (or whatever you use to talk to the server). For that, there's CORS.
use a single origin: use Apache's mod_proxy (or mod_jk) to proxy your Tomcat through your Apache. Nobody will ever use :8080, everything will go through :80. See Using Tomcat with Apache HTTPD and a proxy at https://developers.google.com/web-toolkit/doc/latest/DevGuideServerCommunication#DevGuideRPCDeployment
And of course there's also the solution of ditching the HTTPD and serving everything with Tomcat (recent Java and Tomcat versions have fixed their slowness issues).
I'm not sure if this would avoid the security error, but you could try an iframe. On apache, you have the index and an iframe to the tomcat, where the JS loads inside the iframe. Dunno if that will help with the SEO problem.
The best solution would be to redirect the port 80 calls to 8080 on apache when the client call is asking for a tomcat application.
Install mod_jk on apache and configure it to mount a context on the path you want
example: (edit /mods_enabled/jk.conf)
# Configure access to jk-status and jk-manager
# If you want to make this available in a virtual host,
# either move this block into the virtual host
# or copy it logically there by including "JkMountCopy On"
# in the virtual host.
# Add an appropriate authentication method here!
<Location /jk-status>
# Inside Location we can omit the URL in JkMount
JkMount jk-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
<Location /jk-manager>
# Inside Location we can omit the URL in JkMount
JkMount jk-manager
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
JkMount /*/myAppDir/* ajp13
Then add a virtual host in your site settings (edit /apache2/sites-enabled/)
<VirtualHost *:80>
. Here is the rest of the
. of the config of
. the host
# Tomcat jk connector settings
JkMount /*.jsp ajp13_worker
JkMount /myAppDir/* ajp13_worker
JkMount /myAppDir* ajp13_worker
JKMount /manager* ajp13_worker
JkMount /manager/* ajp13_worker
</VirtualHost>
And you should also edit the server.xml file and inside the tag write and comment the previous Host name="localhost"
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Host name="localhost" appBase="webapps" unpackWARs="true"
autoDeploy="true" >
<Context path="/" docBase="/var/lib/tomcat7/webapps/myAppDir/"
debug="0" reloadable="true" />
<!-- please notes on logs down below -->
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="/var/lib/tomcat7/logs" prefix="tomcat_access_"
suffix=".log" pattern="common" resolveHosts="false" />
</Host>
The only thing left to do is edit the workers.properties file and add
worker.myapp2.port=8009
worker.myapp2.host=localhost
worker.myapp2.type=ajp13
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=ajp13_worker
Then you should be set to work, and when a URL containing myAppDir appears, the Apache server will redirect the calls to Tomcat and the answer will come back from Apache.