Subscribe
Accepted Solution

Can http Access be Disabled in WFA?

IHAC who's using https for WFA and would like to disable http access for internal IT audit reasons. Is there currently any way to do this?

Thanks in advance,

Jason

Re: Can http Access be Disabled in WFA?

http on WFA can be disabled for the external access of WFA server i.e. access using IP or Hostname. Access of WFA using "localhost" over http will still work and its also required by WFA.

How? It depends on your WFA vesion. What is the WFA version you are using?

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Re: Can http Access be Disabled in WFA?

Customer is using two versions; 2.0 for 7-mode and 2.2 for cDOT

Re: Can http Access be Disabled in WFA?

For 2.0

====

Steps

     1. Open the Windows services console by using services.msc and stop the NetApp WFA Server service.

     2. Edit the server.xml file:

     a) Open the server.xml file from the following location using an XML editor such as Notepad++:

     c:\Program Files\NetApp\WFA\jboss\server\default\deploy\jbossweb.sar

     b) Locate the following element: <Connector protocol="HTTP/1.1" port="${http.port}" address="${jboss.bind.address}" connectionTimeout="20000" redirectPort="${https.port}" maxSavePostSize="-1"

restrictedUserAgents="^.*MS Web Services Client Protocol.*$" />.


     c) Replace "${jboss.bind.address}" with "127.0.0.1".

     d) Save the server.xml file.

3. Restart the NetApp WFA Server service.

For 2.2

======

See the installation and setup guide https://library.netapp.com/ecm/ecm_get_file/ECMP1397247

Page 29.

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Re: Can http Access be Disabled in WFA?

Thank you very much sinhaa. Do you have any detail as to why http access is still needed using "localhost" and we can't simply stop the http port from listening? I know I'm going to be asked that.

Thanks in advance,

Jason

Re: Can http Access be Disabled in WFA?

WFA cmdlets like Get-WfaLogger etc internally make rest call using localhost on http. Other job executors also use http on localhost. This is by design. So if the http port is disabled, WFA server willsure  come up and you can login too, but you can't do anything useful with it.

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Re: Can http Access be Disabled in WFA?

Sinhaa. Appreciate the additional explanation. Thanks for all your help!

Jason