Community

Subscribe
Highlighted
Accepted Solution

How do you configure WFA 2.1 for HTTPS-only access?

The install and setup documentation supplied with WFA 2.1 documents the same procedure for configuring WFA to allow only HTTPS access that the 2.0.x versions document. Unfortunately, the specified path to the server.xml file does not exist, and there is no server.xml file in the WFA hierarchy. How does one go about configuring WFA 2.1 for HTTPS-only access?

Scott Lindley

Re: How do you configure WFA 2.1 for HTTPS-only access?

Scott,

      There is a file named standalone-full.xml located at WFA\jboss\standalone\configuration folder.

1. Find and comment/delete  the following line.

<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" executor="http-executor" />

2. Restart the WFA Database service ( It will restart the WFA server service too ). Wait for services to come up.

3. Open the browser and you'll see that WFA will only connect using HTTPS and not HTTP.

warm regards,

sinhaa

Re: How do you configure WFA 2.1 for HTTPS-only access?

Out of curiosity, why do we have to configure this by editing a file, rather than setting it within the UI? That would be the appropriate place for what should be a common setting.

Phil

Re: How do you configure WFA 2.1 for HTTPS-only access?

Thank you so much for your prompt reply. I did exactly what you said and it worked perfectly, first time. Hopefully the docs for the GA version will be updated before it is released.

     Scott

Re: How do you configure WFA 2.1 for HTTPS-only access?

Scott,

     Good to know that it worked for you. We have identified it to be fixed in GA documentation.

sinhaa

Re: How do you configure WFA 2.1 for HTTPS-only access?

Phil,

    Making WFA for HTTPS environment working completely, would require more than editing this line. The steps mentioned above just prevents any HTTP connect and allows only HTTPS. But for HTTPS environment configuration, the WFA user will need to generate a CSR , obtain his certificate from CSA(CA) and import it in WFA to replace the self-signed certificate which comes with WFA installer with a real one which is given by the CSA. These all can't be done from UI alone.

warm regards,

Abhishek

Re: How do you configure WFA 2.1 for HTTPS-only access?

I need to warn you that performing this step with WFA 2.1.0.70.32 will break WFA's ability to communicate with cDOT clusters. You will receive the "Unable to connect to remote server" error should you implement this change per the directions above. It is also possible that this could impact 2.2 as well - I will be testing this when I get some of that mythical "free time".

     Scott Lindley

Re: How do you configure WFA 2.1 for HTTPS-only access?

     Ahh.. you are right Scott and it was my bad.

My apologies for any inconvenience caused.

Re: How do you configure WFA 2.1 for HTTPS-only access?

In WFA, some of the commandlets(like Get-WfaLogger and Connect-WfaCluster) internally use http connection to WFA server over localhost.

These will be impacted if WFA is not deployed over http.

Here are the steps to restrict WFA http access to localhost.

1. Open the Windows services console by using services.msc and stop the NetApp WFA Server service.

2. Find the standalone-full.xml file at WFA installation directory(<WFA Install>/jboss/standalone/configuration/standalone-full.xml.

3. Take a backup of this file.

4. Open the file and go to the section "<interfaces>". This is towards the end of the file.

5. Add one more "<interface>" section for localhost only binding.

  <interfaces>

....

  <interface name="localhost-only">

     <inet-address value="127.0.0.1"/>

</interface>

......

</interfaces>

5. Now locate http socket binding section in "<socket-binding-group>".

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

     ....

     <socket-binding name="http" interface="localhost-only" port="${http.port}"/>

     ....

</socket-binding-group>

7. Start WFA service.

NOTE: Updated the post as per Scott's post below.

Re: How do you configure WFA 2.1 for HTTPS-only access?

I have implemented the fix, though there is one minor change. This section:

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

     ....

     <socket-binding name="http" interface="localhost-only" port="{http.port}"/>

     ....

</socket-binding-group>

Should read (difference in red):

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

     ....

     <socket-binding name="http" interface="localhost-only" port="${http.port}"/>

     ....

</socket-binding-group>

Scott Lindley