topic Re: How do you configure WFA 2.1 for HTTPS-only access? in Active IQ Unified Manager Discussions

How do you configure WFA 2.1 for HTTPS-only access?

SCOTT_LINDLEY — Thu, 05 Jun 2025 05:54:01 GMT

The install and setup documentation supplied with WFA 2.1 documents the same procedure for configuring WFA to allow only HTTPS access that the 2.0.x versions document. Unfortunately, the specified path to the server.xml file does not exist, and there is no server.xml file in the WFA hierarchy. How does one go about configuring WFA 2.1 for HTTPS-only access?

Scott Lindley

Re: How do you configure WFA 2.1 for HTTPS-only access?

sinhaa — Fri, 13 Sep 2013 03:47:32 GMT

Scott,

There is a file named standalone-full.xml located at WFA\jboss\standalone\configuration folder.

1. Find and comment/delete the following line.

2. Restart the WFA Database service ( It will restart the WFA server service too ). Wait for services to come up.

3. Open the browser and you'll see that WFA will only connect using HTTPS and not HTTP.

warm regards,

sinhaa

Re: How do you configure WFA 2.1 for HTTPS-only access?

bachman — Fri, 13 Sep 2013 14:30:28 GMT

Out of curiosity, why do we have to configure this by editing a file, rather than setting it within the UI? That would be the appropriate place for what should be a common setting.

Phil

Re: How do you configure WFA 2.1 for HTTPS-only access?

SCOTT_LINDLEY — Fri, 13 Sep 2013 22:38:58 GMT

Thank you so much for your prompt reply. I did exactly what you said and it worked perfectly, first time. Hopefully the docs for the GA version will be updated before it is released.

Scott

Re: How do you configure WFA 2.1 for HTTPS-only access?

sinhaa — Sat, 14 Sep 2013 04:00:35 GMT

Scott,

Good to know that it worked for you. We have identified it to be fixed in GA documentation.

sinhaa

Re: How do you configure WFA 2.1 for HTTPS-only access?

sinhaa — Sat, 14 Sep 2013 04:11:22 GMT

Phil,

Making WFA for HTTPS environment working completely, would require more than editing this line. The steps mentioned above just prevents any HTTP connect and allows only HTTPS. But for HTTPS environment configuration, the WFA user will need to generate a CSR , obtain his certificate from CSA(CA) and import it in WFA to replace the self-signed certificate which comes with WFA installer with a real one which is given by the CSA. These all can't be done from UI alone.

warm regards,

Abhishek

Re: How do you configure WFA 2.1 for HTTPS-only access?

SCOTT_LINDLEY — Thu, 03 Apr 2014 17:45:07 GMT

I need to warn you that performing this step with WFA 2.1.0.70.32 will break WFA's ability to communicate with cDOT clusters. You will receive the "Unable to connect to remote server" error should you implement this change per the directions above. It is also possible that this could impact 2.2 as well - I will be testing this when I get some of that mythical "free time".

Scott Lindley

Re: How do you configure WFA 2.1 for HTTPS-only access?

sinhaa — Thu, 03 Apr 2014 19:07:04 GMT

Ahh.. you are right Scott and it was my bad.

My apologies for any inconvenience caused.

Re: How do you configure WFA 2.1 for HTTPS-only access?

bestinj — Thu, 03 Apr 2014 20:04:14 GMT

In WFA, some of the commandlets(like Get-WfaLogger and Connect-WfaCluster) internally use http connection to WFA server over localhost.

These will be impacted if WFA is not deployed over http.

Here are the steps to restrict WFA http access to localhost.

1. Open the Windows services console by using services.msc and stop the NetApp WFA Server service.

2. Find the standalone-full.xml file at WFA installation directory(<WFA Install>/jboss/standalone/configuration/standalone-full.xml.

3. Take a backup of this file.

4. Open the file and go to the section "<interfaces>". This is towards the end of the file.

5. Add one more "<interface>" section for localhost only binding.

....

<inet-address value="127.0.0.1"/>

</interface>

......

</interfaces>

5. Now locate http socket binding section in "<socket-binding-group>".

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

....

<socket-binding name="http" interface="localhost-only" port="${http.port}"/>

....

</socket-binding-group>

7. Start WFA service.

NOTE: Updated the post as per Scott's post below.

Re: How do you configure WFA 2.1 for HTTPS-only access?

SCOTT_LINDLEY — Tue, 08 Apr 2014 16:04:14 GMT

I have implemented the fix, though there is one minor change. This section:

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

....

<socket-binding name="http" interface="localhost-only" port="{http.port}"/>

....

</socket-binding-group>

Should read (difference in red😞

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

....

<socket-binding name="http" interface="localhost-only" port="${http.port}"/>

....

</socket-binding-group>

Scott Lindley