How do you configure WFA 2.1 for HTTPS-only access?

SCOTT_LINDLEY

The install and setup documentation supplied with WFA 2.1 documents the same procedure for configuring WFA to allow only HTTPS access that the 2.0.x versions document. Unfortunately, the specified path to the server.xml file does not exist, and there is no server.xml file in the WFA hierarchy. How does one go about configuring WFA 2.1 for HTTPS-only access?

Scott Lindley

1 ACCEPTED SOLUTION

sinhaa

Scott,

There is a file named standalone-full.xml located in the WFA\jboss\standalone\configuration folder.

1. Find and comment/delete the following line.

<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" executor="http-executor" />

2. Restart the WFA Database service (it will restart the WFA Server service too). Wait for the services to come up.

3. Open the browser and you'll see that WFA will only connect using HTTPS and not HTTP.

warm regards,

sinhaa

bachman

Out of curiosity, why do we have to configure this by editing a file, rather than setting it within the UI? That would be the appropriate place for what should be a common setting.

Phil

sinhaa

Phil,

Making WFA work completely in an HTTPS environment would require more than editing this line. The steps mentioned above just prevent any HTTP connection and allow only HTTPS. But for HTTPS environment configuration, the WFA user will need to generate a CSR, obtain his certificate from the CSA (CA), and import it into WFA to replace the self-signed certificate which comes with the WFA installer with a real one which is given by the CSA. All of this can't be done from the UI alone.

warm regards,

Abhishek

SCOTT_LINDLEY

Thank you so much for your prompt reply. I did exactly what you said and it worked perfectly, first time. Hopefully the docs for the GA version will be updated before it is released.

     Scott

sinhaa

Scott,

     Good to know that it worked for you. We have identified it to be fixed in GA documentation.

sinhaa

SCOTT_LINDLEY

I need to warn you that performing this step with WFA 2.1.0.70.32 will break WFA's ability to communicate with cDOT clusters. You will receive the "Unable to connect to remote server" error should you implement this change per the directions above. It is also possible that this could impact 2.2 as well - I will be testing this when I get some of that mythical "free time".

     Scott Lindley

sinhaa

     Ahh.. you are right Scott and it was my bad.

My apologies for any inconvenience caused.

bestinj

In WFA, some of the cmdlets (like Get-WfaLogger and Connect-WfaCluster) internally use an HTTP connection to the WFA server over localhost.

These will be impacted if WFA is not deployed over HTTP.

Here are the steps to restrict WFA http access to localhost.

1. Open the Windows services console by using services.msc and stop the NetApp WFA Server service.

2. Find the standalone-full.xml file in the WFA installation directory (<WFA Install>/jboss/standalone/configuration/standalone-full.xml).

3. Take a backup of this file.

4. Open the file and go to the section "<interfaces>". This is towards the end of the file.

5. Add one more "<interface>" section for localhost only binding.

  <interfaces>

....

  <interface name="localhost-only">

     <inet-address value="127.0.0.1"/>

  </interface>

......

</interfaces>

5. Now locate http socket binding section in "<socket-binding-group>".

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

     ....

     <socket-binding name="http" interface="localhost-only" port="${http.port}"/>

     ....

</socket-binding-group>

7. Start WFA service.

NOTE: Updated the post as per Scott's post below.

SCOTT_LINDLEY

I have implemented the fix, though there is one minor change. This section:

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

     ....

     <socket-binding name="http" interface="localhost-only" port="{http.port}"/>

     ....

</socket-binding-group>

Should read (difference in red):

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

     ....

     <socket-binding name="http" interface="localhost-only" port="${http.port}"/>

     ....

</socket-binding-group>

Scott Lindley
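
Added example, not part of the original thread and not NetApp code: a Python check for the outcome the posts above describe, namely that the `http` connector is still present, that the `http` socket binding points at a loopback-only interface, and that its port is a number or a well-formed `${...}` expression (the `{http.port}` slip corrected above). The function names and the trimmed sample document are assumptions made for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # elements are namespaced; compare local names

def _is_loopback(value):
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False  # ${...} expressions can be overridden at startup

def audit_http_binding(xml_text):
    """Return findings for the HTTP listener; an empty list means loopback-only."""
    elems = [(_local(e.tag), e) for e in ET.fromstring(xml_text).iter()]
    interfaces = {e.get("name"): [c.get("value", "") for c in e if _local(c.tag) == "inet-address"]
                  for t, e in elems if t == "interface"}
    findings = []
    if not any(t == "connector" and e.get("socket-binding") == "http" for t, e in elems):
        findings.append("http connector missing: cmdlets that call WFA over localhost HTTP will fail")
    binding = next((e for t, e in elems if t == "socket-binding" and e.get("name") == "http"), None)
    if binding is None:
        return findings + ["no socket-binding named 'http'"]
    iface = binding.get("interface")
    addrs = interfaces.get(iface, [])
    if not addrs or not all(_is_loopback(a) for a in addrs):
        findings.append(f"interface {iface!r} is not provably loopback-only: {addrs}")
    port = binding.get("port", "")
    if not re.fullmatch(r"\d+|\$\{[^{}]+\}", port):
        findings.append(f"port {port!r} is neither a number nor a ${{...}} expression")
    return findings

# Constructed sample, not a real WFA file: namespaces and unrelated sections omitted.
SAMPLE = """<server>
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <interfaces>
    <interface name="public"><inet-address value="0.0.0.0"/></interface>
    <interface name="localhost-only"><inet-address value="127.0.0.1"/></interface>
  </interfaces>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" interface="localhost-only" port="${http.port}"/>
  </socket-binding-group>
</server>"""

if __name__ == "__main__":
    for line in audit_http_binding(SAMPLE) or ["http listener is loopback-only"]:
        print(line)
```

To check a real installation, pass the text of standalone-full.xml to `audit_http_binding`; a commented-out connector counts as missing because the XML parser discards comments.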
