Out of curiosity, why do we have to configure this by editing a file, rather than setting it within the UI? That would be the appropriate place for what should be a common setting.

Phil

Thank you so much for your prompt reply. I did exactly what you said and it worked perfectly, first time. Hopefully the docs for the GA version will be updated before it is released.

     Scott

Scott,

     Good to know that it worked for you. We have identified it to be fixed in GA documentation.

sinhaa

Phil,

    Making WFA for HTTPS environment working completely, would require more than editing this line. The steps mentioned above just prevents any HTTP connect and allows only HTTPS. But for HTTPS environment configuration, the WFA user will need to generate a CSR , obtain his certificate from CSA(CA) and import it in WFA to replace the self-signed certificate which comes with WFA installer with a real one which is given by the CSA. These all can't be done from UI alone.

warm regards,

Abhishek

I need to warn you that performing this step with WFA 2.1.0.70.32 will break WFA's ability to communicate with cDOT clusters. You will receive the "Unable to connect to remote server" error should you implement this change per the directions above. It is also possible that this could impact 2.2 as well - I will be testing this when I get some of that mythical "free time".

     Scott Lindley

     Ahh.. you are right Scott and it was my bad.

My apologies for any inconvenience caused.

In WFA, some of the commandlets(like Get-WfaLogger and Connect-WfaCluster) internally use http connection to WFA server over localhost.

These will be impacted if WFA is not deployed over http.

Here are the steps to restrict WFA http access to localhost.

1. Open the Windows services console by using services.msc and stop the NetApp WFA Server service.

2. Find the standalone-full.xml file at WFA installation directory(<WFA Install>/jboss/standalone/configuration/standalone-full.xml.

3. Take a backup of this file.

4. Open the file and go to the section "<interfaces>". This is towards the end of the file.

5. Add one more "<interface>" section for localhost only binding.

  <interfaces>

....

  <interface name="localhost-only">

     <inet-address value="127.0.0.1"/>

</interface>

......

</interfaces>

5. Now locate http socket binding section in "<socket-binding-group>".

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

     ....

     <socket-binding name="http" interface="localhost-only" port="${http.port}"/>

     ....

</socket-binding-group>

7. Start WFA service.

NOTE: Updated the post as per Scott's post below.

I have implemented the fix, though there is one minor change. This section:

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

     ....

     <socket-binding name="http" interface="localhost-only" port="{http.port}"/>

     ....

</socket-binding-group>

Should read (difference in red😞

6. Modify http binding to use the localhost-only interface defined in step 4.

<socket-binding-group .....>

     ....

     <socket-binding name="http" interface="localhost-only" port="${http.port}"/>

     ....

</socket-binding-group>

Scott Lindley