mkiltz

Pinned topic HTTPS redirect

2013-06-07T17:39:44Z

Hello,

In my server.xml I configured SSL, as follows:

    <httpEndpoint httpPort="-1" httpsPort="8443">
        <sslOptions sslRef="defaultSSLSettings"/>
    </httpEndpoint>
    <sslDefault sslRef="defaultSSLSettings" />
    <ssl id="defaultSSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
    <keyStore id="defaultKeyStore" password="{xor}" />
    <keyStore id="defaultTrustStore" password="{xor}" />
 

As you can see, I have disabled the HTTP port. I now have two questions:

1) HTTP is not really disabled; the application can still be reached with the default port 9080. Why is that the case?

2) Is there an option as in Tomcat to redirect the HTTP port to HTTPS?

Thanks a lot in advance.

Best regards,

Marco

  • mkiltz

    Re: HTTPS redirect

    2013-06-11T10:25:08Z

    In one part I can now answer my own question. With additional features, I am now able to redirect the port:

    <server description="WebAdminServer">
     
        <!-- Enable features -->
        <featureManager>
            <feature>ssl-1.0</feature>
            <feature>jsp-2.2</feature>
            <feature>servlet-3.0</feature>
            <feature>monitor-1.0</feature>
            <feature>appSecurity-1.0</feature>
            <feature>serverStatus-1.0</feature>
            <feature>localConnector-1.0</feature>
        </featureManager>
     
        <httpEndpoint host="*" httpPort="9079" httpsPort="9440">
            <sslOptions sslRef="mySSLConfig"/>
        </httpEndpoint>
        <sslDefault sslRef="AlternateSSLConfig" />
        <ssl id="mySSLConfig" keyStoreRef="myKeyStore" />
        <keyStore id="myKeyStore" type="JKS" password="{xor}KDMvayg6PT47MjYx" />
        <ssl id="AlternateSSLConfig" keyStoreRef="AlternateKeyStore" trustStoreRef="AlternateTrustStore" />
        <keyStore id="AlternateKeyStore" type="JKS" password="{xor}KDMvayg6PT47MjYx" />
        <keyStore id="AlternateTrustStore" type="JKS" password="{xor}KDMvayg6PT47MjYx" />
        <applicationMonitor updateTrigger="mbean" dropins="dropins" dropinsEnabled="true"/>
     
    </server>

    But the port 9080 is already in use, therefore I see the following exception:

    [6/11/13 9:08:06:358 CEST] 0000000f com.ibm.ws.tcpchannel.internal.TCPPort                       E CWWKO0221E: TCP Channel defaultHttpEndpoint initialization did not succeed.  The socket bind did not succeed for host localhost and port 9080.  The port might already be in use.
    [6/11/13 9:08:06:367 CEST] 0000000f com.ibm.ws.logging.internal.impl.Incident                    I FFDC1015I: An FFDC Incident has been created: "com.ibm.wsspi.channelfw.exception.RetryableChannelException: Address already in use ChannelUtils.start chain" at ffdc_13.06.11_09.08.06.0.log
    [6/11/13 9:08:06:370 CEST] 0000000f com.ibm.ws.tcpchannel.internal.TCPPort                       E CWWKO0221E: TCP Channel defaultHttpEndpoint-ssl initialization did not succeed.  The socket bind did not succeed for host localhost and port 9443.  The port might already be in use.
    [6/11/13 9:08:06:545 CEST] 0000000f com.ibm.ws.serverstatus.internal.ServerStatusImpl            I CWWKJ0001I: The server status service started successfully.
    [6/11/13 9:08:06:779 CEST] 0000000f com.ibm.ws.app.manager.internal.monitor.DropinMonitor        A CWWKZ0058I: Monitoring dropins for applications.
    [6/11/13 9:08:06:807 CEST] 00000015 com.ibm.ws.app.manager.internal.statemachine.StartAction     I CWWKZ0018I: Starting application WebAdmin.
    [6/11/13 9:08:07:986 CEST] 00000015 com.ibm.ws.webcontainer.osgi.webapp.WebGroup                 I SRVE0169I: Loading Web Module: WebAdmin.
    [6/11/13 9:08:07:986 CEST] 00000015 com.ibm.ws.webcontainer                                      I SRVE0250I: Web Module WebAdmin has been bound to default_host.
    [6/11/13 9:08:07:989 CEST] 00000015 com.ibm.ws.http.internal.VirtualHostImpl                     A CWWKT0016I: Web application available (default_host): http://localhost:9079/WebAdmin/*
     
    As you can see, the server still tries to use the default ports. How can I stop this? I already tried to define my own virtual host, but with the same result.

    Thanks,

    Marco

  • Ross Pavitt

    Re: HTTPS redirect

    2013-06-11T10:57:32Z
    Hi Marco,

    For the HTTP endpoint issue, I notice you don't have the id attribute set on your httpEndpoint. This means that you have defined a new httpEndpoint, rather than overridden the default one. Try adding id="defaultHttpEndpoint" to your httpEndpoint element and you should find only the ports you specify will attempt to bind.

    Thanks Marco,

    Ross.
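
The merge-by-id behaviour Ross describes, as an added example that is not part of the thread and not IBM code: a small Python check that lists the plaintext HTTP ports a server.xml leaves enabled. The function names are hypothetical, the default ports 9080 and 9443 are taken from the log above, and localhost as the host of an endpoint that sets none is an assumption.

```python
import xml.etree.ElementTree as ET

# The endpoint the server defines on its own; ports as seen in the log above.
DEFAULT_ID = "defaultHttpEndpoint"
DEFAULTS = {"host": "localhost", "httpPort": "9080", "httpsPort": "9443"}


def effective_endpoints(server_xml):
    """Merge httpEndpoint elements by id, the way Ross describes."""
    endpoints = {DEFAULT_ID: dict(DEFAULTS)}
    unnamed = 0
    for elem in ET.fromstring(server_xml).iter("httpEndpoint"):
        eid = elem.get("id")
        if eid is None:
            # No id: this is a new endpoint, the default one stays as it was.
            unnamed += 1
            eid = f"<no id #{unnamed}>"
        entry = endpoints.setdefault(eid, {})
        for attr in ("host", "httpPort", "httpsPort"):
            if elem.get(attr) is not None:
                entry[attr] = elem.get(attr)
    return endpoints


def plaintext_listeners(server_xml):
    """Return (endpoint id, host, port) for every HTTP port not set to -1."""
    found = []
    for eid, cfg in effective_endpoints(server_xml).items():
        port = cfg.get("httpPort")
        if port not in (None, "-1"):
            # Assumption: an endpoint without a host attribute uses localhost.
            found.append((eid, cfg.get("host", "localhost"), port))
    return found


# Constructed input: the endpoint from the first post, then the same with an id.
AS_POSTED = """<server>
  <httpEndpoint httpPort="-1" httpsPort="8443">
    <sslOptions sslRef="defaultSSLSettings"/>
  </httpEndpoint>
</server>"""
WITH_ID = AS_POSTED.replace("<httpEndpoint ", f'<httpEndpoint id="{DEFAULT_ID}" ')

if __name__ == "__main__":
    print("as posted:", plaintext_listeners(AS_POSTED))
    print("with id:  ", plaintext_listeners(WITH_ID))
```

Run against the configuration as first posted, the check still reports port 9080 on defaultHttpEndpoint; with the id added it reports no plaintext listener.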

  • mkiltz

    Re: HTTPS redirect

    2013-06-11T11:08:32Z

    Hi Ross,

    Thanks a lot for your update. That was the solution. Thanks a lot for your help.

    Are the IDs for other components also important (in terms of creating a new object instead of overwriting it)?

    Thanks,

    Marco