Enforcing the HTTP/1.1 protocol

You must use the HTTP/1.1 protocol in a QRadar® Suite Software environment when the certificate used for QRadar Suite Software is also a valid certificate for the IBM foundational services domain. Using the HTTP/2 protocol can cause the load balancer to coalesce connections when two routes exist for a custom certificate.

Procedure

  1. Log in to your Red Hat® OpenShift® Container Platform cluster by typing either of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <username> -p <password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. Confirm that the HTTP/2 protocol is in use by typing the following command. 
    oc get svc ambassadorcfg -o yaml | grep alpn_protocols

    If the HTTP/2 protocol is in use, the first line of the output includes h2. Go to step 3. For example:

    alpn_protocols: h2, http/1.1
alpn_protocols: h2, http/1.1

    If the first line of the output doesn't include h2, the HTTP/1.1 protocol is in use. Go to step 6.

  3. Create a YAML snippet similar to the following to apply the CP4SConfiguration custom resource: 
    apiVersion: isc.ibm.com/v1
kind: CP4SConfiguration
metadata:
  name: ingress
spec:
  values:
  - ingress.alpn_protocols=http/1.1
  4. Apply the CP4SConfiguration CR by typing the following command, where <file_name> is the name of the .yaml file that you created in step 3. 
    oc apply -f <file_name>
  5. Confirm that the HTTP/1.1 protocol is in use by typing the following command. 
    oc get svc ambassadorcfg -o yaml | grep alpn_protocols

    If the HTTP/1.1 protocol is in use, the first line of the output doesn't include h2. For example:

    alpn_protocols: http/1.1
alpn_protocols: h2, http/1.1
  6. Confirm that the HTTP/2 protocol is in use by Red Hat OpenShift Container Platform ingress by typing the following command. 
    oc get ingresses.config/cluster -o jsonpath='{.metadata.annotations}'

    If ingress.operator.openshift.io/default-enable-http2 is set to true, the HTTP/2 protocol is in use. Disable the HTTP/2 protocol for Red Hat OpenShift Container Platform ingress by typing the following command.

    oc annotate ingresses.config/cluster ingress.operator.openshift.io/default-enable-http2-

    If ingress.operator.openshift.io/default-enable-http2 doesn't appear in the output, the HTTP/2 protocol is not in use.