IBM Support

PI77874: PLUGIN OFFLOAD/ONLOAD FOR SSL

APAR status

  • Closed as program error.

Error description

  • The plugin can now be configured to ignore the protocol used
    between the client and IBM HTTP Server.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server web        *
    *                  server plugin users                         *
    ****************************************************************
    * PROBLEM DESCRIPTION: The WebSphere web server plugin can     *
    *                      not be configured to change             *
    *                      communication protocols used between    *
    *                      the client and WebSphere.               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The web server plugin tries to match communication protocols,
    so if a client makes an http request to the web server, the
    plugin will try to make an http connection to WebSphere. If the
    client uses https, the plugin will attempt to use https.
    

Problem conclusion

  • There is a custom property (UseInsecure) which can be
    configured to allow incoming https client requests to use http
    connections to WebSphere when the plugin detects an error with
    the security configuration and https connections are not
    possible. However, there may be times when a user would like
    the plugin component to change protocols regardless of the
    security configuration.
    
    The plugin component now accepts a new Config tag called
    SSLMapMode. This can be set through WebSphere custom properties
    or, if using IHS or Apache, as a web server environment
    variable. The property accepts the following values:
    "onload", which uses an https connection to WebSphere when
    the client uses an http connection to the web server;
    "offload", which uses an http connection to WebSphere when
    the client uses an https connection to the web server;
    or
    "default", which retains the same behavior as if the
    property was not set.
    
    To set using a WebSphere custom property, navigate to the
    webserver-><servername>->Plug-in properties->Custom
    Properties window and add the property SSLMapMode with a
    value of "onload", "offload" or "default".
    
    
    
    You can use Apache environment variables to limit the scope of
    ssl-map-mode to a particular subset of requests. To configure
    using an Apache or IBM HTTP Server environment variable, set
    the environment variable "ssl-map-mode" to onload, offload or
    default. Default will use the same connection type to
    WebSphere that the client used.
    
    As an example, add the following directive to transform
    https requests for /myapp to http requests when the requests
    are sent to the WebSphere Application Server:
    
    1. Make sure the LoadModule directive for mod_setenvif is
    uncommented.
    2. Append the following directive to httpd.conf, choosing
    a mode:
    
    SetEnvIf Request_URI /myapp.* ssl-map-mode=offload
    
    
    Note: The SetEnv directive can also be used to configure this
    mode if the plugin component is NOT using Intelligent
    Management.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 9.0.0.4.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
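
An added example, not IBM's code: a Python audit that scans httpd.conf text for directives setting ssl-map-mode. It flags "offload" (the hop from the web server to WebSphere is plain http) and SetEnvIf patterns without a leading ^, since the regex matches anywhere in the attribute and /myapp.* also matches URIs such as /other/myapp. The sample configuration is constructed; the parser assumes one directive per line and patterns without embedded spaces.

```python
import re

VALID_MODES = {"onload", "offload", "default"}  # values listed in the APAR
# SetEnvIf <attribute> <regex> ... ssl-map-mode=<mode>
SETENVIF = re.compile(
    r"^\s*SetEnvIf(?:NoCase)?\s+(\S+)\s+(\S+)\s+.*?\bssl-map-mode=(\S+)", re.I)
# SetEnv ssl-map-mode <mode>
SETENV = re.compile(r"^\s*SetEnv\s+ssl-map-mode\s+(\S+)", re.I)


def audit(conf_text):
    """Return one finding per directive that sets ssl-map-mode."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives have no effect
        m = SETENVIF.match(line)
        if m:
            pattern, mode = m.group(2).strip('"'), m.group(3)
        else:
            m = SETENV.match(line)
            if not m:
                continue
            pattern, mode = None, m.group(1)
        mode = mode.strip('"').lower()
        notes = []
        if mode not in VALID_MODES:
            notes.append("unrecognized mode")
        if mode == "offload":
            notes.append("plaintext http hop to WebSphere")
        if pattern is None:
            notes.append("applies to every request in scope")
        elif not pattern.startswith("^"):
            notes.append("unanchored pattern")
        findings.append({"line": lineno, "mode": mode,
                         "match": pattern, "notes": notes})
    return findings


# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
LoadModule setenvif_module modules/mod_setenvif.so
# SetEnvIf Request_URI ^/old ssl-map-mode=offload
SetEnvIf Request_URI /myapp.* ssl-map-mode=offload
SetEnvIf Request_URI ^/myapp(/|$) ssl-map-mode=offload
SetEnvIf Request_URI ^/internal/ ssl-map-mode=onload
SetEnv ssl-map-mode offlaod
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["line"], f["mode"], f["match"], "; ".join(f["notes"]) or "ok")
```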
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI77874

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-03-09

  • Closed date

    2017-03-10

  • Last modified date

    2021-07-21

  • APAR is sysrouted FROM one or more of the following:

    PI76001

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R900 PSY

       UP

Document Information

Modified date:
18 October 2021