Question & Answer
Question
You are trying to view Message Flow statistics in the App Connect Enterprise (ACE) Admin console but when you click on the "Flow Statistics" tab in the Admin console you get the following error:
Failed to connect for statistics! This is a WebSocket error. Contact your system administrator or check your settings in server.conf.yaml
Answer
This error occurs when one connects to the web UI using a different hostname than the one specified in the host property of the RestAdminListener.
The web UI included in ACE follows industry standard best practices and specifies a Content-Security-Policy header. This header explicitly allows websocket connections to originate from only pages served by the same hostname as was configured on the listener.
For example:
- In the /etc/hosts file, set the host property to the name of the virtual machine (testsystem) for both the ACE runtime and the web browser system to correctly resolve the name "testsystem". When loading the web UI using the name "testsystem", the web socket connection is created successfully.
- If we instead use the fully qualified hostname to connect to the system, the request to establish the websocket is rejected.
The cause for an error case versus a successful connection is the difference in "Origin" header set by the browser.
Compare the parameters used in a failing request to those used by a successful request:
Failed request:
curl -H 'Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits' \
-H 'Sec-WebSocket-Key: ef+QhHPD9XMJcBwbayIHjA==' \
-H 'Sec-WebSocket-Version: 13' \
-H 'Upgrade: websocket' \
-H 'Connection: Upgrade' \
-H 'Origin: http://testsystem1.ibm.com:4416'; \
-v http://testsystem1.ibm.com:4416/raw-ws
* Trying 123.123.123.123:4416...
* Connected to testsystem1.ibm.com (123.123.123.123) port 4416 (#0)
> GET /raw-ws HTTP/1.1
> Host: testsystem1.ibm.com:4416
> User-Agent: curl/7.79.1
> Accept: */*
> Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
> Sec-WebSocket-Key: ef+QhHPD9XMJcBwbayIHjA==
> Sec-WebSocket-Version: 13
> Upgrade: websocket
> Connection: Upgrade
> Origin: http://testsystem1.ibm.com:4416
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
* no chunk, no close, no size. Assume close to signal end
<
* Closing connection 0
Successful request:
curl -H 'Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits' \
-H 'Sec-WebSocket-Key: ef+QhHPD9XMJcBwbayIHjA==' \
-H 'Sec-WebSocket-Version: 13' \
-H 'Upgrade: websocket' \
-H 'Connection: Upgrade' \
-H 'Origin: http://testsystem:4416'; \
-v http://testsystem1.ibm.com:4416/raw-ws
* Trying 123.123.123.123:4416...
* Connected to testsystem1.ibm.com (123.123.123.123) port 4416 (#0)
> GET /raw-ws HTTP/1.1
> Host: testsystem1.ibm.com:4416
> User-Agent: curl/7.79.1
> Accept: */*
> Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
> Sec-WebSocket-Key: ef+QhHPD9XMJcBwbayIHjA==
> Sec-WebSocket-Version: 13
> Upgrade: websocket
> Connection: Upgrade
> Origin: http://testsystem:4416
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 101 Switching Protocols
< Upgrade: websocket
< Connection: Upgrade
< Sec-WebSocket-Accept: MEvkIMLzOWo0uPZ9aORm/3d9JN4=
<
Even though the Host used for the actual HTTP request is the same, the difference in "Origin" is enough for the request to be rejected as it violates the Content-Security-Policy. It is not possible to configure the Content Security Policy to allow websocket connections from multiple hostnames.
To resolve the issue, update the hostname in the RestAdminListener configuration so that it accurately reflects the hostname used for the web UI when connecting to the Integration Node.
[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSDR5J","label":"IBM App Connect Enterprise"},"ARM Category":[{"code":"a8m0z000000cwQwAAI","label":"ACE-\u003EPerformance"}],"ARM Case Number":"TS011986374","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
25 April 2023
UID
ibm16983873