9 Replies. Latest reply: Apr 8, 2014 9:04 AM by SCOTT.LINDLEY

How do you configure WFA 2.1 for HTTPS-only access?

SCOTT.LINDLEY Sprinter

The install and setup documentation supplied with WFA 2.1 documents the same procedure for configuring WFA to allow only HTTPS access that the 2.0.x versions document. Unfortunately, the specified path to the server.xml file does not exist, and there is no server.xml file in the WFA hierarchy. How does one go about configuring WFA 2.1 for HTTPS-only access?

 

Scott Lindley

  • Re: How do you configure WFA 2.1 for HTTPS-only access?
    sinhaa NetApp Employee Kart Racer

    Scott,

    There is a file named standalone-full.xml located in the WFA\jboss\standalone\configuration folder.

    1. Find and comment out or delete the following line.

     

    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" executor="http-executor" />

     

    2. Restart the WFA Database service (it will restart the WFA server service too). Wait for the services to come up.

     

    3. Open the browser and you'll see that WFA will only connect using HTTPS and not HTTP.

     

    warm regards,

    sinhaa

    • Re: How do you configure WFA 2.1 for HTTPS-only access?
      bachman NetApp Employee Cyclist

      Out of curiosity, why do we have to configure this by editing a file, rather than setting it within the UI? That would be the appropriate place for what should be a common setting.

       

      Phil

      • Re: How do you configure WFA 2.1 for HTTPS-only access?
        sinhaa NetApp Employee Kart Racer

        Phil,

        Making WFA work completely in an HTTPS environment would require more than editing this line. The steps mentioned above just prevent any HTTP connection and allow only HTTPS. But for HTTPS environment configuration, the WFA user will need to generate a CSR, obtain a certificate from the CSA (CA) and import it into WFA to replace the self-signed certificate that comes with the WFA installer with a real one given by the CSA. All of this can't be done from the UI alone.

         

        warm regards,

        Abhishek

    • Re: How do you configure WFA 2.1 for HTTPS-only access?
      SCOTT.LINDLEY Sprinter

      Thank you so much for your prompt reply. I did exactly what you said and it worked perfectly, first time. Hopefully the docs for the GA version will be updated before it is released.

       

           Scott

      • Re: How do you configure WFA 2.1 for HTTPS-only access?
        sinhaa NetApp Employee Kart Racer

        Scott,

             Good to know that it worked for you. We have identified it to be fixed in GA documentation.

         

        sinhaa

        • Re: How do you configure WFA 2.1 for HTTPS-only access?
          SCOTT.LINDLEY Sprinter

          I need to warn you that performing this step with WFA 2.1.0.70.32 will break WFA's ability to communicate with cDOT clusters. You will receive the "Unable to connect to remote server" error should you implement this change per the directions above. It is also possible that this could impact 2.2 as well - I will be testing this when I get some of that mythical "free time".

           

               Scott Lindley

          • Re: How do you configure WFA 2.1 for HTTPS-only access?
            sinhaa NetApp Employee Kart Racer

                 Ahh.. you are right Scott and it was my bad.

             

            My apologies for any inconvenience caused.

            • Re: How do you configure WFA 2.1 for HTTPS-only access?
              bestinj NetApp Employee Novice

              In WFA, some of the commandlets (like Get-WfaLogger and Connect-WfaCluster) internally use an HTTP connection to the WFA server over localhost.

              These will be impacted if WFA is not deployed over HTTP.

               

              Here are the steps to restrict WFA http access to localhost.

               

              1. Open the Windows services console by using services.msc and stop the NetApp WFA Server service.

              2. Find the standalone-full.xml file in the WFA installation directory (<WFA Install>/jboss/standalone/configuration/standalone-full.xml).

              3. Take a backup of this file.

              4. Open the file and go to the section "<interfaces>". This is towards the end of the file.

              5. Add one more "<interface>" section for localhost only binding.

              <interfaces>

                   ....

                   <interface name="localhost-only">

                        <inet-address value="127.0.0.1"/>

                   </interface>

                   ....

              </interfaces>

               

              5. Now locate http socket binding section in "<socket-binding-group>".

               

              6. Modify http binding to use the localhost-only interface defined in step 4.

              <socket-binding-group .....>

                   ....

                   <socket-binding name="http" interface="localhost-only" port="${http.port}"/>

                   ....

              </socket-binding-group>

               

              7. Start WFA service.

               

              NOTE: Updated the post as per Scott's post below.

              • Re: How do you configure WFA 2.1 for HTTPS-only access?
                SCOTT.LINDLEY Sprinter

                I have implemented the fix, though there is one minor change. This section:

                 

                6. Modify http binding to use the localhost-only interface defined in step 4.

                <socket-binding-group .....>

                     ....

                     <socket-binding name="http" interface="localhost-only" port="{http.port}"/>

                     ....

                </socket-binding-group>

                 

                Should read (difference in red):

                 

                6. Modify http binding to use the localhost-only interface defined in step 4.

                <socket-binding-group .....>

                     ....

                     <socket-binding name="http" interface="localhost-only" port="${http.port}"/>

                     ....

                </socket-binding-group>

                 

                Scott Lindley
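
A static check for the configuration this thread arrives at, added here as an example (it is not part of any post above and is not NetApp code): it parses a standalone-full.xml and reports whether the http socket binding resolves to a loopback-only interface, whether the port attribute carries the `{http.port}` typo corrected above, and whether the http connector was removed. The sample XML is constructed; its namespace URIs and the "public" interface are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the thread discusses; the
# namespace URIs and the "public" interface are assumptions for illustration.
SAMPLE = """<server xmlns="urn:jboss:domain:1.4">
  <profile><subsystem xmlns="urn:jboss:domain:web:1.4">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  </subsystem></profile>
  <interfaces>
    <interface name="public"><any-address/></interface>
    <interface name="localhost-only"><inet-address value="127.0.0.1"/></interface>
  </interfaces>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" interface="localhost-only" port="${http.port}"/>
  </socket-binding-group>
</server>"""

def local(tag):
    # JBoss config elements are namespaced; compare on the local name only.
    return tag.rsplit("}", 1)[-1]

def audit_http_binding(xml_text):
    """Return a list of findings; an empty list means HTTP is loopback-only."""
    root = ET.fromstring(xml_text)
    by_tag = lambda name: [e for e in root.iter() if local(e.tag) == name]
    findings = []
    if not any(c.get("name") == "http" for c in by_tag("connector")):
        findings.append("http connector removed: localhost cmdlets cannot reach WFA")
    binding = next((b for b in by_tag("socket-binding") if b.get("name") == "http"), None)
    if binding is None:
        return findings + ["no socket-binding named http"]
    port = binding.get("port", "")
    if not re.fullmatch(r"\d+|\$\{[^{}]+\}", port):  # literal port or ${expression}
        findings.append(f"malformed port value {port!r}")
    group = next(iter(by_tag("socket-binding-group")), None)
    default = group.get("default-interface") if group is not None else None
    iface_name = binding.get("interface") or default  # falls back to the group default
    iface = next((i for i in by_tag("interface") if i.get("name") == iface_name), None)
    children = iface if iface is not None else []
    addrs = [a.get("value", "") for a in children if local(a.tag) == "inet-address"]
    try:
        loopback = bool(addrs) and all(ipaddress.ip_address(a).is_loopback for a in addrs)
    except ValueError:
        loopback = False  # expression or hostname: cannot be confirmed statically
    if not loopback:
        findings.append(f"http binding interface {iface_name!r} is not confirmed loopback-only")
    return findings
```

Run it against a copy of the real file with `audit_http_binding(open(path, encoding="utf-8").read())`; a static pass does not replace confirming from another host that the HTTP port no longer answers.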
