Wednesday, 1 August 2012

IBM HTTP Server 7 - client denied by server configuration: /opt/IBMIHS

I'm posting this mainly to stop others from falling into the same trap as me.

So here's the background, I'm completing the setup of a WebSphere Portal 8 environment ( more later ) for a Portal/BPM project on which I'm engaged.

I've re-used a VMware image that already contained IBM HTTP Server (IHS) 7, so I thought I might as well re-use that for the Portal server.

IHS consists of two specific instances of Apache; one running on port 80 ( the normal web server ) and one running on port 8008 ( the Admin server ).

Having completed the connectivity between WebSphere Application Server (WAS) 8 and IHS, allowing me to manage/start/stop IHS from within the WAS Integrated Solutions Console, I decided to try accessing the IHS admin instance directly.

This is the URL that I used: -

Sadly, this failed with HTTP 403, and I saw: -

Forbidden

You don't have permission to access / on this server.

with a corresponding set of errors in the log - /opt/IBM/HTTPServer/logs/admin_error.log

... 
[Wed Aug 01 11:48:37 2012] [notice] Using config file /opt/IBM/HTTPServer/conf/admin.conf 
[Wed Aug 01 11:48:37 2012] [notice] IBM_HTTP_Server/7.0.0.0 (Unix) configured -- resuming normal operations
[Wed Aug 01 11:48:37 2012] [notice] Core file limit is 0; core dumps will be not be written for server crashes
[Wed Aug 01 11:57:21 2012] [error] [client 127.0.0.1] client denied by server configuration: /opt/IBMIHS
[Wed Aug 01 11:57:21 2012] [error] [client 127.0.0.1] client denied by server configuration: /opt/IBMIHS
[Wed Aug 01 11:57:21 2012] [error] [client 127.0.0.1] client denied by server configuration: /opt/IBMIHS
[Wed Aug 01 11:57:24 2012] [error] [client 127.0.0.1] client denied by server configuration: /opt/IBMIHS
[Wed Aug 01 11:57:29 2012] [error] [client 127.0.0.1] client denied by server configuration: /opt/IBMIHS
...

This led me to check whether I'd correctly set up the IHS admin instance, so I ran the following command: -

$ /opt/IBM/HTTPServer/bin/setupadm -usr ihsadmin -grp ihsadmins -cfg /opt/IBM/HTTPServer/conf/httpd.conf -plg /opt/IBM/HTTPServer/Plugins/config/wp8.uk.ibm.com/plugin-cfg.xml -adm /opt/IBM/HTTPServer/conf/admin.conf

which returned: -

-usr ihsadmin -grp ihsadmins -cfg /opt/IBM/HTTPServer/conf/httpd.conf -plg /opt/IBM/HTTPServer/Plugins/config/wp8.uk.ibm.com/plugin-cfg.xml -adm /opt/IBM/HTTPServer/conf/admin.conf
Script Completed RC(90)

However, I still got the same problem.

Then, after some Googling, I tried a different URL: -

http://wp8.uk.ibm.com:8008/wasadmin

which presented me with a login box - when I tried to log in as ihsadmin, I got this in the logs: -

...
[Wed Aug 01 13:26:55 2012] [error] [client 127.0.0.1] user ihsadmin: authentication failure for "/wasadmin": Password Mismatch
[Wed Aug 01 13:27:33 2012] [error] [client 127.0.0.1] user ihsadmin: authentication failure for "/wasadmin": Password Mismatch
...

This made me question whether I'd set the password correctly for ihsadmin so I ran: -

$ /opt/IBM/HTTPServer/bin/htpasswd /opt/IBM/HTTPServer/conf/admin.passwd ihsadmin

to explicitly set the password.

This time around, I was able to log in to: -


but I then got: -

<?xml version="1.0" ?>
<SAIL_Error Severity="C2_WARN"  ID="AC_INVALID_HEADER" Msg="mod_ibm_admin: Missing the following request headers --- Command, Argument,  request will not be processed" />


At that point, I was ready to give up ....

Then I realised that I was being very very dumb.

The IHS admin instance is NO LONGER designed to be used by end-users - all the interaction is directly from WAS via the ISC.

In other words, there's no need to access the IHS admin instance on 8008 directly - all the interaction can be performed in one single place - the WAS ISC.

So it was a waste of time, but a useful learning curve ...


No comments: