Wednesday, 1 August 2012

IBM HTTP Server 7 - client denied by server configuration: /opt/IBMIHS

I'm posting this mainly to stop others from falling into the same trap as me.

So here's the background, I'm completing the setup of a WebSphere Portal 8 environment ( more later ) for a Portal/BPM project on which I'm engaged.

I've re-used a VMware image that already contained IBM HTTP Server (IHS) 7, so I thought I might as well re-use that for the Portal server.

IHS consists of two specific instances of Apache; one running on port 80 ( the normal web server ) and one running on port 8008 ( the Admin server ).

Having completed the connectivity between WebSphere Application Server (WAS) 8 and IHS, allowing me to manage/start/stop IHS from within the WAS Integrated Solutions Console, I decided to try accessing the IHS admin instance directly.

This is the URL that I used: -

Sadly, this failed with HTTP 403, and I saw: -

Forbidden

You don't have permission to access / on this server.

with a corresponding set of errors in the log - /opt/IBM/HTTPServer/logs/admin_error.log

... 
[Wed Aug 01 11:48:37 2012] [notice] Using config file /opt/IBM/HTTPServer/conf/admin.conf 
[Wed Aug 01 11:48:37 2012] [notice] IBM_HTTP_Server/7.0.0.0 (Unix) configured -- resuming normal operations
[Wed Aug 01 11:48:37 2012] [notice] Core file limit is 0; core dumps will be not be written for server crashes
[Wed Aug 01 11:57:21 2012] [error] [client 127.0.0.1] client denied by server configuration: /opt/IBMIHS
[Wed Aug 01 11:57:21 2012] [error] [client 127.0.0.1] client denied by server configuration: /opt/IBMIHS
[Wed Aug 01 11:57:21 2012] [error] [client 127.0.0.1] client denied by server configuration: /opt/IBMIHS
[Wed Aug 01 11:57:24 2012] [error] [client 127.0.0.1] client denied by server configuration: /opt/IBMIHS
[Wed Aug 01 11:57:29 2012] [error] [client 127.0.0.1] client denied by server configuration: /opt/IBMIHS
...

This led me to check whether I'd correctly set up the IHS admin instance, so I ran the following command: -

$ /opt/IBM/HTTPServer/bin/setupadm -usr ihsadmin -grp ihsadmins -cfg /opt/IBM/HTTPServer/conf/httpd.conf -plg /opt/IBM/HTTPServer/Plugins/config/wp8.uk.ibm.com/plugin-cfg.xml -adm /opt/IBM/HTTPServer/conf/admin.conf

which returned: -

-usr ihsadmin -grp ihsadmins -cfg /opt/IBM/HTTPServer/conf/httpd.conf -plg /opt/IBM/HTTPServer/Plugins/config/wp8.uk.ibm.com/plugin-cfg.xml -adm /opt/IBM/HTTPServer/conf/admin.conf
Script Completed RC(90)

However, I still got the same problem.

Then, after some Googling, I tried a different URL: -

http://wp8.uk.ibm.com:8008/wasadmin

which presented me with a login box - when I tried to log in as ihsadmin, I got this in the logs: -

...
[Wed Aug 01 13:26:55 2012] [error] [client 127.0.0.1] user ihsadmin: authentication failure for "/wasadmin": Password Mismatch
[Wed Aug 01 13:27:33 2012] [error] [client 127.0.0.1] user ihsadmin: authentication failure for "/wasadmin": Password Mismatch
...

This made me question whether I'd set the password correctly for ihsadmin so I ran: -

$ /opt/IBM/HTTPServer/bin/htpasswd /opt/IBM/HTTPServer/conf/admin.passwd ihsadmin

to explicitly set the password.

This time around, I was able to log in to: -


but I then got: -

<?xml version="1.0" ?>
<SAIL_Error Severity="C2_WARN"  ID="AC_INVALID_HEADER" Msg="mod_ibm_admin: Missing the following request headers --- Command, Argument,  request will not be processed" />


At that point, I was ready to give up ....

Then I realised that I was being very very dumb.

The IHS admin instance is NO LONGER designed to be used by end-users - all the interaction is directly from WAS via the ISC.

In other words, there's no need to access the IHS admin instance on 8008 directly - all the interaction can be performed in one single place - the WAS ISC.

So it was a waste of time, but a useful learning curve ...


2 comments:

cesar carlos calderon said...

Hey! You almost saved my life! ALmost beacuse I'm super newbie in WebSphere and still don't know how to access the console. Can you please let me know? Thanks!

Dave Hay said...

Hi Cesar

Thanks for your kind comments.

So, for WAS, the administration console, known as the Integrated Solutions Console (ISC), is installed when you create a WAS profile ( I'm using the latest WAS 8.5.5.12 ), and will, by default, listen on a port around 904x.

As an example, on my environment, I have two cells, one managed by a Deployment Manager, where the ISC listens on port 9043, and one with a single standalone server, where the ISC listens on 9047.

Look in your logs for messages such as: -

[10/01/18 13:54:41:055 GMT] 00000094 webcontainer I com.ibm.ws.webcontainer.VirtualHostImpl addWebApplication SRVE0250I: Web Module adminconsole redirector has been bound to admin_host[*:9060,*:9043].

and: -

[11/01/18 09:01:54:402 GMT] 0000004d webcontainer I com.ibm.ws.webcontainer.VirtualHostImpl addWebApplication SRVE0250I: Web Module adminconsole redirector has been bound to admin_host[*:9064,*:9047].

( where the first port is HTTP and the second port is HTTPS ).

The URLs for the ISC look like this: -

https://bpm86.uk.ibm.com:9047/ibm/console/unsecureLogon.jsp

https://bpm86.uk.ibm.com:9043/ibm/console/logon.jsp

etc.

Hope this helps.

Cheers, Dave