Thursday, 29 September 2016

IBM Business Process Manager - More Cookie Fun

Following this earlier post: -


I've been tinkering further with cookies, in the context of IHS and, as importantly, IBM BPM Advanced.

I'm running BPM on WebSphere Application Server (WAS) 8.5.5.10, and using the corresponding version of IHS and the WebSphere Plugin.

Having implemented my earlier suggestion: -

LoadModule headers_module modules/mod_headers.so
Header set Set-Cookie HttpOnly;Secure

things appeared to work ….

However, I did find that, in the context of BPM, the Business Process Choreographer (BPC) Explorer UI failed to render once this cookie trick was in place :-(

Whilst it appeared to work, I realised that the BPC login page never actually loaded; the browser would just "spin" through an apparently infinite redirection loop, with this sequence appearing in the IHS access log: -

192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/pages/Default.jsp?BPCTZ=-60 HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/pages/layouts/views/TaskInstanceListView.jsp HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/ibm_security_logout?logoutExitPage=/index.jsp HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/index.jsp HTTP/1.1" 200 1049
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/pages/Default.jsp?BPCTZ=-60 HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/pages/layouts/views/TaskInstanceListView.jsp HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/faces/ibm_security_logout?logoutExitPage=/index.jsp HTTP/1.1" 302 -
192.168.153.1 - - [27/Sep/2016:08:56:00 +0100] "GET /bpc/index.jsp HTTP/1.1" 200 1049


repeatedly.

When I enabled tracing in WAS: -

*=info:com.ibm.ws.webcontainer*=all:com.ibm.wsspi.webcontainer*=all:HTTPChannel=all:GenericBNF=all:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all

( for the SupCluster JVM ), I saw this: -

[9/27/16 10:19:11:894 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:894 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:894 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:904 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:904 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:904 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:915 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:915 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:950 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10
[9/27/16 10:19:11:950 BST] 000000bd CookieHeaderB 3   Token not valid for header, Key: Cookie Ordinal: 14 undefined: false Key: httponly Ordinal: 10


which, to my simple mind, implied that the httponly cookie was somehow "choking" the SupCluster Web Container :-(

So I've spent the past day or so tinkering, and believe I have a viable solution.

I further modified httpd.conf and strategically placed the Header directive inside the Virtual Host that's used to configure IHS to listen on 8443 for HTTPS traffic: -

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule headers_module modules/mod_headers.so
Listen 8443
<VirtualHost *:8443>
        Header setifempty Set-Cookie HttpOnly;Secure
        SSLEnable
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/BPM/ssl/keystore.kdb
SSLDisable


This is the only place where I modify the headers.

Note also that I'm using the setifempty verb rather than set or edit.

With this in place, I ran a series of tests for the BPM URLs via IHS: -

https://IBMCloud:8443/

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:06:16 GMT
Last-Modified: Fri, 24 Jun 2016 18:25:52 GMT
Etag: "da5-5360a4cf12c00"
Accept-Ranges: bytes
Content-Length: 3493
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html


https://IBMCloud:8443/foobar.html

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:06:30 GMT
Last-Modified: Thu, 29 Sep 2016 06:22:07 GMT
Etag: "15-53d9f7f3add59"
Accept-Ranges: bytes
Content-Length: 21
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html

https://IBMCloud:8443/ProcessAdmin/login.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:07:28 GMT
X-Powered-By: Servlet/3.0
Content-Length: 3906
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en-US


https://IBMCloud:8443/ProcessAdmin/ProcessAdmin/com.lombardisoftware.processadmin.ProcessAdmin/ProcessAdmin.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 09:55:23 GMT
X-Powered-By: Servlet/3.0
BPM_GENERIC_HEADER: SERVED
Last-Modified: Wed, 04 Jun 2014 09:44:06 GMT
Content-Length: 77122
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=99
Connection: Keep-Alive
Content-Type: text/css
Content-Language: en-US


https://IBMCloud:8443/ProcessPortal/login.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:07:43 GMT
X-Powered-By: Servlet/3.0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Content-Language: en-US


https://IBMCloud:8443/ProcessPortal/dashboards/TWP/BPM_WORK?tw.local.view=tasks&tw.local.state=open

HTTP/1.1 302 Found
Date: Thu, 29 Sep 2016 08:18:04 GMT
X-Powered-By: Servlet/3.0
Location: https://IBMCloud:8443/ProcessPortal/jsp/index.jsp#%2Fdashboards%2FTWP%2FBPM_WORK?tw.local.view=tasks&tw.local.state=open
Content-Length: 0
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en-US


https://IBMCloud:8443/PerformanceAdmin/login.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:08:12 GMT
X-Powered-By: Servlet/3.0
Content-Length: 2255
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en-US


https://IBMCloud:8443/PerformanceAdmin/console/Welcome.do

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:48:06 GMT
X-Powered-By: Servlet/3.0
Set-Cookie: HttpOnly;Secure
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Language: en-US


https://IBMCloud:8443/bpc/faces/pages/Login.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:08:30 GMT
X-Powered-By: Servlet/3.0
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oam.Flash.RENDERMAP.TOKEN=kdtlsujc7; Path=/bpc; Secure; HttpOnly
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Content-Language: en-US


https://IBMCloud:8443/bpc/faces/pages/layouts/views/TaskInstanceListView.jsp

HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 08:16:29 GMT
X-Powered-By: Servlet/3.0
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oam.Flash.RENDERMAP.TOKEN=kdtlsujcf; Path=/bpc; Secure; HttpOnly
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Content-Language: en-US
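As an added check, not part of the original post, the following Python script audits captured response headers like those above: every named cookie must carry both Secure and HttpOnly, and a Set-Cookie value with no name=value pair (such as the bare HttpOnly;Secure seen on most responses above) is flagged as not being a cookie at all, as distinct from the genuinely hardened oam.Flash.RENDERMAP.TOKEN cookie the BPC responses return. The sample responses are constructed: two mirror the captures above and the third is an invented unprotected JSESSIONID.

```python
"""Audit Set-Cookie headers in captured HTTP responses for Secure/HttpOnly."""
from typing import Dict, List

# Constructed sample responses (assumption): the first two mirror the
# ProcessAdmin and BPC captures in the post, the third is invented to show
# a cookie that carries neither flag.
SAMPLE_RESPONSES = {
    "/ProcessAdmin/login.jsp":
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: HttpOnly;Secure\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n\r\n",
    "/bpc/faces/pages/Login.jsp":
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: oam.Flash.RENDERMAP.TOKEN=kdtlsujc7; Path=/bpc; Secure; HttpOnly\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n\r\n",
    "/constructed/unprotected.jsp":
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: JSESSIONID=0000abc; Path=/\r\n\r\n",
}

def set_cookie_values(raw: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n")[1:]          # skip status line
            if line.lower().startswith("set-cookie:")]

def audit_cookie(value: str) -> List[str]:
    """Findings for one Set-Cookie value; an empty list means it is fine."""
    parts = [p.strip() for p in value.split(";")]
    if "=" not in parts[0]:
        # No name=value pair: this is not a cookie (RFC 6265 5.2), so it is
        # the header-injected placeholder, not a hardened application cookie.
        return ["no name=value pair"]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"missing {flag}" for flag in ("Secure", "HttpOnly")
            if flag.lower() not in attrs]

def audit_responses(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each path to the findings for every Set-Cookie it returned."""
    return {path: [f"Set-Cookie '{v}': {f}"
                   for v in set_cookie_values(raw)
                   for f in audit_cookie(v)]
            for path, raw in responses.items()}

if __name__ == "__main__":
    for path, findings in audit_responses(SAMPLE_RESPONSES).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Feed it the raw output of an HTTP HEAD or GET against each BPM URL to repeat the series of tests above without reading the headers by eye.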

Some of my inspiration came from here: -

