Monday, 4 December 2017

WebSphere Liberty Profile - why doesn't HTTPS work ?

It took me a while to work out where I'd gone wrong earlier.

I was configuring a newly installed WebSphere Liberty Profile environment ( actually hosting IBM Mobile First Platform ) for HTTPS, and couldn't work out why the server wasn't listening on port 9443.

This is, in brief, what I did: -

Create Default Server

/opt/ibm/WebSphere/Liberty/bin/server create

Server defaultServer created.

Install MFP

/opt/ibm/InstallationManager/eclipse/tools/imcl -input /mnt/ResponseFiles/installMFP8.rsp -acceptLicense

***********************************************************************
Before you start using the product, you must deploy a MobileFirst Server to your application server. 
For more information about deploying projects with the Server Configuration Tool or command line tools, see 
the documentation at http://ibm.biz/knowctr#SSHS8R_8.0.0/com.ibm.worklight.deploy.doc/topics/c_deploy.html. 
***********************************************************************
Installed com.ibm.mobilefirst.foundation.server_8.0.0.20160610_0940 to the /opt/ibm/MFP directory.


Create WLP Keystore and Public/Private Keypair

/opt/ibm/WebSphere/Liberty/bin/securityUtility createSSLCertificate --server=defaultServer --password=passw0rd --validity=365

Configure WLP/MFP 

vi /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/server.xml

inserting: -

    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>

    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />


Start MFP

/opt/ibm/WebSphere/Liberty/bin/server start

Check logs

tail -f /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/logs/console.log /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/logs/messages.log

Weirdly, whilst I saw this: -

[AUDIT   ] CWWKT0016I: Web application available (default_host): http://192.168.153.131:9080/ibm/api/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://192.168.153.131:9080/IBMJMXConnectorREST/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://192.168.153.131:9080/appcenterconsole/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://192.168.153.131:9080/applicationcenter/


I saw NO reference to port 9443.

Check WLP via HTTPS

curl --insecure https://mfp.uk.ibm.com:9443/

curl: (7) Failed connect to mfp.uk.ibm.com:9443; Connection refused

I must've spent 20 minutes tinkering with this, including looking at my server.xml : -

cat ../server.xml

<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">

    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.3</feature>
    
        <!-- Begin of features added by IBM MobileFirst installer. -->
        <!-- The following lines will be removed when the application is uninstalled -->
        <feature>jdbc-4.1</feature>
        <feature>servlet-3.1</feature>
        <feature>appSecurity-2.0</feature>
        <feature>usr:MFPDecoderFeature-1.0</feature>
        <!-- End of features added by IBM MobileFirst installer. -->

        <feature>ssl-1.0</feature>
        <feature>restConnector-1.0</feature>

    </featureManager>

    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint"
                  httpPort="9080"
                  httpsPort="9443" host="*" >
        <!-- Option soReuseAddr added by IBM MobileFirst installer. -->
        <tcpOptions soReuseAddr="true"/>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

    </httpEndpoint>

Can you see what I did wrong ?

Yep, here it is: -

    <httpEndpoint id="defaultHttpEndpoint"
                  httpPort="9080"
                  httpsPort="9443" host="*" >
        <!-- Option soReuseAddr added by IBM MobileFirst installer. -->
        <tcpOptions soReuseAddr="true"/>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

    </httpEndpoint>


For some STUPID reason, I put the keystore stanza INSIDE the httpEndpoint stanza.

Which won't do.

Once I fixed it: -

...
    <httpEndpoint id="defaultHttpEndpoint"
                  httpPort="9080"
                  httpsPort="9443" host="*" >
        <!-- Option soReuseAddr added by IBM MobileFirst installer. -->
        <tcpOptions soReuseAddr="true"/>

    </httpEndpoint>
    
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

and restarted WLP, things looked much better: -


<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>WebSphere Liberty 17.0.0.3</title>
<style>
body{
color: white;

doVersionCheck(latestReleasedVersion);
</script>
<script type="text/javascript" src="https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/downloads/adminCenter-welcome.js"></script>
</html>


See, it's ALL about the position :-)
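
A check for this mistake, added here as an example and not part of the original post: it parses server.xml and reports a defaultKeyStore that is not a direct child of <server>, a missing ssl-1.0 feature, and an httpsPort with no top-level keystore behind it. The function name lint_server_xml and the two sample documents are made up for illustration, and the check assumes the server relies on the default SSL configuration, as in the post.

```python
import xml.etree.ElementTree as ET

def lint_server_xml(text):
    """Findings for a Liberty server.xml that uses the default SSL configuration."""
    root = ET.fromstring(text)
    if root.tag != "server":
        return ["root element is <%s>, expected <server>" % root.tag]
    findings = []
    # ElementTree keeps no parent pointers, so build a child -> parent map.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    default_ks = [k for k in root.iter("keyStore") if k.get("id") == "defaultKeyStore"]
    for ks in default_ks:
        if parent_of[ks] is not root:
            findings.append("defaultKeyStore is nested inside <%s>; move it "
                            "directly under <server>" % parent_of[ks].tag)
    has_top_level_ks = any(parent_of[k] is root for k in default_ks)
    features = {(f.text or "").strip() for f in root.iter("feature")}
    if "ssl-1.0" not in features:
        findings.append("feature ssl-1.0 is not listed in <featureManager>")

    for ep in root.iter("httpEndpoint"):
        port = ep.get("httpsPort")
        # httpsPort="-1" disables the HTTPS listener, so nothing to check there.
        if port and port != "-1" and not has_top_level_ks:
            findings.append("httpEndpoint %r sets httpsPort=%s but there is no "
                            "top-level defaultKeyStore" % (ep.get("id"), port))
    return findings

# Constructed samples modelled on the two server.xml variants in the post;
# the password is a placeholder, not a real encoded value.
BROKEN = """<server description="new server">
  <featureManager><feature>jsp-2.3</feature><feature>ssl-1.0</feature></featureManager>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443" host="*">
    <tcpOptions soReuseAddr="true"/>
    <keyStore id="defaultKeyStore" password="PLACEHOLDER"/>
  </httpEndpoint>
</server>"""

FIXED = """<server description="new server">
  <featureManager><feature>jsp-2.3</feature><feature>ssl-1.0</feature></featureManager>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443" host="*">
    <tcpOptions soReuseAddr="true"/>
  </httpEndpoint>
  <keyStore id="defaultKeyStore" password="PLACEHOLDER"/>
</server>"""

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_server_xml(doc) or "OK")
```

Running it against the server's own server.xml before a restart catches the misplaced stanza without waiting for port 9443 to fail to appear in the logs.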




