Monday, 4 December 2017

WebSphere Liberty Profile - why doesn't HTTPS work ?

It took me a while to work out where I'd gone wrong earlier.

I was configuring a newly installed WebSphere Liberty Profile environment ( actually hosting IBM Mobile First Platform ) for HTTPS, and couldn't work out why the server wasn't listening on port 9443.

This is, in brief, what I did: -

Create Default Server

/opt/ibm/WebSphere/Liberty/bin/server create

Server defaultServer created.

Install MFP

/opt/ibm/InstallationManager/eclipse/tools/imcl -input /mnt/ResponseFiles/installMFP8.rsp -acceptLicense

***********************************************************************
Before you start using the product, you must deploy a MobileFirst Server to your application server. 
For more information about deploying projects with the Server Configuration Tool or command line tools, see 
the documentation at http://ibm.biz/knowctr#SSHS8R_8.0.0/com.ibm.worklight.deploy.doc/topics/c_deploy.html. 
***********************************************************************
Installed com.ibm.mobilefirst.foundation.server_8.0.0.20160610_0940 to the /opt/ibm/MFP directory.


Create WLP Keystore and Public/Private Keypair

/opt/ibm/WebSphere/Liberty/bin/securityUtility createSSLCertificate --server=defaultServer --password=passw0rd --validity=365

Configure WLP/MFP 

vi /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/server.xml

inserting: -

    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>

    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />


Start MFP

/opt/ibm/WebSphere/Liberty/bin/server start

Check logs

tail -f /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/logs/console.log /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/logs/messages.log

Weirdly, whilst I saw this: -

[AUDIT   ] CWWKT0016I: Web application available (default_host): http://192.168.153.131:9080/ibm/api/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://192.168.153.131:9080/IBMJMXConnectorREST/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://192.168.153.131:9080/appcenterconsole/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://192.168.153.131:9080/applicationcenter/


I saw NO reference to port 9443.

Check WLP via HTTPS

curl --insecure https://mfp.uk.ibm.com:9443/

curl: (7) Failed connect to mfp.uk.ibm.com:9443; Connection refused

I must've spent 20 minutes tinkering with this, including looking at my server.xml : -

cat ../server.xml

<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">

    <!-- Enable features -->
    <featureManager>
        <feature>jsp-2.3</feature>
    
        <!-- Begin of features added by IBM MobileFirst installer. -->
        <!-- The following lines will be removed when the application is uninstalled -->
        <feature>jdbc-4.1</feature>
        <feature>servlet-3.1</feature>
        <feature>appSecurity-2.0</feature>
        <feature>usr:MFPDecoderFeature-1.0</feature>
        <!-- End of features added by IBM MobileFirst installer. -->

        <feature>ssl-1.0</feature>
        <feature>restConnector-1.0</feature>

    </featureManager>

    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint"
                  httpPort="9080"
                  httpsPort="9443" host="*" >
        <!-- Option soReuseAddr added by IBM MobileFirst installer. -->
        <tcpOptions soReuseAddr="true"/>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

    </httpEndpoint>

Can you see what I did wrong ?

Yep, here it is: -

    <httpEndpoint id="defaultHttpEndpoint"
                  httpPort="9080"
                  httpsPort="9443" host="*" >
        <!-- Option soReuseAddr added by IBM MobileFirst installer. -->
        <tcpOptions soReuseAddr="true"/>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

    </httpEndpoint>


For some STUPID reason, I put the keystore stanza INSIDE the httpEndpoint stanza.

Which won't do.

Once I fixed it: -

...
    <httpEndpoint id="defaultHttpEndpoint"
                  httpPort="9080"
                  httpsPort="9443" host="*" >
        <!-- Option soReuseAddr added by IBM MobileFirst installer. -->
        <tcpOptions soReuseAddr="true"/>

    </httpEndpoint>
    
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />

and restarted WLP, things looked much better: -


<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>WebSphere Liberty 17.0.0.3</title>
<style>
body{
color: white;

doVersionCheck(latestReleasedVersion);
</script>
<script type="text/javascript" src="https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/downloads/adminCenter-welcome.js"></script>
</html>


See, it's ALL about the position :-)
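
A pre-start check for the mistake above, as an added example that is not part of the original post: it parses a server.xml and reports whether the ssl-1.0 feature is enabled and whether the defaultKeyStore element sits directly under <server>. The function name and the sample documents are constructed for illustration, and the check covers only the single file it is given (it does not follow <include> elements).

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the server.xml fragments in the post.
KEYSTORE = '<keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs="/>'
TEMPLATE = """<server description="new server">
    <featureManager><feature>ssl-1.0</feature></featureManager>
    <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443" host="*">
        <tcpOptions soReuseAddr="true"/>%s
    </httpEndpoint>%s
</server>"""
BROKEN = TEMPLATE % (KEYSTORE, "")   # keyStore nested inside httpEndpoint
FIXED = TEMPLATE % ("", KEYSTORE)    # keyStore directly under <server>


def check_https_config(xml_text):
    """Return a list of findings; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    if root.tag != "server":
        return ["root element is not <server>"]
    findings = []

    # The ssl-1.0 feature must be listed in a featureManager block.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "ssl-1.0" not in features:
        findings.append("ssl-1.0 feature not enabled")

    # Map every element to its parent so the nesting can be reported.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    stores = [e for e in root.iter("keyStore") if e.get("id") == "defaultKeyStore"]
    if not stores:
        findings.append("no keyStore with id defaultKeyStore")
    for ks in stores:
        parent = parent_of[ks]
        if parent is not root:
            findings.append(
                f"defaultKeyStore is nested inside <{parent.tag}>; "
                "move it directly under <server>"
            )
    return findings


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_https_config(doc) or "OK")
```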




