-
1. Re: HTTPS?
ips May 13, 2011 10:25 AM (in response to joblandin)
Edit <jon-server-home>/jbossas/server/default/deploy/jboss-web.deployer/conf/web.xml and add the following lines at the bottom of the file, just before the "</web-app>" line:
<security-constraint>
  <display-name>Redirect HTTP to HTTPS</display-name>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
then restart the JON Server.
-
2. HTTPS?
ips May 13, 2011 12:00 PM (in response to ips)
!! CORRECTION to my previous post !!
Add the security constraint block to <jon-server-home>/jbossas/server/default/deploy/rhq.ear/rhq-portal.war/WEB-INF/web.xml instead of to <jon-server-home>/jbossas/server/default/deploy/jboss-web.deployer/conf/web.xml. And if you are on JON 2.4.0 or later, also add it to <jon-server-home>/jbossas/server/default/deploy/rhq.ear/coregui.war/WEB-INF/web.xml.
The problem with adding it to the global web.xml, as I originally suggested, is that it also affects the JMX Remoting servlet invoker war and ends up breaking communication with Agents.
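A check for the layout described in the correction above, as an added example that is not part of the original thread: it reports when the CONFIDENTIAL constraint is present in the global web.xml or missing from the per-application files. The function names and the `jon_home` argument are assumptions made for this sketch; the relative paths are the ones quoted in the posts.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Paths relative to <jon-server-home>, as named in the posts above.
DEPLOY = Path("jbossas/server/default/deploy")
GLOBAL_XML = DEPLOY / "jboss-web.deployer/conf/web.xml"
# (path, required); coregui.war is only expected on JON 2.4.0 or later.
APP_XMLS = [(DEPLOY / "rhq.ear/rhq-portal.war/WEB-INF/web.xml", True),
            (DEPLOY / "rhq.ear/coregui.war/WEB-INF/web.xml", False)]


def _local(tag):
    """Drop any XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Collect the stripped text of every descendant element called name."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]


def forces_https(web_xml):
    """True if a security-constraint covers /* with transport-guarantee CONFIDENTIAL."""
    root = ET.fromstring(web_xml)  # accepts str or bytes
    return any("/*" in _texts(sc, "url-pattern")
               and "CONFIDENTIAL" in _texts(sc, "transport-guarantee")
               for sc in root.iter() if _local(sc.tag) == "security-constraint")


def audit(jon_home):
    """Return findings; an empty list means the layout matches the corrected advice."""
    home, findings = Path(jon_home), []
    if (home / GLOBAL_XML).is_file() and forces_https((home / GLOBAL_XML).read_bytes()):
        findings.append(f"{GLOBAL_XML}: constraint present in global web.xml")
    for rel, required in APP_XMLS:
        path = home / rel
        if not path.is_file():
            if required:
                findings.append(f"{rel}: file not found")
        elif not forces_https(path.read_bytes()):
            findings.append(f"{rel}: constraint missing")
    return findings
```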
-
3. HTTPS?
joblandin May 13, 2011 1:29 PM (in response to ips)
I made the changes and tried HTTPS on port 7443 without success; the page does not display using IE. I checked the boot log and noticed the following error:
10:04:11,078 DEBUG [LocalJBossServerDomain] handleNotification: javax.management.Notification[source=jboss.system:service=ServiceController][type=org.jboss.system.ServiceMBean.create][message=]
10:04:11,078 DEBUG [DefaultManagedObjectFactoryMap] Failed to find factory for event: javax.management.Notification[source=jboss.system:service=ServiceController][type=org.jboss.system.ServiceMBean.create][message=]
Is this the problem or should I be looking somewhere else? Thanks.
-
4. HTTPS?
ips May 13, 2011 1:39 PM (in response to joblandin)
That doesn't look related. Are there any errors or warnings in your Server log?
Did you remember to restart your Server? Did you remember to not add the security constraint to the global web.xml? What error do you get in the browser when you try to go to http://yourjonhost:7080/? Does it redirect to https://yourjonhost:7443/ before it fails?
-
5. HTTPS?
joblandin May 13, 2011 2:04 PM (in response to ips)
I stopped and started the JON server after making the changes. Using http...7080 does not redirect to https...7443. I receive the following error using IE: "Internet Explorer cannot display the webpage"
This error is in the rhq-server-log4j log:
at org.quartz.impl.jdbcjobstore.JobStoreSupport$MisfireHandler.run(JobStoreSupport.java:3907)
2011-05-13 10:43:18,995 WARN [org.quartz.impl.jdbcjobstore.AttributeRestoringConnectionInvocationHandler] Failed restore connection's original auto commit setting.
java.sql.SQLException: Connection is not associated with a managed connection.org.jboss.resource.adapter.jdbc.jdk5.WrappedConnectionJDK5@346801
at org.jboss.resource.adapter.jdbc.WrappedConnection.lock(WrappedConnection.java:81)
No changes to global web.xml. Only changed in the two places you mentioned above. Changes are below. Thanks!!
<security-constraint>
  <display-name>Redirect HTTP to HTTPS</display-name>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
</web-app>
-
6. HTTPS?
ips May 13, 2011 3:33 PM (in response to ips)
I'm not sure that error's related either. If you give me a pastebin link to your entire Server log, I can take a look at it and see if anything jumps out at me.
-
7. HTTPS?
joblandin May 13, 2011 4:23 PM (in response to ips)
I've copied all the lines from the rhq-server-log4j.log. It is over 5000 lines. I saw the pastebin option previously; how can I invoke it on my reply? Right-clicking only brings up the IE options. Thanks.
-
8. HTTPS?
joblandin May 13, 2011 4:30 PM (in response to joblandin)
Ok, see if this works. http://pastebin.com/mxz6ygP1
-
9. HTTPS?
ips May 13, 2011 4:40 PM (in response to joblandin)
This looks like the relevant exception:
- 2011-05-13 13:02:44,825 INFO [org.apache.coyote.http11.Http11Protocol] Initializing Coyote HTTP/1.1 on http-0.0.0.0-7080
- 2011-05-13 13:02:44,847 ERROR [org.apache.coyote.http11.Http11Protocol] Error initializing endpoint
- java.io.IOException: Keystore was tampered with, or password was incorrect
- at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
- at sun.security.provider.JavaKeyStore$JKS.engineLoad(Unknown Source)
- at java.security.KeyStore.load(Unknown Source)
- at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:349)
- at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:289)
- at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:462)
- at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:408)
- at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:142)
- at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:498)
- at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
- at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
- at org.apache.catalina.core.StandardService.initialize(StandardService.java:669)
- at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
- at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
- at org.apache.catalina.startup.Catalina.start(Catalina.java:558)
- at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
- at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
- at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
- at java.lang.reflect.Method.invoke(Unknown Source)
- at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:297)
- at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
- at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
- at org.jboss.web.tomcat.service.JBossWeb.startService(JBossWeb.java:457)
- ..
My guess is that you changed something in the RHQ Server's Tomcat server.xml file? I'm not sure. I don't think the issue is caused by the changes you made in the web.xml files though. Note, in general, it is not advised to change any files under the RHQ Server's jbossas/ subdirectory.
You also have quite a few DB-related exceptions in your log. I'm not sure what's going on there either.
At this point, you might want to try starting over with a fresh install of JON and following the installation guide very carefully.
By the way, what version of JON are you using?
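What the exception quoted above means at the file level, as an added example that is not part of the original thread: the Sun JKS provider (the `sun.security.provider.JavaKeyStore` class in the trace) raises that message when the trailing SHA-1 integrity hash of the keystore does not match the supplied password and file contents. The helper names and the sample keystore are constructed for this sketch.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity hash


def jks_digest(password, body):
    """SHA-1 over the UTF-16BE password, the fixed salt, and the keystore body."""
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def check_jks(data, password):
    """Classify a keystore blob the way a load with this password would see it."""
    if len(data) < 32:  # 12-byte header plus 20-byte trailing digest
        return "too short to be a JKS keystore"
    magic, version, count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC:
        return "not JKS (wrong magic; may be another keystore format)"
    body, stored = data[:-20], data[-20:]
    if not hmac.compare_digest(jks_digest(password, body), stored):
        # Same condition that produces "Keystore was tampered with,
        # or password was incorrect" in the stack trace above.
        return "digest mismatch: wrong password or modified file"
    return f"ok: version {version}, {count} entries"


def empty_jks(password):
    """Constructed sample: a valid version-2 keystore with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


if __name__ == "__main__":
    sample = empty_jks("changeit")  # constructed password, not from the thread
    print(check_jks(sample, "changeit"))
    print(check_jks(sample, "wrong-password"))
```

A replaced keystore file and a keystore password left unchanged in the connector configuration produce the same mismatch, which is why the error message cannot distinguish the two cases.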
-
10. HTTPS?
joblandin May 13, 2011 4:49 PM (in response to ips)
Oh boy, Tomcat is not even installed on this server, so no changes to the server.xml file. So JON needs Tomcat up and running to use HTTPS, is that the problem? As you can tell, I'm not exactly a JON expert. I can spell it and install it. The jre and postgres RPMs have been installed but not Tomcat. This is a badly fumbled handoff; the VM was supposed to be ready for JON and only JON was to be installed. I really appreciate your time and effort.
-
11. HTTPS?
ips May 13, 2011 5:11 PM (in response to joblandin)
I was referring to the JBossAS Tomcat server that's part of the internals of the RHQ Server. Let me ask a different question - did you modify any files within the RHQ Server install dir other than those two web.xml files?
Your pastebin did not contain your full Server log (it may have been too long). Seeing your full log might be helpful. If you want, you can email it to me at ips -AT- redhat -DOT- com.
-
12. HTTPS?
joblandin May 13, 2011 5:43 PM (in response to ips)
OK, that makes sense. I saw there was a Tomcat jar file as part of JON but saw nothing related to an install. I did change the keystore and truststore files, but the originals still exist so I can go back to them. You are correct about the server log. The log is in two parts; I pasted the most recent and smaller one. I just e-mailed the log files to you. Our version of JON is 2.4.1.
-rw------- 1 root root 746747 May 13 14:16 rhq-server-log4j.log
-rw------- 1 root root 5242937 May 13 11:35 rhq-server-log4j.log.1
I also added this file to the link below ==> jon-server-2.4.1.GA/jbossas/server/default/deploy/jboss-web.deployer/server.xml
-
13. HTTPS?
ips May 13, 2011 10:20 PM (in response to joblandin)
Please try switching back to the original keystore and truststore files and restarting the Server. Let me know if that clears up the exceptions.
You didn't change the server.xml at all, correct?
-
14. HTTPS?
joblandin May 16, 2011 3:58 PM (in response to ips)
No, the server.xml file has not been changed. I backed out the changes to the keystore and truststore files and restarted the server. We are much closer now because when attempting to access via http:/....:7080 it does redirect to http:/....7443 and then prompts me for a certificate (using IE8). When using Firefox I get a "This connection is untrusted" message and it gives me options to end the session, technical details, or I understand the risks. I am able to select "I understand the risks" and get redirected into the HTTPS signon page using Firefox. IE is still a problem for now. We thought there may be a way to config Tomcat to allow an ignore or the client cert connections since it appears to use accept only. I know that IIS allows this option but not so certain about Tomcat.
So your changes did work after we undid what we had "fixed" trying to make it work. Thank You very much for your time and help with this issue. It was very much appreciated.