UWC - works perfectly, how to switch to SSL mode?
Hi,
I just installed UWC + ME + AM + calendar. Works perfectly, but not secure
(http instead of https). I've managed to configure all single services to use
SSL - on single host - I mean messenger express (https - 8443, http 8080),
web server with UWC deployed (https 443, http 80), calendar (http 3080,
https 3443).
Now my question is: how can I switch UWC to use everything in a secure way?
Is there some "howto"?
I was following various docs I found on the net, but something was always
wrong.
best regards
# 1
so, you have configured uwc to respond to https. what else is it you wish to configure to ssl mode? It sounds like you've already configured all the pieces.
# 2
well, problem is that somewhere (I don't know *where*) software is
using 'old' http request - when I point browser to https://hostname/uwc/,
it warns me that request (logging in) will use non secure connection to
post data.
I've modified uwcauth.properties to use SSL URLs, but it still uses
non-secure ones.
# 3
UWC typically "talks" to old HTTP interface. Is that what you're running into?
# 4
I would like to have secure UWC site - but I don't care about internal
(local) connections like clear LDAP 389 - but all outside have to be secure.
As I wrote before - I've managed to configure UWC partially to use SSL,
but first thing to fix is security warning generated by browser while
logging in, second is that UWC still somewhere inside has old 'http'
links instead of https. As a result, after logging in through https://, after a timeout
the browser displays the 'old' http:// link, and to log on successfully I have to change it
manually to https.
# 5
here is my configutil | grep sso output:
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.amnamingurl = https://mailhost:443/amserver/namingservice
local.webmail.sso.enable = 0
local.webmail.sso.singlesignoff = 1
local.webmail.sso.uwccontexturi = uwc
local.webmail.sso.uwcenabled = 1
local.webmail.sso.uwchome = https://mailhost/uwc
local.webmail.sso.uwclogouturl = https://mailhost:443/uwc/base/UWCMain?op=logout
local.webmail.sso.uwcport = 443
uwcauth.properties:
(now it can contain errors because I was trying a lot of possible settings)
defaultdomain = domain
defaultlocale = en
virtualdomain.mode = n
uwcauth.ssl.enabled=true
uwcauth.ssl.authonly=false
ldapusersession.defaultugfilter = uid=%U
ldapusersession.ldaphost = mailhost.domain
ldapusersession.ldapport = 389
ldapusersession.ldapbinddn = cn=Directory Manager
ldapusersession.ldapbindcred = ****
ldapusersession.dcroot = o=isp
ldapusersession.domainfilter = (|(objectclass=inetDomain)(objectclass=inetDomainAlias))
ldapusersession.ldappoolmin =30
ldapusersession.ldappoolmax = 100
ldapusersession.ldappooltimeout =30
ldapusersession.enablessl = false
uwcauth.sessioncookie = JSESSIONID
uwcauth.appprefix = iPlanetDirectory
uwcauth.appid = uwc
messagingsso.appid = ims
uwcauth.cookiedomain = .domain
uwcauth.messagingsso.enable = true
uwcauth.messagingsso.cookiepath = /
messagingsso.ims.url = http://mail.domain:8443/VerifySSO?
messagingsso.uwc.url = http://mail.domain:443/uwc/VerifySSO?
messagingsso.ipsecurity = true
uwcauth.identity.enabled=true
uwcauth.identity.login.url=https:///mail.domain:443/amserver/UI/Login
uwcauth.identity.binddn=uid=amadmin,ou=people,o=isp
uwcauth.identity.bindcred=****
uwcauth.identity.cookiename=iPlanetDirectoryPro
uwcauth.http.port=443
uwcauth.https.port=443
uwcauth.identitysso.cookiepath = /
identitysso.singlesignoff = true
identitysso.portalurl = http://www.sun.com
pab_mig_required = true
# 6
uwcauth.http.port=443
uwcauth.https.port=443
This is clearly incorrect, and not possible. Other than this, I'm not convinced I know all the answers.
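An added example, not part of any post in this thread: a small Python audit that flags the kind of inconsistencies visible in the uwcauth.properties from post #5 (http:// URLs on SSL ports, a URL with no parseable host, identical http and https ports). The function names and the SSL port list (taken from the ports named in the first post) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Subset of the uwcauth.properties lines posted in #5, values unchanged.
SAMPLE = """\
messagingsso.ims.url = http://mail.domain:8443/VerifySSO?
messagingsso.uwc.url = http://mail.domain:443/uwc/VerifySSO?
uwcauth.identity.login.url=https:///mail.domain:443/amserver/UI/Login
uwcauth.http.port=443
uwcauth.https.port=443
identitysso.portalurl = http://www.sun.com
"""

# SSL listener ports named in the first post (web server, messenger express, calendar).
SSL_PORTS = (443, 8443, 3443)

def parse_properties(text):
    """Minimal key=value parser; ignores blanks and comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props, ssl_ports=SSL_PORTS):
    """Return (key, finding) pairs for settings that contradict an all-HTTPS setup."""
    findings = []
    for key in sorted(props):
        value = props[key]
        if not re.match(r"https?:", value, re.I):
            continue
        url = urlsplit(value)
        if not url.hostname:
            findings.append((key, "malformed URL: no host"))
        elif url.scheme == "http" and url.port in ssl_ports:
            findings.append((key, f"http scheme on SSL port {url.port}"))
        elif url.scheme == "http":
            findings.append((key, "plain http URL"))
    http_port = props.get("uwcauth.http.port")
    if http_port and http_port == props.get("uwcauth.https.port"):
        findings.append(("uwcauth.http.port", f"same value ({http_port}) as uwcauth.https.port"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(parse_properties(SAMPLE)):
        print(f"{key}: {finding}")
```

Running the same audit after each configuration change gives a quick check that no plain-http URL has crept back into the file.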
# 7
I have the same issue, I open a support ticket for this, if you have an answer please post it.
Ram
# 8
Hi,
I understand that you are having AM SSO. Then you also need to edit AMConfig.properties (present in /etc/opt/SUNWam/config) to use SSL (https).
com.iplanet.am.server.protocol=https
com.iplanet.am.naming.url=https://hostname:port/amserver/namingservice
com.iplanet.am.notification.url=https://hostname:port/amserver/notificationservice
Thanks
Ramya
# 9
Thanks - it looks like this was the missing part of the configuration.
But after changing the config to secure, when I start the web server I can see:
failure: WebModule[/amserver]: WEB2783: Servlet /amserver threw load() exception
javax.servlet.ServletException: WEB2778: Servlet.init() for servlet LoginLogoutMapping threw exception
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:949)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3528)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3810)
at com.iplanet.ias.web.WebModule.start(WebModule.java:257)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
-- Root Cause --
java.lang.NullPointerException
at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3528)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3810)
at com.iplanet.ias.web.WebModule.start(WebModule.java:257)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
# 10
Can you check by accessing through the URL if you are able to access AM: https://hostname:port/amserver or https://hostname:port/amconsole.
If yes, then can you also cross-check if the web container is pointing to the correct URL (https).
Thanks
Ramya
# 11
After these changes I see: Authentication Service is not initialized.
What can be wrong?
# 12
When I switch the protocol back to http in AMConfig.properties, the web server starts normally (without exception) and then /amserver and /amconsole work fine...
# 13
Do you mean to say you are not able to login to amconsole in https mode?
Then, Identity Server doesn't seem to be configured for SSL.
You could try to do this but it does not work very consistently.
Make sure IS is deployed on SSL port of WS, by modifying the amsamplesilent file. The ports need to be given the SSL port of webserver
Then, DEPLOY_LEVEL=1& SERVER_PROTOCOL=https
- Then, execute the /opt/SUNWam/bin/amconfig -s amsamplesilent
- Restart Web Server.
Thanks
Ramya
# 14
Well, I did it exactly as you wrote, but the web server still displays a Java exception during startup, and that's the reason AM is not working.
Is there some documentation describing step by step how to install/configure UWC with AM in a secure way?
Thanks for your help
# 15
Just a note:
I spent a lot of time attempting to get SSL working on JES. It was an awkward config to say the least and I never did get it working completely. When talking to Sun about it, they advised me to not try to do it on the JES itself, but use an SSL proxy instead to encrypt the traffic out to the world before hitting the JES pieces in the background. I was able to get UWC working fine with SSL on my test network, but never did get it working in the production network with the exact same config. I am currently looking at the SSL proxy solution. I would also like any advice on setting up SSL on JES (UWC/portal) as it seems to be a very awkward and buggy configuration. If you get it working, please let me know.
Thanks,
Darren
# 16
I'm using the documentation in:
http://docs.sun.com/app/docs/doc/819-2661/6n4uetjsh?a=view
and
http://docs.sun.com/app/docs/doc/819-2661/6n4uetjs3?a=view#abzbz
in order to use Communications Express in SSL mode. I can't get the configuration working fine, I only have the same problem as
Aleksander.
In fact, if you use the documentation you get an error in UWC in this step:
local.webmail.sso.uwcport=SSL port-number of the webserver in which communications express is deployed
Ram
# 17
Probably this would help: http://docs.sun.com/app/docs/doc/819-2661/6n4uetjs7?a=view
Thanks
Ramya
# 18
To set the UWC SSL port you have to set the parameter as:
./configutil -o local.webmail.sso.uwcsslport -v SSL port
and not
./configutil -o local.webmail.sso.uwcport -v NON-SSL port.
Hope this helps.
Thanks
Ramya
# 19
Well, it looks like a problem with Access Manager and SSL.
When I change AMConfig.properties to secure:
com.iplanet.am.server.protocol=https
the web server is not starting properly and AM is not initialized.
I was trying to deploy AM again, but it's still the same problem.
I was trying to do 'full uninstall (code 11)' and 'full install' with amsilent,
but it messed up the web server completely.
Fortunately JES is installed in a zone, so I have a working backup but
without SSL.
Any ideas what to do next - how to put UWC to work in SSL mode?
# 20
I found that the configuration path in /opt/SUNWuwc/WEB-INF/config are linked to the directory /var/opt/SUNWuwc/staging/WEB-INF/config and the files for the configuration are in /var/opt/SUNWuwc/WEB-INF/config
Please check the files under this directory in order to configure the service...
I still have not configured yet the uwc over ssl but this could help
Ram