I am using Service Bus 11gR1
I have created a proxy service
I can view it's WSDL if I point my browser to:
https://wlsdev.mydomain.com/osb/RJMTest/XXIC_ErrorQueryAsync_Proxy?wsdl
When I look at the returned WSDL I can see the binding element lists the actual host rather than the load balancer:
</WL5G3N0:binding>
<WL5G3N0:service name="query_ptBindingQSService">
<WL5G3N0:port binding="WL5G3N2:query_ptBinding" name="query_ptBindingQSPort">
<WL5G3N3:address location="http://internalserver.com:8010/osb/RJMTest/XXIC_ErrorQueryAsync_Proxy"/>
</WL5G3N0:port>
</WL5G3N0:service>
My question is what setting in OSB do I need to change to alter what the SOAP wsdl is using to generate the WSDL?
(In SOA there was a ServerURL setting)
You will have to update the cluster http frontend host to the load balancer address. This will need to be done on WebLogic Admin console
Login to http://{host}:{port}/console
Clicked on Lock and Edit button
Select Cluster
Click on HTTP
Configure Front End Host address to the pool name of load balancer
Configure http and https port where managed servers listen to
Click Save.
You will need to restart the managed servers.
Related
Place the internet facing load balancer in the public area and it is sent to React. Then react calls the backend connected to the internal alb. In other words, internal alb can be called in frontend. And by applying the address of internal alb to private route 53, 'example.local' could be created. And I tried to connect this in react, but it was sent as an http request, and the react homepage was in https, causing a mixed content error.
Is there a way to solve this?
Backend and frontend are serviced by different clusters through ecs target.
If you are getting a mixed content error, then that means your requests to the backend are coming from the web browser, not a back-end server. Since you are using React, which is a front-end JavaScript framework, requests to your backend are coming from each user's laptop/desktop computer, not from your front-end web server. This means the backend API cannot be behind an internal load balancer, because then it wouldn't be accessible from the user's web browser.
I have setup a GCP load balancer following the steps as displayed on https://cloud.google.com/load-balancing/docs/https/ext-http-lb-tf-module-examples#with_a_backend . I have create an A record at my dns provider and I am succesfully able to reach my service through the domain name. I have also created a http to https redirecting load balancer, which only redirects when visiting the domain name.
However my problem is that I can also still directly access my load balancers ip adress over http, which in turn redirects to my backend service thus allowing insecure access to my service. I am not sure what steps there are to debug my configurations or if anyone has experienced something similar.
The simplest method is to redirect HTTP to HTTPS at your backend. That method provides you with more options and control.
Tip: if the client arrives at an IP address, you most likely want to discard that traffic. That traffic is typically hackers, trolls, etc.
You can also set up a redirect in the load balancer:
Set up an HTTP-to-HTTPS redirect for global external HTTP(S) load balancer
I have a backend service i'm running in Fargate. I need this service to have an SSL cert on its load balancer so that it can talk to other HTTPS services. I've created the load balancer and it gives me an AWS domain (my-cool-app.us-east-1.elb.amazonaws.com).
Now, when I try to request a certificate through acm, it fails and says "Additional verification required". So i'm not sure if it's possible to add an SSL cert to this load balancer without registering a custom domain?
Also, this is a Django app and I haven't done anything other than keep it as runserver which I know isn't good for production but I just need to start by making it work as a dev environment. Do I need to change the way Django runs in order for SSL to work? Or is the load balancer sufficient?
To use an SSL for a domain you need to have control over that domain. For the AWS managed certificate service (ACM) you can verify through either DNS validation or email validation both of which you must essentially have domain control to validate.
As you're trying to use ACM for a AWS owned domain, someone from AWS would need to approve the SSL (which they won't).
Regarding your second point what you're describing is SSL offloading, in which the load balancer will serve HTTPS and then terminate encryption in transit. It will then forward the request to the Fargate container using the protocol and port defined in the target group.
The only thing you want to consider is how you display to the user, for example ensure that all CSS, JS ans links on your site are HTTPS. You can detect whether the incoming request used HTTPS at the load balancer by inspecting the X-Forwarded-Proto header in your application.
I have an AWS Amplify instance to launch a REACT app I have. It also has an SSL Certificate, so I can access the app on the browser by entering:
https://myreactapp.com (not my real app url, just an example)
I have a web servlet running on an Elastic Beanstalk instance that doesn't have SSL certificate, and my REACT app interfaces to it with this code snippet I have:
var myObject = {
data1: this.state.data1,
data2: this.state.data2
}
$.ajax({
type: "POST",
url: 'http://<my-backend-webservices-app>.us-east-1.elasticbeanstalk.com/doSomething', // works only from React app when running on local machine (http://localhost:3000), not from https url
contentType: 'application/x-www-form-urlencoded; charset=utf-8',
data: myObject,
success: function(response) {
console.log('success -- ' + response);
},
function(errMsg) {
alert('Major Error');
}
});
This code works fine and I get a response from my my-backend-webservices-app when I run my React App locally on my machine. Since when I use it locally the react app is on http://localhost:3000 (notice its not an https) and its talking to the Elastic Beanstalk instance which is also on http.
But when I run my React app from the AWS Amplify with SSL certificate it complains that a RESTFul request from HTTPS can't communicate to http url. Here's the error from the browser:
jquery.js:8676 Mixed Content: The page at
'https://master.<.....>.amplify<...>.com/' was loaded over HTTPS,
but requested an insecure XMLHttpRequest endpoint
'http://.us-east-1.elasticbeanstalk.com/doSomething'.
This request has been blocked; the content must be served over HTTPS.
So my thought to resolve this is to add a SSL Certificate to my ElasticBeanStalk instance. So first I created a subdomain services.myreactapp.com where the main domain is myreactapp.com I then assigned my ElasticBeanstalk instance (where my my-backend-webservices-app is) to that services.myreactapp.com subdomain.
I then went to the Certificate Manager service page of aws and requested a public certificate that is assigned to the services.myreactapp.com subdomain.
So now I updated the URL of the code snippet above to have https instead of http:
url: 'https://<my-backend-webservices-app>.us-east-1.elasticbeanstalk.com/doSomething',
But now whenever my React app from https makes the request to the back end servlet, it just hangs.
Any thoughts at what I'm missing?
Few things to highlight here.
about ACM issued Certificates
First of all, if you request a certificate from the certificate manager, it won't be applied to any of your applications automatically, you need to apply the certificate to your applications.
using ACM issued Certificate with Elasticbeanstalk
You can apply the certificate obtained from ACM to the elasticbeanstalk only if you are using a load balancer. In this case You can simply select your certificate from your elasticbeanstalk configuration page.
Reference:
configure ssl for elasticbeanstalk load balancer - https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html
If you are not using load balancer (Single instance)
You have to apply the certificate to the application running inside elasticbeanstalk or its proxy (for e.g nginx). You can use .ebextensions to achieve this.
Reference:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-nodejs.html
https://medium.com/#hzburki.hzb/configure-ssl-certificate-elastic-beanstalk-single-instance-a2846211851b
Pointing subdomain.example.com to elasticbeanstalk's DNS name
Once you have enabled SSL on your loadbalancer or configured your single instance to serve your application over ssl, you can create an A record to point services.myreactapp.com to your elasticbeanstalk dns name. make sure to to select Alias Yes when you create the A record.
Using the new dns name from your frontend app
finally you can use subdomain.mydomain.com from your frontend app instead of the elasticbeanstalk dns name.
Hope this helps, good luck.
I was able to get it working thanks to https://stackoverflow.com/a/59540740/4722577 #Arun K's response above.
The link I used was:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html
In short, through the Configuration -> Load Balancer -> Modify button I had to configure my Elastic Beanstalk EC2 instance to use Load Balancing with a listener. Then associate the existing SSL Certificate I have with this listener.
However, when I tried to do that at first that modify button didn't exist (notice it says that Load balancing is not available in my configuration).
Part of the aws link mentions this if you get that message:
Note If the Load balancer configuration category doesn't have a Modify
button, your environment doesn't have a load balancer.
The way forward is to select Configuration -> Capacity -> Modify on the screenshot above, then select "Load Balanced" instead of "Single Instance" in the Environment Type drop down box.
After you apply those changes, a "modify" button is enabled for Configuration -> Load Balancer sub panel. I continued the steps in the AWS link above and am now able to communicate from my https://myreactapp.com to my my-backend-webservices-app
Go to AWS route 53, In DNS management create a CNAM DNS record which points to your beanstalk url, like -
services.myreactapp.com -> xyz.us-east-1.elasticbeanstalk.com
then use services.myreactapp.com in your react app as url. Also before doing that make sure that you are able to access your backend at https://services.myreactapp.com, you can check you health API if any to test that. Note - This might take sometime to get services.myreactapp.com to come in action.
I've created a web service using this example:
http://www.albeesonline.com/blog/2008/07/27/creating-a-webservice-using-rad-7/
When I call the web service to get the WSDL, I use a URL like this:
http://acme.com/storefront/services/InventoryInquiry?wsdl
And WebSphere responds with a WSDL page with a URL like this:
http://acme.com:9082/storefront/services/InventoryInquiry/wsdl/InventoryInquiry.wsdl
What I'd like is for WebSphere to respond using SSL and port 443, and not the WebSphere default host port.
I tried modifying the "Provide HTTP endpoint URL information" page in WebSphere console for the application to use "https://acme.com:443" for the "HTTP URL prefix", but WebSphere doesn't use this, even after restarting WebSphere.
How do I configure WebSphere so that it doesn't use its default ports when responding to web service requests?
I'm using WebSphere 6.1.
Some background information:
The service is included in a J2EE application that uses Struts for its design pattern. The struts-config.xml is configured to serve the app on ports 80 and 443. The WAS server where the app runs is fronted by an Apache web server, which is redirecting requests to the app via a load balancer.
The AWS load balander config is directing requests among four separate WAS servers, each serving a copy of the application. Each WAS server is configured to deliver a unique server ID string back to the user. AWS uses this string to determine which WAS server will handle subsequent requests made by the user. This all works fine for the parts of the J2EE app that are handled by Struts, but the web service exists outside of that context. This seems to be why the web service responds using the WAS default secure port, and not the port defined in Struts.
I can't change the WAS default secure port to 443, because I can't have two instances of WAS on the same server both listening to port 443.
In general you have two choices:
1. You can install IBM Http Server (IHS) and WebSphere Plugin to route requests to WebSphere. IHS uses by default 80 and 443 ports.
2. Change default SSL port in WebSphere - In Server > Ports change the WC_defaulthost_secure from 944x to 443.
There is second issue in your question - do you want to protect using SSL whole service or just WSDL?
To configure it you will either need to define security constraints to protect selected URIs or configure HTTP server to only allow SSL access to the service.
UPDATE
If you have Apache Web server in front, then install and configure WebSphere Plugin (if you currently use mod_proxy or something else). WebSphere Plugin is available for Apache and will do dispatching and load balancing across multiple WAS instances (if they are clustered then you can generate plugin automatically from Deployment Manager, if you have many standalone instances - you will need to merge plugin, there is a tool for that).
It doesn't matter that your app is using Struts, your wsdl can still be served via Http server and plugin.
For redirection to HTTPS you need to solve that issue from your other post - security-constraint in web.xml is not enforced as I assume it is the same environment.