Skip to main content
Answer

Tomcat redirect from 9006 to 8443?

  • January 6, 2012
  • 9 replies
  • 41 views
R
Forum|alt.badge.img+12

So in the interest of buttoning a few things up over here I got the LDAP lookups setup with our CA cert so that it is done over SSL. I also got a public wildcard cert installed and setup in Tomcat so I can now goto:

https://host.glenbrook225.org:8443

and get no cert errors and passwords are no longer sent in the clear. :)

Now I want to redirect everything so you have to login over SSL.

Basically I want an Apache/Server Admin "RedirectMatch / https://host.glenbrook225.org" to the site running on the secure port so that you are always forced to login over SSL etc.

At present visiting https://i.p.ad.dy:8443 results in a cert error as does https://host:8443.

And despite the fact that this entry

<Connector executor="tomcatThreadPool"
    port="9006" protocol="HTTP/1.1"
    connectionTimeout="20000"
    maxPostSize="8388608"
    redirectPort="8443" />

Already exists in /Library/JSS/Tomcat/conf/server.xml it does NOT, in fact, redirect :9006 to :8443.

Has anyone done this? How do I get it to work? Do I need to clarify better?

Thanks,
~Ryan

Best answer by rmanly

I discovered the answer yesterday but I needed to read it a little more carefully before I grok'd it. The shortened link points to a post on the Apache mailing list from 2001.

http://goo.gl/LZFu4

So I got all the Management Framework settings correct, CMD + OPT launched Admin and Remote and changed where they were pointing to, tested a few things on a client machine and everything was working as I hoped.

Then I swam to the deep end. ;)

The key thing I wasn't getting on the first pass was this part, "In the deployment descriptor for your web app (/WEB-INF/web.xml)"

After I thought for a second I dug down and found the file here:

/Library/JSS/Tomcat/webapps/ROOT/WEB-INF/web.xml

A quick copy of the web.xml file.

$ cp web.xml{,.bak}

And then I opened the file up in vim and pasted the following after <web-app> and before the first <listener>

<security-constraint>
          <web-resource-collection>
                  <web-resource-name>JSS</web-resource-name>
                  <url-pattern>/*</url-pattern>
           </web-resource-collection>
           <user-data-constraint>
               <transport-guarantee>CONFIDENTIAL</transport-guarantee>
           </user-data-constraint>
     </security-constraint>

et voilĂ 

Hitting the JSS via web browser on 9006 always redirects you to 8443.

Because it isn't taking you to the FQDN like the Apache trick above the cert still throws an exception if you goto the IP addy or just the hostname but at least it is encrypted. :D

Also, I thoroughly tested policies, Remote, and Self Service after making this change and so far there are no issues. Having said that, you should proceed at your own risk, IANAL, etc. etc., and be wary of the Global Device Management page re: SCEP

Cheers,
Ryan

    9 replies

    D
    Forum|alt.badge.img+7
    • davelb20
    • Contributor
    • January 6, 2012

    Ryan,

    I'm not sure if this is what you are interested in, but if you login to your JSS, and go to Settings->Global Management Framework Settings there will be two fields there. One field will have the 8443 port and the other with a title of "JSS URL (HTTP)" will have a default value of http://jss.mycompany.com:9006/. If you just delete that value out of the "JSS URL (HTTP)" and leave it blank it will force all traffic over port 8443. You then do not have to edit the server.xml file manually.

    Dave

    R
    Forum|alt.badge.img+12
    • rmanly
    • Author
    • Contributor
    • January 6, 2012

    I did need to do fix those settings as well so thanks for the reminder but that is not exactly what I mean.

    I am not really talking about the computer -> JSS communication right now, I will take care of that as soon as I get this licked.

    Here is an example of what I am looking to accomplish.

    We use AD and several years ago I set up an internal wiki for posting training items, procedures etc. Now Apple recommends you to use SSL to auth an AD user to the wiki (http://support.apple.com/kb/ts1619). So one thing that I did was tell Apache via Server Admin to redirect all traffic to the site running on 443.

    The result of this is no matter if you browse to

    http://wiki.domain.org
    http://wiki
    http://192.168.1.1
    https://wiki
    https://192.168.1.1

    You always end up at

    https://wiki.domain.org

    So all the traffic is always done over SSL with no cert errors.

    What I want is if my boss goes to http://jss.domain.org:9006, which we have been using since setting Casper up for the first time, to generate a report of some kind Tomcat redirects his browser to the secure connection on 8443.

    Or if I just type in "jss" in the browser bar and let DNS handle getting me there I get redirected to https://jss.domain.org so that I do not get a cert error because https://jss:8443 is not the FQDN in the cert. This applies to the IP addy as well.

    R
    Forum|alt.badge.img+12
    • rmanly
    • Author
    • Contributor
    • January 6, 2012

    To clarify further I NEVER, EVER want to see this in Wireshark again.

    0000  00 1f fe 87 a5 00 34 15  9e 3c 79 fa 08 00 45 00   ......4. .<y...E.
0010  00 64 1a d4 40 00 40 06  00 00 0a 03 2b fa 0a 01   .d..@.@. ....+...
0020  4b 84 ca 9a 23 2e d1 68  13 56 01 33 0f 84 80 18   K...#..h .V.3....
0030  82 18 8b d8 00 00 01 01  08 0a 9f a2 38 f9 41 7a   ........ ....8.Az
0040  c9 b4 75 73 65 72 6e 61  6d 65 3d 72 6d 61 6e 6c   ..userna me=rmanl
0050  79 26 70 61 73 73 77 6f  72 64 3d 73 69 6c 6c 79   y&passwo rd=silly
0060  70 61 73 73 31 26 73 75  62 6d 69 74 3d 4c 6f 67   pass1&su bmit=Log
0070  69 6e                                              in
    R
    Forum|alt.badge.img+12
    • rmanly
    • Author
    • Contributor
    • Answer
    • January 6, 2012

    I discovered the answer yesterday but I needed to read it a little more carefully before I grok'd it. The shortened link points to a post on the Apache mailing list from 2001.

    http://goo.gl/LZFu4

    So I got all the Management Framework settings correct, CMD + OPT launched Admin and Remote and changed where they were pointing to, tested a few things on a client machine and everything was working as I hoped.

    Then I swam to the deep end. ;)

    The key thing I wasn't getting on the first pass was this part, "In the deployment descriptor for your web app (/WEB-INF/web.xml)"

    After I thought for a second I dug down and found the file here:

    /Library/JSS/Tomcat/webapps/ROOT/WEB-INF/web.xml

    A quick copy of the web.xml file.

    $ cp web.xml{,.bak}

    And then I opened the file up in vim and pasted the following after <web-app> and before the first <listener>

    <security-constraint>
          <web-resource-collection>
                  <web-resource-name>JSS</web-resource-name>
                  <url-pattern>/*</url-pattern>
           </web-resource-collection>
           <user-data-constraint>
               <transport-guarantee>CONFIDENTIAL</transport-guarantee>
           </user-data-constraint>
     </security-constraint>

    et voilĂ 

    Hitting the JSS via web browser on 9006 always redirects you to 8443.

    Because it isn't taking you to the FQDN like the Apache trick above the cert still throws an exception if you goto the IP addy or just the hostname but at least it is encrypted. :D

    Also, I thoroughly tested policies, Remote, and Self Service after making this change and so far there are no issues. Having said that, you should proceed at your own risk, IANAL, etc. etc., and be wary of the Global Device Management page re: SCEP

    Cheers,
    Ryan

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • January 6, 2012

    Would using an Apache virtual host redirect you to the FQDN?

    J
    Forum|alt.badge.img+24
    • jarednichols
    • Valued Contributor
    • January 9, 2012

    Why not just block port 9006 at the server's firewall?

    R
    Forum|alt.badge.img+12
    • rmanly
    • Author
    • Contributor
    • January 9, 2012

    I didn't see the forest for the trees as I don't know a lot about Apache, Tomcat etc. So I assumed the solution had to be done via Tomcat.

    bentoms is correct. I created a VirtualHost via Server Admin to do the RedirectMatch I talked about so that all traffice arriving on 9006 is redirected to

    https://host.domain.org:8443

    and it is working beautifully.

    I knew how to do that as you can see from my initial post but I wrongly assumed that it would not work or it would break something in Tomcat so I didn't even try.

    Thanks for the tip bentoms. I learned a LOT about how Apache works this morning and even more about what Server Admin does to all of its conf files.

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • January 9, 2012

    Np.

    Took me ages to figure it out on Lion server as Apple have removed most of the options from the GUI. :(

    http://macmule.com/2011/09/20/how-to-enable-virtual-hosts-on-lion-server/

    R
    Forum|alt.badge.img+12
    • rmanly
    • Author
    • Contributor
    • January 10, 2012

    FYI just found out this morning setting up the Virtual Host / RedirectMatch on 9006 to 8443 prevents the old machines from self-updating the settings and getting the cert when the management framework runs...so no go on there. :(

    Terms & ConditionsCookie settingsAccessibility statement