ebaseAdmin isn't accessible

Post any questions regarding Installing or Upgrading Ebase, including problems starting up the Ebase Xi Server or Designer

Moderators: Jon, Steve, Ian, Dave

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

ebaseAdmin isn't accessible

#1

Postby Segi » Tue Mar 06, 2018 9:51 pm

As the title says, I cannot access the Ebase admin app on the server itself or outside of my server.

As soon as I visit the url https://oursite.ourdomain.com/ufs/ebaseAdmin.eb I get the error

com.ebasetech.ufs.runtime.events.rhinojavascript.RhinoScriptException: REST service failed: javax.net.ssl.SSLPeerUnverifiedException: Host name '127.0.0.1' does not match the certificate subject provided by the peer (CN=oursite.ourdomain.com, OU=Domain Control Validated)Not Authorized (SYSADMIN_AUTHORIZATION_CHECK#41)
0 x

Jon
Moderator
Moderator
Posts: 1342
Joined: Wed Sep 12, 2007 12:49 pm

Re: ebaseAdmin isn't accessible

#2

Postby Jon » Wed Mar 07, 2018 9:31 am

Both this and the designer connection problems are issues with SSL connection. Now you've got SSL working with Apache you should return the Tomcat configuration to just Http - take out the security constraint(s) and anything else that is forcing http -> https.

This particular problem with the server admin app is because this app is making a REST web service call to the same host using 127.0.0.1 and this fails when it's forced to https.
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: ebaseAdmin isn't accessible

#3

Postby Segi » Wed Mar 07, 2018 4:01 pm

Jon,

There are 2 things that relate to https in the Tomcat config files as far as I know:

1. <Context useHttpOnly="true"> in context.xml

2. The Port 443 connector defined in server.xml which is also where I load the SSL certificate by loading the keystore.

Do I only need to remove the useHttpOnly="true" in Context.xml ? I still want Tomcat to load the SSL cert so that the pages run over https.

The Apache server that I set up is only for redirection purposes (I.E http -> https)
0 x

Jon
Moderator
Moderator
Posts: 1342
Joined: Wed Sep 12, 2007 12:49 pm

Re: ebaseAdmin isn't accessible

#4

Postby Jon » Wed Mar 07, 2018 4:42 pm

Segi,

We think the best way to do this is to have Apache handle the Https including certificates. The Server Admin app should work in this configuration.

I don't think the designer will work with an Https server (though I'm not 100% on this). If you need to connect the designer to an Https server then you will need to configure it to connect directly to Tomcat (i.e. not going through Apache and therefore not using Https). But preferably don't connect a designer to an Https server at all! Why do you want to do this? In V5.3 you have the ability to run a form on any server configured as a deployment target. And you can deploy to any server.

Jon
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: ebaseAdmin isn't accessible

#5

Postby Segi » Wed Mar 07, 2018 5:03 pm

Jon,

I am not trying to second guess you but this doesn't really make sense. Right up until I upgraded VerjIO to 5.3.2, I had Tomcat be responsible for loading the SSL certificates and forcing https over http and the admin console and test server worked perfectly.

I still have a copy of my production VerjIO instance that is on 5.2 and I'm certain that if I shut down the 5.3.2 instance and load up the 5.2 instance, these things would resume to work normally.

I feel that I'm moving further and further away from Tomcat being the main web server and I would really prefer to fix the problem properly rather than having a setup that gets increasingly more complicated with 2 different web servers.

I would like to get back to my original set up which is 1 server which is our production server running Tomcat only without Apache and another server (Dev server) which is also running Tomcat only.
0 x

Steve
Moderator
Moderator
Posts: 414
Joined: Fri Sep 07, 2007 3:44 pm
Location: Sandy, UK
Contact:

Re: ebaseAdmin isn't accessible

#6

Postby Steve » Thu Mar 08, 2018 10:24 am

Hi Segi,

Can you send me the log files to support@ebasetech.com :

<ebase-install-dir>\UfsClient\error.log
<ebase-install-dir>\UfsClient\logs\ebase-designer.log

So I can see where we are experiencing problems.

Hopefully from here we can come up with a solution.

Did you remove the useHttpOnly="true" and try this? I would assume that you'd be able to connect to the standard HTTP port if this was removed.

Kind regards

Steve Upton
0 x

Steve
Moderator
Moderator
Posts: 414
Joined: Fri Sep 07, 2007 3:44 pm
Location: Sandy, UK
Contact:

Re: ebaseAdmin isn't accessible

#7

Postby Steve » Thu Mar 08, 2018 5:13 pm

Hi Segi,

We know that the Ebase admin does not work when using SSL. We are looking into a fix for that.

Have you created you own self signed SSL certificate? If you have then you could add localhost and 127.0.0.1 to the alt names in your configuration (.cnf file).

Or something like this using keytool:

keytool -genkeypair \
-keystore keystore.jks \
-dname "CN=mysite.com, OU=Sun, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" \
-keypass changeit \
-storepass changeit \
-keyalg RSA \
-keysize 2048 \
-alias default \
-ext SAN=DNS:localhost,IP:127.0.0.1 \
-validity 9999

Kind regards

Steve
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: ebaseAdmin isn't accessible

#8

Postby Segi » Fri Mar 09, 2018 3:48 pm

Steve,

We're not using a self signed SSL cert. We purchased an official SSL cert from GogDaddy which I imported into my tomcat key store which gets loaded in the SSL connector in server.xml.
0 x

Steve
Moderator
Moderator
Posts: 414
Joined: Fri Sep 07, 2007 3:44 pm
Location: Sandy, UK
Contact:

Re: ebaseAdmin isn't accessible

#9

Postby Steve » Mon Mar 12, 2018 9:15 am

Hi Segi,

OK, you will have to enable a non SSL port on Tomcat as well for the moment and configure the designer to use the non SSL port.

If you could send me your logs anyway, that would be helpful. I have added a bug to our database and we will try and fix this for the next service pack.

Kind regards

Steve Upton
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: ebaseAdmin isn't accessible

#10

Postby Segi » Mon Mar 12, 2018 2:47 pm

Steve,

Can you please give me an example of the non-SSL connectorthat you mentioned ?

Which log do you want ? The one from UFSClient\Logs on my workstation or the logs from the server ?
0 x

Steve
Moderator
Moderator
Posts: 414
Joined: Fri Sep 07, 2007 3:44 pm
Location: Sandy, UK
Contact:

Re: ebaseAdmin isn't accessible

#11

Postby Steve » Mon Mar 12, 2018 3:38 pm

I would like the client logs please.

This document gives you instructions on how to configure Ebase to work with SSL and non SSL ports.

Kind regards

Steve
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: ebaseAdmin isn't accessible

#12

Postby Segi » Wed Mar 14, 2018 3:40 pm

Steve,

I followed these steps on my test instance of Ebase with 1 minor change. Since I am using SSL which runs on port 443, I changed the line

Code: Select all

<Connector port="3030" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort=[b]"8443"[/b] />
to

Code: Select all

<Connector port="3030" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort=[b]"443"[/b] />
since there's nothing bound to port 8443 and using that port generates an error since that port isn't accessible. After making all of these changes outlined in the Word doc and restarting my test instance of Ebase, I am still getting an error when trying to access the admin on the server itself (to avoid any port issues initially)

The error is

Code: Select all

com.ebasetech.ufs.runtime.events.rhinojavascript.RhinoScriptException: REST service failed: javax.net.ssl.SSLPeerUnverifiedException: Host name '127.0.0.1' does not match the certificate subject provided by the peer (CN=intranet.gms4sbc.com, OU=Domain Control Validated)Not Authorized (SYSADMIN_AUTHORIZATION_CHECK#41)
0 x

Steve
Moderator
Moderator
Posts: 414
Joined: Fri Sep 07, 2007 3:44 pm
Location: Sandy, UK
Contact:

Re: ebaseAdmin isn't accessible

#13

Postby Steve » Wed Mar 14, 2018 4:41 pm

Hi Segi,

You do not want to change the port to:

Code: Select all

<Connector port="3030" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort=[b]"443"[/b] />
but leave it as:

Code: Select all

<Connector port="3030" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort=[b]"8443"[/b] />
The redirect port is just a port that Tomcat creates to redirect its request to. 443 is an SSL port and should be directed to that.

Once configured, you should be able to invoke the server admin by calling:

http://oursite.ourdomain.com:3030/ufs/ebaseAdmin.eb

(Note that the URL above does not use HTTPS but it is using HTTP)

Also you'll need to configure the designer to point to the server port 3030 also.

Kind regards

Steve Upton
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: ebaseAdmin isn't accessible

#14

Postby Segi » Wed Mar 14, 2018 4:53 pm

Steve,

After changing 443 to 8443 and restarting Ebase when I visit http://localhost:3030/ufs/ebaseAdmin.eb the page times out. This is why I changed the port from 8443 to 443.

Obviously, I am trying to access the admin page on the server itself for now.

I am starting Ebase using start_ebase_server.bat which looks like this:

Code: Select all

REM Run this command to start the EBASE environment

REM To run : open a DOS command window, cd to this directory, then issue the command start_ebase_server

REM Start the tomcat application server


set JRE_HOME=%~dsp0..\jre

set CATALINA_HOME=%~dsp0\tomcat

set BASEDIR=%~dsp0\tomcat

set JAVA_OPTS=-Xmx1024m -server -Djava.net.preferIPv4Stack=true -Dderby.system.home=%~dsp0/DB -Dhttp.nonProxyHosts="localhost|127.0.0.1"

cd tomcat\bin

startup

cd ..\..
Edit: These are the connectors defined in server.xml:

Code: Select all

 <Connector port="3030" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxHttpHeaderSize="8192" SSLEnabled="true" maxThreads="150" minSpareThreads="25" 
    enableLookups="true" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false"  keystoreFile="C:\VerjIO\tomcat.keystore" keystorePass="mypassword" />

<Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
               
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" tomcatAuthentication="false"/>
In Designer (on the server itself) I'm using external server with the address localhost, port 3030 on ufs

UFSClient/Logs has only 1 file ebase-designer.log which is empty

Running netstat shows that port 3030 is bound to localhost address while 443 is bound to my local ip. I don't think that that's right but i'm not 100% sure

I am running the designer by running the exe not the batch file
0 x

User avatar
jcoulson
Ebase User
Posts: 30
Joined: Tue Sep 24, 2013 10:18 am
Location: Sandy, UK
Contact:

Re: ebaseAdmin isn't accessible

#15

Postby jcoulson » Thu Mar 15, 2018 9:48 am

Hi Segi,

Steve has asked me to look into this for you.

It appears your server.xml config has a redirect loop, please see my slightly amended version with changes to the 8009 connector port below:

Code: Select all

 <Connector port="3030" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxHttpHeaderSize="8192" 
		   SSLEnabled="true" maxThreads="150" minSpareThreads="25" enableLookups="true" 
		   disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" 
		   clientAuth="false"  keystoreFile="C:\VerjIO\tomcat.keystore" keystorePass="mypassword" />

<Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Everything else seems ok so please alter the above and restart the server.

If you still have issues, please send to the email Steve mentioned earlier, your server logs.
Depending on your configuration these should be in UfsServer/tomcat/logs and have stderr, ebase-server or catalina in the name.
The server logs will show us any issues when the server starts up and may highlight any problems with your configuration.

Kind Regards,

Jordan
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: ebaseAdmin isn't accessible

#16

Postby Segi » Thu Mar 15, 2018 3:25 pm

I made the changes that you suggested but I still can't access the admin app.

I checked the server logs by doing the following

Stopped the server
Moved all of the previous server logs to a sub folder
Started server by running start_ebase_server.bat
Went into Designer and started server admin app

Result: Fails to connect. The message is "Firefox can’t establish a connection to the server at localhost:8443." netstat doesn't show that port 8443 is open either. The URL that it attempts to access the admin app at is https://localhost:8443/ufs/ebaseAdmin.eb

I stopped the server at this point to collect the server logs

catalina.log: https://pastebin.com/737NHpk1

Ebase Server:

Code: Select all

Thu Mar 15 08:06:43:  ************************************************************
Thu Mar 15 08:06:43:  ***  Starting Ebase Xi Server version 5.3.2, Build 20180105
Thu Mar 15 08:06:43:  ************************************************************
Thu Mar 15 08:06:50:  Ebase Xi Designer server component initialised successfully
Thu Mar 15 08:06:50:  Workflow servlet component initialised successfully
Thu Mar 15 08:06:50:  FormCacheLoader: start
Thu Mar 15 08:06:50:  FormCacheLoader: end
Thu Mar 15 08:06:50:  ******************************************************************
Thu Mar 15 08:06:50:  ***  Ebase Xi Server V5.3.2 successfully initialized in 6 seconds
Thu Mar 15 08:06:50:  ***  Using workspace C:\VerjIO\Workspace
Thu Mar 15 08:06:50:  ******************************************************************
host-manager.log: empty
localhost.log: empty

localhost_access.log

Code: Select all

127.0.0.1 - - [15/Mar/2018:08:06:51 -0700] "POST /ufs/designer HTTP/1.1" 200 19
127.0.0.1 - - [15/Mar/2018:08:06:51 -0700] "POST /ufs/designer HTTP/1.1" 200 357
127.0.0.1 - - [15/Mar/2018:08:06:53 -0700] "POST /ufs/designer HTTP/1.1" 200 19
127.0.0.1 - - [15/Mar/2018:08:06:54 -0700] "POST /ufs/designer HTTP/1.1" 200 19
127.0.0.1 - - [15/Mar/2018:08:06:54 -0700] "POST /ufs/designer HTTP/1.1" 200 19
127.0.0.1 - - [15/Mar/2018:08:06:54 -0700] "GET /ufs/ebaseAdmin.eb HTTP/1.1" 302 -
127.0.0.1 - - [15/Mar/2018:08:06:56 -0700] "POST /ufs/designer HTTP/1.1" 200 19
manager.log: empty

server.xml: https://pastebin.com/AvV0Rc6P
0 x

User avatar
jcoulson
Ebase User
Posts: 30
Joined: Tue Sep 24, 2013 10:18 am
Location: Sandy, UK
Contact:

Re: ebaseAdmin isn't accessible

#17

Postby jcoulson » Thu Mar 15, 2018 4:20 pm

Hi Segi,

Have you tried accessing the admin app via this url: http://localhost:3030/ufs/ebaseAdmin.eb

If this doesn't work I think it is down to your server.xml if the pastebin link is exactly the same as what you are using then it is missing to 3030 connector.

This should look like this:

Code: Select all

<!-- Designer only connection to port 3030 -->
	<Connector port="3030" protocol="HTTP/1.1"
               connectionTimeout="20000" 
			   redirectPort="8443" />
If this is missing please insert this and restart again an let me know if any further problems.

Kind Regards,

Jordan
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: ebaseAdmin isn't accessible

#18

Postby Segi » Thu Mar 15, 2018 4:24 pm

Jordan,

If I try to load that URL, it redirects to the URL I provided which runs on https but still has port 8443 in the URL.

The connector to 3030 is already in server.xml. I pasted server.xml into a new document and removed some of the sensitive info before pasting it and must have removed the 3030 connector line by accident but its there on the server.xml in use. I just double checked

Thanks,

Segi
0 x

User avatar
jcoulson
Ebase User
Posts: 30
Joined: Tue Sep 24, 2013 10:18 am
Location: Sandy, UK
Contact:

Re: ebaseAdmin isn't accessible

#19

Postby jcoulson » Thu Mar 15, 2018 4:32 pm

Segi wrote:
Thu Mar 15, 2018 4:24 pm
Jordan,

that URL on port 3030 running on http redirects to https on 8443

The connector to 3030 is already in server.xml. I pasted server.xml into a new document and removed some of the sensitive info before pasting it and must have removed the 3030 connector line by accident but its there on the server.xml in use. I just double checked

Thanks,

Segi
Hi Segi,

Thanks for your quick reply, that's good that the connector is there.
I see early on in this thread that you setup an apache server to do the redirects.
By any chance is this still running?
It should not be needed now so it should be stopped.
Make sure it is and restart the ebase server and test again if you could.

Many thanks,

Jordan
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: ebaseAdmin isn't accessible

#20

Postby Segi » Thu Mar 15, 2018 4:55 pm

Jordan

I need to explain my set up to you. I have a production instance of Ebase and a dev instance of Ebase, each running in separate VMs on our network. These 2 instance are identical in every way except that the production instance is accessed internally using https://intranet.ourdomain.com while my dev server is running on https://intranetdev.ourdomain.com. When I need to make heavy modifications to an app, I develop it on dev first (Ignoring the SSL warning since my Godaddy cert was purchased for our Intranet domain, not intranetdev) and this has been fine right up until I tried upgrading to 5.3.2.

I am still running Apache on my production server because it still doesn't redirect http to https but I don't have Apache installed on my dev server.

Both servers are experiencing the exact same issue but I have been trying this fixes on the Intranetdev server. Without Apache, Ebase refuses to redirect http traffic to https on both servers even now with all of the changes that you have asked me to make (which I have been doing on Intranetdev).

This set up worked fine until I tried upgrading Ebase from 5.2 to Verj 5.3.2 on Intranet and Intranetdev when everything went horribly wrong. After the upgrade, I started getting errors related to UFS (Please see viewtopic.php?f=3&t=1419 this post for a full explanation of everything that went wrong). I somehow manage to cobble together a sem-working instance of Ebase 5.3.2 for both servers although I still have these issues:

In designer on my workstation, I cannot deploy to production server
In designer on my workstation, I can't select a database connection
Admin app isn't accessible from inside or outside of the server
Only runs on https (eventually times out if you try a URL that begins with http)

Not to complicate things further, but I just checked and Apache wasn't set to auto start after a reboot on our production server (Intranet) and since our server rebooted last night, Apache is not in fact running at the moment. Ebase on Intranet runs over https just fine (minus the issues highlighted above) as long as the URL uses https not http
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: ebaseAdmin isn't accessible

#21

Postby Segi » Thu Mar 15, 2018 11:23 pm

I have been adjusting my server connector settings and I think I've fixed all of my problems.

I uninstalled Apache from my production server and am not using it at all any more.

I changed my connector settings a little bit. I removed the port 3030 connector and changed the AJP connector on 8009 to redirect to 443 instead of 8443.

In web.xml, I removed the security constraints that forced SSL for everything except designer

In context.xml, I removed useHttpOnly="true"

Pages don't seem to redirect automatically over http so http://intranet.ourdomain.com/ufs/LOGIN.eb will time out but https://intranet.ourdomain.com/ufs/LOGIN.eb works perfectly. I recently emailed all of our users to remind them that they must use https to connect to Ebase so I don't see this as being an issue.

I can now connect the test server to my external server on our production server and connect to the admin app over http only from within the server or from my workstation outside of the server. Every other page besides the admin app doesn't work unless you specify https.
0 x

User avatar
jcoulson
Ebase User
Posts: 30
Joined: Tue Sep 24, 2013 10:18 am
Location: Sandy, UK
Contact:

Re: ebaseAdmin isn't accessible

#22

Postby jcoulson » Fri Mar 16, 2018 9:31 am

Segi wrote:
Thu Mar 15, 2018 11:23 pm
I have been adjusting my server connector settings and I think I've fixed all of my problems.

I uninstalled Apache from my production server and am not using it at all any more.

I changed my connector settings a little bit. I removed the port 3030 connector and changed the AJP connector on 8009 to redirect to 443 instead of 8443.

In web.xml, I removed the security constraints that forced SSL for everything except designer

In context.xml, I removed useHttpOnly="true"

Pages don't seem to redirect automatically over http so http://intranet.ourdomain.com/ufs/LOGIN.eb will time out but https://intranet.ourdomain.com/ufs/LOGIN.eb works perfectly. I recently emailed all of our users to remind them that they must use https to connect to Ebase so I don't see this as being an issue.

I can now connect the test server to my external server on our production server and connect to the admin app over http only from within the server or from my workstation outside of the server. Every other page besides the admin app doesn't work unless you specify https.
That's great news Segi.

Glad that you have got it to work.

Please let us know if there is anything else you require help with.

Kind Regards,

Jordan
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: ebaseAdmin isn't accessible

#23

Postby Segi » Fri Mar 16, 2018 2:55 pm

Thank you very much for all of your help Jordan, Steve and Jon.
0 x


Who is online

Users browsing this forum: Google [Bot] and 8 guests