It's all about the answers!

Ask a question

WebSeal and IHS implementation


vowner owner (25834) | asked Jul 31 '18, 12:17 a.m.
edited Jul 31 '18, 2:14 a.m. by Ralph Schoon (63.5k33646)

 



Hi Team,

We hare setting us IBM CLM 6.05 application with websphere liberty. But our environment have webseal and we should need to install the application behind this.
we are aware that we wont get support from IBM for clm applications with Webseal as reverse proxy. But we have to deploy our clm applications on an environment where webseal is already using as a reverse proxy.

So we came into a decision that, we will configure clm applications with IHS as reverse proxy and then will make this to run behind webseal.

So our architecture plan is like

Webseal --> IHS ---> CLM appications with Liberty

Now we have setup the IHS and installed CLM applications, Infra team created a junction in webseal to make communication between Webseal and IHS, 

Now when we are registering our application with the webseal url, we are geetting the error as 

"The identity of remote server could not be fetched from https://vv-xxxxx.wam-sso.xxxx.com/jts/serverId because the server responded with an error code 302. Check the error log for the remote server to diagnose the cause of the failure.ID CRJAZ2177E

whats the root cause and how we can rectift this ?

Also when we put a dummy host entry in jts server ( as ip address of IHs with Webseal DNS entry) its getting fine. But its not the proper way as we are not giving the correct host entry .

So do we have any alternate way to pass this through webseal itself through IHS


Webseal -> IHS -> JTS -> RM ->.

We dont want to skip the communication through webseal or IHS and needed the traffic in the same way above. 

Any suggestions highly appreciated.

3 answers



permanent link
Ralph Schoon (63.5k33646) | answered Jul 31 '18, 2:18 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

You have asked the question before and the answer was that this is a custom setup and Webseal is not supported.
Webseal seems to be a web server and as such does not belong into the communication chain and the image above does not seem to make sense. If it was supported Webseal would replace WebSphere Liberty Profile. Since it is not, it will not.


Comments
vowner owner commented Aug 02 '18, 12:18 a.m.

 Hi Ralph,


Thanks for your reply. I agree that the Webseal with IBM CLM is an custom setup and we wont get any help from support team,

But here i was asking the possible ways to bring normal distributed CLM setup with  IHS  behind a webseal environment.

So what i understood from your words, this cant be done and correct me if i am wrong with my assumption.


permanent link
Davyd Norris (2.7k217) | answered Jul 31 '18, 7:03 p.m.
WebSEAL doesn't actually replace Liberty, it replaces IHS.

You need to properly configure WebSEAL as a reverse proxy - right now it appears it's just set up to redirect rather than perform as a proxy. While this is not an officially supported configuration, it should be fairly simple to set up if you know WebSEAL and its use is documented here in the Jazz Wiki:


Comments
vowner owner commented Aug 02 '18, 12:32 a.m.

 Hello Davyd,Yes, but here we have to setup the CLM with IHS setup to an environment behind a webseal . Now we have setup the IHS and installed CLM applications, Infra team created a junction in webseal to make communication between Webseal and IHS, Now when we are registering our application with the webseal url, we are geetting the error as "The identity of remote server could not be fetched from https://vv-xxx.wam-sso.xxxx.com/jts/serverId because the server responded with an error code 302. Check the error log for the remote server to diagnose the cause of the failure.ID CRJAZ2177E. Also when we put a dummy host entry in jts server ( as ip address of IHS with WebSeal DNS entry) its getting fine. But its not the proper way as we are not giving the correct host entry .


Davyd Norris commented Aug 02 '18, 12:42 a.m.
Why do you need IHS? The role of IHS in your setup is to act as the Reverse Proxy and now WebSEAL is going to do that. You do not need IHS if you are single server, or if you are going to use another Reverse Proxy such as in your case.

Also did you actually read the link I put in my comment above? There is quite a bit of setup on the WebSEAL side because you have to tell it about the various cookies and tell it not to rename them. You also need to change how WebSEAL handles JavaScript injection if you're using DOORS NG.

In short, you can't just set up a junction. You need to replace IHS and you need to configure WebSEAL to play nicely with CLM.

vowner owner commented Aug 27 '18, 1:21 a.m.

 Hi Norris,


Please find the answer to your question below..


permanent link
vowner owner (25834) | answered Aug 27 '18, 1:19 a.m.

  Hello Norris,


Ya, we are aware that, both webseal and IHS is a reverse proxy. But here why we need both because, we need to implement the ALM solution in customer infra where there security is prohibited with webseal two level authentication so we have to implemet the solution behind their webseal setup. Also as per our discussion with IBM support, we wont get any support from IBM, if we are using Webseal for clm, and they will support only for IHS.

So since we are going to use a highly distributed and critical ALM solution for clustomer, we cant ignore IBM support in future requirements related to application.

So we came to a conclusion that we will impplement ALM solution as IBM recommending with IHS. and make the clm application along with IHS behind webseal reverse proxy..

So we are succeeded in setting up the application in the below way in our staging environment

1) We setup ALM applications ( JTS, CCM distributed method) and IHS as IBM recommended.

Ex: suppose the IHS url is -  htps://mydemo.com
                           JTS url   -  https://mydemo.com/jts         
                           CCM url -  https://mydemo.com/ccm
2) We have given this IHS url to our Webseal team and they have created junction and provided us webseal url for the application as  - https://mydemowebseal.com.
but here even though JTS application was accessible by the webseal url, but it had a lot of diagnostic error as the application registered url was with IHs and webseal url was different and application couldnt identify the new url.

4) So we thought to re  setup the scenario by registering the application with webseal url instead of ihs url and we made the public uri of jts as webseal url( this was ihs url before).

5) After all there we are able to acces our application over webseal url, but when we are accesing jts/setup or diagnostic page , or when we are trying to access RM from jts home page we are getting the error as explained above. 

"The identity of remote server could not be fetched from https://vv-xxxxx.wam-sso.xxxx.com/jts/serverId because the server responded with an error code 302. Check the error log for the remote server to diagnose the cause of the failure.ID CRJAZ2177E

5) As a work around we just made a fake entry in IHS server Host file with the below configuration 

IHS IP --------------Webseal dns name

So the issue got resolved. But when we remove this host entry from IHS server, its not able to access.

Since we are in a production environment we cant go ahead with a fake entry in hots file of IHS server  ( now we are simply telling a fake point as ihs server ip is resolved to webseal dns)

. So here we need a soluton, which wont affect the application functionality, but we can remove the fake entry from the IHS server and the entire application should work as expected.

Could you please help us here

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.