8 Replies · Latest reply on Dec 6, 2017 1:58 PM by Sam Wong

    Configuration required on self hosted SN APP server to allow HTTPS

This is for an interface with a SNOW appliance which uses HTTPS only. The SN instance is a self-hosted Eureka instance on Red Hat. The SNOW interface section has been deployed; I just require details on how to configure the SN APP server to use HTTPS. Currently user access is on HTTP. Previously tried configuring glide.properties, but no joy with HTTPS access.

        • Re: Configuration required on self hosted SN APP server to allow HTTPS
          Tim Edwards

          Hi Bill,

           

          By default the ServiceNow app nodes will only be setup for HTTP connections. The reason for this is that it allows the load-balancer (which is a recommended part of the deployment and which handles HTTPS on behalf of the instance) to persist connections without any special configuration.

           

          We do have a KB article describing how to set the node to allow HTTPS. Unfortunately it's marked internal so I can't give you the whole article, but I've tested on a test instance and these are the necessary steps:

          - create a JKS keystore and generate a self-signed RSA key in it as the HTTPS cert (replace this with importing your existing HTTPS cert if you have a valid one):

            keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 -keystore /glide/nodes/<instance_port>/conf/<instance>.keystore

          (set the password on the new keystore file when prompted, keep the password for the generated RSA key pair as the same as the keystore - just press enter)

           

          - shutdown the node

           

          - create the file /glide/nodes/<instance_port>/conf/overrides.d/02-https.properties with these contents (change the last 2 properties to match your setup):

            tomcat.connector.main.redirectPort=8443
            tomcat.connector.secure.port=8443
            tomcat.connector.secure.scheme=https
            tomcat.connector.secure.secure=true
            tomcat.connector.secure.SSLEnabled=true
            tomcat.connector.secure.clientAuth=false
            tomcat.connector.secure.sslProtocol=TLS
            tomcat.connector.secure.keystoreFile=../conf/<instance>.keystore
            tomcat.connector.secure.keystorePass=<password>

           

          - start the node back up, it should be accessible at https://<hostname>:8443

           

          Let me know how you go with this


          -----
          If this post assisted you, please consider marking it correct, helpful, or liking it
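As an added example that is not from Tim's reply or from ServiceNow: a POSIX shell script that renders the 02-https.properties override above with the two site-specific values filled in, writes it with owner-only permissions (the keystore password sits in the file in clear text), refuses a copy in which the `<instance>` or `<password>` placeholder was left behind, and wraps the keytool command so it runs non-interactively. The node layout under /glide/nodes/<instance_port>/, the `GLIDE_NODE` variable, the function names and the keytool `-storepass`/`-keypass`/`-dname` flags are assumptions, not part of the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from ServiceNow: builds the
# 02-https.properties override from the reply above, keeps the keystore
# password out of group/world-readable files, and refuses unedited copies.
# Assumptions: node layout /glide/nodes/<instance_port>/ as in the thread,
# the GLIDE_NODE variable, and the non-interactive keytool flags.

# render_https_overrides INSTANCE KEYSTORE_PASS [HTTPS_PORT]
# Prints the nine properties with the two site-specific values filled in.
render_https_overrides() {
  instance=$1; pass=$2; port=${3:-8443}
  cat <<EOF
tomcat.connector.main.redirectPort=$port
tomcat.connector.secure.port=$port
tomcat.connector.secure.scheme=https
tomcat.connector.secure.secure=true
tomcat.connector.secure.SSLEnabled=true
tomcat.connector.secure.clientAuth=false
tomcat.connector.secure.sslProtocol=TLS
tomcat.connector.secure.keystoreFile=../conf/$instance.keystore
tomcat.connector.secure.keystorePass=$pass
EOF
}

# write_https_overrides NODE_DIR INSTANCE KEYSTORE_PASS
# Writes conf/overrides.d/02-https.properties under NODE_DIR with mode 600
# (the file carries the keystore password in clear text) and prints its path.
write_https_overrides() {
  dir=$1/conf/overrides.d
  mkdir -p "$dir" || return 1
  out=$dir/02-https.properties
  (umask 077 && render_https_overrides "$2" "$3" > "$out") || return 1
  chmod 600 "$out" || return 1
  printf '%s\n' "$out"
}

# check_https_overrides FILE
# Returns 0 only if every required key is present, no <instance>/<password>
# placeholder from the template survives, and group/others cannot read it.
check_https_overrides() {
  f=$1
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  for key in tomcat.connector.main.redirectPort tomcat.connector.secure.port \
             tomcat.connector.secure.SSLEnabled tomcat.connector.secure.keystoreFile \
             tomcat.connector.secure.keystorePass; do
    grep -q "^$key=" "$f" || { echo "missing $key in $f" >&2; return 1; }
  done
  if grep -q '[<>]' "$f"; then
    echo "template placeholder still present in $f" >&2; return 1
  fi
  # columns 5-10 of ls -l are the group/other permission bits
  case $(ls -l "$f" | cut -c5-10) in
    ------) ;;
    *) echo "$f is readable by group/others but holds the keystore password" >&2; return 1 ;;
  esac
  return 0
}

# make_keystore NODE_DIR INSTANCE KEYSTORE_PASS HOSTNAME
# The keytool command from the thread, made non-interactive; the key password
# equals the store password, as the reply recommends. Self-signed only:
# import a CA-issued certificate instead where one exists.
make_keystore() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH (the node JDK appears under /glide/java in the ps output)" >&2; return 2; }
  keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$1/conf/$2.keystore" -storepass "$3" -keypass "$3" -dname "CN=$4"
}

# Usage (GLIDE_NODE is an assumed variable, e.g. /glide/nodes/myinstance_16000):
#   GLIDE_NODE=/glide/nodes/myinstance_16000 sh https-node.sh myinstance 'S3cret!' app1.example.com
if [ -n "${GLIDE_NODE:-}" ] && [ $# -eq 3 ]; then
  make_keystore "$GLIDE_NODE" "$1" "$2" "$3" \
    && f=$(write_https_overrides "$GLIDE_NODE" "$1" "$2") \
    && check_https_overrides "$f" \
    && echo "wrote $f; shut the node down, start it again and browse to https://$3:8443"
fi
```

The permission check matters because the override file is the only place the keystore password lives in clear text; a 644 file next to the keystore hands both to any local account. The placeholder check catches the common failure of copying the reply's template verbatim, which leaves Tomcat pointing at a keystore named `<instance>.keystore`.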

            • Re: Configuration required on self hosted SN APP server to allow HTTPS
              Mohamed Almoslamany

              Hello Tim Edwards,

               

              I followed all steps, but I wasn't able to open in HTTPS https://10.xx.xx.xx:8443/

              PS: my service-now portal is 10.xx.xx.xx:16000, what should I try?

                • Re: Configuration required on self hosted SN APP server to allow HTTPS
                  Tim Edwards

                  Hi Mohamed,

                   

                  What's the error you get in the browser when going to https://10.xx.xx.xx:8443?

                   

                  Can you confirm that Tomcat is listening on that port? (On a Linux server run netstat -nlp | grep tomcat)

                  -----
                  If this post assisted you, please consider marking it correct, helpful, or liking it

                    • Re: Configuration required on self hosted SN APP server to allow HTTPS
                      Mohamed Almoslamany

                      Hi Tim,

                      I tried the netstat command, but nothing is listening.

                       

                      Kindly check the below output and advise (I'm not a Linux expert).

                       

                      [root@eecsaruh2hor285 ~]# netstat -nlp |grep tomcat

                      [root@eecsaruh2hor285 ~]#

                      [root@eecsaruh2hor285 ~]# service tomcat status

                      Redirecting to /bin/systemctl status tomcat.service

                      ● tomcat.service - Apache Tomcat Web Application Container

                         Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)

                         Active: inactive (dead)

                       

                      Nov 01 16:09:37 eecsaruh2hor285 server[5080]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

                      Nov 01 16:09:37 eecsaruh2hor285 server[5080]: at java.lang.Thread.run(Thread.java:748)

                      Nov 01 16:09:37 eecsaruh2hor285 server[5080]: Nov 01, 2017 4:09:37 PM org.apache.coyote.AbstractProtocol stop

                      Nov 01 16:09:37 eecsaruh2hor285 server[5080]: INFO: Stopping ProtocolHandler ["http-bio-8080"]

                      Nov 01 16:09:37 eecsaruh2hor285 server[5080]: Nov 01, 2017 4:09:37 PM org.apache.coyote.AbstractProtocol destroy

                      Nov 01 16:09:37 eecsaruh2hor285 server[5080]: INFO: Destroying ProtocolHandler ["http-bio-8080"]

                      Nov 01 16:09:37 eecsaruh2hor285 server[5080]: Nov 01, 2017 4:09:37 PM org.apache.coyote.AbstractProtocol stop

                      Nov 01 16:09:37 eecsaruh2hor285 server[5080]: INFO: Stopping ProtocolHandler ["ajp-bio-8009"]

                      Nov 01 16:09:37 eecsaruh2hor285 server[5080]: Nov 01, 2017 4:09:37 PM org.apache.coyote.AbstractProtocol destroy

                      Nov 01 16:09:37 eecsaruh2hor285 server[5080]: INFO: Destroying ProtocolHandler ["ajp-bio-8009"]

                       

                      [root@eecsaruh2hor285 ~]# ps aux |grep tomcat

                      service+  7347 11.2  3.7 2853092 1217644 ?     Sl   Nov01 160:50 /glide/java/bin/java -Dglide.orbit.bootstrap.class.path=../lib/orbit:../lib/contrib -Dglide.home.dist=.. -Djava.util.logging.config.file=../conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=../lib/endorsed -Djava.io.tmpdir=../tmp -Dfile.encoding=UTF-8 -Dglide.node.id.dir=app1_16000 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -XX:OnOutOfMemoryError=../scripts/kill_jvm_only.sh -server -XX:+UseConcMarkSweepGC -XX:GCTimeRatio=5 -Xms128m -Xmx2048m -XX:MaxPermSize=256m -Djava.library.path=../lib/jsw -classpath ../lib/jsw/wrapper.jar:../lib/jsw/orbit-bootstrap-7.2.0.jar:../lib/jsw/orbit-bootstrap-commons-lang-7.2.0.jar:../lib/jsw/tomcat-juli-7.0.64.jar -Dwrapper.key=Cv01OFSKFnCkhFWk -Dwrapper.port=32001 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=7316 -Dwrapper.version=3.2.3.SNC.1 -Dwrapper.native_library=wrapper -Dwrapper.ignore_signals=TRUE -Dwrapper.service=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=2 com.glide.orbit.bootstrap.jsw.GlideOrbitJSW

                      root     12777  0.0  0.0 112664   980 pts/1    S+   16:24 0:00 grep --color=auto tomcat

                      service+ 26182  2.9  3.5 2817392 1180108 ?     Sl   Sep27 1547:38 /glide/java/bin/java -Dglide.orbit.bootstrap.class.path=../lib/orbit:../lib/contrib -Dglide.home.dist=.. -Djava.util.logging.config.file=../conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=../lib/endorsed -Djava.io.tmpdir=../tmp -Dfile.encoding=UTF-8 -Dglide.node.id.dir=app2_16001 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -XX:OnOutOfMemoryError=../scripts/kill_jvm_only.sh -server -XX:+UseConcMarkSweepGC -XX:GCTimeRatio=5 -Xms128m -Xmx2048m -XX:MaxPermSize=256m -Djava.library.path=../lib/jsw -classpath ../lib/jsw/wrapper.jar:../lib/jsw/orbit-bootstrap-7.2.0.jar:../lib/jsw/orbit-bootstrap-commons-lang-7.2.0.jar:../lib/jsw/tomcat-juli-7.0.64.jar -Dwrapper.key=HtiAvPmmPCdMilSV -Dwrapper.port=32002 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=26157 -Dwrapper.version=3.2.3.SNC.1 -Dwrapper.native_library=wrapper -Dwrapper.ignore_signals=TRUE -Dwrapper.service=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=2 com.glide.orbit.bootstrap.jsw.GlideOrbitJSW

                      avp      30829  0.0  0.6 10948692 224284 ?     Sl   Oct09  25:28 /glide/avp/java/bin/java -Djava.util.logging.config.file=/glide/avp/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/glide/avp/tomcat/endorsed -classpath /glide/avp/tomcat/bin/bootstrap.jar -Dcatalina.base=/glide/avp/tomcat -Dcatalina.home=/glide/avp/tomcat -Djava.io.tmpdir=/glide/avp/tomcat/temp org.apache.catalina.startup.Bootstrap start

                      avp      30862  0.0  0.1 2099628 45524 ?       Sl Oct09   4:54 /glide/avp/bin/phantomjs /glide/avp/tomcat/temp/export2908334316466610516/phantomjs/highcharts-convert.js -host 127.0.0.1 -port 7777

                      avp      30877  0.0  0.1 2099584 43148 ?       Sl Oct09   4:51 /glide/avp/bin/phantomjs /glide/avp/tomcat/temp/export2908334316466610516/phantomjs/highcharts-convert.js -host 127.0.0.1 -port 7778

                      avp      30892  0.0  0.1 2099516 45432 ?       Sl   Oct09 4:39 /glide/avp/bin/phantomjs /glide/avp/tomcat/temp/export2908334316466610516/phantomjs/highcharts-convert.js -host 127.0.0.1 -port 7779

                      avp      30924  0.0  0.1 2099884 41460 ?       Sl Oct09   4:40 /glide/avp/bin/phantomjs /glide/avp/tomcat/temp/export2908334316466610516/phantomjs/highcharts-convert.js -host 127.0.0.1 -port 7781

                      avp      31024  0.0  0.0 2098580 31808 ?       Sl Oct09   5:11 /glide/avp/bin/phantomjs /glide/avp/tomcat/temp/export2908334316466610516/phantomjs/highcharts-convert.js -host 127.0.0.1 -port 77
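The ps listing above explains the empty netstat result: the app nodes run as plain `java` processes (`com.glide.orbit.bootstrap.jsw.GlideOrbitJSW`, `-Dglide.node.id.dir=app1_16000`), so the PID/Program column of `netstat -nlp` reads `java`, and `grep tomcat` matches nothing even while port 16000 is being served. The systemd `tomcat.service` that is inactive is a different unit from the node. As an added example that is not part of the thread, a small POSIX shell helper that selects listeners by port rather than by program name, run here over constructed `netstat -nlp` lines, plus a TLS handshake probe for once the 8443 listener is up. The sample lines and their PIDs, the function names and the `probe_tls` helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Finds what is listening on a given
# port from `netstat -nlp` output, independent of the program name, and
# optionally checks that the port really completes a TLS handshake.

# Constructed sample of `netstat -nlp` output (assumed; the PIDs mirror the
# ps listing above, where both app nodes show up as "java", not "tomcat").
sample_netstat() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:16000           0.0.0.0:*               LISTEN      7347/java
tcp        0      0 0.0.0.0:16001           0.0.0.0:*               LISTEN      26182/java
tcp        0      0 127.0.0.1:7777          0.0.0.0:*               LISTEN      30862/phantomjs
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1102/sshd
EOF
}

# find_listener PORT   (netstat -nlp output on stdin)
# Prints the PID/Program entry of every LISTEN socket bound to PORT.
# Matching on the port finds the java node even though the word "tomcat"
# never appears in the listing; "::" IPv6 binds end in ":PORT" too.
find_listener() {
  awk -v p="$1" '$6 == "LISTEN" && $4 ~ (":" p "$") { print $7 }'
}

# check_listener PORT
# Runs the live listing (root is needed for the PID/Program column, as in
# the thread) and reports whether anything is bound to PORT. Returns 1 when
# nothing is, which is what the output above shows for 8443.
check_listener() {
  who=$(netstat -nlp 2>/dev/null | find_listener "$1")
  if [ -z "$who" ]; then
    echo "nothing is listening on port $1 (node not restarted, or override not loaded)" >&2
    return 1
  fi
  echo "port $1: $who"
}

# probe_tls HOST PORT
# Confirms the listener actually negotiates TLS, which a browser error page
# alone does not tell you. Needs openssl on PATH; shows protocol, cipher
# and the certificate verification result (self-signed will not verify).
probe_tls() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 \
    | grep -E 'Protocol|Cipher is|Verify return code'
}

# Usage: sh check-https-node.sh 8443 [hostname]
if [ $# -ge 1 ]; then
  check_listener "$1" && [ $# -ge 2 ] && probe_tls "$2" "$1"
fi
```

When the port check is empty after a restart, the usual causes are that the override file was not picked up from conf/overrides.d (check the node's own log under its directory rather than `journalctl -u tomcat`), or that the node was never shut down before the file was added, since the properties are read at startup.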

                • Re: Configuration required on self hosted SN APP server to allow HTTPS
                  Sam Wong

                  I went through the same thought process...

                   

                  In the end, your SSL termination point should be at the load balancer.  Not the application server(s).

                   

                  That way you can examine headers and reverse proxy etc.

                   

                  Suggest you go with that.