CDD 6.9 does not work on IE and Firefox on some systems

Document ID : KB000127062
Last Modified Date : 21/02/2019
Acronyms: (Acronym used or referred in document)
  • CDD: Continuous Delivery Director

When accessing CDD 6.9 via IE or Firefox on some systems, the error "something went wrong" is shown after login.
Continuous Delivery Director: 6.9 (also valid for higher versions)
In our analysis we observed the error below in the cdd-server.log file:
2019-02-13 13:41:23.803 [http-nio-8443-exec-11] ERROR c.c.r.w.f.OriginVerificationFilter - Failed request based on its origin. You may clear the JSESSIONID cookie request header or logout from the related CDD session Accessing '/cdd/login.jsp' is forbidden from 'https://<cdd-server>:8443/cdd/login.jsp', verified by referer header

Troubleshooting steps
  1. Check the file located on the Tomcat host, under the directory <USER-HOME>/.cdd/conf
  2. Check for below configuration in
    • cdd.url.schema = https
    • cdd.url.port = 8443
    • cdd.url.virtual_ip = hostname
  3. Check whether the hostname (short name or FQDN) is resolved via DNS
  4. Check the URL in use to access CDD
With 6.9, we have handled a potential security issue: CDD now validates that the Origin and Referer match. There might be a mismatch between what you have defined in the file for cdd.url.virtual_ip and what the browser is sending.

Some observed behavior of browsers
  • Chrome is adding the Origin HTTP header to its requests.
  • IE and Firefox are NOT adding the Origin HTTP header to their requests.
  • IE and Firefox are adding the Referer HTTP header instead, which uses a different format and different values.

The CDD behavior is consistent. In our analysis we identified that in the file the hostname is set to the short name of the server and the CDD URL is accessed via the short name, but IE and Firefox pass the Referer HTTP header, which uses the FQDN. This mismatch results in the error.

Solution: Access the CDD URL with the FQDN of the server instead of the short name for IE and Firefox.

Additional Information:

It is advised to access CDD using the exact same server address that was used for executing the CDD Installer. CDD verifies that any incoming client request comes from a page that was downloaded from CDD itself (same HTTP schema, same server name and same server port).
For example, if the customer was using for executing CDD Installer, it should also use https:/// for executing CDD service (and not https:///test:443)
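
The short-name versus FQDN mismatch described above can be reproduced offline with the following added example (not CDD code and not part of the original article). It assumes the check compares schema, host and port from the three cdd.url.* settings against the Origin header, or the Referer header when Origin is absent; the host names cddhost and cddhost.example.com are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample of the three settings listed in the troubleshooting steps.
SAMPLE_CONF = """\
cdd.url.schema = https
cdd.url.port = 8443
cdd.url.virtual_ip = cddhost
"""

def parse_conf(text):
    """Return the configured (schema, host, port) from 'key = value' lines."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return (props["cdd.url.schema"].lower(),
            props["cdd.url.virtual_ip"].lower(),
            int(props["cdd.url.port"]))

def origin_tuple(header_value):
    """Reduce an Origin or Referer value to (schema, host, port)."""
    parts = urlsplit(header_value)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(scheme))

def check_request(conf_text, headers):
    """Compare Origin (else Referer) with the configuration; return (ok, reason)."""
    expected = parse_conf(conf_text)
    labels = ("schema", "host", "port")
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if not value:
            continue
        got = origin_tuple(value)
        if got == expected:
            return True, f"{name} matches"
        diffs = [f"{label}: configured {e!r}, sent {g!r}"
                 for label, e, g in zip(labels, expected, got) if e != g]
        return False, f"{name} mismatch ({'; '.join(diffs)})"
    # Assumption: a request carrying neither header is treated as unverifiable.
    return False, "no Origin or Referer header"

if __name__ == "__main__":
    print(check_request(SAMPLE_CONF, {"Origin": "https://cddhost:8443"}))
    print(check_request(SAMPLE_CONF, {"Referer": "https://cddhost.example.com:8443/cdd/login.jsp"}))
```

Running the same comparison with the values from your own configuration file and the header shown in the cdd-server.log entry tells you which of the three components differs.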