OneClick Console won't launch after enabling ModSecurity in SSL mode

Document ID : KB000046402
Last Modified Date : 14/02/2018

Issue:

You have enabled ModSecurity in SSL mode and configured httpd (Apache Web Server) to listen only on TCP/443, i.e. you removed (commented out) the following lines in $SPECROOT/apache/conf/httpd.conf:

Listen 80

ProxyPreserveHost On
ProxyPass /spectrum http://localhost:8080/spectrum
ProxyPassReverse /spectrum http://localhost:8080/spectrum

and you have the following configuration in $SPECROOT/apache/conf/extra/httpd-ssl.conf:

<VirtualHost *:443>
  ProxyPreserveHost On
  ProxyPass /spectrum http://localhost:8080/spectrum
  ProxyPassReverse /spectrum http://localhost:8080/spectrum

  (other attributes here)

</VirtualHost>

The OneClick Web Admin page is accessible via HTTPS (TCP/443), but when you click the "Start Console" link the OneClick Console does not launch and an "Unable to launch the application" error dialog is shown. The Java Web Start trace contains the following exceptions:

com.sun.deploy.net.FailedDownloadException: Unable to load resource: http://<hostname>/spectrum/oneclick.jnlp
at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.net.NetworkClient.doConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Environment:

Spectrum 10.1 and later on all platforms

Cause:

The problem occurs because ModSecurity on httpd (Apache Web Server) has been configured in SSL mode while Tomcat is still running in plain HTTP mode. Java Web Start therefore tries to download the JNLP file from http://<hostname>/spectrum/oneclick.jnlp, and that request is refused because httpd no longer listens on TCP/80. Tomcat must be configured in SSL mode as well to avoid this problem.

Resolution:

1. Configure Tomcat in SSL mode. For example, you can use the following Connector configuration in the $SPECROOT/tomcat/conf/server.xml file:

   <!-- address="127.0.0.1" binds the SSL connector to the loopback interface only;
        the port must match the ProxyPass target used in httpd-ssl.conf -->
   <Connector
      address="127.0.0.1"
      port="8444"
      enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
      acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
      clientAuth="false" sslProtocol="TLS"
      ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
      keystoreFile="C:/win32app/Spectrum/custom/keystore/cacerts"
      keystorePass="changeit">
   </Connector>

   Note:
     Specifying 'address="127.0.0.1"' in the Connector configuration above blocks direct external access to TCP/8444, so Tomcat can only be reached through httpd.
     You should also comment out the HTTP Connector configuration in the server.xml file so that Tomcat runs in SSL mode only.

2. While configuring ModSecurity in SSL mode, replace the VirtualHost configuration in the $SPECROOT/apache/conf/extra/httpd-ssl.conf file with the following:

   <VirtualHost *:443>
      ProxyPreserveHost on
      SSLEngine on
      SSLProxyEngine on
      SSLProxyVerify none
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      SSLProxyCheckPeerExpire off
      # the target port must match the Tomcat SSL Connector port from step 1
      ProxyPass /spectrum https://localhost:8444/spectrum
      ProxyPassReverse /spectrum https://localhost:8444/spectrum

      (other attributes here)

   </VirtualHost>

With this configuration, ModSecurity on httpd (Apache Web Server) runs in SSL mode on port TCP/443 and Tomcat runs in SSL mode on port TCP/8444, bound to the loopback interface. Note that the SSLProxyVerify none and SSLProxyCheckPeer* off directives disable verification of Tomcat's certificate on the httpd-to-Tomcat hop; this is acceptable only because that hop never leaves the local host.
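The two steps above only work when the httpd and Tomcat settings agree with each other: httpd must no longer listen on TCP/80, the ProxyPass target must use https, point at the loopback interface and use the same port as the Tomcat SSL Connector, and that Connector must be bound to 127.0.0.1. The following script is an added example (not part of this article or of CA Spectrum) that checks those constraints against small, constructed excerpts of server.xml, httpd-ssl.conf and httpd.conf; the sample excerpts, the function names and the finding messages are all assumptions made for the illustration, and the httpd-ssl.conf sample deliberately uses port 8443 so that the mismatch is reported.

```python
"""Consistency check for the httpd (ModSecurity) -> Tomcat SSL proxy chain.

Added example, not CA Spectrum code. The three configuration excerpts below are
constructed for the illustration; in practice read them from
$SPECROOT/tomcat/conf/server.xml, $SPECROOT/apache/conf/extra/httpd-ssl.conf
and $SPECROOT/apache/conf/httpd.conf.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed excerpt of server.xml: HTTP connector commented out, SSL connector on loopback.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" /> -->
    <Connector address="127.0.0.1" port="8444" scheme="https" secure="true" SSLEnabled="true" />
  </Service>
</Server>"""

# Constructed excerpt of httpd-ssl.conf: note the proxy target port does NOT match 8444.
HTTPD_SSL_CONF = """<VirtualHost *:443>
   ProxyPreserveHost on
   SSLEngine on
   SSLProxyEngine on
   ProxyPass /spectrum https://localhost:8443/spectrum
   ProxyPassReverse /spectrum https://localhost:8443/spectrum
</VirtualHost>"""

# Constructed excerpt of httpd.conf with the plain-HTTP listener commented out.
HTTPD_CONF = """# Listen 80
Listen 443
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def tomcat_connectors(server_xml):
    """Describe every active <Connector>; XML comments are skipped by the parser."""
    root = ET.fromstring(server_xml)
    return [
        {
            "port": int(c.get("port")),
            "address": c.get("address"),  # None means "listen on all interfaces"
            "ssl": c.get("SSLEnabled", "false").lower() == "true",
        }
        for c in root.iter("Connector")
    ]


def proxy_targets(httpd_ssl_conf):
    """Return the parsed target URL of each ProxyPass / ProxyPassReverse directive."""
    targets = []
    for line in httpd_ssl_conf.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"(ProxyPass|ProxyPassReverse)\s+\S+\s+(\S+)", line)
        if m:
            targets.append(urlparse(m.group(2)))
    return targets


def active_listen_ports(httpd_conf):
    """Collect the ports of uncommented Listen directives (handles 'Listen 443' and 'Listen 1.2.3.4:443')."""
    ports = set()
    for line in httpd_conf.splitlines():
        m = re.match(r"\s*Listen\s+(?:\S*:)?(\d+)", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def check_chain(server_xml, httpd_ssl_conf, httpd_conf):
    """Return a list of findings; an empty list means the proxy chain is consistent."""
    findings = []
    listen = active_listen_ports(httpd_conf)
    if 80 in listen:
        findings.append("httpd still listens on TCP/80")
    if 443 not in listen:
        findings.append("httpd does not listen on TCP/443")

    connectors = tomcat_connectors(server_xml)
    for c in connectors:
        if not c["ssl"]:
            findings.append(f"Tomcat connector on port {c['port']} is not SSL-enabled")
        if c["address"] not in LOOPBACK:
            findings.append(f"Tomcat connector on port {c['port']} is reachable on all interfaces")

    ssl_ports = sorted(c["port"] for c in connectors if c["ssl"])
    for t in proxy_targets(httpd_ssl_conf):
        if t.scheme != "https":
            findings.append(f"proxy target {t.geturl()} is not https")
        if t.hostname not in LOOPBACK:
            findings.append(f"proxy target {t.geturl()} does not point at the loopback interface")
        if t.port not in ssl_ports:
            findings.append(f"proxy target port {t.port} does not match any Tomcat SSL connector {ssl_ports}")
    return findings


if __name__ == "__main__":
    for finding in check_chain(SERVER_XML, HTTPD_SSL_CONF, HTTPD_CONF) or ["chain is consistent"]:
        print(finding)
```

Run against the constructed excerpts the script reports the 8443/8444 mismatch for both the ProxyPass and the ProxyPassReverse line; after the target port is corrected to 8444 it reports nothing. The check is intentionally strict about the loopback binding, because once Tomcat's certificate is not verified by httpd the only thing keeping that hop safe is that it never leaves the host.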

Additional Information:

Configure OneClick for Secure Sockets Layer

Enable ModSecurity Web Application Firewall in SSL Mode