OneClick-Console "Heartbeat" is affected when the Apache ModSecurity firewall is enabled

Document ID : KB000008691
Last Modified Date : 14/02/2018
Issue:

The CA Spectrum OneClick-Console R10.1(++) application on the workstation does not show the "red-framed" console when the OC-server is not reachable or no longer available. This is seen when the CA Spectrum Apache ModSecurity firewall is enabled. As a result, an OC-Console may appear to be up and running even though the connection to the OC-server is lost (or the OC-server is down), with no "red-framed" OC-Console to indicate it.

Environment:
CA Spectrum OneClick-Web-Server R10.1(++) on all platforms / OS when the ModSecurity Web Application firewall is enabled.
Cause:

When the ModSecurity Web Application firewall is enabled for a CA Spectrum R10.1 (or higher) OneClick-Server (see the default setup procedure in the CA Spectrum R10.1++ documentation: https://docops.ca.com/ca-spectrum/10-2-2/en/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/enable-modsecurity-web-application-firewall ), the OC-Console "Heartbeat" function is blocked. The OC-Console application view then no longer turns "red-framed" (status disconnected) when the connection from the OC-Console to the OC-server/service is lost.

As background: a heartbeat logic between the OC-Console and the OC-server checks every minute for active communication.

As a result, the OC-Console may look fine although there is no update or communication from the OC-server to the OC-Console or vice versa (i.e. when using or clicking objects in the OC-Console).

Resolution:

To resolve this problem, the Apache ModSecurity application firewall configuration needs to be modified.

The reconfiguration requires modifying the following files:

./apache/modsecurity-crs/activated_rules/whitelist.conf
./apache/modsecurity-crs/modsecurity_crs_10_setup.conf
./apache/modsecurity-crs/base_rules/modsecurity_crs_50_outbound.conf
./apache/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf

 

See the attached document covering the edits in detail: Modsecurity_R10.1_enable_heartbeat.pdf

File Attachments:
TEC1621063.zip