IBM Sametime HTTPS redirection

Redirection of HTTP to HTTPS for Sametime is made possible by deploying a WebSphere proxy in front of Sametime Proxy or a Meeting server. Once configured, you can use a routing rule to redirect a specific URL to another specific URL. What if you want every possible permutation to be directed to HTTPS?


It is well documented in http://blog.msbiro.net/2014/02/redir-htp-https-websphere-proxy-sametime-server.html and http://www-10.lotus.com/ldd/stwiki.nsf/dx/Forcing_Sametime_8.5.2_WebSphere_Application_server_to_use_HTTPS_TLS_encryption how to achieve this.

I have used the above method successfully for a while but it got me thinking how I would control a user accessing a meeting room directly as opposed to going to the meeting center which would be captured by the routing rule.

I raised a PMR after testing many scenarios with a WebSphere proxy fronting a Sametime Proxy and Meeting server and IBM told me that it is not possible with a WebSphere proxy but suggested I use IHS. Not his fault, he wasn’t a Sametime guy. But he did suggest that I take a look at using <transport-guarantee>CONFIDENTIAL</transport-guarantee>.

http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html describes how to achieve this. If you Google <transport-guarantee>CONFIDENTIAL</transport-guarantee> you will find a number of IBM docs on this which help.

What I wasn’t sure of is whether to make the change in multiple places, i.e. each war’s web.xml where there is a “<security-constraint>” stanza. It may be only appropriate to make the change on the login page and thus the war that relates to it, but what if people went directly to a specific page, bypassing the login page’s war?

I made the following changes on the SSC and then issued a full sync and restarted the STProxy. I also ensured that I had disabled the WebSphere proxy’s rule so that it didn’t step in.

[root@st9ssc ~]# cd /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications
[root@st9ssc applications]# cp -r ./SametimeProxy.ear/ /tmp/SametimeProxy.ear.backup

[root@st9ssc applications]# cd /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy
[root@st9ssc SametimeProxy]# ll
total 56
drwxr-xr-x 4 root root 4096 Jan  6  2014 autoaway.war
-rw-r--r-- 1 root root 5208 Jun 15 11:49 deployment.xml
drwxr-xr-x 2 root root 4096 Oct 24  2013 META-INF
drwxr-xr-x 4 root root 4096 May 26 17:42 proxyutils.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 screencapture.war
drwxr-xr-x 4 root root 4096 Jan  6  2014 stmobileweb.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stproxybase.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stproxymobile.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stproxyredirect.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stproxyservlet.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stproxyweb.war
drwxr-xr-x 4 root root 4096 Oct 24  2013 stwebav.war
drwxr-xr-x 4 root root 4096 Jan  6  2014 workclasses

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stmobileweb.war/WEB-INF/web.xml

<security-constraint>
<web-resource-collection>
<web-resource-name>SametimeProxy methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>AllUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxybase.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>SametimeProxy methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>AllUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxymobile.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Mobile installation</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>AllUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyredirect.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Sametime Proxy Server</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>AllAuthenticatedUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyservlet.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>rtc4web based WebApp and GUI</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>AllUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyweb.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>File Share methods</web-resource-name>
<url-pattern>/ajaxproxy/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
<auth-constraint>
<description>All users, registered and unregistered</description>
<role-name>AllAuthenticatedUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>SametimeProxy methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description>All users, registered and unregistered</description>
<role-name>AllAuthenticatedUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[root@st9ssc SametimeProxy]# vi /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stwebav.war/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>WebAV Binaries Install Update</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>AllUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
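Because the same stanza has to be checked in seven different web.xml files, and because a fix pack can silently put the originals back, it helps to have a script that walks the exploded EAR and reports every <security-constraint> whose <transport-guarantee> is not CONFIDENTIAL. The following is an added example and not part of the original post or of any IBM tooling; the sample web.xml it parses is constructed, and the function names (audit_web_xml, weak_constraints, audit_ear) are chosen here.

```python
"""Audit web.xml files for <security-constraint> stanzas missing
<transport-guarantee>CONFIDENTIAL</transport-guarantee>.

Added example, not from the original post. SAMPLE_WEB_XML is constructed;
audit_web_xml / weak_constraints / audit_ear are names chosen here, not
WebSphere APIs."""
import os
import xml.etree.ElementTree as ET

# Constructed sample: a namespaced web.xml with three stanzas, one compliant,
# one explicitly NONE and one with no <user-data-constraint> at all.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SametimeProxy methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>File Share methods</web-resource-name>
      <url-pattern>/ajaxproxy/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Unguarded resources</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace: '{http://...}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return one dict per <security-constraint> in the document.

    'methods' is reported because a constraint that lists <http-method>
    elements applies only to those methods (Servlet spec); an empty list
    means the constraint covers every method."""
    root = ET.fromstring(xml_text)
    report = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        entry = {"name": "", "patterns": [], "methods": [], "guarantee": None}
        for child in sc.iter():
            tag, text = _local(child.tag), (child.text or "").strip()
            if tag == "web-resource-name":
                entry["name"] = text
            elif tag == "url-pattern":
                entry["patterns"].append(text)
            elif tag == "http-method":
                entry["methods"].append(text.upper())
            elif tag == "transport-guarantee":
                entry["guarantee"] = text.upper()
        entry["confidential"] = entry["guarantee"] == "CONFIDENTIAL"
        report.append(entry)
    return report


def weak_constraints(xml_text):
    """Names of constraints whose transport guarantee is not CONFIDENTIAL."""
    return [e["name"] for e in audit_web_xml(xml_text) if not e["confidential"]]


def audit_ear(ear_dir):
    """Walk an exploded EAR (e.g. SametimeProxy.ear/deployments/...) and map
    each war's WEB-INF/web.xml path to the names of its weak constraints."""
    results = {}
    for dirpath, _dirs, files in os.walk(ear_dir):
        if os.path.basename(dirpath) == "WEB-INF" and "web.xml" in files:
            path = os.path.join(dirpath, "web.xml")
            with open(path, encoding="utf-8") as fh:
                results[path] = weak_constraints(fh.read())
    return results


if __name__ == "__main__":
    for e in audit_web_xml(SAMPLE_WEB_XML):
        flag = "OK  " if e["confidential"] else "WEAK"
        print(flag, e["name"], e["patterns"], e["methods"], e["guarantee"])
```

Point audit_ear at the deployments directory from the session above and re-run it after every full sync and every fix pack; an empty list for each war means the CONFIDENTIAL guarantee is still in place. The methods column is worth reading too: a stanza that lists only OPTIONS, TRACE and HEAD constrains just those methods under the Servlet specification, so if a war's GET requests are expected to be redirected, confirm that a stanza without an <http-method> list (or with GET included) carries the guarantee.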

Full sync.

[7/24/15 16:52:50:087 BST] 00000072 FileRepositor A   ADMR0012I: The repository epoch is refreshed.
[7/24/15 16:52:50:123 BST] 00000072 FileRepositor A   Repository epoch refresh
[7/24/15 16:52:54:307 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyweb.war/WEB-INF/web.xml.
[7/24/15 16:52:54:329 BST] 00000664 FileRepositor A   ADMR0017I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent deleted document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyweb.war/WEB-INF/.web.xml.swp.
[7/24/15 16:52:54:362 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stwebav.war/WEB-INF/web.xml.
[7/24/15 16:52:54:416 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyredirect.war/WEB-INF/web.xml.
[7/24/15 16:52:54:456 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxymobile.war/WEB-INF/web.xml.
[7/24/15 16:52:54:497 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stmobileweb.war/WEB-INF/web.xml.
[7/24/15 16:52:54:534 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxyservlet.war/WEB-INF/web.xml.
[7/24/15 16:52:54:609 BST] 00000664 FileRepositor A   ADMR0016I: User ldap.collaborationben.com:389/server:st9sscSSCCell_st9proxySTPNode1_nodeagent modified document cells/st9sscSSCCell/applications/SametimeProxy.ear/deployments/SametimeProxy/stproxybase.war/WEB-INF/web.xml.
[7/24/15 16:52:55:856 BST] 00000664 NodeSyncTask  A   ADMS0003I: The configuration synchronization completed successfully.
[7/24/15 16:52:56:612 BST] 0000066c AppBinaryProc I   ADMA7021I: Distribution of application SametimeProxy completed successfully.

I still have the WebSphere proxy in front of STProxy which isn’t needed now, but whenever I hit the STProxy or WebSphere proxy on their unsecured ports (WC_defaulthost or PROXY_HTTP_ADDRESS) I am redirected to the secure port of the application server (WC_defaulthost_secure).

Early testing looks good. I haven’t tested integration with Meetings, AV or mobile but I will do in time. Mobile may be a bit tricky as this is asking the client to redirect but I would have hoped the mobile app would have been configured to use HTTPS anyway.

One problem would be that each time the STProxy is updated with a fix from Fix Central or IBM support these changes will be overwritten and will need to be made again. Also, this would do away with the need for a WebSphere proxy if it is being used solely for redirection to SSL. If you have a cluster of Meeting servers then you will still need WebSphere proxies.

In the circumstance of clustered WebSphere proxies the problem I see arising is that the redirection uses the secure port listed in the virtual host for the application server and not that of the WebSphere proxy. This means that unless the WebSphere proxy is on another host or bound to port 443 on a second NIC on the same node as the Meeting application server then you will not be able to redirect to 443 properly. You can’t have two things listening on 443 on the same host using the same NIC.
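The port issue above is easy to miss by eye, because the browser happily follows the redirect to whatever port the application server's virtual host advertises. A small check that captures the plain-HTTP response without following it and compares the Location header against the host and port the front end is supposed to expose makes it visible. This is an added example, not code from the post; the captured responses are constructed, and stproxy.example.com and port 9443 are placeholders for whatever WC_defaulthost_secure is in a given cell.

```python
"""Check that a plain-HTTP hit on a Sametime/WebSphere endpoint is answered
with a redirect to the intended HTTPS front end.

Added example, not from the original post. The raw responses below are
constructed; the host name and port 9443 are illustrative placeholders."""
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_raw_response(raw):
    """Minimal parser for a captured HTTP response: returns (status, headers)
    with header names lower-cased. Sufficient for redirect checks."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_https_redirect(status, headers, expected_host, expected_port=443):
    """Return (ok, reason). ok is True only if the response redirects to
    https://expected_host:expected_port/... ; a redirect to the application
    server's own secure port instead of the front end's 443 is reported."""
    if status not in REDIRECT_CODES:
        return False, "not a redirect (status %d)" % status
    location = headers.get("location")
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, "redirect target is not https: " + location
    port = target.port if target.port is not None else 443
    if target.hostname != expected_host:
        return False, "redirect host %s differs from %s" % (target.hostname, expected_host)
    if port != expected_port:
        return False, "redirect goes to port %d but the front end listens on %d" % (port, expected_port)
    return True, "redirects to " + location


def probe(host, port, path="/", timeout=5):
    """Live check: issue one GET over plain HTTP without following redirects
    and return (status, headers) in the same shape as parse_raw_response."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


# Constructed captures: the first is what the post describes (redirect to the
# application server's WC_defaulthost_secure port), the second is what you
# get when the guarantee is not in effect.
REDIRECT_TO_APPSERVER = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://stproxy.example.com:9443/stwebclient/index.jsp\r\n"
    b"Content-Length: 0\r\n\r\n"
)
NO_REDIRECT = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    status, headers = parse_raw_response(REDIRECT_TO_APPSERVER)
    # Passes when the application server itself is the public endpoint...
    print(check_https_redirect(status, headers, "stproxy.example.com", 9443))
    # ...and fails when users are meant to reach a front end on 443.
    print(check_https_redirect(status, headers, "stproxy.example.com", 443))
    print(check_https_redirect(*parse_raw_response(NO_REDIRECT), "stproxy.example.com"))
```

Run probe() against WC_defaulthost and PROXY_HTTP_ADDRESS in turn and feed each result to check_https_redirect with the host and port users are actually given; a "redirect goes to port ..." result is exactly the clustered-proxy symptom described above, and "not a redirect" after a fix pack means the web.xml changes have been overwritten.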

Nevertheless, without being able to use Apache or IHS this provides a useful alternative.