Configuration required on self hosted SN APP server to allow HTTPS

bkw
Kilo Explorer

This is for an interface with a SNOW appliance which uses HTTPS only. The SN instance is a self-hosted Eureka instance on Redhat. The SNOW interface section has been deployed; I just require details on how to configure the SN APP server to use HTTPS. Currently user access is on HTTP. I previously tried configuring glide.properties, but no joy with HTTPS access.


tim210
ServiceNow Employee

Hi Bill,



By default the ServiceNow app nodes will only be setup for HTTP connections. The reason for this is that it allows the load-balancer (which is a recommended part of the deployment and which handles HTTPS on behalf of the instance) to persist connections without any special configuration.



We do have a KB article describing how to set the node to allow HTTPS. Unfortunately it's marked internal so I can't give you the whole article, but I've tested on a test instance and these are the necessary steps:


- create a JKS keystore and generate a self-signed RSA key in it as the HTTPS cert (replace this with importing your existing HTTPS cert if you have a valid one): keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 -keystore /glide/nodes/<instance_port>/conf/<instance>.keystore

(set the password on the new keystore file when prompted; keep the password for the generated RSA key pair the same as the keystore - just press enter)



- shut down the node



- create the file /glide/nodes/<instance_port>/conf/overrides.d/02-https.properties with these contents (change the last 2 properties to match your setup):

tomcat.connector.main.redirectPort=8443
tomcat.connector.secure.port=8443
tomcat.connector.secure.scheme=https
tomcat.connector.secure.secure=true
tomcat.connector.secure.SSLEnabled=true
tomcat.connector.secure.clientAuth=false
tomcat.connector.secure.sslProtocol=TLS
tomcat.connector.secure.keystoreFile=../conf/<instance>.keystore
tomcat.connector.secure.keystorePass=<password>

- start the node back up; it should be accessible at https://<hostname>:8443



Let me know how you go with this.
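As an added example (not code from the thread or from ServiceNow), a short Python check covering both the override file described above and the "nothing listening" diagnosis that comes up later in the thread: it lints 02-https.properties for the settings the secure connector needs and probes the port to tell a closed port from one that is open but not speaking TLS. The sample properties, the instance name myinstance and the password changeit are constructed.

```python
import socket
import ssl

REQUIRED = {"tomcat.connector.secure.scheme": "https", "tomcat.connector.secure.secure": "true",
            "tomcat.connector.secure.SSLEnabled": "true"}   # without these the connector never speaks TLS

def parse_properties(text):
    """Minimal Java .properties reader: one key=value per line, '#'/'!' comment lines ignored."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and not line.startswith(("#", "!")):
            props[key.strip()] = value.strip()
    return props

def lint_https_overrides(text):
    """Return the problems found in a 02-https.properties file; an empty list means it looks sane."""
    p = parse_properties(text)
    problems = [f"{k} should be {v}, got {p.get(k)!r}" for k, v in REQUIRED.items() if p.get(k) != v]
    port = p.get("tomcat.connector.secure.port", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("tomcat.connector.secure.port is missing or not a valid port")
    if p.get("tomcat.connector.main.redirectPort") != port:
        problems.append("main.redirectPort differs from secure.port: HTTP->HTTPS redirects go to the wrong port")
    for k in ("tomcat.connector.secure.keystoreFile", "tomcat.connector.secure.keystorePass"):
        v = p.get(k, "")
        if not v or (v.startswith("<") and v.endswith(">")):
            problems.append(f"{k} is unset or still a <placeholder>")
    return problems

def probe_tls(host, port, timeout=3.0):
    """Separate 'nothing listening' (the thread's netstat result) from 'TCP open, no TLS' and 'TLS ok'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"closed: {exc}"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # keytool -genkey yields a self-signed cert: test the handshake, not trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return f"tls ok: {tls.version()} {tls.cipher()[0]}"
    except OSError as exc:  # ssl.SSLError is an OSError; so is a handshake timeout
        return f"open but no TLS handshake: {exc}"

# Constructed sample: the thread's override file with the two site-specific values filled in.
SAMPLE = ("tomcat.connector.main.redirectPort=8443\ntomcat.connector.secure.port=8443\n"
          "tomcat.connector.secure.scheme=https\ntomcat.connector.secure.secure=true\n"
          "tomcat.connector.secure.SSLEnabled=true\ntomcat.connector.secure.clientAuth=false\n"
          "tomcat.connector.secure.sslProtocol=TLS\ntomcat.connector.secure.keystoreFile=../conf/myinstance.keystore\n"
          "tomcat.connector.secure.keystorePass=changeit\n")
```

Run `probe_tls("127.0.0.1", 8443)` on the app server itself after the restart: a "closed" result there means the connector never bound the port (check the node's logs), whereas "closed" only from the SNOW appliance side points at the network path between them.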


Hello Tim Edward,

I followed all steps, but I wasn't able to open it in HTTPS: https://10.xx.xx.xx:8443/

PS: my service-now portal is 10.xx.xx.xx:16000, what should I try?


Hi Mohamed,



What's the error you get in the browser when going to https://10.xx.xx.xx:8443?



Can you confirm that Tomcat is listening on that port? (On a Linux server run netstat -nlp | grep tomcat)


Hi Tom,

I tried the netstat command, but nothing is listening.

Kindly check the below output and advise (I'm not a Linux expert).



[root@eecsaruh2hor285 ~]# netstat -nlp |grep tomcat
[root@eecsaruh2hor285 ~]#
[root@eecsaruh2hor285 ~]# service tomcat status
Redirecting to /bin/systemctl status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
    Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
    Active: inactive (dead)

Nov 01 16:09:37 eecsaruh2hor285 server[5080]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Nov 01 16:09:37 eecsaruh2hor285 server[5080]: at java.lang.Thread.run(Thread.java:748)
Nov 01 16:09:37 eecsaruh2hor285 server[5080]: Nov 01, 2017 4:09:37 PM org.apache.coyote.AbstractProtocol stop
Nov 01 16:09:37 eecsaruh2hor285 server[5080]: INFO: Stopping ProtocolHandler ["http-bio-8080"]
Nov 01 16:09:37 eecsaruh2hor285 server[5080]: Nov 01, 2017 4:09:37 PM org.apache.coyote.AbstractProtocol destroy
Nov 01 16:09:37 eecsaruh2hor285 server[5080]: INFO: Destroying ProtocolHandler ["http-bio-8080"]
Nov 01 16:09:37 eecsaruh2hor285 server[5080]: Nov 01, 2017 4:09:37 PM org.apache.coyote.AbstractProtocol stop
Nov 01 16:09:37 eecsaruh2hor285 server[5080]: INFO: Stopping ProtocolHandler ["ajp-bio-8009"]
Nov 01 16:09:37 eecsaruh2hor285 server[5080]: Nov 01, 2017 4:09:37 PM org.apache.coyote.AbstractProtocol destroy
Nov 01 16:09:37 eecsaruh2hor285 server[5080]: INFO: Destroying ProtocolHandler ["ajp-bio-8009"]

[root@eecsaruh2hor285 ~]# ps aux |grep tomcat
service+   7347 11.2   3.7 2853092 1217644 ?         Sl     Nov01 160:50 /glide/java/bin/java -Dglide.orbit.bootstrap.class.path=../lib/orbit:../lib/contrib -Dglide.home.dist=.. -Djava.util.logging.config.file=../conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=../lib/endorsed -Djava.io.tmpdir=../tmp -Dfile.encoding=UTF-8 -Dglide.node.id.dir=app1_16000 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -XX:OnOutOfMemoryError=../scripts/kill_jvm_only.sh -server -XX:+UseConcMarkSweepGC -XX:GCTimeRatio=5 -Xms128m -Xmx2048m -XX:MaxPermSize=256m -Djava.library.path=../lib/jsw -classpath ../lib/jsw/wrapper.jar:../lib/jsw/orbit-bootstrap-7.2.0.jar:../lib/jsw/orbit-bootstrap-commons-lang-7.2.0.jar:../lib/jsw/tomcat-juli-7.0.64.jar -Dwrapper.key=Cv01OFSKFnCkhFWk -Dwrapper.port=32001 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=7316 -Dwrapper.version=3.2.3.SNC.1 -Dwrapper.native_library=wrapper -Dwrapper.ignore_signals=TRUE -Dwrapper.service=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=2 com.glide.orbit.bootstrap.jsw.GlideOrbitJSW
root         12777   0.0   0.0 112664     980 pts/1       S+     16:24 0:00 grep --color=auto tomcat
service+ 26182   2.9   3.5 2817392 1180108 ?         Sl     Sep27 1547:38 /glide/java/bin/java -Dglide.orbit.bootstrap.class.path=../lib/orbit:../lib/contrib -Dglide.home.dist=.. -Djava.util.logging.config.file=../conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=../lib/endorsed -Djava.io.tmpdir=../tmp -Dfile.encoding=UTF-8 -Dglide.node.id.dir=app2_16001 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -XX:OnOutOfMemoryError=../scripts/kill_jvm_only.sh -server -XX:+UseConcMarkSweepGC -XX:GCTimeRatio=5 -Xms128m -Xmx2048m -XX:MaxPermSize=256m -Djava.library.path=../lib/jsw -classpath ../lib/jsw/wrapper.jar:../lib/jsw/orbit-bootstrap-7.2.0.jar:../lib/jsw/orbit-bootstrap-commons-lang-7.2.0.jar:../lib/jsw/tomcat-juli-7.0.64.jar -Dwrapper.key=HtiAvPmmPCdMilSV -Dwrapper.port=32002 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=26157 -Dwrapper.version=3.2.3.SNC.1 -Dwrapper.native_library=wrapper -Dwrapper.ignore_signals=TRUE -Dwrapper.service=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=2 com.glide.orbit.bootstrap.jsw.GlideOrbitJSW
avp           30829   0.0   0.6 10948692 224284 ?         Sl     Oct09   25:28 /glide/avp/java/bin/java -Djava.util.logging.config.file=/glide/avp/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/glide/avp/tomcat/endorsed -classpath /glide/avp/tomcat/bin/bootstrap.jar -Dcatalina.base=/glide/avp/tomcat -Dcatalina.home=/glide/avp/tomcat -Djava.io.tmpdir=/glide/avp/tomcat/temp org.apache.catalina.startup.Bootstrap start
avp           30862   0.0   0.1 2099628 45524 ?             Sl Oct09     4:54 /glide/avp/bin/phantomjs /glide/avp/tomcat/temp/export2908334316466610516/phantomjs/highcharts-convert.js -host 127.0.0.1 -port 7777
avp           30877   0.0   0.1 2099584 43148 ?             Sl Oct09     4:51 /glide/avp/bin/phantomjs /glide/avp/tomcat/temp/export2908334316466610516/phantomjs/highcharts-convert.js -host 127.0.0.1 -port 7778
avp           30892   0.0   0.1 2099516 45432 ?             Sl     Oct09 4:39 /glide/avp/bin/phantomjs /glide/avp/tomcat/temp/export2908334316466610516/phantomjs/highcharts-convert.js -host 127.0.0.1 -port 7779
avp           30924   0.0   0.1 2099884 41460 ?             Sl Oct09     4:40 /glide/avp/bin/phantomjs /glide/avp/tomcat/temp/export2908334316466610516/phantomjs/highcharts-convert.js -host 127.0.0.1 -port 7781
avp           31024   0.0   0.0 2098580 31808 ?             Sl Oct09     5:11 /glide/avp/bin/phantomjs /glide/avp/tomcat/temp/export2908334316466610516/phantomjs/highcharts-convert.js -host 127.0.0.1 -port 77