ExtremeCloud IQ- Site Engine & Extreme Management Center


Force NetSight to use HTTPS

davidj.coglianese 03-18-2016 17:04

  • 1.  Force NetSight to use HTTPS

    Posted 12-02-2015 09:38
    Hopefully this is an easy one.....

    Is there any way to force the use of HTTPS directly via the NetSight application? As an example, when I delete port 8080 from the 'Web Server' options it forces me to put a port number in. Or is there a simple radio button somewhere that disables it?

    Many thanks in advance.


  • 2.  RE: Force NetSight to use HTTPS

    Posted 12-02-2015 12:25
    You can change the ports using Tools->Options->Web Server

    For certain, you want to do this only on Netsight Server appliances that don't use other ports for the proposed ones.

    So this means not using it with a Netsight Server that runs on the Windows Server platform, where we have seen interference issues.

    Be sure to test it before assuming it will work in full deployment for your site.


  • 3.  RE: Force NetSight to use HTTPS

    Posted 12-02-2015 12:38
    Thanks for posting back.

    Apologies if my description may not have been clear.

    Just trying to understand your solution, which sounds like just changing the port number for http. This I don't understand: for example, if I changed it to 9090 you would still be able to http in on port 9090 instead of 8080, thereby still making it vulnerable.

    I was wondering if there is a way in NetSight to disable http (via any port) or redirect all http traffic to https.

    Many thanks.



  • 4.  RE: Force NetSight to use HTTPS

    Posted 12-02-2015 13:22
    No, there is no way to restrict this via Netsight itself.
    If you open a case requesting that as a feature request, we can have it surveyed as a potential feature.


  • 5.  RE: Force NetSight to use HTTPS

    Posted 01-13-2016 19:45
    Managed to work out an option for this.

    If you go to your ../NetSight/appdata/ folder and edit the file NSJBoss.properties you can comment out the following line by putting a # in front of it:

    enterasys.tomcat.http.port=8080

    Then the browser is no longer able to reach NetSight on that port number, thereby forcing the user to use HTTPS.

    There might be a way in the same file to redirect anyone trying port 8080 to go to https:8443 instead?



  • 6.  RE: Force NetSight to use HTTPS

    Posted 03-18-2016 15:53
    Has any progress been made on this issue? I have a customer asking to disable http and would like to be able to give them a timeline if this will be available soon.

    Thanks,


  • 7.  RE: Force NetSight to use HTTPS

    Posted 03-18-2016 16:13
    Hi David, the answer is above in editing the NSJBoss file. If you comment out the line given you will no longer be able to connect to NetSight using http. Thanks


  • 8.  RE: Force NetSight to use HTTPS

    Posted 03-18-2016 16:39
    Is that on your machine or on the server? I cannot find an appdata directory on the server and making the change on one machine does not seem to really solve the problem.

    Thanks,


  • 9.  RE: Force NetSight to use HTTPS

    Posted 03-18-2016 16:59
    It would be on the server. Is your server Linux or Windows?


  • 10.  RE: Force NetSight to use HTTPS

    Posted 03-18-2016 17:04
    linux





  • 11.  RE: Force NetSight to use HTTPS

    Posted 03-18-2016 17:07
    Just thought I would post the path in either situation :)

    Windows Server:

    NetSight_Install_path (probably Program Files)\Extreme Networks\NetSight\appdata\

    Linux Server:

    /usr/local/Extreme_Networks/NetSight/appdata/



  • 12.  RE: Force NetSight to use HTTPS

    Posted 03-18-2016 17:13
    Depending on the version/age of the server it might also possibly be in /usr/local/Enterasys_Networks/NetSight/appdata



  • 13.  RE: Force NetSight to use HTTPS

    Posted 03-19-2016 10:53
    Frank, That is where my file was. Thanks for the assistance everyone.
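
The change described in posts 5 through 13, as an added shell example that is not part of the thread and not Extreme's own tooling: it finds NSJBoss.properties, reports whether the cleartext connector line is still active, comments it out with a backup, and checks `ss -ltn` output for a remaining listener. The key name and the two Linux paths are the ones quoted above; the function names are hypothetical.

```bash
#!/bin/sh
# Added example, not from the thread. The key name and the two Linux paths are
# the ones quoted in the posts; the function names are hypothetical.
KEY_RE='enterasys\.tomcat\.http\.port'

# Print the path of NSJBoss.properties from whichever appdata directory exists.
find_props() {
    for d in /usr/local/Extreme_Networks/NetSight/appdata \
             /usr/local/Enterasys_Networks/NetSight/appdata; do
        [ -f "$d/NSJBoss.properties" ] && { echo "$d/NSJBoss.properties"; return 0; }
    done
    return 1
}

# Exit 0 if an uncommented enterasys.tomcat.http.port line is present.
http_port_active() {
    grep -Eq "^[[:space:]]*${KEY_RE}[[:space:]]*[=:]" "$1"
}

# Comment the line out. The original is copied to a timestamped backup first
# and then rewritten from that copy, so ownership and mode are unchanged.
# Idempotent: with no active line it changes nothing and writes no backup.
disable_http_port() {
    http_port_active "$1" || return 0
    bak="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" || return 1
    sed -E "s/^[[:space:]]*(${KEY_RE}[[:space:]]*[=:])/#\\1/" "$bak" > "$1"
}

# Exit 0 if TCP port $1 is a local listener in `ss -ltn` output on stdin.
# Run after restarting the server: ss -ltn | port_listening 8080
port_listening() {
    awk -v p="$1" 'NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                   END { exit !found }'
}
```

Running `http_port_active "$(find_props)"` after each upgrade shows whether the installer has put the HTTP connector line back.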


  • 14.  RE: Force NetSight to use HTTPS

    Posted 04-21-2016 17:59
    Ok,

    So I found this, commented it out, and all was well. Then I upgraded to NetSight 7 and the legacy links default to http, which fails.

    Are there plans for a more official way to disable http?


  • 15.  RE: Force NetSight to use HTTPS

    Posted 08-29-2018 07:38
    Hi, just a follow-up.

    The purpose of this comment is to share knowledge on how to get a more user-friendly configuration of Extreme Management Center.

    Start position:
    - fresh install of ExtremeManagementControl (EMC) on RHEL (v7) or CentOS server (v7)
    - available on port https://example.com:8443 only.

    Final position:
    - available on example.com
    - Apache with rewrite rule
    - JBoss and Tomcat work over an encrypted line
    - everything works like a charm
    - Simple communication scheme:

    ---80|443--->[Apache]---8443--->[Tomcat/JBOSS]
    [pc]------------------------------------------------------------------
    ---8443<---[Apache]<---8443---[Tomcat/JBOSS]

    Steps:
    1) After a fresh install EMC is available on: https://example.com:8443
    2) Install httpd
    Put this into the file /etc/httpd/conf.d/emc.conf:

    ServerName emc.example.com:80
    ErrorLog "logs/error-ssl.log"
    CustomLog "logs/access-ssl.log" common

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI}/ [R,L]


    Require all granted


    3) Edit file /usr/local/Extreme_Networks/NetSight/appdata/NSJBoss.properties like this:
    -------------------------------------------------
    log4j.configuration=file\:./log4j.properties
    enterasys.mysqlrealm.rpt.password=enterasys
    java.security.manager=
    enterasys.embeddednac.enable=false
    jboss.bind.address.management=127.0.0.1
    oneView.flexreport.capacityplanning.limit=2000
    enterasys.datasource.connectionurl=jdbc\:mysql\://127.0.0.1\:4589/netsight?jdbcCompliantTruncation\=false&useUnicode\=true&characterEncoding\=UTF-8&useSSL\=false
    jboss.http.port=8080
    enterasys.mysqlrealm.rpt.username=netsight
    username=root
    USE_IPV6=true
    oneView.responsetime.app.redline=1000
    jboss.https.port=443
    java.security.policy=../server/default/conf/server.policy
    dashboard.cache.time=2
    enterasys.tomcat.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
    enterasys.webservices.queryendsystems=true
    ANTLR_USE_DIRECT_CLASS_LOADING=true
    oneView.responsetime.tcp.redline=1000
    enterasys.mysqlrealm.password=enterasys
    nmsMobile.demoMode=false
    enterasys.mysqlrealm.username=netsight
    OneView.DisplayNacConfigurationTab=true
    enterasys.tomcat.https.port=8443
    oneView.maxImageSize=3000x2000
    enterasys.jboss.log4j.logfile=../../appdata/logs/server.log
    jboss.bind.address=YOUR_IP_ADDRESS
    domain=example.com
    jboss.server.log.dir=../../appdata/logs
    enterasys.datasource.rpt.connectionurl=jdbc\:mysql\://127.0.0.1\:4589/netsightrpt?jdbcCompliantTruncation\=false&useUnicode\=true&characterEncoding\=UTF-8&useSSL\=false
    -------------------------------------------------

    Most important lines:
    jboss.http.port=8080
    jboss.https.port=443
    enterasys.tomcat.https.port=8443
    jboss.bind.address=YOUR_IP_ADDRESS
    domain=example.com
    -------------------------------------------------

    You can leave the file /var/Extreme_Networks/.netsight as it is.

    4) Now issue these commands:

    systemctl restart httpd
    to restart the httpd service, and
    /usr/local/Extreme_Networks/NetSight/scripts/stopserver.sh && /usr/local/Extreme_Networks/NetSight/scripts/startserver.sh
    to restart the JBoss service.

    5) Now you can easily access your own instance with your browser at emc.example.com and you will be forwarded to https://emc.example.com:8443. From this point on, any communication will be encrypted by default.

    Best regards.