  • Securing WebFOCUS Container Edition (CE) setup with NGINX ingress controller


    Pranay Shah

     In this demo, we begin with the default setup of WebFOCUS CE 1.2.0 (WF 9.2), and proceed to assign a Fully Qualified Domain Name (FQDN) to the host running this WF-CE setup. We then install an ingress controller to allow access to the Application Server via standard port 80, rather than the default port 31080. The video concludes with installing an SSL Certificate to secure the Application Server's endpoint with TLS.

     

    High-level steps:

    1. Begin by deploying the standard configuration of WebFOCUS CE as provided.
    2. Ensure that the setup is accessible via Port 31080, which is the default port.
    3. Deploy an Ingress controller and create an Ingress resource within the webfocus namespace to facilitate access over Port 80.
    4. Incorporate a secret containing a TLS/SSL certificate into the webfocus namespace and modify the Ingress resource to utilize this secret for secure connections.
    5. Access the WebFOCUS configuration securely over HTTPS (Port 443).
    6. (Optional) Consider deactivating Port 31080 to prevent access through the unsecured port.

       
    • This topic delves into advanced aspects of WebFOCUS CE.
    • The content presupposes that you possess a moderate level of familiarity with Kubernetes and its core components.
    • The procedures outlined are applicable to any service available within Kubernetes, not exclusively to the WebFOCUS Service.
    • There are a few different options for deploying the NGINX ingress controller; for more information, see https://www.nginx.com/products/nginx-ingress-controller/


    Out-of-the-box setup : 

    Once the WebFOCUS CE setup completes deploying all components - you should be able to access the WF App server using port 31080


    You can also use the "nc" command to check whether port 31080 is reachable, for example:

    :~/ingress$ nc -zv 10.241.1.29 31080
    Connection to 10.241.1.29 31080 port [tcp/*] succeeded!

    In this example, WF CE is installed on a machine that has the IP address 10.241.1.29.

    If the above succeeds, you can also access the WebFOCUS App server GUI over the browser by going to the URL: http://x.1.10.96:31080

    Install NGINX ingress controller

    In the previous topic, we saw we have to access WebFOCUS using port 31080; what if we want to just access it over port 80 or not provide a port at all? 

    For that, we need to install an Ingress controller in the K8s cluster; in this case, we will use NGINX.  

    Let's install the Ingress controller in the kubernetes cluster - you can use the commands below. 

    # Label all nodes to allow the Ingress controller to run
    kubectl label nodes --all ingress-ready=true
    
    # Install NGINX Ingress controller that will attach Controller POD to port 80 and 443 on Node 
    kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
    
    # Wait for all Ingress controller pods to come up 
    kubectl wait --namespace ingress-nginx   --for=condition=ready pod   --selector=app.kubernetes.io/component=controller   --timeout=90s

    After the Ingress controller is running, run the nc command again to check whether port 80 is open:

    nc -zv x.1.10.96 80 

    If the above command succeeds, we know NGINX ingress is running fine on port 80 - now the next thing we need to do is create an Ingress Object in the webfocus namespace so we can access WebFOCUS on port 80 

     

    From now on, we're going to access the above machine by its FQDN - in this example, it is wfce02.ibi.systems - we assume you have something similar in your case; if not, ask your system admin to configure an FQDN for your VM/machine.

    So, in our case, we re-run the above command as:

    # Use nc to check if port 80 is open now 
    nc -zv wfce02.ibi.systems 80
    >> Connection to wfce02.ibi.systems (x.241.1.29) 80 port [tcp/http] succeeded!

    In the above, we assume the FQDN name "wfce02.ibi.systems" points to the correct IP of the machine where WF CE is running ( in this case, IP x.241.1.29) 

    If the "nc" command returns with success, we are good to go to the next step 

    Create Ingress Object in webfocus namespace 


    Save the text below as an "appserver-ingress.yaml" file; as you can see, we are now using the FQDN of wfce02.ibi.systems to set up Ingress rules.

    This file also assumes your WF-CE setup is running in Namespace "webfocus." 

    Note: make changes as needed before you apply it 

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx
        meta.helm.sh/release-name: appserver
        meta.helm.sh/release-namespace: webfocus
        nginx.ingress.kubernetes.io/affinity: cookie
        nginx.ingress.kubernetes.io/affinity-mode: persistent
        nginx.ingress.kubernetes.io/app-root: /webfocus
        nginx.ingress.kubernetes.io/client-body-buffer-size: 64k
        nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
        nginx.ingress.kubernetes.io/proxy-body-size: 200m
        nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
        nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
        nginx.ingress.kubernetes.io/rewrite-target: /
        nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true"
        nginx.ingress.kubernetes.io/session-cookie-expires: "28800"
        nginx.ingress.kubernetes.io/session-cookie-max-age: "28800"
        nginx.ingress.kubernetes.io/session-cookie-name: sticknesscookie
        nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
      labels:
        app.kubernetes.io/instance: appserver
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: appserver
        app.kubernetes.io/version: "1.0"
        helm.sh/chart: appserver-0.1.0
      name: appserver
      namespace: webfocus
    spec:
      rules:
      - host: wfce02.ibi.systems
        http:
          paths:
          - backend:
              service:
                name: appserver
                port:
                  name: port8080
            path: /
            pathType: ImplementationSpecific

    Apply the above file to the cluster:

    kubectl apply -f appserver-ingress.yaml 

    This should create an Ingress rule in the ingress controller: for any HTTP request incoming on port 80 with the HTTP Host header set to "wfce02.ibi.systems", it will forward that request to the kubernetes service named "appserver" over port 8080.

    Now you should be able to access the WebFOCUS App server GUI via the URL: http://wfce02.ibi.systems 


    Securing endpoint with SSL 

    As you can see, the above URL starts with http://, which is not secure - we want to enable SSL so that we can access the WebFOCUS GUI over SSL, using URLs starting with https://

    For this, we need to get certificates generated for our FQDN - in the above case  'wfce02.ibi.systems'; typically, you will get two PEM files - one named "privkey.pem" and the other "fullchain.pem"

    You can inspect the "fullchain.pem" file to see if it is indeed issued for the FQDN you use (a wild card is also okay). For this, you will need the OpenSSL tool installed on your machine. 

    # Command is openssl x509 -in fullchain.pem -text -noout | grep -E "Subject:|DNS:"
     
    :~/ingress$ openssl x509 -in fullchain.pem -text -noout | grep -E "Subject:|DNS:"
            Subject: CN = wfce02.ibi.systems
                    DNS:wfce02.ibi.systems


    You will need two files—one with the key file and the other with a certificate file. First, we create a Kubernetes secret with these two files in the same 'webfocus' namespace.  


    kubectl create secret tls wfce02-ibi-tls --cert=fullchain.pem --key=privkey.pem -n webfocus
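
Before creating the secret, it helps to confirm that the two PEM files belong together, cover the FQDN, and are not about to expire. The script below is an added example, not part of the original article; the function names, the exit-code convention and the 14-day default are assumptions of this example, and it needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: pre-flight check for the PEM pair before `kubectl create secret tls`.
# Exit codes of check_tls_pair are this example's own convention:
#   0 ok, 1 key does not match cert, 2 FQDN not covered, 3 expires too soon, 4 unreadable

# check_tls_pair CERT KEY FQDN [MIN_DAYS]
check_tls_pair() {
    cert=$1; key=$2; fqdn=$3; min_days=${4:-14}

    # openssl x509 reads the first certificate in the file, i.e. the leaf in fullchain.pem.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4

    # The certificate and the private key must carry the same public key.
    [ "$cert_pub" = "$key_pub" ] || return 1

    # -checkhost applies normal hostname matching, wildcards included.
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>&1 |
        grep -q "does match certificate" || return 2

    # -checkend exits non-zero if the certificate expires within the given seconds.
    openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1 || return 3
    return 0
}

# Throwaway self-signed pair for the demo (constructed sample, not a real certificate).
make_sample_pair() {
    dir=$1; name=$2; days=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_sample_pair "$demo" wfce02.ibi.systems 90
for host in wfce02.ibi.systems other.example.com; do
    rc=0
    check_tls_pair "$demo/fullchain.pem" "$demo/privkey.pem" "$host" || rc=$?
    echo "$host -> rc=$rc"
done
rm -rf "$demo"
```

With the real files, run `check_tls_pair fullchain.pem privkey.pem wfce02.ibi.systems` and create the secret only when it returns 0.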

    Once the secret has been created, the only thing left to do is to update the Ingress object in the webfocus namespace to use this secret to enable TLS/SSL. 
    Now, let's update the appserver-ingress.yaml  file to use this secret (wfce02-ibi-tls ) that we created above 

    Add the lines below at the end of the file, indented as shown so that tls sits under spec:

      tls:
      - hosts:
        - wfce02.ibi.systems
        secretName: wfce02-ibi-tls

    Re-apply this file to the cluster - this will update the ingress object to now support SSL (port 443) 


    kubectl apply -f appserver-ingress.yaml 

    If all goes as expected - now you should be able to access WebFOCUS over HTTPS -  https://wfce02.ibi.systems

    (Optional) Disable Port 31080

    Since we now have a secure way to access the WebFOCUS App server over SSL, we don't need to access the App server over port 31080 - so edit the service for the App server and change it from a NodePort to a ClusterIP type of service.

    At the beginning of this demo, we saw that we could access the WebFOCUS App server GUI over port 31080 - but now that is unnecessary as we can access the App server over secure port 443.

    So it makes sense to disable port 31080. To do that, we change the appserver Service (svc) from type NodePort to type ClusterIP, using the command below.

    # List appserver service before we change
    :~/ingress$ kubectl get svc -n webfocus appserver
    NAME        TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
    appserver   NodePort   10.110.175.224   <none>        8080:31080/TCP   19h
     
    # Change appserver service from NodePort to ClusterIP
    :~/ingress$ kubectl patch svc appserver -n webfocus -p '{"spec": {"type": "ClusterIP", "nodePort": null}}'
    service/appserver patched
     
    # List appserver service again to see it is of type ClusterIP and port 31080 is gone
    :~/ingress$ kubectl get svc -n webfocus appserver
    NAME        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
    appserver   ClusterIP   10.110.175.224   <none>        8080/TCP   19h
