Jump to content
  • Securing WebFOCUS Container Edition (CE) setup with NGINX ingress controller

    Pranay Shah

     In this demo, we begin with the default setup of WebFOCUS CE 1.2.0 (WF 9.2), and proceed to assign a Fully Qualified Domain Name (FQDN) to the host running this WF-CE setup. We then install an ingress controller to allow access to the Application Server via standard port 80, rather than the default port 31080. The video concludes with installing an SSL Certificate to secure the Application Server's endpoint with TLS.


    High-level steps : 

    1. - Begin by deploying the standard configuration of WebFOCUS CE as provided.
    2. - Ensure that the setup is accessible via Port 31080, which is the default port.
    3. - Deploy an Ingress controller and create an Ingress resource within the webfocus namespace to facilitate access over Port 80.
    4. - Incorporate a secret containing a TLS/SSL certificate into the webfocus namespace and modify the Ingress resource to utilize this secret for secure connections.
    5. - Access the WebFOCUS configuration securely over HTTPS (Port 443).
    6. - (Optional) Consider deactivating Port 31080 to prevent access through the unsecured port.

    • This topic delves into advanced aspects of WebFOCUS CE.
    • The content presupposes that you possess a moderate level of familiarity with Kubernetes and its core components.
    • The procedures outlined are applicable to any service available within Kubernetes, not exclusively to the WebFOCUS Service.
    • There are few diffrent options to deploy NGINX ingress controller - for more information follow this page https://www.nginx.com/products/nginx-ingress-controller/


    Out-of-the-box setup : 

    Once the WebFOCUS CE setup completes deploying all components - you should be able to access the WF App server using port 31080



    You can also use "nc" command to see if you can acces port 31080 or not like 

    :~/ingress$ nc -zv 31080
    Connection to 31080 port [tcp/*] succeeded!

    In this example WF CE is installed on machine that has IP address of

    If the above succeeds, you can also access the WebFOCUS App server GUI over the browser by going to the URL: http://x.1.10.96:31080 
    Install NGINX ingress controller.

    In the previous topic, we saw we have to access WebFOCUS using port 31080; what if we want to just access it over port 80 or not provide a port at all? 

    For that, we need to install an Ingress controller in the K8s cluster; in this case, we will use NGINX.  

    Let's install the Ingress controller in the kubernetes cluster - you can use the commands below. 

    # Lable all Nodes to allow Ingress controller to run 
    kubectl label nodes --all ingress-ready=true
    # Install NGINX Ingress controller that will attach Controller POD to port 80 and 443 on Node 
    kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
    # Wait for all Ingress controller pods to come up 
    kubectl wait --namespace ingress-nginx   --for=condition=ready pod   --selector=app.kubernetes.io/component=controller   --timeout=90s

    After the Ingress controller is running, if you run the nc  command again to see if Port 80 is open or not 

    nc -zv x.1.10.96 80 

    If the above command succeeds, we know NGINX ingress is running fine on port 80 - now the next thing we need to do is create an Ingress Object in the webfocus namespace so we can access WebFOCUS on port 80 


    Now onwards, we're going to access the above Machine with its FQDN name - in this example, it is wfce02.ibi.systems  - we assume you have something similar in your case; if not, ask your system admin to configure FQDN for your VM/Machine.

    So, in our case, if I re-run the above command as 

    # Use nc to check if port 80 is open now 
    nc -zv wfce02.ibi.systems 80
    >> Connection to wfce02.ibi.systems (x.241.1.29) 80 port [tcp/http] succeeded!

    In the above, we assume the FQDN name "wfce02.ibi.systems" points to the correct IP of the machine where WF CE is running ( in this case, IP x.241.1.29) 

    If the "nc" command returns with success, we are good to go to the next step 

    Create Ingress Object in webfocus namespace 


    Save the text below as an "appserver-ingress.yaml" file; as you can see, we are now using the FQDN of wfce02.ibi.systems to set up Ingress rules.

    This file also assumes your WF-CE setup is running in Namespace "webfocus." 

    Note: make changes as needed before you apply it 

    apiVersion: networking.k8s.io/v1
    kind: Ingress
        kubernetes.io/ingress.class: nginx
        meta.helm.sh/release-name: appserver
        meta.helm.sh/release-namespace: webfocus
        nginx.ingress.kubernetes.io/affinity: cookie
        nginx.ingress.kubernetes.io/affinity-mode: persistent
        nginx.ingress.kubernetes.io/app-root: /webfocus
        nginx.ingress.kubernetes.io/client-body-buffer-size: 64k
        nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
        nginx.ingress.kubernetes.io/proxy-body-size: 200m
        nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
        nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
        nginx.ingress.kubernetes.io/rewrite-target: /
        nginx.ingress.kubernetes.io/session-cookie-change-on-failure: "true"
        nginx.ingress.kubernetes.io/session-cookie-expires: "28800"
        nginx.ingress.kubernetes.io/session-cookie-max-age: "28800"
        nginx.ingress.kubernetes.io/session-cookie-name: sticknesscookie
        app.kubernetes.io/instance: appserver
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: appserver
        app.kubernetes.io/version: "1.0"
        helm.sh/chart: appserver-0.1.0
      name: appserver
      namespace: webfocus
      - host: wfce02.ibi.systems
          - backend:
                name: appserver
                  name: port8080
            path: /
            pathType: ImplementationSpecific

    Apply the above file to the step 


    kubectl apply -f appserver-ingress.yaml 

    This should create an Ingress rule in the ingress controller that sends any HTTP request incoming on port 80 with the HTTP Host header set to "wfce02.ibi.systems" - I will forward that request to the kubernetes service named "appserver" over port 8080. 

    Now you should be able to access the WebFOCUS App server GUI via the URL: http://wfce02.ibi.systems 


    Securing endpoint with SSL 

    As you can see, the above URL is http://  that is not secure - we want to enable SSL so that we can access WebFOCUS GUI over SSL  - such as URLs starting with https://  

    For this, we need to get certificates generated for our FQDN - in the above case  'wfce02.ibi.systems'; typically, you will get two PEM files - one named "privkey.pem" and the other "fullchain.pem"

    You can inspect the "fullchain.pem" file to see if it is indeed issued for the FQDN you use (a wild card is also okay). For this, you will need the OpenSSL tool installed on your machine. 

    # Command is openssl x509 -in fullchain.pem -text -noout | grep -E "Subject:|DNS:"
    :~/ingress$ openssl x509 -in fullchain.pem -text -noout | grep -E "Subject:|DNS:"
            Subject: CN = wfce02.ibi.systems


    You will need two files—one with the key file and the other with a certificate file. First, we create a Kubernetes secret with these two files in the same 'webfocus' namespace.  


    kubectl create secret tls wfce02-ibi-tls --cert=fullchain.pem --key=privkey.pem -n webfocus

    Once the secret has been created, the only thing left to do is to update the Ingress object in the webfocus namespace to use this secret to enable TLS/SSL. 
    Now, let's update the appserver-ingress.yaml  file to use this secret (wfce02-ibi-tls ) that we created above 

    Add the below lines at the end. 


      - hosts:
        - wfce02.ibi.systems
        secretName: wfce02-ibi-tls

    Re-apply this file to the cluster - this will update the ingress object to now support SSL (port 443) 


    kubectl apply -f appserver-ingress.yaml 

    If all goes as expected - now you should be able to access WebFOCUS over HTTPS -  https://wfce02.ibi.systems

    (Optional) Disable Port 31080 port 

    Since we now have a secure way to access the WebFOCUS App server over SSL - we don't need to access the App server over port 31080 - so edit the service for the App server and change it from NodePort to Cluster IP type of service. 

    At the beginning of this demo, we saw that we could access the WebFOCUS App server GUI over port 31080 - but now that is unnecessary as we can access the App server over secure port 443.

    So it makes sense to disable port 31080 - for that, we need to change appserver - Service (svc) to type ClusterIP from NodePort - below command to do that.


    # List appserver service before we change
    :~/ingress$ kubectl get svc -n webfocus appserver
    NAME        TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
    appserver   NodePort   <none>        8080:31080/TCP   19h
    # Change appserver service from NodePort to ClusterIP
    :~/ingress$ kubectl patch svc appserver -n webfocus -p '{"spec": {"type": "ClusterIP", "nodePort": null}}'
    service/appserver patched
    # List appserver service again to see it is of type ClusterIP and port 31080 is gone
    :~/ingress$ kubectl get svc -n webfocus appserver
    NAME        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
    appserver   ClusterIP   <none>        8080/TCP   19h


    • Like 1

    User Feedback

    Recommended Comments

    There are no comments to display.

  • Create New...