I have developed a website using WEBSVC and port 8180. After much trial and error, I have it working and continue to add to the site. Now I am trying to get SSL (https) working. Apache is serving my login page (does not use WEBSVC and port 8180). When the user logs in, now WEBSVC comes into action. Since WEBSVC is running, it starts a phantom that serves 8180. From the $COMO file, this is what I am getting when trying to connect.

$COMO PH173_050924_095317
4 line(s)
----: P
0001: COMO file activated to PH173_050924_095317
0002: Phantom 173 started at 09:53:17  05 SEP 2024
0003: HTTP/1.1 500 Internal server error 1 [7013, 2]
0004: Phantom 173 terminated at 09:53:47  5 SEP 2024
Bottom at line 4

This is how I am initially starting the WEBSVC phantom.

PHANTOM WEBSVC S.WEBSVC-14 DEBUGGING PORT 8180

Is there something I need to do to now tell WEBSVC that https is being used?

Thanks for any ideas or help,

Ted Hurlbut



------------------------------
Tedmund Hurlbut
Self Registered
Simpsonville SC US
------------------------------

I'm not familiar with WEBSVC but I'm curious what you see if you try using curl:

$ curl -v https://<your url>



------------------------------
Peter Falson
Rocket Internal - All Brands
------------------------------

Peter,

Here is without https.

[root@qm-cloud2 ~]# curl  -v http://nvisionworks.com:8180
* Rebuilt URL to: http://nvisionworks.com:8180/
*   Trying 35.223.27.32...
* TCP_NODELAY set
* Connected to nvisionworks.com (35.223.27.32) port 8180 (#0)
> GET / HTTP/1.1
> Host: nvisionworks.com:8180
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Server: QM/4.0.9.0
< Date: Thu 05, Sep 2024 13:04:54 EDT
< Connection: close
<
* Closing connection 0
[root@qm-cloud2 ~]#

Here is with https

[root@qm-cloud2 ~]# curl  -v https://nvisionworks.com:8180
* Rebuilt URL to: https://nvisionworks.com:8180/
*   Trying 35.223.27.32...
* TCP_NODELAY set
* Connected to nvisionworks.com (35.223.27.32) port 8180 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
[root@qm-cloud2 ~]#

Ted



------------------------------
Tedmund Hurlbut
Self Registered
Simpsonville SC US
------------------------------
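
Why the https attempt above ends in `wrong version number`, as an added example that is not part of the original post: port 8180 answers in plain HTTP, so a TLS client reads the letters of that reply as a TLS record header. The sample bytes are constructed and the function names are illustrative.

```python
import struct

# TLS record content types (RFC 8446, section 5.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed samples. The first is modelled on the status line in the $COMO
# log; the second is the start of a handshake record from a TLS-speaking port.
PLAINTEXT_REPLY = b"HTTP/1.1 500 Internal server error\r\n\r\n"
TLS_HANDSHAKE_REPLY = bytes.fromhex("160303007a02000076")


def parse_record_header(data):
    """Read bytes the way a TLS client does: type(1) | version(2) | length(2)."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "major": major, "minor": minor, "length": length}


def classify_first_bytes(data):
    """Classify the first bytes a server sends back on a connection."""
    if len(data) < 5:
        return "unknown"
    if data.startswith(b"HTTP/"):
        # The port speaks plain HTTP; TLS has to be terminated in front of it.
        return "plaintext-http"
    hdr = parse_record_header(data)
    if (hdr["type"] in TLS_CONTENT_TYPES and hdr["major"] == 3
            and hdr["length"] <= 2**14 + 2048):
        return "tls"
    return "unknown"


if __name__ == "__main__":
    # 'H' is read as the record type, 'TT' as the protocol version and 'P/'
    # as the length, so the version check fails before anything else is parsed.
    print(parse_record_header(PLAINTEXT_REPLY))
    print(classify_first_bytes(PLAINTEXT_REPLY))
    print(classify_first_bytes(TLS_HANDSHAKE_REPLY))
```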

I'm also not an apache expert but have you looked into and modified your apache configuration to handle ssl? (port 443)

There could be other causes. You should search for "SSL routines:ssl3_get_record:wrong version number"



------------------------------
Peter Falson
Rocket Internal - All Brands
------------------------------

When I first started all this, I was under the impression that once I got away from just the initial website for logging in (no port 8180), Apache was still being used.  But I do not believe Apache has anything to do with it if you are communicating now on port 8180.  The default port is 80 for Apache (no SSL).  Since I am now working on SSL, the Apache port is 443.  But, once past that, we should be talking only on port 8180.  I hope this makes some sense.  It was all new to me.  Getting this far by trial and error.



------------------------------
Tedmund Hurlbut
Self Registered
Simpsonville SC US
------------------------------

Peter,

The OpenQM documentation says this:

https://docs.rocketsoftware.com/bundle/openqm_ref_4/page/uvf1652705993578.html

Secure Web Services

"QM does not currently have SSL support internally. Where HTTPS style secure web services are required, an external third party tunnel program such as Stunnel must be used."

I am trying to use a third party (SSL) to communicate.

My version of OpenQM has just been upgraded to: 

QM 4.0.9.0  

Ted



------------------------------
Tedmund Hurlbut
Self Registered
Simpsonville SC US
------------------------------

This is out of my area of expertise.



------------------------------
Peter Falson
Rocket Internal - All Brands
------------------------------

Peter,

Thanks for your input.  I appreciate it.

Ted



------------------------------
Tedmund Hurlbut
Self Registered
Simpsonville SC US
------------------------------

I'm a bit late here, but hopefully this will help.

We have a web system that uses PHP to provide the basic structure of each web page. If the initial page requires stuff from QM, then we make a call to http://localhost:8180 within the PHP to get that stuff.

All the PHP web pages can go through https without any issues - but note that the internal request to QM is strictly http. This is because all the PHP is evaluated on the server so the connection is strictly local.

The pages also contain dynamic content where we need the page to call QM for data. At this point, the call to QM is NOT local. The connection is https but we need to use http for the QM connection - and we can't mix the two because that fails cross-origin scripting tests (and defeats the purpose of using https).

What we do there is we get the web page to call a PHP script on the web server. So, the call there looks like this:

    var url = 'https://servername/path/scriptname.php';
    $.post(url,
      $('#formname').serialize(),
      function(data, status) {
        var js = JSON.parse(data);
        // Do something here with returned js data
      }
    );

And the relevant part of 'scriptname.php' is:

  if($_SERVER["REQUEST_METHOD"] == "POST") {
    $ok = true;
    $ch = curl_init();
    // Plain-http call to QM's WEBSVC on the same server
    $url = 'http://localhost:8180';
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, 1);
    // Return the response as a string instead of printing it
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // Forward the browser's form fields to QM
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));
    $json = curl_exec($ch);

    // Check for errors here

    echo $json;
  }

What happens here is the call to 'scriptname.php' is encrypted by the https connection, while the real call to the database goes through the standard http client (without encryption).

I hope that helps - or gives you some ideas.

Brian



------------------------------
Brian Speirs
Senior Analyst - Information Systems
Rush Flat Ltd
Wellington NZ
------------------------------

Sorry for the late reply, I have been traveling.

The solution to your problem if you wish to have ssl to OpenQM (or any other web server without https) is to establish a reverse proxy; the proxy service will serve up your https and proxy your requests to your http server. You can do this on the same box as QM and reverse proxy via localhost:8180 which is internally secure. You can also do this within your datacenter from another box. This is not a redirection; the proxy server takes the initial request (and handles https) and then does its own call to the next server, the response is then returned to the proxy server and back via https to the client. This is a very common process and there are many tools to do this (most free).

Overall explanation: What is the difference between proxy and reverse proxy? (designgurus.io)

Apache Docs: Reverse Proxy Guide - Apache HTTP Server Version 2.4

Nginx Docs: NGINX Reverse Proxy | NGINX Documentation

IIS: Reverse Proxy with URL Rewrite v2 and Application Request Routing | Microsoft Learn

You will have to read up on that platform's rules and exactly how you wish to configure this. Most of the time we are exposing api endpoints and I typically specify a URL such as /api and redirect that to my Qm/jBASE/Universe/etc box. Keep in mind the MV box will think the call is coming from the proxy device and all these tools have options to add additional headers to get the original client information.

In addition, all of these tools have excellent https support including automated LetsEncrypt cert management. If you are in AWS or Azure they offer similar tools.

If you are calling your api endpoints from a server language such as PHP or Python then the https is to that server, and that server, which should be inside your server datacenter, can make http calls to your MV server if your security model allows it. If you must have https even internally then put Apache/IIS/Nginx/Haproxy on your MV server and follow the above rules. If you are exposing your MV server directly to the internet then I highly recommend you look at api gateways such as Kong or Azure/AWS api gateways to assist in protecting your endpoints.

GitHub - Kong/kong: 🦍 The Cloud-Native API Gateway and AI Gateway.



------------------------------
Patrick Payne
Chief Software Architect
Rocket Internal - All Brands
------------------------------
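
The reverse-proxy arrangement described above, written out for Apache with a small Python check around it; this is an added example, not configuration from the original post. The host names, certificate paths and the `audit_vhost` helper are assumptions; the `/api` path and the `8180` backend port follow the thread.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit

# Constructed sample: Apache terminates TLS on 443 and the plain-HTTP hop to
# WEBSVC stays on loopback. Host name and certificate paths are placeholders.
GOOD_VHOST = """
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        /api/ http://127.0.0.1:8180/
    ProxyPassReverse /api/ http://127.0.0.1:8180/
</VirtualHost>
"""

# Constructed weak variant: no TLS in front, and the hop to QM crosses the network.
WEAK_VHOST = """
<VirtualHost *:80>
    ServerName www.example.com
    ProxyPass /api/ http://qm.example.com:8180/
</VirtualHost>
"""


def directives(conf):
    """Return (lower-cased name, args) per directive, skipping tags and comments."""
    out = []
    for line in (l.strip() for l in conf.splitlines()):
        if line and not line.startswith(("#", "<")):
            name, *args = shlex.split(line)
            out.append((name.lower(), args))
    return out


def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_vhost(conf):
    """List findings for a vhost meant to terminate TLS in front of WEBSVC."""
    d = directives(conf)
    findings = []
    if not any(n == "sslengine" and [x.lower() for x in a[:1]] == ["on"] for n, a in d):
        findings.append("no-tls: SSLEngine is not on, so clients reach the proxy in clear text")
    passes = {a[0]: a[1] for n, a in d if n == "proxypass" and len(a) >= 2 and a[1] != "!"}
    reverses = {a[0]: a[1] for n, a in d if n == "proxypassreverse" and len(a) >= 2}
    for path, target in passes.items():
        url = urlsplit(target)
        if url.scheme == "http" and not is_loopback(url.hostname or ""):
            findings.append(f"cleartext-hop: {path} -> {target} sends plain HTTP over the network")
        if reverses.get(path) != target:
            findings.append(f"no-reverse: {path} has no matching ProxyPassReverse")
    if not any(n == "requestheader" and [x.lower() for x in a[:2]] == ["set", "x-forwarded-proto"]
               for n, a in d):
        findings.append("no-proto-header: the backend cannot tell the request arrived over https")
    return findings
```

The vhost needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded. mod_proxy_http adds `X-Forwarded-For` on its own, which is the header the backend reads to recover the original client address.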


Brian,

Thanks for reminding me that I may need to do a redirect to localhost in Apache or some PHP code.  Except for the initial index.html where one starts, all traffic is currently being redirected to port 8180.  All logic is handled through WEBSVC and then returns the RESPONSE.BODY.

My main question that I hope someone can answer is that when coming from the internet using port 8180 and SSL, can QM's WEBSVC handle the SSL? If it can't, then I will need to do what you or Patrick suggested.

Thanks,

Ted Hurlbut



------------------------------
Tedmund Hurlbut
Self Registered
Simpsonville SC US
------------------------------

Patrick,

Thank you for the update.  See my post to Brian.  I need someone to say definitely that WEBSVC cannot handle SSL.  Then I will need to continue with another option.

Thanks,

Ted



------------------------------
Tedmund Hurlbut
Self Registered
Simpsonville SC US
------------------------------