Maximo

 View Only
  • 1.  Maximo 7.6.1 Behind a Reverse Proxy (Mixed Content Issues)

    Posted Wed May 10, 2023 11:21 AM

    I have a Maximo application running in a secure environment isolated from the internet on the standard port 80, non-ssl.

    We have an external server proxying that Maximo environment exposing it to the internet, that is configured with the domain and is using HTTPS, port 443, etc. When we get logged in to Maximo, the links for the .css/.js/etc files on the page are loaded as http:// (see below,) which is causing mixed content warnings and those assets not loading properly. 

    <link rel="stylesheet" type="text/css" href="http://<our-domain>/maximo/webclient/javascript/dojo-20230315-1850/dojo/resources/dojo.css">

    There is a forced redirect so these files do resolve if fetched on their own, however the browser doesn't like the mix of http and https.

    Is there a way around this, system property, HTTP header, or otherwise that I can get Maximo to point to https:// or do I need to move the application over to https behind the scene and Proxy in that way?



    ------------------------------
    Andrew Weaver
    ------------------------------


  • 2.  RE: Maximo 7.6.1 Behind a Reverse Proxy (Mixed Content Issues)

    Posted Wed May 10, 2023 11:28 AM

    Andrew,

    I'd look at this from the reverse proxy side. From my experience they typically offer features to redirect embedded URLs.



    ------------------------------
    Tim Ferrill
    Solutions Consultant
    Intelligent Technology Solutions
    tferrill@webuildits.com
    www.webuildits.com
    @tferrill/@webuildits
    ------------------------------



  • 3.  RE: Maximo 7.6.1 Behind a Reverse Proxy (Mixed Content Issues)

    Posted Thu May 11, 2023 08:55 AM

    You should be able to rewrite it using the load balancer/proxy. 

    You can look at setting the maximo_extended_host, maximo_extended_host_port, & maximo_extended_host_protocol system properties to force Maximo to use something different than what it sees. But it would force it for everyone all the time and would apply to all interactions (even if you manually tried to access a specific JVM for example).

    Getting your Maximo environment to support SSL on the internal network is probably your best bet to support all scenarios.  



    ------------------------------
    Steven Shull
    ------------------------------



  • 4.  RE: Maximo 7.6.1 Behind a Reverse Proxy (Mixed Content Issues)

    Posted Fri May 12, 2023 10:29 AM

    we've a somehow similar setup internally (not exposed to public but internally) where we use Netscaler with SSL offload. Behind Netscaler we've a set of two VMs, both run an IBM HTTP server and on each of the VM are two JVMs. 

    so its somehow like this:



    As you mentioned, we've added a HTTP header in Netscaler (HTTP_X_FORWARDED_PROTO) which is appended to each package sent to HTTP Servers. The property is also added to WebSphere Config:

    Servers > Server Types > WebSphere application servers > (JVM1-x) > Web Container Settings > Web Container > Additional Properties > Custom Properties > New…

    httpsIndicatorHeader
    HTTP_X_FORWARDED_PROTO
    Detect if SSL Offloading is present


    And of course, within SSL config in WebSphere we've to import the Certificate which the SSL Offloaded uses to have a functional key chain.

    WebSphere Admin Console > Security > SSL certificate and key management > Key Stores and certificates
    Select "CellDefaultTrustStore" > Additional Properties > Signer Certificates > Retrieve from port > add your host/port > OK / Save



    ------------------------------
    Klaus Schmidinger
    Teamlead IT4IT
    Julius Blum GmbH
    ------------------------------