Disable HTTP access in Applications Manager

Overview

This article describes how to configure a secure connection between the Applications Manager server and the browser/client.
Applications Manager can be accessed through either of the following URLs:
  1. For HTTP  -> http://[hostname/ip-address]:[http-port]
  2. For HTTPS -> https://[hostname/ip-address]:[https-port]
The default HTTP and HTTPS ports are 9090 and 8443 respectively, unless they have been changed.
You can verify the ports in use in the AMServer.properties file (located in the <Applications Manager Home>/conf/ directory) under the following keys:
  1. am.webserver.port = [HTTP port number]
  2. am.ssl.port = [HTTPS port number]
Applications Manager ships with a self-signed SSL certificate so that HTTPS works out of the box. To apply your own CA-signed SSL certificate, see Use your own SSL certificates for the Application Manager.
Note: The changes below are not meant to, and do not, affect the connections between Applications Manager and the resources it monitors.

HTTP Port settings and options

Running Applications Manager with HTTP enabled may leave your instance exposed to attacks such as man-in-the-middle or DNS rebinding.
We recommend that you disable HTTP on your instance.

Disable HTTP access

Note: For Applications Manager Plugin users, enable HTTPS in OpManager before disabling HTTP in Applications Manager. For more information, see Enabling HTTPS Configuration in OPM.
Steps to disable the HTTP port and use only the HTTPS port in Applications Manager:
  1. v15250 or above:
    This can be done directly from the Applications Manager web console by enabling the option
    "Disable HTTP port in Applications Manager" under Admin -> Product Settings -> Security Settings.
  2. v14680 to v15240:
    This can be done directly from the Applications Manager web console by disabling the option
    "Enable HTTP port in Applications Manager" under Admin -> Global Settings.
  3. v14670 and below:
    Follow the steps given below:
    1. Open the server.xml file located under the <Applications Manager Home>/working/apache/tomcat/conf/backup/ directory with a text editor.
    2. Search for the key port="WEBSERVER_PORT", comment out the entire <Connector ... /> tag and save the file.
  4. Restart Applications Manager once for the changes to take effect.
Applications Manager can now be accessed only via the HTTPS port, i.e. https://[hostname/ip-address]:[https-port]/
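
To confirm the manual edit for v14670 and below, the following added example (not part of the original article or the product) reads the two port keys from AMServer.properties and checks that no live Connector with port="WEBSERVER_PORT" remains in server.xml. The sample file contents, every attribute other than port="WEBSERVER_PORT", and the function names are assumptions made for illustration.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample: server.xml after the edit. Only port="WEBSERVER_PORT"
# comes from the article; every other attribute and value is an assumption.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <!--
    <Connector port="WEBSERVER_PORT" protocol="HTTP/1.1" />
    -->
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true" />
  </Service>
</Server>"""

# Constructed sample of the two keys in AMServer.properties (default ports).
SAMPLE_PROPERTIES = "am.webserver.port=9090\nam.ssl.port=8443\n"


def read_ports(properties_text):
    """Return am.webserver.port and am.ssl.port as integers."""
    wanted = {"am.webserver.port", "am.ssl.port"}
    ports = {}
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in wanted:
            ports[key.strip()] = int(value.strip())
    return ports


def live_http_connectors(server_xml_text, placeholder="WEBSERVER_PORT"):
    """Return attributes of Connector tags that are NOT commented out.

    ElementTree discards XML comments while parsing, so a commented-out
    Connector is ignored, whereas a plain text search would still match it.
    """
    root = ET.fromstring(server_xml_text)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("port") == placeholder]


def port_accepts_tcp(host, port, timeout=3.0):
    """After the restart: True if something still listens on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

After the restart, port_accepts_tcp(host, read_ports(text)["am.webserver.port"]) should return False on any version, while the same call with am.ssl.port should return True.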

Redirect HTTP to HTTPS

Note: Disabling the HTTP port and using only the HTTPS port to access Applications Manager is preferred over redirecting HTTP traffic to HTTPS.
If the HTTP port is already disabled, HTTP to HTTPS redirection is not needed.
Steps to redirect HTTP to HTTPS in Applications Manager:
  1. For the redirection to work, the HTTP port must not be disabled in the product.
  2. Verify that the HTTP URL of Applications Manager is accessible using the URL below:
    http://[hostname/ip-address]:[http-port]
  3. Open the web.xml file located under the <AppManagerHome>/working/WEB-INF/backup/ directory with a text editor.
  4. Add the following code below the line containing the </session-config> tag.
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>ApplicationsManager</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
  5. Save the file and restart the Applications Manager for the changes to take effect.
All HTTP URLs of Applications Manager will now automatically redirect to the HTTPS URL.
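
Before restarting, the edited web.xml can be checked for a constraint that really covers every path. This is an added example, not part of the original article or the product; the sample web.xml (including its xmlns value and session-config content) and the function name https_enforced are assumptions. It also flags a constraint that lists http-method elements, because such a constraint applies only to the listed methods.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment with the article's constraint in place; the
# xmlns value and the session-config content are assumptions for illustration.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ApplicationsManager</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Collect the trimmed text of every descendant element called name."""
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]


def https_enforced(web_xml_text):
    """Return (ok, reason) for the HTTP-to-HTTPS constraint in web.xml."""
    root = ET.fromstring(web_xml_text)  # malformed XML raises ParseError
    reason = "no constraint combines url-pattern /* with CONFIDENTIAL"
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            continue
        if "/*" not in _texts(sc, "url-pattern"):
            continue
        if _texts(sc, "http-method"):
            # Listed methods narrow the constraint; other methods stay on HTTP.
            reason = "constraint is limited to the listed http-method values"
            continue
        return True, "all paths and methods require CONFIDENTIAL transport"
    return False, reason
```

A ParseError from this check also catches a pasted block that left web.xml malformed, which would otherwise only surface at restart.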

General notes 

  1. If you edit a file manually, always take a backup of that file first so that you can restore it in case of any issues.
  2. Disabling the HTTP port is preferred over redirecting HTTP traffic to HTTPS.
  3. Check the supported TLS protocols and ciphers using nmap from a command terminal:
    nmap --script ssl-enum-ciphers -p [https-port] [hostname/ip-address]
  4. Currently, TLSv1.3 is not supported in Applications Manager.

Feel free to contact appmanager-support@manageengine.com in case of further questions.
