Problem

Internal Host / IP address information is disclosed in JSESSIONID and DeploymentNode cookies.


Resolution

Complete the following steps on MN and UI nodes to resolve this problem:

  1. Configure DNS so that a domain resolves to the internal IP address of the MN. This domain must resolve to the internal MN IP address from both the MN and UI nodes.
  2. Record the current host values for the EJB remote connections:

    The host for pau-remote-ejb0:

    sh /usr/local/pem/wildfly-21.0.1.Final/bin/jboss-cli.sh -c --command='/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=pau-remote-ejb0:read-attribute(name=host)'

    Note: The exact wildfly version in the path may differ.

    Output:

    {
        "outcome" => "success",
        "result" => "10.26.165.38"
    }

    where the value for "result" is the host IP address for pau-remote-ejb0.

    The host for pau-remote-ejb1:

    sh /usr/local/pem/wildfly-21.0.1.Final/bin/jboss-cli.sh -c --command='/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=pau-remote-ejb1:read-attribute(name=host)'

    Output:

    {
        "outcome" => "success",
        "result" => "10.26.165.38"
    }

    where the value for "result" is the host IP address for pau-remote-ejb1.

  3. Create the bash script "remove-ips-from-cookies.sh" with the following content:

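    #!/bin/bash
    # Usage: remove-ips-from-cookies.sh <hostname> <mn-domain>
    # Refuse to run without both arguments, so that empty values are never written.
    if [ $# -ne 2 ]; then
        echo "Usage: $0 <hostname> <mn-domain>" >&2
        exit 1
    fi
    HOSTNAME=$1      # value for jboss.node.name
    MN_HOSTNAME=$2   # host for the pau-remote-ejb0 and pau-remote-ejb1 bindings
    
    # The exact wildfly version in the path may differ.
    sh /usr/local/pem/wildfly-21.0.1.Final/bin/jboss-cli.sh --connect <<EOF
    batch
    /system-property=jboss.node.name:write-attribute(name=value, value=$HOSTNAME)
    /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=pau-remote-ejb0:write-attribute(name=host, value=$MN_HOSTNAME)
    /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=pau-remote-ejb1:write-attribute(name=host, value=$MN_HOSTNAME)
    run-batch
    exit
    EOF

  4. Run the created bash script: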

    sh remove-ips-from-cookies.sh <hostname> <mn-domain>

    where
    <hostname>: the hostname of the MN or UI node (depends on where the script is run)
    <mn-domain>: the domain that resolves to the internal IP address of the MN

    Example:

    sh remove-ips-from-cookies.sh branding mn.internal.hostname

  5. Restart the pau service:

    service pau restart

  6. Clear the cookies in your browser and check that the JSESSIONID and DeploymentNode cookies no longer contain IP addresses.
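
The check in step 6 can also be scripted against the response headers. The following is an added example, not part of the vendor's procedure; the function names, the sample headers and the cookie value layout are constructed for illustration.

```shell
#!/bin/bash
# Added example (not vendor code): verify step 6 from HTTP response headers.

# Read response headers on stdin; print "<name> <value>" for every
# JSESSIONID or DeploymentNode cookie whose value contains a dotted quad.
# The pattern is a heuristic: any four dot-separated numbers are reported.
leaked_cookies() {
    tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            sub(/^[^:]*:[ \t]*/, "")      # strip the header name
            split($0, parts, ";")          # parts[1] holds name=value
            eq = index(parts[1], "=")
            if (eq == 0) next
            name  = substr(parts[1], 1, eq - 1)
            value = substr(parts[1], eq + 1)
            if (name != "JSESSIONID" && name != "DeploymentNode") next
            if (value ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) print name, value
        }'
}

# Succeeds (exit status 0) only when no checked cookie carries an address.
cookies_clean() {
    [ -z "$(leaked_cookies)" ]
}

# Constructed sample headers; the cookie value layout is an assumption.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=q1w2e3r4t5.10.26.165.38; Path=/; HttpOnly
Set-Cookie: DeploymentNode=10.26.165.38; Path=/'
SAMPLE_AFTER='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=q1w2e3r4t5.branding; Path=/; HttpOnly
Set-Cookie: DeploymentNode=branding; Path=/'

echo "before the change:"; printf '%s\n' "$SAMPLE_BEFORE" | leaked_cookies
echo "after the change:";  printf '%s\n' "$SAMPLE_AFTER"  | leaked_cookies

# Against a live node (placeholder URL):
#   curl -s -D - -o /dev/null https://<panel-host>/ | leaked_cookies
```

Run it from a host that can reach the panel, once per MN and UI node, after the pau service has been restarted.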

Troubleshooting

If you cannot open the log-in form or control panel:

  1. Check that pui.log contains the error "no available remote endpoint found to process request".
  2. Check that the domain specified as the second argument of the command resolves to the internal IP address of the MN from the MN and UI nodes.
  3. Fix the resolution of this domain to the internal IP address of the MN, or roll back the previous changes:

    sh remove-ips-from-cookies.sh <hostname> <mn-domain> 

    where
    <hostname>: the hostname of the MN or UI node (depends on where the script is run)
    <mn-domain>: the host for pau-remote-ejb0 (the value from Step 2)

    Example:

    sh remove-ips-from-cookies.sh branding 10.26.165.38