Configuring HTTP connection handlers
HTTP connection handlers are responsible for managing the communication with HTTP clients and invoking servlets to process requests from those clients. HTTP connection handlers can be used to host web applications on the server.
Each HTTP connection handler should be configured with one or more HTTP servlet extensions and zero or more HTTP operation log publishers.
If the HTTP Connection Handler cannot be started (for example, if its associated HTTP Servlet Extension fails to initialize), then this does not prevent the entire directory server from starting. The server’s start-server
tool outputs any errors to the error log. This allows the server to continue serving LDAP requests even with a bad servlet extension.
The configuration properties available for use with an HTTP connection handler include the following:
- listen-address
-
Specifies the address on which the connection handler listens for requests from clients. If not specified, then requests are accepted on all addresses bound to the system.
- listen-port
-
Specifies the port on which the connection handler listens for requests from clients. Required.
- use-ssl
-
Indicates whether the connection handler uses SSL/TLS to secure communications with clients, such as whether it uses HTTPS rather than HTTP. If SSL is enabled, then
key-manager-provider
andtrust-manager-provider
values must also be specified. - http-servlet-extension
-
Specifies the set of servlet extensions that are enabled for use with the connection handler. You can have multiple HTTP connection handlers listening on different address/port combinations with identical or different sets of servlet extensions. You must configure at least one servlet extension.
- http-operation-log-publisher
-
Specifies the set of HTTP operation log publishers that should be used with the connection handler. By default, no HTTP operation log publishers are used.
- key-manager-provider
-
Specifies the key manager provider that is used to obtain the certificate presented to clients if SSL is enabled.
- trust-manager-provider
-
Specifies the trust manager provider that is used to determine whether to accept any client certificates presented to the server.
- num-request-handlers
-
Specifies the number of threads that should be used to process requests from HTTP clients. These threads are separate from the worker threads used to process other kinds of requests. The default value of zero means the number of threads are automatically selected based on the number of CPUs available to the Java virtual machine (JVM).
- web-application-extension
-
Specifies the web applications hosted by the server.
Configuring an HTTP connection handler
About this task
An HTTP connection handler has two dependent configuration objects:
-
One or more HTTP servlet extensions
-
An HTTP log publisher
The log publisher is optional, but in most cases, you should configure one or more logs to troubleshoot any issues with your HTTP connection.
You must configure the HTTP servlet extension and log publisher before configuring the HTTP connection handler. |
Steps
-
To configure your HTTP servlet extensions, use the
create-http-servlet-extension
option withdsconfig
.Example:
This example uses the
ExampleHTTPServletExtension
example in the Server SDK.$ bin/dsconfig create-http-servlet-extension \ --extension-name "Hello World Servlet" \ --type third-party \ --set "extension-class:com.unboundid.directory.sdk.examples.ExampleHTTPServletExtension" \ --set "extension-argument:path=/" \ --set "extension-argument:name=example-servlet"
-
To configure one or more HTTP log publishers, use the
create-log-publisher
option withdsconfig
.Example:
This example configures two log publishers: one for common access and one for detailed access. Both log publishers use the default configuration settings for log rotation and retention.
$ bin/dsconfig create-log-publisher \ --publisher-name "HTTP Common Access Logger" \ --type common-log-file-http-operation \ --set enabled:true \ --set log-file:logs/http-common-access \ --set "rotation-policy:24 Hours Time Limit Rotation Policy" \ --set "rotation-policy:Size Limit Rotation Policy" \ --set "retention-policy:File Count Retention Policy" \ --set "retention-policy:Free Disk Space Retention Policy" $ bin/dsconfig create-log-publisher \ --publisher-name "HTTP Detailed Access Logger" \ --type detailed-http-operation \ --set enabled:true \ --set log-file:logs/http-detailed-access \ --set "rotation-policy:24 Hours Time Limit Rotation Policy" \ --set "rotation-policy:Size Limit Rotation Policy" \ --set "retention-policy:File Count Retention Policy" \ --set "retention-policy:Free Disk Space Retention Policy"
-
To configure the HTTP connection handler, specify the HTTP servlet extension and log publishers using the
create-connection-handler
option withdsconfig
.You can update some configuration properties later as needed, but for others, like
listen-port
, you must disable and then re-enable the HTTP Connection Handler for the change to take effect.Example:
$ bin/dsconfig create-connection-handler \ --handler-name "Hello World HTTP Connection Handler" \ --type http \ --set enabled:true \ --set listen-port:8443 \ --set use-ssl:true \ --set "http-servlet-extension:Hello World Servlet" \ --set "http-operation-log-publisher:HTTP Common Access Logger" \ --set "http-operation-log-publisher:HTTP Detailed Access Logger" \ --set "key-manager-provider:JKS" \ --set "trust-manager-provider:JKS"
-
To monitor the connection handler, use the
ldapsearch
tool.By default, the HTTP connection handler has an advanced monitor entry property,
keep-stats
, that is set toTRUE
by default.Example:
$ bin/ldapsearch --baseDN "cn=monitor" \ "(objectClass=ds-http-connection-handler-statistics-monitor-entry)"
Configuring an HTTP connection handler for web applications
About this task
To host web applications on the server, use HTTP connection handlers.
Steps
-
To create the web application servlet extension, use the
create-web-application-extension
option withdsconfig
.Example:
$ bin/dsconfig create-web-application-extension \ --extension-name "Hello Web Application" \ --set "base-context-path:/hello-app" \ --set "document-root-directory:/opt/hello-web-app"
-
To monitor the connection handler, use the
ldapsearch
tool.By default, the HTTP connection handler has an advanced monitor entry property,
keep-stats
, that is set toTRUE
.Example:
$ bin/ldapsearch --baseDN "cn=monitor" \ "(objectClass=ds-http-connection-handler-statistics-monitor-entry)"
HTTP correlation IDs
Correlation IDs make it easier to track log messages across a software system request that passes through multiple subsystems.
Scattered and intermingled log messages create challenges for tracing the request flow on distributed systems. A correlation ID can be assigned to a request and added to all associated operations as the request is processed. A correlation ID allows related log messages to be easily located and grouped. The server supports correlation IDs for all HTTP requests received through its HTTP or HTTPS Connection Handler.
When an HTTP request is received, it is automatically assigned a correlation ID. This ID can be used to correlate HTTP responses with messages recorded to the HTTP Detailed Operation log and the trace log. For specific web APIs, the correlation ID might also be passed to the LDAP subsystem.
The correlation ID appears with associated requests in LDAP logs in the correlationID
key for the following REST APIs:
-
SCIM 1
-
Delegated admin
-
Consent
-
Directory
The correlation ID is used as the default client request ID value in intermediate client request controls used by the following REST APIs:
-
SCIM 2
-
Consent
-
Directory
Values related to the intermediate client request control appear in the LDAP logs in the via
key and are forwarded to downstream LDAP servers when received by PingDirectoryProxy server. The correlation ID header is also added to requests forwarded by the PingDirectory gateway.
For Server SDK extensions that have access to the current HttpServletRequest
, the current correlation ID can be retrieved as a string through the HttpServletRequest
com.pingidentity.pingdata.correlation_id
attribute, as shown.
(String) request.getAttribute("com.pingidentity.pingdata.correlation_id");