DX Application Performance Management

I'm developing  one app which connects in the APM Command Center to get informations by the APM Command Center API. The problem is:

If i have instaled my App in one server different from the server which the AP Command Center is installed, i get the following error:

XMLHttpRequest cannot load http://******:8082/apm/acc/agent. Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'http://******:8082' that is not equal to the supplied origin. Origin 'http://yyyyyy:8088' is therefore not allowed access.

So the ACC API is not allowing requests from other origins! How can i fix that?

Obs:

The http://xxxxxxx is the IP of the APM Command Center Configuratio Server

The http://yyyyyyy is the IP of my web appliction who is calling the Command Center API

Hi Diego,

Thx for contacting us about this issue, we’re currently looking at your problem and should come up with an answer within the next 24 hours.

I believe this comes from some cross-site scripting detection that we’ve put in place in the ACC Server, but we’ll give you a more useful answer.

In the meantime, can I ask you what kind of data you’re trying to get out of ACC and to what purpose? We have this nice API, but we would really like to know what our users are using it for!

Thx,

Florian.

Hello,

Thanks for reply! i'm using this app to manage my APM projects. I have a lot of customers using APM and I'm develoment one unic interface to lead with the information of each customer. So i'll register the IP of ACC and your token to each customer project.

That’s interesting, and what kind of data will you be presenting to them? If it’s fine with you, I would really like you to show me your application and talk about what you’re doing in more details.

Hi Diego,

We have started looking into the problem, and it seems indeed to be a security feature of the product aimed to protect it against cross site forgery requests.

This is all documented here:

https://docops.ca.com/ca-apm/10-2/en/administrating/ca-apm-command-center/appendix/security-considerations

To solve this issue can you:

1.    Open the APMCommandCenterServer/config/apmccsrv.properties file.

2.    Add the following lines:

1. Trusted aliases that can be used as HTTP Referer

com.ca.apm.acc.security.csrf.authorizedAliases=

3.    Set the values of the property.

The value is a trusted alias or aliases. It can be an array, with values separated by commas, for example: 127.0.0.1,localhost,accdemo.

o    An asterisk/star means that cross-site request forgery protection is disabled - any alias is permitted. This is the default setting.

o    An empty string means that no alias is trusted.

And let me know if that works? If it does not, we’ll try more exotic things ☺

Regards,

Florian.

Hi Florian,

This tip dosen't work :/. I have put this properties in the apmccsrv.properties:

##### ACC CROSS ORIGIN

com.ca.apm.acc.security.csrf.authorizedAliases=<IP OF THE APP SERVER>,localhost

And get the same error:

XMLHttpRequest cannot load http://<ACC IP>:8088/apm/acc/agent. Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'http://<ACC IP>:8088' that is not equal to the supplied origin. Origin 'http://<IP OF THE APP SERVER>:8088' is therefore not allowed access.

I'll try the APP Server port to test if it'll work.

it did not work!

Florian,

Thanks for all... here is the solution:

"Hi Diego,

My team suggests to modify

1. com.ca.apm.acc.security.cors.allowedOrigins=http://******:8088,http://yyyy:8088

in ‘apmccsrv.properties’

more info on it:

By default, Ajax calls are allowed only from web apps hosted under the same scheme://host:port as the API itself (e.g. http://10.200.7.103:8088 ). If you want to integrate from websites hosted under other URLs, you need to use com.ca.apm.acc.security.cors.allowedOrigins as noted by Matt.

A more drastic (but less secure) configuration is to completely disable the CORS filter using: com.ca.apm.acc.security.cors.allowUnknownOrigins=true. This sets the response of the pre-flight request to Access-Control-Allow-Origin: <referer-URL>

FYI, the property com.ca.apm.acc.security.csrf.authorizedAliases is used for different purpose (as an anti-CSRF) but it's disabled by default due to the nature of the ACC app  which for the time-being is immune to CSRF attacks."

Hope it helps. Please let me know whether it did or not so I can maybe raise a kb article on it. Thanks~!

Hi Diego,

Glad that it worked, it seems like we should probably document that property!

Thx for working with us,

Florian.