Go to main content

man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany

Exit Print View

Updated: Wednesday, January 24, 2018

webui-service (7)


webui-service - Oracle Solaris WebUI service




The WebUI SMF service is an Apache instance that runs a WSGI application called the coordinator over HTTPS on port 6787 by default.

Port 443 is redirected to port 6787 if the configuration property redirect_from_https is set to true. See Example 1 in the Examples section below.

Self signed certificates are automatically generated at start time. Certificates can also be delivered during deployment. See Example 2 for an example of setting up SSL certificates.

The coordinator is a minimal web application middleware that provides the following services for web applications:

  • User authentication

  • User session and RAD token protection

  • RAD-Rest request redirection

  • Authenticated file serving

These services are available through the REST API using the following namespace:


Reserved for the WebUI framework and all its applications. If the user is authenticated, it redirects to the dashboard application, otherwise, it redirects to the login page


REST API used for user authentication

POST request

A POST request containing in its body the following JSON payload

"username": "<username>"
"inactivity_timeout":  <timeout in minutes>

Will initiate a new PAM authentication conversation for the provided username. This is processed through the RAD authentication module. It is possible to omit the <username>, and in that case PAM will likely prompt you for the username, depending on its configuration. The username is a normal Oracle Solaris username, and is optional. The inactivity_timeout is optional and the default is 24h.

Upon success, a JSON payload is returned along with an auth-token cookie in its header.

The user session token validity is dependent on:

  • The session inactivity timeout specified in the request body

  • The absolute timeout that can be modified through the coordinator/absolute_timeout SMF property

  • The associated hidden RAD token validity

This cookie can be reused to subsequently access RAD REST interfaces using the WebUI, and it also serves as a user session for the WebUI framework.

The returned JSON body has the following components:


Will have one of the following values:


You have successfully completed authentication


You are in the middle of an authentication conversation, and more information is needed to continue

At this point, you need to process the messages fields appropriately


There was some unexpected error in the RAD/REST Authentication module


This is a list of JSON objects containing messages to be presented to the user interface. Messages have two elements, the message to be printed, and the style, which can be one of the following and require specific behavior as outlined below:


Gather input from the user, enabling echoing of the response, for example, when PAM needs to know the username


Gather input from the user, disabling echoing of the response, for example, asking for the password


Displays information to the user. Whether you need to acknowledge this or not depends on the UI being presented


Displays an error to the user. Whether you need to acknowledge this or not depends on the UI being presented

An example of what the messages look like is shown below:

  "state": "CONTINUE",
  "messages": [
      "style": "PROMPT_ECHO_OFF",
      "message": "Password: "

Upon failure, a HTTP Unauthorized (401) error is returned.

PUT request

A PUT request is used to continue the conversation that was initiated with the POST request, and feed back updates to the WebUI server.

The body of the request must contain at least the gathered responses data, and looks like:

  "responses": [

If there were no responses you may replace the array with a NULL value in the JSON (as in the POST example above)

This may be the case if there were no prompts for data, for example, if it was just a TEXT_INFO message, not requiring a response.

Note -  There must be exactly as many items in the 'responses' list as there were PROMPT_ECHO_ON and PROMPT_ECHO_OFF messages.

On a successful submission of the responses, you will get a JSON payload that is like the case of the POST above, with a state and more messages if any more prompting is required.

On a successful completion, you will get a state value of SUCCESS. In this case you will get additional values in the payload as outlined in GET request below.

On a failed authentication, you will get a HTTP error code of 401 (Unauthorized).

GET request

A GET request containing a auth-token cookie in its header will return a JSON payload if the cookie is valid

If you are in the middle of a PAM authentication conversation, you will receive the same payload as you would from a POST or PUT when the state has a value of CONTINUE.

If you have a valid session, that has been fully authenticated, then you will get a payload with the state value set to SUCCESS, and there will be some additional values in the JSON:


The username that is authenticated

A HTTP Unauthorized (401) error is returned if the cookie is invalid.

DELETE request

A DELETE request containing a auth-token cookie in its header will attempt to delete both the user session and its associated RAD connection. Upon success, a JSON payload { username: <username>} is returned.

On failure, a HTTP Bad request 400 error is returned.


RAD/Rest URL access point. Allows you to process RAD query using REST over HTTPS.

POST request

Redirects a RAD-REST request with its JSON body payload to the internal rad-http daemon for processing.

For additional payload format information, see RAD REST Developer Guide.


Dashboard application landing page


Analytics application landing page


Unauthenticated directory used to store js framework files (JET)

The rest of the namespace can be used by other WSGI applications (for example, /horizon for OpenStack).


The following configurations are available as SMF properties are part of the conf property group:


List of ip:port strings conforming to Apache Listen directive format. If no value is specified, the web server will listen on all available IP addresses using the default port


The default Certificate file location


The default Certificate Key file location


The default CA Certificate path location


Value to be used as ServerName in the Apache configuration that the server uses to identify itself


Absolute maximum user session duration in minutes.


String containing the relative namespace a user will be redirected to when requesting https://<host>:6787/


Boolean value to determine if Apache should redirect the root URL (/) to the Solaris Dashboard application


Boolean value to determine if service should listen on 443 and then redirect requests to port 6787


Ciphers used by Apache


Security protocols used by Apache


The webui/server SMF service will import specifically formatted files in to the preferences system on startup and refresh. These files are defined by the applications installed, for example the analytics(7) WebUI application provides an import format document in analytics(5).

If the import fails for any reason the webui/server SMF service will enter a degraded state to flag that the import failed. Further details on the failure may be found in webui/server SMF logs.


Example 1 Turn off Listening on Port 443
svccfg -s webui/server:default setprop \
svcadm refresh webui/server
svcadm restart webui/server
Example 2 Setting up SSL certificates

In order to properly configure the SSL certificate chain, a password-less certificate key will be needed. The password can be removed from a certificate key through:

openssl rsa -in original.key -out server.key

After removing the password, the SSL certificate chain can be built by concatenating the certificates, sorted from leaf to root:

cat server.crt Oracle.crt root.crt > server.crt

The resulting certificate chain and key can be placed at the paths defined by the corresponding SMF properties. Default paths are server.crt and server.key under /var/webui/conf/authdb/server/.

See Also

sstore(1), libsstore(3LIB), analytics(5), analytics(7), attributes(7), ssid(7), sstore(7), sstoreadm(1), svcadm(8)


Use the svcadm command to perform administrative actions on the sstored service, such as enabling, disabling, or restarting the service.