Fixing Multiple Interface Problems with Tomcat on Novell Access Manager 3.0.1



I recently had an issue accessing my IDP server. I had configured it with a private address on eth0 and a public address on eth1. When Tomcat is installed, its connectors are bound to the IP address of the first interface (eth0) only. On a two-interface system this makes the protected resources unreachable from the public Internet, because nothing is listening on the public address.

Attempting to authenticate through the IDP server would result in a "100101044" error at the browser. Looking at the output of the /var/opt/novell/tomcat4/logs/catalina.out file, the following entries appear (the Embedded Service Provider cannot reach the IDP to fetch its metadata, so the connection is refused):

<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105024: AMDEVICEID#esp-138B98BC4E339237: 
AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: ESP is requesting metadata from IDP </amLogEntry>

<amLogEntry> 2007-08-15T19:45:17Z SEVERE NIDS IDFF: AM#100106001: AMDEVICEID#esp-138B98BC4E339237:
Unable to load metadata for Embedded Service Provider:,
error: Connection refused </amLogEntry>

<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105039: AMDEVICEID#esp-138B98BC4E339237:
AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: Error on session id 8227B4A17333BFB621976C2AB734E8CE,
error 100101044-esp-138B98BC4E339237, Unable to authenticate. AM#100101044: AMDEVICEID#esp-138B98BC4E339237: :
Embedded Provider failed to load Identity Provider metadata </amLogEntry>


Here's how you resolve the issue ...

1. Open a command line on the IDP server and edit the file /var/opt/novell/tomcat4/conf/server.xml.

2. Search for the strings 8080 and 8443 to locate the Identity Server connector definitions.

Here's an example of the port 8080 connector from a setup that listens on a single IP address (the address value itself has been left out of the listing below):

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080"
minProcessors="5" maxProcessors="200" enableLookups="false"
redirectPort="8443" acceptCount="0" debug="0"
useURIValidationHack="false" disableUploadTimeout="true"
address="" URIEncoding="utf-8" useBodyEncodingForURI="false" />

3. Remove the entire address="..." attribute (the name and its value). With no address attribute, Tomcat binds the connector to all interfaces.
Make sure that you do this for both the 8080 and the 8443 connectors.
Keep in mind that this exposes both ports, including plain HTTP on 8080, on every interface the box has. If you only need the public address reachable, setting address to that specific IP is the narrower choice; either way, make sure the host firewall only allows what the IDP actually needs.

4. Save the file and restart Tomcat:

/etc/init.d/novell-tomcat4 restart

Use netstat to confirm that the change took effect. Here is the output on the IDP server, filtered to the listeners on port 443/8443:

linuxlab5:/ # netstat -patune|grep -i listen|grep 443

tcp 0 0* LISTEN 0 13446 7420/stunnel
tcp 0 0 :::* LISTEN 0 14759 6644/java
tcp 0 0 :::8443 :::* LISTEN 100 17071 9056/java

What you want to see once the address attribute is removed is a local address of :::8443, i.e. the wildcard address (all interfaces; on this Linux system the IPv6 wildcard :: also accepts IPv4 connections):

tcp	0	0 :::8443	:::*	LISTEN	100	17071		9056/java

In the case where the connector is still bound to a single IP address, you will see that address followed by :8443 in the local address column instead:

tcp	0	0*	LISTEN 100 17071  9056/java
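The four steps above (edit server.xml, strip the address attribute from the 8080 and 8443 connectors, restart Tomcat, check netstat) can be done in one script. The following is an added example written for this article, not code from the original post or from Novell. It defaults to the paths and ports the article names (SERVER_XML, INIT_SCRIPT and PORTS are overridable and are assumptions about your install), handles connectors that span several lines the way the listing above does, leaves connectors on other ports alone, keeps a timestamped backup, and only touches the live server when invoked with the argument apply.

```shell
#!/bin/sh
# Added example, not code from the original article or from Novell.
# Strips the address="..." attribute from the Tomcat 4 connectors on the
# ports the article names (8080 and 8443) so they bind to every interface,
# keeps a backup of server.xml, restarts Tomcat and checks the result.
# SERVER_XML, INIT_SCRIPT and PORTS default to the article's values and
# are assumptions about your install; override them in the environment.

SERVER_XML="${SERVER_XML:-/var/opt/novell/tomcat4/conf/server.xml}"
INIT_SCRIPT="${INIT_SCRIPT:-/etc/init.d/novell-tomcat4}"
PORTS="${PORTS:-8080 8443}"

# unbind_connectors IN OUT
# Copy IN to OUT, deleting address="..." from every <Connector .../> whose
# port attribute is listed in $PORTS. Connectors on other ports (AJP and so
# on) and all other elements pass through unchanged. Connectors that span
# several lines, as in the article's listing, are buffered until their "/>".
unbind_connectors() {
    awk -v ports="$PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    # Print a buffered <Connector> element, stripping address= if its port matches.
    function flush(   port) {
        port = ""
        if (match(buf, /port="[0-9]+"/)) port = substr(buf, RSTART + 6, RLENGTH - 7)
        if (port in want) {
            gsub(/address="[^"]*"[ \t]*/, "", buf)
            gsub(/\n[ \t]*\n/, "\n", buf)      # drop a line emptied by the removal
        }
        print buf
        buf = ""; inconn = 0
    }
    inconn       { buf = buf "\n" $0; if ($0 ~ /\/>/) flush(); next }
    /<Connector/ { buf = $0; inconn = 1; if ($0 ~ /\/>/) flush(); next }
                 { print }
    ' "$1" > "$2"
}

# wildcard_bound PORT
# Reads netstat/ss LISTEN lines on stdin; succeeds if PORT is bound to the
# wildcard address (:: for IPv6, 0.0.0.0 for IPv4), i.e. all interfaces.
# A bind to one specific address such as 10.0.0.5:8443 fails the check.
wildcard_bound() {
    grep -Eq "(^|[[:space:]])(:::|0\.0\.0\.0:)$1[[:space:]]"
}

# Apply to the live server only when invoked as:  sh unbind.sh apply
if [ "${1:-}" = "apply" ]; then
    cp -p "$SERVER_XML" "$SERVER_XML.bak.$(date +%Y%m%d%H%M%S)"
    unbind_connectors "$SERVER_XML" "$SERVER_XML.new" && mv "$SERVER_XML.new" "$SERVER_XML"
    "$INIT_SCRIPT" restart
    sleep 5   # give the JVM a moment to open its listeners
    for port in $PORTS; do
        if netstat -ltn 2>/dev/null | wildcard_bound "$port"; then
            echo "port $port: bound to all interfaces"
        else
            echo "port $port: NOT bound to all interfaces, check catalina.out" >&2
        fi
    done
fi
```

Run it without arguments to do nothing but define the functions (useful for dry runs against a copy: unbind_connectors server.xml /tmp/server.xml.new, then diff the two), and with apply on the IDP server to make the change and verify it. The netstat check encodes the "what you want to see" rule from the article: :::8443 or 0.0.0.0:8443 passes, a specific address does not.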

