Identity Manager Applications, PAT, and Firewall

1 Likes
over 5 years ago

Consider this common scenario:

  • The Identity Manager applications (IDMProv, osp, dash, landing, sspr) all running on the one instance of Tomcat
  • You want to PAT (Port Address Translation) from 80/443 to 8080/8443 so you utilise common URLs without ports
  • Tomcat needs to run as novlua and therefore can not bind as 80 or 443

This presents a challenge, especially if you wish to use the SuSEfirewall2.

If you correctly edit the /etc/sysconfig/SuSEfirewall2 file and add the FW_REDIRECT="0/0,0/0,tcp,80,8080 0/0,0/0,tcp,443,8443", the client access appears to fine until you authenticate, at which point you receive this error:

IDMApps_Error.png

Turning on debugging in OSP (/opt/netiq/idm/apps/tomcat/bin/setenv.sh changing -Dcom.netiq.idm.osp.logging.level=INFO to -Dcom.netiq.idm.osp.logging.level=DEBUG) does not help as its purely a network communication issue and as a result there is no useful output.

The FW_REDIRECT only sets the PREROUTING table entries, but even manually setting the OUTPUT table entries (see below) doesn't help as SuSEfirewall2 mangles it completely.

The reason for this is the apps will communicate with each other to validate issued tokens and, when this occurs, the SuSEfirewall2 treats this as "internal" communications therefore does not go through the SuSEfirewall2 (which is a wrapper for iptables).

IDMApps_firewall.png

There are few options to work around this issue.

  1. Turn off the SuSEfirewall2 and use just iptables. This will require setting both the PREROUTING and OUTPUT tables:
    iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
    iptables -t nat -I OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
    iptables -t nat -I OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8443

    IDMApps_iptables.png

  2. Use a VIP or Access Gateway in front of the tomcat server so that all traffic is forced out the network layer before coming back in.

Labels:

Support Tip
Comment List
Anonymous
  • These commands will suffice as the port redirect can return packets:

    iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

    Actually you must never route all outgoing 80 / 443 ports or you'll end up having no updates with yum/zypper/other. And no web connections to anywhere for that matter.
  • I am running IDM APPS 4.6.2.1 and osp 6.1.6 on a SLES 11.4 server.
    In this configuration the PAT is not working by 100% as descruped here - neither through SuseFierewall nor IPTables :-(

    The problem is, that all local requests are not affected by the PAT!
  • I'm no F5 expert....I'm not sure if it is capable of doing PAT at the L4 level... I suggest, if you have a support contract with F5, ask them if you can do PAT with L4 Load Balancing...

    Your other option is to ask the forum, I've seen others post with F5 configuration issues, so someone might have the answer.
  • Great article! I recently had the problem and we were actually fronting a VIP/F5 in front of it as well (443 incoming, F5 converted to 8443 to app)....is there a way for F5 to work this way without the iptable commands? I have a sneaking suspicion there's something missing in F5 config.
Related Discussions
Recommended