Protect Access Manager Admin Console When Installed on the Same Machine as the Identity Server


Sometimes, for various reasons, it is required or desired to install Access Manager with both Admin Console and Identity Server sharing the same physical (or virtual) machine. In this case, since the Identity provider needs to be accessible, and if the services provided by Access Manager need to be available (read: open) to the Internet, arises the problem of securing the Admin Console, so it will not be accessible from the greater Internet.

Novell's official stand is that the supported way to secure the Admin Console for the above scenario is to separate it from the Identity Server. However, sometimes this is not possible, so the below solution addresses this.

Edit /var/opt/novell/tomcat5/conf/server.xml (remember to make a copy of it first).

Look for the end of the <Host> block.

Before the last line (aka before </Host>), insert the following:

        <Context path="/nps">
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="xxx.yyy.zzz.www" />

The syntax for the allow directive (which can be changed to a deny directive as well) is a comma separated IP regular expressions list (Perl regex format). A simple example would be:


This would mean: allow,,

The official documentation of the Valve IP based filter can be viewed in the Apache Tomcat official documentation site.


How To-Best Practice
Comment List