Access Manager: Multiple Published DNS Names for the Same Resource

Access Manager: Multiple Published DNS Names for the Same Resource

There is often a need to access a certain resource protected by Access Manager by using more than one possible name. One example could be merging of two separate web sites into one, with some users used-to access the content with one name, and others with a different name.



Access Manager normally requires that you to set the "Published DNS Name" field in a Proxy Service configuration, so this Proxy Service only accepts requests for this one specific "official" DNS name. You can, however change this behaviour by unchecking the "Error on DNS Mismatch" check box, which tells Access Manager to allow access to the content behind this Proxy Server using any DNS name you want.



However, in a Domain based Multi-Homing configuration, the setting of "Error on DNS Mismatch" is not really effective, since Access Manager needs to KNOW what DNS name you are referring to in order to fetch the correct content via this Multi-Homed service.



This means that if we want to allow access using multiple DNS names to the same resource, we should create a proxy service for each of the desired DNS names.



However, if you need to be able to use multiple DNS names for the same web site, there are some shortcuts you can take.



For example, suppose you need access to the same web site using all of these possible names:




  • mySite.ecma.com

  • myNewSite.ecma.com

  • myOtherName.ecma.com

  • myNewSite



Let's first look at the first three alternatives; The easiest way to allow access to the same resource using all possible names is:



Create a Proxy Service with a Published DNS name of mySite.ecma.com.

Treat that Proxy Service as the only Proxy Service for this web site, and as such, create all relevant policies under this Proxy Service (Authorization, Form Fill, Identity Injection, etc.)



Now, create an additional Proxy Service for each of the other two names (myNewSite.ecma.com, myOtherName.ecma.com). The only reason we want these Proxy Services is that Access Manager will:



recognize the DNS name as a valid name

redirect the user to our "main" Proxy Service (mySite.ecma.com in this example)



So for each of these new Proxy Services, the only things you really need to fill in are:



  • Published DNS Name

  • Web Server List (fill in the exact list of back-end web servers you used in the "main" Proxy Service)

  • A "dummy" protected resource with Public access



The "dummy" protected resource is just our mechanism for redirecting the user to the "main" Proxy Service.


Do that using an Authorization Policy that does (general form pseudo-code):


If URL Host equals "myNewSite.ecma.com"

Then Redirect to URL: "https://mySite.ecma.com"



That's the first part...



Next, we had another requirement in the above list of possible names, and that was "myNewSite". Just like that, without a proper DNS suffix.



There is a "limitation" with Access Manager, in that it enforces properly formatted DNS names for the Published DNS Name of a Proxy Service... This means we cannot take the path we took above in this case.



If we try to access one of the above Proxy Services using this name ("myNewSite"), Access Manager will return the famous 403 error with the "Host name received is not for this web site" description.



The remainder of our solution is to use a small JavaScript code that we'll inject into the NAM error page. This code will detect a host name that is not in a proper DNS format, and redirect the user to a properly formatted name, based on the name the user provided.


For example: if the user browsed to http://myNewSite, this code will redirect the browser to:

http://myNewSite.ecma.com



Here's how:



On the LAG server, go to the following directory:


/var/novell/errorpagesconfig/current



First - backup the file we are about to modify:

ErrorPageTemplate.htm.en


Now edit the this file, and add the following code just below the <head> tag:




<script language="JavaScript">
<!--
var hostStr=location.protocol+"//"+location.hostname;
var domainSuffix=".ecma.com";
if ( hostStr.indexOf(".")== -1)
{
window.location = hostStr+domainSuffix;
}
-->
</script>





Change the value of the domainSuffix variable to match the desired domain name.



Save the file, and restart the relevant NAM services:


/etc/init.d/novell-vmc stop
/etc/init.d/novell-vmc start





Some final notes:



  • It is possible that future Access Manager Service Packs will install new or updated error page template files, like the one we have just edited. However, the current mechanism for installing patches on LAG, first backs-up the existing files under /var/novell/errorpagesconfig/current (it copies them to the /var/novell/errorpagesconfig/.backup directory) - so you can see and copy from the backup to the new error page templates.

  • This solution applies to NAM 3.0 SP3 and above. Note that versions prior to SP3 did not use Error page HTML templates, so this solution does not apply in such cases.


Labels (1)
Tags (1)

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
3 of 3
Last update:
‎2020-01-31 22:08
Updated by:
Absent Member.
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.