Fixing Multiple Interface Problems with Tomcat on Novell Access Manager 3.0.1



I recently had an issue with accessing my IDP server. I had configured it with a private address on eth0 and a public address on eth1. When Tomcat is installed, it uses the IP address of the first interface (eth0) to listen on. On a two-interface system, this makes accessing the protected resources impossible from the public Internet.

Attempting to authenticate through the IDP server would result in a "100101044" error at the browser. Looking at the output of the /var/opt/novell/tomcat4/logs/catalina.out file, the following would be displayed:

<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105024: AMDEVICEID#esp-138B98BC4E339237: 
AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: ESP is requesting metadata from IDP </amLogEntry>

<amLogEntry> 2007-08-15T19:45:17Z SEVERE NIDS IDFF: AM#100106001: AMDEVICEID#esp-138B98BC4E339237:
Unable to load metadata for Embedded Service Provider:,
error: Connection refused </amLogEntry>

<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105039: AMDEVICEID#esp-138B98BC4E339237:
AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: Error on session id 8227B4A17333BFB621976C2AB734E8CE,
error 100101044-esp-138B98BC4E339237, Unable to authenticate. AM#100101044: AMDEVICEID#esp-138B98BC4E339237: :
Embedded Provider failed to load Identity Provider metadata </amLogEntry>


Here's how you resolve the issue ...

1. Open a command line on the IDP server and edit the file /var/opt/novell/tomcat4/conf/server.xml.

2. Search for the 8443 and 8080 strings to locate the identity server connector information.

Here's an example connector from a setup that only listens on IP address

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080"
minProcessors="5" maxProcessors="200" enableLookups="false"
redirectPort="8443" acceptCount="0" debug="0"
useURIValidationHack="false" disableUploadTimeout="true"
address="" URIEncoding="utf-8"
useBodyEncodingForURI="false" />

3. Remove the "address=" string (the attribute name together with its quoted value). This forces Tomcat to listen on all interfaces.
Make sure that you do this for both connectors, the one on 8080 and the one on 8443.

4. Save the file and restart Tomcat:

/etc/init.d/novell-tomcat4 restart

Use netstat to verify that the change took effect. This is the output:

linuxlab5:/ # netstat -patune|grep -i listen|grep 443

tcp 0 0* LISTEN 0 13446 7420/stunnel
tcp 0 0 :::* LISTEN 0 14759 6644/java
tcp 0 0 :::8443 :::* LISTEN 100 17071 9056/java

What you want to see once the "address" field is removed is that we listen on 0, i.e. all addresses:

tcp	0	0 :::8443	:::*	LISTEN	100	17071		9056/java

In the case where we listen on one specific IP address only, you will see this:

tcp	0	0*	LISTEN 100 17071  9056/java
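
A check for step 3, as an added example (not code from the article or from Novell): it parses server.xml and reports the bind address of the connectors on 8080 and 8443, so a connector that was missed shows up before Tomcat is restarted. The sample XML, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: 8080 has had address= removed, 8443 was missed.
# 192.0.2.10 is a documentation address, not a value from the article.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080"
               minProcessors="5" maxProcessors="200" enableLookups="false"
               redirectPort="8443" acceptCount="0" debug="0" />
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
               minProcessors="5" maxProcessors="200" enableLookups="false"
               address="192.0.2.10" scheme="https" secure="true" />
  </Service>
</Server>
"""

ALL_INTERFACES = "*"


def connector_bindings(xml_text, ports=("8080", "8443")):
    """Map each connector port of interest to its bind address.

    A connector with no address attribute is reported as ALL_INTERFACES;
    a port with no matching <Connector> is reported as None.
    """
    root = ET.fromstring(xml_text)
    found = {port: None for port in ports}
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if port in found:
            found[port] = conn.get("address", ALL_INTERFACES)
    return found


def still_pinned(xml_text, ports=("8080", "8443")):
    """Ports whose connector is still bound to one address (or is missing)."""
    bindings = connector_bindings(xml_text, ports)
    return sorted(p for p, addr in bindings.items() if addr != ALL_INTERFACES)


if __name__ == "__main__":
    for port, addr in connector_bindings(SAMPLE_SERVER_XML).items():
        print(f"connector {port}: address={addr}")
    print("needs attention:", still_pinned(SAMPLE_SERVER_XML))
```

To check a real system, pass the contents of /var/opt/novell/tomcat4/conf/server.xml to `connector_bindings`. A port reported as `*` is reachable on every interface, so the same output shows which ports the filtering on eth0 and eth1 has to account for.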

thanks man, had a similar issue with the Access Management Administration Console.
this worked a treat and saved me a tonne of time trying to work it out 😉
cheers again.
Version history: revision 3 of 3, last update 2020-01-31 22:09