davidmakbc

Any experience with IDM 4.0.1 and F5-LTM (SSL Proxy) configu


Are there users out there who have experience with NetIQ IDM 4.0.x (or
earlier) configurations where SSL processing is performed by external
appliances, which also provide high availability / load balancing
functions?

We are in the midst of establishing such an environment and have run
into a few stumbling blocks. We've found work-arounds for issues such as
NCP and NAT, but are confounded by a problem with the UserApp and the
Reporting Module which we have set up under JBoss -- the UserApp seems to
work well enough alone, but the Reporting App doesn't seem to like
working behind an SSL accelerator such as the F5 LTM (9.4.8) -- where the
SSL connection is between the client browser and the F5 appliance, but
the connection between the F5 and the IDM UserApp is cleartext, and
essentially proxied.

We modified the default connector config:
novell/idm/jboss/server/IDMProv/deploy/jbossweb.sar/server.xml

from:
<Connector protocol="HTTP/1.1" port="8080"
address="${jboss.bind.address}"
connectionTimeout="20000" redirectPort="8443" />

to:

<Connector protocol="HTTP/1.1" port="8080"
address="${jboss.bind.address}"
connectionTimeout="20000" redirectPort="8443"
scheme="https" secure="true" proxyName="idmdev.bc.edu"
proxyPort="443"/>

But this isn't sufficient, and results in an error with authentication
token results:

The authentication server is invalid:
https://idmdev.bc.edu:443/IDMRPT-AUTH/auth/tokens

Has anyone run into a similar issue or have a suggestion?

Cheers,
David Mak
Boston College


--
davidmakbc
------------------------------------------------------------------------
davidmakbc's Profile: http://forums.novell.com/member.php?userid=118358
View this thread: http://forums.novell.com/showthread.php?t=455218
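Added for illustration (this code is not from the post, from NetIQ or from JBoss): a small Python model of how a connector's scheme/proxyName/proxyPort attributes feed the URL a servlet behind the F5 reconstructs, next to a comparison that treats an explicit default port (the :443 in the error above) as equivalent to its absence. The function names, the fallback Host value and the default-port rule applied to the reconstructed URL are assumptions; the thread does not state what the Reporting module actually compares.

```python
from urllib.parse import urlsplit, urlunsplit

# Connector attributes copied from the modified server.xml in the post;
# connectionTimeout and redirectPort play no part in URL reconstruction.
PROXIED_CONNECTOR = {"port": 8080, "scheme": "https", "secure": True,
                     "proxyName": "idmdev.bc.edu", "proxyPort": 443}
# The stock connector before the edit, for comparison.
DEFAULT_CONNECTOR = {"port": 8080, "scheme": "http", "secure": False}

DEFAULT_PORTS = {"http": 80, "https": 443}


def reconstruct_request_url(connector, path, fallback_host="idmdev.bc.edu"):
    """URL a servlet behind this connector reconstructs (Tomcat/JBoss Web
    semantics): scheme, proxyName and proxyPort stand in for what the
    cleartext hop from the F5 actually carried, and a port that is the
    default for the scheme is omitted. fallback_host replaces the Host
    header when no proxyName is configured (assumption for this model)."""
    scheme = connector.get("scheme", "http")
    host = connector.get("proxyName") or fallback_host
    port = connector.get("proxyPort") or connector["port"]
    netloc = host if DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    return urlunsplit((scheme, netloc, path, "", ""))


def normalize_url(url):
    """Canonical form for comparison: lower-case scheme and host, and an
    explicit default port (http:80, https:443) dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is not None and DEFAULT_PORTS.get(scheme) == port:
        port = None
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def urls_equivalent(a, b):
    """True when two URLs name the same endpoint once default ports are
    normalized; a plain string compare rejects 'host:443' against 'host'."""
    return normalize_url(a) == normalize_url(b)


if __name__ == "__main__":
    path = "/IDMRPT-AUTH/auth/tokens"
    reported = "https://idmdev.bc.edu:443" + path   # URL quoted in the error above
    for name, conn in (("default", DEFAULT_CONNECTOR), ("proxied", PROXIED_CONNECTOR)):
        built = reconstruct_request_url(conn, path)
        print(f"{name:8s} {built}  strict={built == reported}  "
              f"normalized={urls_equivalent(built, reported)}")
```

With the proxied connector the reconstructed URL differs from the reported one only by the explicit :443, so a strict string compare fails while the normalized compare succeeds; with the stock connector both compares fail, which is the expected result for cleartext access on 8080.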

Anonymous_User

Re: Any experience with IDM 4.0.1 and F5-LTM (SSL Proxy) configu

On 04/27/2012 04:26 PM, davidmakbc wrote:
>
> Are there users out there who have experience with NetIQ IDM 4.0.x (or
> earlier) configurations where SSL processing is performed by external
> appliances, which also provide high availability / load balancing
> functions?
>
> We are in the midst of establishing such an environment and have run
> into a few stumbling blocks. We've found work-arounds for issues such as
> NCP and NAT, but are confounded by a problem with the UserApp and the
> Reporting Module which we have set up under JBoss -- the UserApp seems to
> work well enough alone, but the Reporting App doesn't seem to like
> working behind an SSL accelerator such as the F5 LTM (9.4.8) -- where the
> SSL connection is between the client browser and the F5 appliance, but
> the connection between the F5 and the IDM UserApp is cleartext, and
> essentially proxied.
>
> We modified the default connector config:
> novell/idm/jboss/server/IDMProv/deploy/jbossweb.sar/server.xml
>
> from:
> <Connector protocol="HTTP/1.1" port="8080"
> address="${jboss.bind.address}"
> connectionTimeout="20000" redirectPort="8443" />
>
> to:
>
> <Connector protocol="HTTP/1.1" port="8080"
> address="${jboss.bind.address}"
> connectionTimeout="20000" redirectPort="8443"
> scheme="https" secure="true" proxyName="idmdev.bc.edu"
> proxyPort="443"/>
>
> But this isn't sufficient, and results in an error with authentication
> token results:
>
> The authentication server is invalid:
> https://idmdev.bc.edu:443/IDMRPT-AUTH/auth/tokens
>
> Has anyone run into a similar issue or have a suggestion?
>
> Cheers,
> David Mak
> Boston College
>
>

Greetings David,
You are experiencing a known issue with the Reporting module where
it will not work on ports 80 or 443. This issue will be resolved in the
next Public Patch for the 401 release.

--
Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
Anonymous_User

Re: Any experience with IDM 4.0.1 and F5-LTM (SSL Proxy) configu

On 04/27/2012 08:20 PM, Steven Williams wrote:
> On 04/27/2012 04:26 PM, davidmakbc wrote:
>>
>> Are there users out there who have experience with NetIQ IDM 4.0.x (or
>> earlier) configurations where SSL processing is performed by external
>> appliances, which also provide high availability / load balancing
>> functions?
>>
>> We are in the midst of establishing such an environment and have run
>> into a few stumbling blocks. We've found work-arounds for issues such as
>> NCP and NAT, but are confounded by a problem with the UserApp and the
>> Reporting Module which we have set up under JBoss -- the UserApp seems to
>> work well enough alone, but the Reporting App doesn't seem to like
>> working behind an SSL accelerator such as the F5 LTM (9.4.8) -- where the
>> SSL connection is between the client browser and the F5 appliance, but
>> the connection between the F5 and the IDM UserApp is cleartext, and
>> essentially proxied.
>>
>> We modified the default connector config:
>> novell/idm/jboss/server/IDMProv/deploy/jbossweb.sar/server.xml
>>
>> from:
>> <Connector protocol="HTTP/1.1" port="8080"
>> address="${jboss.bind.address}"
>> connectionTimeout="20000" redirectPort="8443" />
>>
>> to:
>>
>> <Connector protocol="HTTP/1.1" port="8080"
>> address="${jboss.bind.address}"
>> connectionTimeout="20000" redirectPort="8443"
>> scheme="https" secure="true" proxyName="idmdev.bc.edu"
>> proxyPort="443"/>
>>
>> But this isn't sufficient, and results in an error with authentication
>> token results:
>>
>> The authentication server is invalid:
>> https://idmdev.bc.edu:443/IDMRPT-AUTH/auth/tokens
>>
>> Has anyone run into a similar issue or have a suggestion?
>>
>> Cheers,
>> David Mak
>> Boston College
>>
>>

> Greetings David,
> You are experiencing a known issue with the Reporting module where it
> will not work on ports 80 or 443. This issue will be resolved in the
> next Public Patch for the 401 release.
>

Greetings David,
This was outlined in the thread "IDM 4.01 Reporting Module Login Error"

--
Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
davidmakbc

Re: Any experience with IDM 4.0.1 and F5-LTM (SSL Proxy) configu


Thank you Steven for the information. Do you know if an early access
patch is available via an SR (Service Request)?

Thank you,
David


--
davidmakbc

Anonymous_User

Re: Any experience with IDM 4.0.1 and F5-LTM (SSL Proxy) configu

On 04/30/2012 11:16 AM, davidmakbc wrote:
>
> Thank you Steven for the information. Do you know if an early access
> patch is available via an SR (Service Request)?
>
> Thank you,
> David
>
>

Greetings David,
Yes.

--
Sincerely,
Steven Williams
Lead Software Engineer
NetIQ