Admiral

SSPR unable to use OSP with port redirection

We are running the following versions of IDM Modules:
IDM Apps 4.6.2.1
IDM Reporting 5.5.2
OSP 6.1.6
SSPR 4.2.0.5

To allow access to the IDM Apps we configured a port redirection using iptables

# Connections arriving from the network on 443 are redirected to Tomcat on 8443
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
# Connections this host makes to itself on 443 (routed via loopback) get the same redirect
iptables -t nat -A OUTPUT -p tcp --dport 443 -o lo -j REDIRECT --to-ports 8443

All URLs in SSO Clients (configupdate) are configured to https://server (without any port)

We can see that access to all applications (idmdash, rra, IDMProv, IDMRep) is working as designed, but SSPR is not working because of problems in the OSP integration.

When configuring SSPR through the UI it is not possible to receive the OSP certificate if the OSP URLs are configured as in configupdate (https:// without port). In this case we receive a connection refused error.

When configuring SSPR to use https:// with port 8443, the OSP certificate can be read, but SSO to SSPR is not possible because of OSP errors.

I am sure this configuration was working before; maybe it has been broken since the last update of SSPR?!

Can anybody provide a hint on how to configure the whole stack on one server to virtually listen on port 443 (only) without assigning the novlua user the right to open port 443?

Kind regards,

Thorsten
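The two iptables rules in the post, as an added example that is not part of Thorsten's post: a script that applies them idempotently and checks that both really sit in the nat table, because the symptom described (remote access works, local OSP calls to https://server are refused) is exactly what a missing or ineffective nat OUTPUT rule looks like. It assumes an iptables that supports -C, Tomcat on 8443 running as novlua, and a server name that resolves to one of the box's own addresses; the OUTPUT rule with -o lo only catches connections the host makes to itself, so a name that resolves elsewhere (a load balancer, for instance) is not redirected. The iptables-save sample inside the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the two REDIRECT rules
# from the thread idempotently and verify that both really sit in the nat table.
# Assumptions: iptables with -C support, Tomcat on 8443 running as novlua, and a
# server name that resolves to one of this host's own addresses (only such
# connections are routed via lo, which is what "-o lo" matches).

PUBLIC_PORT=443
TOMCAT_PORT=8443

# Rule bodies without table/chain, usable with both -C (check) and -A (append).
PREROUTING_SPEC="-p tcp --dport $PUBLIC_PORT -j REDIRECT --to-ports $TOMCAT_PORT"
OUTPUT_SPEC="-o lo -p tcp --dport $PUBLIC_PORT -j REDIRECT --to-ports $TOMCAT_PORT"

# Append a nat rule only if it is not already present (safe to re-run at boot).
ensure_rule() {  # $1 = chain, $2 = rule spec (intentionally word-split)
    iptables -t nat -C "$1" $2 2>/dev/null || iptables -t nat -A "$1" $2
}

apply_rules() {
    ensure_rule PREROUTING "$PREROUTING_SPEC"  # clients on the network
    ensure_rule OUTPUT     "$OUTPUT_SPEC"      # this host calling itself (OSP <-> SSPR)
}

# Pure check over `iptables-save -t nat` text on stdin: prints each missing
# redirect and returns 1; prints nothing and returns 0 when both are present.
missing_redirects() {
    save=$(cat)
    rc=0
    suffix="--dport $PUBLIC_PORT .*-j REDIRECT --to-ports $TOMCAT_PORT"
    printf '%s\n' "$save" | grep -q "^-A PREROUTING .*$suffix" \
        || { echo "missing: nat PREROUTING $PUBLIC_PORT->$TOMCAT_PORT (remote clients)"; rc=1; }
    printf '%s\n' "$save" | grep -q "^-A OUTPUT .*-o lo .*$suffix" \
        || { echo "missing: nat OUTPUT -o lo $PUBLIC_PORT->$TOMCAT_PORT (local OSP/SSPR calls)"; rc=1; }
    return $rc
}

# Live check on the box: both rules present, Tomcat listening on 8443, and the
# port-less URL answering when called locally, the way OSP and SSPR call it.
check_live() {  # $1 = server name used in the configupdate URLs
    iptables-save -t nat | missing_redirects || return 1
    ss -tln | grep -q ":$TOMCAT_PORT " || { echo "nothing listening on $TOMCAT_PORT"; return 1; }
    printf 'https://%s/osp/ -> HTTP ' "$1"
    curl -sk -o /dev/null -w '%{http_code}\n' "https://$1/osp/"
}

# Constructed sample of `iptables-save -t nat` output (not captured from a real host).
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'

case "${1:-}" in
    --apply) apply_rules && check_live "${2:-$(hostname -f)}" ;;
    --check) check_live "${2:-$(hostname -f)}" ;;
    --demo)  printf '%s\n' "$SAMPLE_SAVE" | missing_redirects && echo "sample: both rules present" ;;
esac
```

Run it as root with --apply on the box, or --check afterwards; --demo exercises the check on the constructed sample only. The rules take effect immediately, no reboot needed, but a firewall service that manages iptables (SuSEfirewall2, firewalld) can flush the nat table when it restarts and silently drop both rules, so persist them through that service rather than by typing the commands once. Compared with granting CAP_NET_BIND_SERVICE to the java binary via setcap, the redirect keeps the privilege out of the JVM entirely; the price is that nothing actually listens on 443, which is why a local connection to https://server/ is refused the moment the OUTPUT rule is absent.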
7 Replies
Knowledge Partner

On 5/25/2018 3:56 AM, tschloesser wrote:
>
> We are running the following versions of IDM Modules:
> IDM Apps 4.6.2.1
> IDM Reporting 5.5.2
> OSP 6.1.6
> SSPR 4.2.0.5
>
> To allow access to the IDM Apps we configured a port redirection using
> iptables
>
> iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports
> 8443
> iptables -t nat -A OUTPUT -p tcp --dport 443 -o lo -j REDIRECT --to-ports
> 8443
>
> All URLs in SSO Clients (configupdate) are configured to https://server
> (without any port)
>
> We can see that access to all applications (idmdash, rra, IDMProv,
> IDMRep) is working as designed, but SSPR is not working because of
> problems in the OSP integration.
>
> When configuring SSPR through the UI it is not possible to receive the
> OSP certificate if the OSP URLs are configured as in configupdate
> (https:// without port). In this case we receive a connection
> refused error.
>
> When configuring SSPR to use https:// with port 8443, the OSP certificate
> can be read, but SSO to SSPR is not possible because of OSP errors.
>
> I am sure this configuration was working before; maybe it has been broken
> since the last update of SSPR?!
>
> Can anybody provide a hint on how to configure the whole stack on one
> server to virtually listen on port 443 (only) without assigning the
> novlua user the right to open port 443?


Typically what we do is use configupdate.sh and specify the :443 on the
various URLs. Then save, edit the ism-configuration.properties file and
remove the :443.

This is a stupid situation; I am told it is standards-based, but regardless,
it is not a good situation.

Admiral

Thanks for the fast answer,

but this doesn't work.
I can see that any local OSP request will fail, since those requests are not affected by the PAT. Since there is nothing listening on 443, the requests do not get through to OSP.
Knowledge Partner

On 5/25/2018 7:26 AM, tschloesser wrote:
>
> Thanks for the fast answer,
>
> but this doesn't work.
> I can see that any local OSP request will fail, since those requests are
> not affected by the PAT. Since there is nothing listening on 443, the
> requests do not get through to OSP.


I must have missed something. SSPR, OSP, and ID Apps all on the same box?

If so, why did the iptables redirect not listen on 443?


Absent Member.

Do you also have the firewall on? https://www.netiq.com/communities/cool-solutions/identity-manager-applications-pat-firewall/

I've actually seen inconsistent behaviour around this. I recently built a 4.7 environment and the only config was all URLs being non-port-specified, except for the OSP configure (required value). Also make sure you've set up all the whitelists in SSPR (key="security.redirectUrl.whiteList") to include both port and non-port URLs.

Visit my Website for links to Cool Solution articles.
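The configupdate-then-edit workaround given earlier in the thread (save with :443, then strip it from ism-configuration.properties) and the whitelist advice just above (list both the port and non-port forms) are two sides of the same string-comparison problem. As an added example that is not code from either reply, the following shell helpers do the :443 stripping as a reviewable filter and print both spellings of a URL for security.redirectUrl.whiteList. The property keys in the sample are illustrative, not the real keys of ism-configuration.properties, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not code from either reply. Two helpers for the ":443 or no
# port" problem: strip the default https port from URL values the way the
# configupdate-then-edit workaround does by hand, and print both spellings of a
# URL for the SSPR whitelist (security.redirectUrl.whiteList), because a list
# compared by exact string match treats https://server/... and
# https://server:443/... as two different entries.
# Assumptions: the property keys in the sample are illustrative, not the real
# keys of ism-configuration.properties; the sample file is constructed.

# https://host:443/path -> https://host/path ; any other port is left untouched.
strip_default_port() {  # $1 = url
    printf '%s\n' "$1" | sed -E 's#^(https://[^/:]+):443(/.*)?$#\1\2#'
}

# Print the URL without and with ":443". A URL that already carries another
# port is printed once, so ":8443" never becomes ":8443:443".
whitelist_variants() {  # $1 = url
    base=$(strip_default_port "$1")
    host=$(printf '%s\n' "$base" | sed -E 's#^(https://[^/]+).*#\1#')
    case "$host" in
        https://*:*) printf '%s\n' "$base" ;;
        *)           printf '%s\n%s:443%s\n' "$base" "$host" "${base#"$host"}" ;;
    esac
}

# Filter, stdin -> stdout: drop ":443" from every https://host:443 occurrence in
# a properties file. Run it on a copy and diff before touching the live file.
rewrite_properties() {
    sed -E 's#(https://[^/:[:space:]]+):443(/|[[:space:]]|$)#\1\2#g'
}

# Constructed sample (illustrative keys, not the real ism-configuration.properties).
SAMPLE_PROPS='example.osp.url = https://server:443/osp
example.sspr.url = https://server:443/sspr
example.reporting.url = https://server:8443/IDMRPT'

case "${1:-}" in
    --demo)
        printf '%s\n' "$SAMPLE_PROPS" | rewrite_properties
        whitelist_variants 'https://server/sspr/public/oauth' ;;
    --rewrite)  # $2 = path to a COPY of ism-configuration.properties
        cp -p "$2" "$2.orig" && rewrite_properties <"$2.orig" >"$2"
        diff "$2.orig" "$2" ;;
esac
```

--demo runs the filter over the constructed sample and prints the two whitelist forms of one URL; --rewrite FILE rewrites a copy and diffs it against the original, so you see exactly which values changed before copying it back over the live file. Under RFC 3986 scheme-based normalization an explicit default port is equivalent to no port, which is presumably the "standards based" argument, but a whitelist or redirect URI check that compares strings byte for byte does not normalize, so the safe configuration lists both forms.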
Admiral

It is not only SSPR which is affected. If ism-configuration.properties is using either port 443 or no port for the OSP URL, access to the IDM Apps is not working either.
And yes, I turned the firewall off. I bet the server does not have to be restarted after entering the two iptables commands, does it?
Absent Member.

Just got around to replying to your Cool Solution message.

Visit my Website for links to Cool Solution articles.
Absent Member.

On 2018-05-25 09:56, tschloesser wrote:
>
> We are running the following versions of IDM Modules:
> IDM Apps 4.6.2.1
> IDM Reporting 5.5.2
> OSP 6.1.6
> SSPR 4.2.0.5
>
> To allow access to the IDM Apps we configured a port redirection using
> iptables
>
> iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports
> 8443
> iptables -t nat -A OUTPUT -p tcp --dport 443 -o lo -j REDIRECT --to-ports
> 8443
>
> All URLs in SSO Clients (configupdate) are configured to https://server
> (without any port)
>
> We can see that access to all applications (idmdash, rra, IDMProv,
> IDMRep) is working as designed, but SSPR is not working because of
> problems in the OSP integration.
>
> When configuring SSPR through the UI it is not possible to receive the
> OSP certificate if the OSP URLs are configured as in configupdate
> (https:// without port). In this case we receive a connection
> refused error.
>
> When configuring SSPR to use https:// with port 8443, the OSP certificate
> can be read, but SSO to SSPR is not possible because of OSP errors.
>
> I am sure this configuration was working before; maybe it has been broken
> since the last update of SSPR?!
>
> Can anybody provide a hint on how to configure the whole stack on one
> server to virtually listen on port 443 (only) without assigning the
> novlua user the right to open port 443?
>
> Kind regards,
>
> Thorsten
>
>

Hello Thorsten,

I would recommend that you set up an Apache web server with an AJP13 proxy. In the past we have used a lot of different solutions to get everything running on 443 (iptables, setcap, Apache jsvc), but using a web server as a proxy seems to be the best and most robust solution. It requires some extra bits and bytes, but the configuration is straightforward.

Best regards,
Tobias
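As an added example that is not Tobias's configuration: a small renderer for the two halves of the Apache-in-front layout, an httpd vhost that owns :443 and proxies each IDM context to Tomcat over AJP on loopback, and the matching Tomcat AJP connector. httpd binds 443 as root and drops privileges itself, so Tomcat keeps running as novlua on an unprivileged port, and because AJP forwards the original scheme and port, OSP and SSPR see https://server/... and build redirect URLs without any port. The certificate paths, the AJP port and the list of contexts are assumptions; replace them with what is actually deployed.

```shell
#!/bin/sh
# Added example, not Tobias's configuration: render the two halves of the
# Apache-in-front layout. httpd binds :443 as root and drops privileges itself,
# so Tomcat keeps running as novlua on an unprivileged port; each IDM context is
# proxied to Tomcat over AJP on loopback, and because AJP forwards the original
# scheme and port, OSP and SSPR see https://server/... and build redirect URLs
# without any port.
# Assumptions: SLES-style certificate paths, AJP on 8009 and the context list
# below; replace them with what is actually deployed.

CONTEXTS="osp sspr IDMProv idmdash rra IDMRPT"

render_vhost() {  # $1 = server name (host in the configupdate URLs), $2 = AJP port
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/$1.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/$1.key
    ProxyRequests Off
    ProxyPreserveHost On
EOF
    for ctx in $CONTEXTS; do
        printf '    ProxyPass /%s ajp://127.0.0.1:%s/%s\n' "$ctx" "$2" "$ctx"
    done
    printf '</VirtualHost>\n'
}

# Goes into Tomcat's server.xml next to (or instead of) the 8443 HTTPS connector.
# address="127.0.0.1" keeps AJP off the network: the protocol carries no
# authentication of its own, so only the local httpd may ever reach it.
render_connector() {  # $1 = AJP port
    printf '<Connector port="%s" protocol="AJP/1.3" address="127.0.0.1" redirectPort="443" />\n' "$1"
}

case "${1:-}" in
    --vhost)     render_vhost "${2:?server name}" "${3:-8009}" ;;
    --connector) render_connector "${2:-8009}" ;;
esac
```

mod_proxy, mod_proxy_ajp and mod_ssl must be loaded (a2enmod proxy proxy_ajp ssl on SLES), and once httpd answers on 443 the Tomcat HTTPS connector on 8443 can be firewalled off or removed so the applications are reachable only through the proxy. AJP has no authentication of its own, so the connector must stay bound to 127.0.0.1; on Tomcat 8.5.51/9.0.31 or later together with httpd 2.4.42 or later, add secretRequired="true" secret="..." to the connector and secret=... to each ProxyPass as a second control.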