Cannot connect to Novell Identity Server on multihomed host

  • 3121063
  • 16-Aug-2007
  • 26-Apr-2012

Environment


Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Access Administration

Situation

Linux Access Gateway set up to front-end a number of Web applications. Authentication was required for each of these applications, and the redirect to authenticate through the Novell Identity Server would result in a 100101044 error at the browser. Looking at the output of the catalina.out file, the following would be displayed:

<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105024: AMDEVICEID#esp-138B98BC4E339237: AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: ESP is requesting metadata from IDP https://idp-neil.novell.com/nidp/idff/metadata

<amLogEntry> 2007-08-15T19:45:17Z SEVERE NIDS IDFF: AM#100106001: AMDEVICEID#esp-138B98BC4E339237: Unable to load metadata for Embedded Service Provider: https://idp-neil.novell.com/nidp/idff/metadata, error: Connection refused

<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105039: AMDEVICEID#esp-138B98BC4E339237: AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: Error on session id 8227B4A17333BFB621976C2AB734E8CE, error 100101044-esp-138B98BC4E339237, Unable to authenticate. AM#100101044: AMDEVICEID#esp-138B98BC4E339237: : Embedded Provider failed to load Identity Provider metadata


Going straight to the Identity Server login page from the browser would work fine.

Resolution

Make sure that the Identity Server (IDP) is listening on every IP address that its baseURL hostname can resolve to. By default, the IDP server listens on the first bound interface only, eth0 in most cases.

If DNS resolves the Identity Server baseURL hostname to another interface on the box, there is no listener on that address on port 8443 (the default), and the attempt to connect to the IDP server is refused.

In the case above, an internal DNS server resolved the IDP server hostname to the internal IP address and an external DNS server resolved it to the external IP address. Since there was a listener only on the internal interface, requests to the internal IP address succeeded and every request to the external IP address failed with the "Connection refused" error shown above. This is why the Identity Server login page worked from the browser (which used the internal answer) while the ESP on the Access Gateway (which used the external answer) could not fetch the IDP metadata.

To verify and change the address used for the listener, look at the contents of the /var/opt/novell/tomcat4/conf/server.xml file. Search for the 8443 and 8080 strings to locate the Identity Server connector elements, and check whether an "address" attribute is present. Here's an example connector (attributes shown from minProcessors onward) from a setup that listens only on IP address 147.2.16.109:

minProcessors="5" maxProcessors="200" enableLookups="false" redirectPort="8443"
acceptCount="0" debug="0" connectionTimeout="20000" useURIValidationHack="false"
disableUploadTimeout="true" address="147.2.16.109" URIEncoding="utf-8"
useBodyEncodingURI="false" />


To listen on all interfaces instead, remove the address="..." attribute, for example:

minProcessors="5" maxProcessors="200" enableLookups="false" redirectPort="8443"
acceptCount="0" debug="0" connectionTimeout="20000" useURIValidationHack="false"
disableUploadTimeout="true" URIEncoding="utf-8" useBodyEncodingURI="false" />

Make sure that you do this for both connectors, the one on port 8080 and the one on port 8443, and restart the Identity Server's Tomcat instance so that the edited server.xml is read. Be aware that removing the address attribute binds both connectors, including the plain HTTP one on 8080, to every interface on the host. If the external interface should not expose them, keep the address attribute instead and make sure that every DNS view (internal and external) resolves the baseURL hostname to the bound address.
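The following script is an added example, not Novell code and not part of the original TID. It carries the diagnosis and the fix above through end to end: it pulls the IDP host out of the AM#100106001 line in catalina.out, reads the address attribute of the 8080 and 8443 connectors from a server.xml, predicts which DNS answers will be refused, and strips the address attribute from those two connectors. The server.xml, the log line, and the external address 198.51.100.20 (a documentation address standing in for the external interface) are constructed sample data; the function names are the example's own.

```python
"""Check and fix the multihomed Identity Server listener mismatch.

Added example, not Novell's code. Parses the SEVERE catalina.out line,
reads the Identity Server connectors from server.xml, predicts which
resolved addresses will get "Connection refused", and removes the
address attribute from the 8080 and 8443 connectors.
"""
import re
import xml.etree.ElementTree as ET

# Ports of the two Identity Server connectors named in the TID.
IDP_PORTS = (8080, 8443)

# Constructed sample: a cut-down Tomcat 4 server.xml in which both
# connectors are pinned to the internal interface 147.2.16.109.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
        port="8080" minProcessors="5" maxProcessors="200" enableLookups="false"
        redirectPort="8443" acceptCount="0" debug="0" connectionTimeout="20000"
        useURIValidationHack="false" disableUploadTimeout="true"
        address="147.2.16.109" URIEncoding="utf-8" useBodyEncodingURI="false" />
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
        port="8443" minProcessors="5" maxProcessors="200" enableLookups="false"
        acceptCount="0" debug="0" scheme="https" secure="true"
        address="147.2.16.109" URIEncoding="utf-8" useBodyEncodingURI="false">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
          clientAuth="false" protocol="TLS" />
    </Connector>
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the SEVERE line from the TID as written to catalina.out.
SAMPLE_LOG = (
    "<amLogEntry> 2007-08-15T19:45:17Z SEVERE NIDS IDFF: AM#100106001: "
    "AMDEVICEID#esp-138B98BC4E339237: Unable to load metadata for Embedded "
    "Service Provider: https://idp-neil.novell.com/nidp/idff/metadata, "
    "error: Connection refused\n"
)

# Constructed sample: what the internal and the external DNS view return
# for the IDP baseURL hostname (198.51.100.20 stands in for the external IP).
RESOLVED_IPS = ["147.2.16.109", "198.51.100.20"]

LOG_RE = re.compile(r"AM#100106001:.*?https?://([^/:,\s]+)")
# Attribute values cannot contain '>', so this spans exactly one start tag,
# including tags that wrap across several lines.
CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>")


def idp_hosts_from_log(log_text):
    """Hostnames of IDPs whose metadata the ESP failed to load (AM#100106001)."""
    return set(LOG_RE.findall(log_text))


def connector_bindings(server_xml, ports=IDP_PORTS):
    """Map each Identity Server connector port to its bound address.

    None means there is no address attribute, i.e. the connector accepts
    connections on every interface of the host.
    """
    root = ET.fromstring(server_xml)
    return {int(c.get("port")): c.get("address")
            for c in root.iter("Connector") if int(c.get("port", 0)) in ports}


def refused_connections(bindings, resolved_ips):
    """(port, ip) pairs a client will be refused on: DNS returned the ip,
    but the connector on that port is bound to a different address."""
    return [(port, ip)
            for port, bound in sorted(bindings.items()) if bound is not None
            for ip in resolved_ips if ip != bound]


def unbind_connectors(server_xml, ports=IDP_PORTS):
    """Remove address="..." from the given connectors only, editing the text
    in place so that the rest of server.xml (comments, layout) is preserved."""
    def strip_address(match):
        tag = match.group(0)
        port = re.search(r'\bport="(\d+)"', tag)
        if port and int(port.group(1)) in ports:
            tag = re.sub(r'\s+address="[^"]*"', "", tag)
        return tag
    return CONNECTOR_RE.sub(strip_address, server_xml)


def report(server_xml=SAMPLE_SERVER_XML, log_text=SAMPLE_LOG,
           resolved_ips=RESOLVED_IPS):
    """Run the check end to end and return the findings as lines of text."""
    lines = [f"ESP could not load IDP metadata from {host}"
             for host in sorted(idp_hosts_from_log(log_text))]
    bindings = connector_bindings(server_xml)
    for port, bound in sorted(bindings.items()):
        lines.append(f"connector {port}: listening on {bound or 'all interfaces'}")
    for port, ip in refused_connections(bindings, resolved_ips):
        lines.append(f"DNS answer {ip} -> port {port} will be refused")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
    fixed = unbind_connectors(SAMPLE_SERVER_XML)
    print("after removing address=:", connector_bindings(fixed))
```

On a real box, feed the script the live /var/opt/novell/tomcat4/conf/server.xml and the answers from both DNS views, then confirm the result after the Tomcat restart with netstat -lnt or ss -lnt: before the fix the listener shows as 147.2.16.109:8443, afterwards as 0.0.0.0:8443 (or :::8443).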