Environment
Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Netware Access Gateway
Novell Access Management 3 Support Pack 2 applied
Situation
An Access Manager setup was defined in which users are required to
authenticate to a Novell Identity (NIDP) server when accessing a
Linux Access Gateway (LAG) protected resource. Two IDP and LAG
services existed in clusters. After configuring Access Manager to
do the above, users would get the following error message after
entering credentials on the IDP server login page:
"Error obtaining SOAP response.
Reason: White spaces are required between publicId and systemId"
All users would experience this error.
Resolution
Make sure that connectivity exists to the /nidp/idff/soap service
on the IDP servers. The baseURL of the IDP servers was set up with
TCP port 443, and an iptables command was defined to translate
TCP 443 to port 8443, on which the application was listening. When
one of the IDP servers needed to proxy the SOAP request to the other
IDP server in the cluster (based on the cluster cookie), it was not
able to connect to the TCP port running the SOAP service. The
following excerpt from the catalina.log file shows the error:
"Forwarding HTTP request to cluster member at URL:
https://171.215.74.240:443/nidp/idff/soap"
<amLogEntry> 2008-02-12T19:26:19Z NIDS Trace: Method:
NIDPProxyableServlet.A()
Thread: http-8443-Processor2
Proxy: Request: added header: Name: soapaction, Value:
urn:liberty:soap-action
Proxy: Request: added header: Name: content-type, Value: text/xml; charset="utf-8"
Proxy: Request: added header: Name: connection, Value: close
Proxy: Request: added header: Name: user-agent, Value: Java/1.4.2_12
Proxy: Request: added header: Name: host, Value: login.novell.com
Proxy: Request: added header: Name: accept, Value: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy: Request: added header: Name: content-length, Value: 584
Proxy: Request: added new Via header: HTTP/1.1 171.215.36.9
Proxy: Request: added new custom NIDPProxiedRequest http header:
171.215.36.9;fckuhjec4tv2xx;fckuhjelqf52xy
Proxy: Response: The Cluster Proxy Request List has 0 members!
</amLogEntry>
2008-02-12T19:26:19Z NIDS Trace: NIDP TRACE
EXCEPTION LOG
(Thread: http-8443-Processor2):
Exception message: "Connection refused"
PlainSocketImpl.java, Line: -2, Method: socketConnect
PlainSocketImpl.java, Line: 305, Method: doConnect
PlainSocketImpl.java, L
:
:
The connection failure to this IP address stemmed from an invalid iptables command that performed the translation on eth0 only, when in fact the requests were coming in on eth1. Adding the following to the iptables script fixed the issue.
iptables -t nat --flush
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 171.215.74.239:8443
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to 171.215.74.240:8443
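The check this TID asks for (connectivity to /nidp/idff/soap on every cluster member) can be scripted from the catalina.log trace itself. The following is an added example, not code from the TID or from Novell Access Manager: it pulls the "Forwarding HTTP request to cluster member at URL" targets out of a log excerpt, counts the "Connection refused" exceptions, and probes each member's baseURL port over TCP so a DNAT rule that is missing on one inbound interface shows up as an unreachable member. The log text embedded below is constructed to mirror the excerpt above; the function names and the probe signature are this example's own.

```python
"""Added example (not part of the TID): find the IDP cluster members that an
IDP server tried to proxy a SOAP request to, and test whether the port in
their baseURL accepts TCP connections right now."""
import re
import socket
from urllib.parse import urlsplit

# Constructed sample, modelled on the catalina.log excerpt quoted in the TID.
SAMPLE_LOG = '''"Forwarding HTTP request to cluster member at URL:
https://171.215.74.240:443/nidp/idff/soap"
<amLogEntry> 2008-02-12T19:26:19Z NIDS Trace: Method: NIDPProxyableServlet.A()
Thread: http-8443-Processor2
Proxy: Response: The Cluster Proxy Request List has 0 members!
</amLogEntry>
2008-02-12T19:26:19Z NIDS Trace: NIDP TRACE EXCEPTION LOG (Thread: http-8443-Processor2):
Exception message: "Connection refused"
PlainSocketImpl.java, Line: -2, Method: socketConnect
'''

# The URL in the trace is wrapped onto the line after "at URL:", so allow
# any whitespace (including a newline) between the label and the URL.
FORWARD_RE = re.compile(r'cluster member at URL:\s*(https?://[^\s"]+)')
REFUSED_RE = re.compile(r'Exception message: "Connection refused"')


def proxy_targets(log_text):
    """Return unique (host, port) pairs the IDP attempted to proxy SOAP requests to."""
    targets = []
    for url in FORWARD_RE.findall(log_text):
        parts = urlsplit(url)
        # baseURL port if given, otherwise the scheme default
        port = parts.port or (443 if parts.scheme == "https" else 80)
        pair = (parts.hostname, port)
        if pair not in targets:
            targets.append(pair)
    return targets


def refused_count(log_text):
    """Number of 'Connection refused' exception entries in the excerpt."""
    return len(REFUSED_RE.findall(log_text))


def tcp_check(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes, i.e. the DNAT rule
    (or a direct listener) delivers the connection to something listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(log_text, probe=tcp_check):
    """Map each proxied cluster member ("host:port") to its current reachability.
    The probe is injectable so the logic can be exercised without network access."""
    return {f"{host}:{port}": probe(host, port) for host, port in proxy_targets(log_text)}


if __name__ == "__main__":
    print("proxy targets:", proxy_targets(SAMPLE_LOG))
    print("connection refused entries:", refused_count(SAMPLE_LOG))
    for member, ok in diagnose(SAMPLE_LOG).items():
        state = "reachable" if ok else "NOT reachable: check the DNAT rule on every inbound interface"
        print(member, state)
```

Run it on each IDP server of the cluster, since the PREROUTING DNAT is evaluated per inbound interface; a member that is reachable from one server but refused from another points at the interface mismatch described above rather than at the SOAP service itself.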