Environment
Novell Access Manager 3.1 Access Administration
Novell Access Manager 3.1 Linux Access Gateway
NAT enabled Access Manager setup
Situation
An Access Manager setup was performed with a Network Address Translation (NAT) device located between the Linux Access Gateway (LAG) and the Admin Console, as follows:
AC/IDP-----Private Network------NAT------Public Network-----LAG
With this setup, the Admin Console's (AC) Health panel for the LAG always shows yellow for the service "Configuration Datastore" with a corresponding message "Some configuration datastore replicas are not responding". Despite this warning, the Administrator is able to push configuration changes to that LAG successfully.
However, the command status goes to Pending and stays there. Clicking the Pending link to get to the Command Status page shows that the Configuration command was successful but the "Service Provider Refresh" command is in Pending.
Resolution
Access Manager currently does NOT support a NAT device being placed between the Admin Console and any of the remote components such as LAG, Identity Server, SSLVPN or Java Agents.
In the setup above, the LAG's Embedded Service Provider (ESP) is still trying to talk to the private IP address of the Admin Console rather than the public NAT-mapped address. A snippet from the LAG's /var/opt/novell/tomcat5/logs/catalina.out is below. You can see that it is trying to open an LDAPS connection (port 636) to the internal IP address of the AC (10.251.202.150) instead of its public NAT address (137.65.1.111). The ESP retries that replica every 60 seconds ("Will try again after 60000 milliseconds"), which is why the Configuration Datastore health stays yellow and the "Service Provider Refresh" command stays Pending for as long as the private address is unreachable from the LAG.
******************************************************
Replica: Id: fn7tpwcq3gp8o, host: ldaps://10.251.202.150, Initiating placement
onto restart thread!
(2 of 2):
Replica: Id: fn7tpwcq3gp8o, host: ldaps://10.251.202.150, Already on restart
thread!
</amLogEntry>
<amLogEntry> 2008-11-06T21:08:42Z NIDS Trace: Method:
JNDIUserStoreReplicaRestart.run()
Thread: JNDIReplicaRestart-fn7tq760qbd8s
Replica ldaps://10.251.202.150 restart failed! Will try again after 60000
milliseconds!
</amLogEntry>
<amLogEntry> 2008-11-06T21:08:47Z NIDS Trace: Method: CacheMap.A()
Thread: http-8080-Processor25
(1 of 2):
Retrieval of object from cache session failed using key
9C54F9996A5D9EA70F813630E21FC3C1. Cache size is 113
(2 of 2):
Addition of object com.novell.nidp.servlets.NIDPServletSession@110c2e8 to cache
session succeeded using key 9C54F9996A5D9EA70F813630E21FC3C1. Cache size is
114
</amLogEntry>
<amLogEntry> 2008-11-06T21:08:49Z NIDS Trace: Method:
NIDPServletContext.getServiceVersion()
Thread: RMI TCP Connection(234)-127.0.0.1
Product version: 3.1.0-380
</amLogEntry>
<amLogEntry> 2008-11-06T21:09:19Z NIDS Trace: Method: CacheMap.A()
Thread: http-8080-Processor25
(1 of 2):
Retrieval of object from cache session failed using key
E1C41483F4201D0D50AC84972AF02494. Cache size is 114
(2 of 2):
Addition of object com.novell.nidp.servlets.NIDPServletSession@1f3329a to cache
session succeeded using key E1C41483F4201D0D50AC84972AF02494. Cache size is
115
</amLogEntry>
<amLogEntry> 2008-11-06T21:09:35Z NIDS Trace: Method: CacheMap.A()
Thread: ContainerBackgroundProcessor[StandardEngine[Catalina]]
Retrieval of object com.novell.nidp.servlets.NIDPServletSession@10a8143 from
cache session succeeded using key FFAA58438EE8691C8F1571F6690DB68A. Cache size
is 115
</amLogEntry>
<amLogEntry> 2008-11-06T21:09:35Z VERBOSE NIDS Application: Session has
consumed authentications: false </amLogEntry>
<amLogEntry> 2008-11-06T21:09:35Z NIDS Trace: Method: CacheMap.A()
Thread: ContainerBackgroundProcessor[StandardEngine[Catalina]]
(1 of 2):
Removal of object com.novell.nidp.servlets.NIDPServletSession@10a8143 from
cache session succeeded using key FFAA58438EE8691C8F1571F6690DB68A. Cache size
is 114
(2 of 2):
Retrieval of object com.novell.nidp.servlets.NIDPServletSession@a7fdef from
cache session succeeded using key EC52749B7B431C8DE5C3D0F7E33AC36C. Cache size
is 114
</amLogEntry>
<amLogEntry> 2008-11-06T21:09:35Z VERBOSE NIDS Application: Session has
consumed authentications: false </amLogEntry>
<amLogEntry> 2008-11-06T21:09:37Z NIDS Trace: Method: CacheMap.A()
Thread: ContainerBackgroundProcessor[StandardEngine[Catalina]]
Removal of object com.novell.nidp.servlets.NIDPServletSession@a7fdef from cache
session succeeded using key EC52749B7B431C8DE5C3D0F7E33AC36C. Cache size is
113
</amLogEntry>
<amLogEntry> 2008-11-06T21:09:40Z NIDS Trace: Method:
JNDIUserStoreReplicaRestart.run()
Thread: JNDIReplicaRestart-fn7tq760qbd8s
(1 of 2):
Woke up from sleep! Attempting to open admin pool on replica:
ldaps://10.251.202.150
(2 of 2):
Starting reopen of admin pool!
</amLogEntry>
<amLogEntry> 2008-11-06T21:09:40Z NIDS Trace: Method:
JNDIUserStoreReplicaConnectionPool.open()
Thread: JNDIReplicaRestart-fn7tq760qbd8s
Pool Id: PLfn7tpwcq80u8p:fn7tpwcq3gp8o, Opening pool on host:
ldaps://10.251.202.150
</amLogEntry>
<amLogEntry> 2008-11-06T21:09:40Z NIDS Trace: Method:
JNDIUserStoreReplicaConnectionPool.A()
Thread: JNDIReplicaRestart-fn7tq760qbd8s
(1 of 2):
Pool Id: PLfn7tpwcq80u8p:fn7tpwcq3gp8o, Connection deficit: 1, max: 3, checked
out: 0, checked in: 0
(2 of 2):
Pool Id: PLfn7tpwcq80u8p:fn7tpwcq3gp8o, Filling deficit #0 of 1, Create at
:ldaps://10.251.202.150 for user
ou=nidsUser,ou=UsersContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
</amLogEntry>
<amLogEntry> 2008-11-06T21:09:42Z NIDS Trace: Method:
JNDIUserStoreReplicaConnection.<init>()
Thread: JNDIReplicaRestart-fn7tq760qbd8s
Connection: fn7w6qafks8d2, Environment Parameters for InitialDirContext()
method call:
Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory
Key: java.naming.provider.url, Value: ldaps://10.251.202.150:636
Key: com.sun.jndi.ldap.connect.timeout, Value: 14000
Key: java.naming.security.principal, Value:
ou=nidsUser,ou=UsersContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
Key: java.naming.security.authentication, Value: simple
Key: java.naming.security.credentials, Value: *****
Key: java.naming.security.protocol, Value: ssl
Key: java.naming.ldap.factory.socket, Value:
com.novell.nidp.common.util.net.client.NIDP_SSLSocketFactory
</amLogEntry>
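The check below is added here as an example and is not part of the original TID or of Novell's own tooling. It parses a catalina.out excerpt for the ldap(s):// replica URLs the ESP is trying to reach, classifies each host as a private (RFC 1918) or public address, counts logged restart failures, and compares the host against the NAT-mapped address the LAG is expected to use. The sample log text is constructed from the entries above with the 80-column wrapping removed; the expected public address 137.65.1.111 is the NAT address named in this TID. The "restart failed" wording and the `Key: java.naming.provider.url` line are taken from the excerpt; the private/public split relies on Python's `ipaddress.is_private`.

```python
import ipaddress
import re

# Constructed sample: entries from the catalina.out excerpt in this TID,
# with the wrapped lines joined so each entry reads as one line per field.
SAMPLE_LOG = """\
<amLogEntry> 2008-11-06T21:08:42Z NIDS Trace: Method: JNDIUserStoreReplicaRestart.run()
Thread: JNDIReplicaRestart-fn7tq760qbd8s
Replica ldaps://10.251.202.150 restart failed! Will try again after 60000 milliseconds!
</amLogEntry>
<amLogEntry> 2008-11-06T21:09:40Z NIDS Trace: Method: JNDIUserStoreReplicaConnectionPool.open()
Thread: JNDIReplicaRestart-fn7tq760qbd8s
Pool Id: PLfn7tpwcq80u8p:fn7tpwcq3gp8o, Opening pool on host: ldaps://10.251.202.150
</amLogEntry>
<amLogEntry> 2008-11-06T21:09:42Z NIDS Trace: Method: JNDIUserStoreReplicaConnection.<init>()
Key: java.naming.provider.url, Value: ldaps://10.251.202.150:636
</amLogEntry>
"""

# scheme, host, optional explicit port
LDAP_URL = re.compile(r"\b(ldaps?)://([0-9A-Za-z.\-]+)(?::(\d+))?")
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def extract_replica_targets(log_text):
    """Map each ldap(s) host the ESP tried to reach to its ports and restart-failure count."""
    targets = {}
    for line in log_text.splitlines():
        for scheme, host, port in LDAP_URL.findall(line):
            entry = targets.setdefault(host, {"ports": set(), "restart_failures": 0})
            entry["ports"].add(int(port) if port else DEFAULT_PORT[scheme])
            # Wording taken from the JNDIUserStoreReplicaRestart.run() entry above.
            if "restart failed" in line:
                entry["restart_failures"] += 1
    return targets


def classify_host(host):
    """'private' (RFC 1918 / ULA), 'public', or 'name' for a DNS name we cannot judge offline."""
    try:
        return "private" if ipaddress.ip_address(host).is_private else "public"
    except ValueError:
        return "name"


def audit_nat_replicas(log_text, nat_public_host):
    """Return one finding per replica host; 'problem' is None when nothing looks wrong."""
    findings = []
    for host, info in sorted(extract_replica_targets(log_text).items()):
        kind = classify_host(host)
        if kind == "private":
            # This is the failure mode in the TID: the ESP was handed the AC's
            # internal address, which is not routable from the far side of the NAT.
            problem = (f"ESP is using the Admin Console's private address {host}; "
                       f"behind NAT it would need to reach {nat_public_host}")
        elif host != nat_public_host:
            problem = f"replica host {host} is not the expected NAT address {nat_public_host}"
        elif info["restart_failures"]:
            problem = f"{info['restart_failures']} restart failure(s) against {host}"
        else:
            problem = None
        findings.append({"host": host, "kind": kind, "ports": sorted(info["ports"]),
                         "restart_failures": info["restart_failures"], "problem": problem})
    return findings


if __name__ == "__main__":
    # Run against a real file with: open("/var/opt/novell/tomcat5/logs/catalina.out").read()
    for finding in audit_nat_replicas(SAMPLE_LOG, "137.65.1.111"):
        print(finding)
```

Running this over the sample reports the single replica host 10.251.202.150 on port 636 as private, with one logged restart failure, which is exactly the condition the TID describes. A "name" classification means the ESP was given a hostname rather than an IP, and whether it resolves to the private or the public side has to be checked from the LAG itself.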