iManager 2.7 no longer forwards HTTP from 8080 to HTTPS on 8443 after applying SP3.

  • 7003772
  • 06-Jul-2009
  • 10-Jun-2013

Environment

Novell iManager 2.7
SUSE Linux Enterprise Server 10
Novell NetWare 6.5

Situation

Historically, when iManager was accessed via an insecure URL, the server forwarded the client to the configured secure port and specified HTTPS as the protocol to use.  An example of the insecure URL on Linux follows:

http://ipAddress:8080/nps

The default corresponding secure URL on Linux would be the following:

https://ipAddress:8443/nps

After applying iManager 2.7 SP3, accessing the former URL no longer forwards to the latter; instead the session continues on port 8080 using the cleartext protocol.  Accessing the latter URL directly is preferred in any case, but this change in functionality is not expected.

Resolution

A security update included in the move to iManager 2.7 SP3 changed the web.xml file, which holds the setting that forwards the client to the secure Tomcat port.  In most cases the setting can still be seen in the oldweb.xml file, which was created at the time that SP3 was applied.  By default the web.xml file is in /var/opt/novell/tomcat5/webapps/nps/WEB-INF on Linux and in sys:/tomcat/5.0/webapps/nps/WEB-INF on NetWare.  The section at the bottom of the file that holds this setting is shown below:

  <!-- WELCOME FILE LIST -->
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <!--
      The following setting allows you to force SSL
      browser connections. If you do not want to force SSL
      browser connections, add comment tags around the
      <security-constraint> element and restart your
      web application (ie. tomcat).
  -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL-requiring Area</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

This entire section should go at the bottom of the web.xml file, before the closing </web-app> XML tag.  For example, the last section of the file, through the end of the file, may resemble the following before the section is added:

 <mime-mapping>
       <extension>zip</extension>
       <mime-type>application/zip</mime-type>
 </mime-mapping>

</web-app>


After the section is added, the end of the file should show the following:

  <mime-mapping>
    <extension>zip</extension>
    <mime-type>application/zip</mime-type>
  </mime-mapping>

  <!-- WELCOME FILE LIST -->
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <!--
      The following setting allows you to force SSL
      browser connections. If you do not want to force SSL
      browser connections, add comment tags around the
      <security-constraint> element and restart your
      web application (ie. tomcat).
  -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL-requiring Area</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>

Restart the Tomcat instance associated with iManager to apply the change.  If there are multiple iManager instances with the same symptom, be sure to apply the change to each of them individually.
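
To confirm the constraint is really active after the edit, the check below parses web.xml rather than searching it as text, because a text search also matches a <security-constraint> element that has been wrapped in comment tags. This is an added example, not part of the original document or of iManager; the function names and the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples (not copied from a real server): the tail of web.xml
# with the constraint active, and with it wrapped in comment tags.
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL-requiring Area</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>"""
ACTIVE = "<web-app>\n" + CONSTRAINT + "\n</web-app>"
COMMENTED = "<web-app>\n<!--\n" + CONSTRAINT + "\n-->\n</web-app>"


def local(tag):
    """Drop any XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def confidential_patterns(web_xml):
    """Return the url-patterns under an active CONFIDENTIAL constraint."""
    root = ET.fromstring(web_xml)  # the default parser discards comments
    patterns = []
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        texts = {}
        for el in sc.iter():
            texts.setdefault(local(el.tag), []).append((el.text or "").strip())
        if "CONFIDENTIAL" in texts.get("transport-guarantee", []):
            patterns.extend(texts.get("url-pattern", []))
    return patterns


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to the web.xml file for this platform
        with open(sys.argv[1], "rb") as fh:  # bytes: honour the XML encoding
            found = confidential_patterns(fh.read())
        print("forced to SSL:", found or "nothing (missing or commented out)")
        sys.exit(0 if found else 1)
    print(confidential_patterns(ACTIVE), confidential_patterns(COMMENTED))
```

Run it with the path to web.xml as the only argument on each iManager instance; an exit status of 1 means no active CONFIDENTIAL constraint was found in that file.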