Access Gateway Service is not passing alternate hostname in reference header properly in 3.2 and 3.2ir1

  • 7010882
  • 06-Oct-2012
  • 06-Oct-2012

Environment

NetIQ Access Manager 3.2

Situation

When an alternate host name is configured, the Access Gateway Service (AGS/MAG) corrupts the referrer value sent to the web server.

This became a problem because the customer was using a custom authentication method which relied on a proper referrer name to grant access to the web server. Since the hostname was blank, the end user was redirected to an error page defined at the web server. There could be other symptoms depending on how the referrer is being used, but the problem is in the /opt/novell/ag/t/opt/novell/ag/lib/mod_novell_ag.so.1.0.0 library included with NAM version 3.2 and 3.2_ir1.

Resolution

The issue has been reported to engineering and is fixed in 3.2 Support Pack 1. If you are experiencing the issue and version 3.2 Support Pack 1 is not yet available (it was not available at the time this TID was authored), please contact Novell Technical Services to obtain the fixed library until SP1 becomes available.

Cause

The Access Gateway Service (AGS/MAG) was nullifying the value in memory that contained the alternate host name when passing the referrer header to the web server.

Example:

https://portal.acme.com/home/Home.aspx

[Fri Sep 07 08:38:18 2012] [debug] mod_deflate.c(615): AMEVENTID#1012: Zlib: Compressed 139 to 118 : URL /Services/Brokerage.aspx, referer: http://home/Home.aspx

Notice the hostname is not present after referrer, e.g. http://*/

The problem is present in both 3.2 and 3.2ir1.

See Additional Information below for notes on the configuration and duplication steps used to identify and fix the issue.

Additional Information

Configuration/Duplication

a) Configured alternate host name (proxy91.com). The published DNS name is www.ag1.com.

b) Enabled Rewrite Inbound Headers (rewriteRefererHeader) option under HTML Rewriter

c) Issued the first request to http://www.ag1.com:81/scott

d) Then issued the request to http://www.ag1.com:81/scott/stuff

e) Verified the referrer header sent from MAG to web server was nullified.

1. The referrer header was http://www.proxy91.com/scott

2. Then issued another request to http://www.ag1.com:81/scott/stuff

3. The referrer header was http://scott/stuff/

Applied the fixed build of mod_novell_ag.so.1.0.0, restarted novell-apache2, and performed the same test.

Now at step 3.e) the correct referrer id of http://www.ag1.com:81/scott/stuff is observed.
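
A way to check the Apache debug log for this symptom before and after replacing the library (added example, not part of the original TID and not NetIQ code). It assumes the "URL ..., referer: ..." line format quoted under Cause; the host list and every sample line except the first are constructed.

```python
import re
from urllib.parse import urlsplit

# Tail of the debug line quoted under Cause: "URL <path>, referer: <url>"
LINE_RE = re.compile(r"URL (?P<url>\S+?), referer: (?P<referer>\S+)")

# Names the gateway answers to (published DNS name and alternate host name).
# Assumption: adjust this set to the proxy service being checked.
KNOWN_HOSTS = {"portal.acme.com", "www.ag1.com", "www.proxy91.com"}

SAMPLE_LINES = [
    # Line quoted in this TID.
    "[Fri Sep 07 08:38:18 2012] [debug] mod_deflate.c(615): AMEVENTID#1012: Zlib: "
    "Compressed 139 to 118 : URL /Services/Brokerage.aspx, referer: http://home/Home.aspx",
    # Constructed: intact referer carrying the alternate host name.
    "[Fri Sep 07 08:38:19 2012] [debug] mod_deflate.c(615): AMEVENTID#1012: Zlib: "
    "Compressed 139 to 118 : URL /scott/stuff, referer: http://www.proxy91.com/scott",
    # Constructed: host dropped, first path segment sits where the host should be.
    "[Fri Sep 07 08:38:20 2012] [debug] mod_deflate.c(615): AMEVENTID#1012: Zlib: "
    "Compressed 139 to 118 : URL /scott/stuff, referer: http://scott/stuff/",
    # Constructed: request without a referer, ignored by the scan.
    "[Fri Sep 07 08:38:21 2012] [debug] mod_deflate.c(615): AMEVENTID#1012: Zlib: "
    "Compressed 139 to 118 : URL /scott",
]


def host_was_dropped(referer, known_hosts):
    """True when the referer host is empty or a single label that is not a
    gateway name. Dotted hosts from other sites are not flagged."""
    host = (urlsplit(referer).hostname or "").lower()
    if host in known_hosts:
        return False
    return "." not in host


def find_hostless_referers(lines, known_hosts=KNOWN_HOSTS):
    """Return (request_url, referer) pairs showing the corrupted referer."""
    known = {h.lower() for h in known_hosts}
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and host_was_dropped(m.group("referer"), known):
            hits.append((m.group("url"), m.group("referer")))
    return hits


if __name__ == "__main__":
    for url, referer in find_hostless_referers(SAMPLE_LINES):
        print(f"corrupted referer for {url}: {referer}")
```

With the fixed library in place, the same scan over fresh log lines should return no pairs.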