Environment
NetIQ Access Manager 3.2
Situation
The Access Gateway (AG) is used to accelerate a JSON-enabled video
cataloging web application called "QUMU", where the web server
simply sends parameters to the browser to execute. After
launching the web application, some elements on the main
application page do not display, and an option to upload and view
streamed files fails.
The issue only seems to appear with SSL enabled between the browser and the AG. When SSL is disabled between the AG and the browser, everything displays correctly. The communication between the web servers and the proxy is over port 80 in cleartext.
Using Fiddler to view the HTTP headers and payload on the browser, one could see that some of the links returned to the browser were referencing HTTP and not HTTPS. Since the AG only accepted requests over HTTPS, this was the likely reason for the failure.
Resolution
Make sure that the rewriter configuration includes the following
changes to allow the JSON responses to be rewritten:
a) Go to the default rewriter profile enabled for that proxy service.
b) Under 'If Requested URL Is', add the URL whose data needs to be rewritten, e.g.
/viewerportal/external/Service.json.do
Limiting the profile to specific URLs is purely for performance reasons: the more URLs the rewriter needs to look at, the greater the impact on performance.
c) Under 'And Document Content-Type Header Is', add
text/json-comment-filtered
application/json
Although we did not see them in this environment, some JSON-enabled apps also use the following content-type headers, which may therefore be required in some environments:
text/json
text/x-json
d) Under 'Additional Strings to Replace'
Search : https://video.novell.com
Replace: https://video.novell.com
or the relevant string that needs to be rewritten in the environment
Additional Information
When troubleshooting rewriter issues, the Fiddler trace on the
browser as well as the error_log and httpheaders files from the AG
are very useful. The Fiddler trace can be used to search for
internal ports, schemes, IP addresses or hostnames that may not
have been rewritten as they should have.
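The search described above can be scripted against a response body saved from the Fiddler trace. The following is an added example, not part of the original article or of the product: it reports whether the response's Content-Type is one of those listed in the Resolution, and lists any cleartext http:// links to the published host that were left in the JSON. The host video.example.com, the sample body, the function names, and the handling of comment-filtered JSON as a /* ... */ wrapper are assumptions.

```python
import json
import re

# Content types the article lists for the rewriter profile.
REWRITER_TYPES = {"text/json-comment-filtered", "application/json",
                  "text/json", "text/x-json"}

# Constructed sample body (comment-wrapped JSON with escaped slashes).
SAMPLE_BODY = r'''/* {"player": {"stream": "http:\/\/video.example.com\/viewerportal\/stream\/1",
 "thumb": "https://video.example.com/viewerportal/img/1.png"},
 "items": ["upload via http://video.example.com:80/viewerportal/upload"]} */'''


def walk_strings(node):
    """Yield every string value in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from walk_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk_strings(value)


def audit_response(content_type, body, published_host):
    """Return (type_in_profile, sorted http:// URLs pointing at published_host)."""
    mime = content_type.split(";")[0].strip().lower()
    text = body.strip()
    # Assumption: comment-filtered JSON arrives wrapped in /* ... */.
    if text.startswith("/*") and text.endswith("*/"):
        text = text[2:-2]
    doc = json.loads(text)  # decoding also undoes "\/" escaping
    pattern = re.compile(
        r"http://" + re.escape(published_host) + r"(?::\d+)?[^\s\"'<>]*",
        re.IGNORECASE)
    hits = {m.group(0) for s in walk_strings(doc) for m in pattern.finditer(s)}
    return mime in REWRITER_TYPES, sorted(hits)


if __name__ == "__main__":
    covered, urls = audit_response(
        "text/json-comment-filtered; charset=UTF-8", SAMPLE_BODY,
        "video.example.com")
    print("content type covered by rewriter profile:", covered)
    for url in urls:
        print("not rewritten:", url)
```

A response whose type is not covered, or whose body still contains http:// links after the profile change, points at the rewriter entry that needs adjusting.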
To get the error_log and httpheaders from the AG, use the settings below to enable debug:
a) In the Admin Console, go to Devices > Access Gateways > AG-Cluster Advanced Options. Add the following global Advanced options:
NAGGlobalOptions DebugHeaders=on
LogLevel info
DumpHeaders on
DumpResponseHeaders on
DumpHeadersFacility local6
DumpResponseHeadersFacility local6
b) Update the Access Gateways after adding the options.
c) Clear all logs before starting debug logging (you can simply echo > filename to reset a file on Linux).
d) Apache on the Access Gateways needs to be restarted in debug mode:
rcnovell-apache2 stop
rcnovell-apache2 start
e) Duplicate the issue and look at:
/var/opt/novell/nam/logs/mag/apache2/error_log
/var/opt/novell/nam/logs/mag/apache2/httpheaders
Fiddler trace from browser