JSON based application fails when accessed via Access Gateway

  • 7014694
  • 05-Mar-2014
  • 09-Jun-2014

Environment

NetIQ Access Manager 3.2

Situation

An Access Gateway (AG) is used to accelerate a JSON-enabled video cataloging web application called "QUMU", where the web server simply sends parameters to the browser to execute. After launching the web application, some elements on the main application page do not display, and an option to upload and view streamed files fails.

The issue only seems to appear with SSL enabled between the browser and the AG; when SSL is disabled between the AG and the browser, everything displays correctly. Communication between the web servers and the proxy is over port 80 in cleartext.

Using Fiddler to view the HTTP headers and payload on the browser, one could see that some of the links returned to the browser were referencing HTTP and not HTTPS. Since the AG only accepted requests over HTTPS, this was the likely reason for the failure.

Resolution

Make sure that the rewriter configuration includes the following changes to allow the JSON responses to be rewritten:

a) go to the default rewriter profile enabled for that proxy service
b) Under 'If Requested URL Is', add the URL whose data needs to be rewritten, e.g.

/viewerportal/external/Service.json.do

Restricting the rewriter to this URL is purely for performance reasons: the more URLs the rewriter has to look at, the greater the impact on performance.

c) Under 'And Document Content-Type Header Is', add

text/json-comment-filtered
application/json

Although we did not see it in this environment, some JSON-enabled apps also use the following content-type headers, and these may therefore be required in some environments:

text/json
text/x-json

d) Under 'Additional Strings to Replace'

Search : https://video.novell.com
Replace: https://video.novell.com

or the relevant string that needs to be rewritten in the environment

Additional Information

When troubleshooting rewriter issues, the Fiddler trace on the browser as well as the error_log and httpheaders files from the AG are very useful. The Fiddler trace can be used to search for internal ports, schemes, IP addresses or hostnames that may not have been rewritten as they should have.
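The search described above can be scripted. The following is an added example, not part of the original article or of NetIQ's tooling: it decodes a JSON response body copied out of the trace and reports URLs the rewriter left untouched. The hostnames, addresses and the assumption that the AG listens publicly on port 443 are constructed for illustration.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def strings(node):
    """Yield every string value in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from strings(child)

def find_unrewritten(body, internal_hosts=(), public_port=443):
    """Return sorted (reason, url) pairs for URLs that still point behind the AG."""
    text = body.strip()
    # text/json-comment-filtered responses wrap the JSON in /* ... */
    if text.startswith("/*") and text.endswith("*/"):
        text = text[2:-2]
    findings = set()
    for s in strings(json.loads(text)):  # decoding also undoes "http:\/\/" escaping
        for url in URL_RE.findall(s):
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if parts.scheme.lower() == "http":
                findings.add(("cleartext scheme", url))
            if host in internal_hosts:
                findings.add(("internal hostname", url))
            if parts.port not in (None, public_port):
                findings.add(("non-public port", url))
            try:
                if ipaddress.ip_address(host).is_private:
                    findings.add(("private IP address", url))
            except ValueError:
                pass  # host is a name, not an IP literal
    return sorted(findings)

# Constructed sample body (not taken from the QUMU application).
SAMPLE = r'''/*{"thumb":"http:\/\/video.example.com\/img\/1.png",
"stream":"https://video.example.com/play/1",
"upload":{"target":"http://10.1.2.3:8080/upload","alt":["https://web01.internal.example/api"]}}*/'''

if __name__ == "__main__":
    for reason, url in find_unrewritten(SAMPLE, {"web01.internal.example"}):
        print(f"{reason:20} {url}")
```

Decoding the JSON before searching matters because a plain text search for "http://" misses URLs whose slashes are escaped as "\/" in the payload.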

To get the error_log and httpheaders from the AG, use the settings below to enable debug:

a) In the Admin Console, go to Devices > Access Gateways > AG-Cluster Advanced Options. Add the following global Advanced options:

NAGGlobalOptions DebugHeaders=on
LogLevel info
DumpHeaders on
DumpResponseHeaders on
DumpHeadersFacility local6
DumpResponseHeadersFacility local6

b) Update the Access Gateways after adding the options.

c) Clear all logs before starting debug logging (on Linux, you can simply run echo > filename to reset a file).

d) Apache on the Access Gateways needs to be restarted in debug mode:

rcnovell-apache2 stop
rcnovell-apache2 start

e) Duplicate the issue and look at:

/var/opt/novell/nam/logs/mag/apache2/error_log
/var/opt/novell/nam/logs/mag/apache2/httpheaders
Fiddler trace from browser