Environment
NetIQ Access Manager 4.0
NetIQ Access Manager Appliance
Situation
- The NAM appliance configuration will create the "NAM-Service" proxy service which protects the NIDP server running on the same box.
- The configured IP address on the "Web Server List" references the IP address of the primary Access Gateway / NIDP server only
Resolution
- The NAM-Service reverse proxy should never be changed manually!
- The "Web Server List" entry is misleading: the NAM Appliance handles requests directed to the local NIDP server internally, so the listed IP address is not what actually serves /nidp.
- All NIDP server requests are directed to the local NIDP only.
- This is achieved with the Apache ProxyPass directive, which hands /nidp requests to the AJP connector on the loopback interface (127.0.0.1:9019).
You can see the real configuration details from within the "/etc/opt/novell/apache2/conf/vhosts.d/NAM-Services.conf" file:
-----------------------------------------------------------------------------------
ProxyPass /nidp/nidpsecure ajp://127.0.0.1:9019/nidp
ProxyPass /nidp ajp://127.0.0.1:9019/nidp
-----------------------------------------------------------------------------------
Apart from the X.509 certificate authentication process, the NIDP server clustering architecture does not require any Access Gateway to proxy requests between cluster members. Cross-landing requests (a request for one NIDP node landing on another) would in any case reduce performance because of the extra proxy hop.
Additional Information
Running Apache in debug mode (LogLevel debug), you can verify this from the error_log as well:
review the events generated by the "mod_proxy" module and confirm that requests for /nidp are connected to 127.0.0.1:9019 rather than to any external web server.
Example:
Apr 10 10:18:42 nam httpd[24840]: [debug] proxy_util.c(1506): AMEVENTID#14: proxy: ajp: found worker ajp://127.0.0.1:9019/nidp for ajp://127.0.0.1:9019/nidp/
Apr 10 10:18:42 nam httpd[24840]: [debug] mod_proxy.c(1024): Running scheme ajp handler (attempt 0)
Apr 10 10:18:42 nam httpd[24840]: [debug] mod_proxy_http.c(2115): proxy: HTTP: declining URL ajp://127.0.0.1:9019/nidp/
Apr 10 10:18:42 nam httpd[24840]: [debug] mod_proxy_ajp.c(731): proxy: AJP: serving URL ajp://127.0.0.1:9019/nidp/
Apr 10 10:18:42 nam httpd[24840]: [debug] proxy_util.c(2031): proxy: AJP: has acquired connection for (127.0.0.1)
Apr 10 10:18:42 nam httpd[24840]: [debug] proxy_util.c(2087): proxy: connecting ajp://127.0.0.1:9019/nidp/ to127.0.0.1:9019
Apr 10 10:18:42 nam httpd[24840]: [debug] proxy_util.c(2213): proxy: connected /nidp/ to 127.0.0.1:9019
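The following is an added example (not part of the NetIQ TID, and not NetIQ code) that automates both checks from this article: it parses the ProxyPass directives from a NAM-Services.conf text and the "proxy: connected" events from a mod_proxy debug error_log, and flags any /nidp traffic that is not routed to an AJP backend on the loopback interface. The configuration and log lines embedded below are constructed samples copied from the excerpts above; the `10.0.0.5` backend used in the usage section is a hypothetical example of a manually edited, non-local backend, and does not correspond to any real deployment.

```python
import re
from ipaddress import ip_address

# Constructed sample: the two ProxyPass lines as shown in the article's
# /etc/opt/novell/apache2/conf/vhosts.d/NAM-Services.conf excerpt.
SAMPLE_VHOST_CONF = """\
ProxyPass /nidp/nidpsecure ajp://127.0.0.1:9019/nidp
ProxyPass /nidp ajp://127.0.0.1:9019/nidp
"""

# Constructed sample of mod_proxy debug events, in the same format as the
# article's error_log excerpt (timestamps and pids are illustrative).
SAMPLE_ERROR_LOG = """\
Apr 10 10:18:42 nam httpd[24840]: [debug] proxy_util.c(1506): AMEVENTID#14: proxy: ajp: found worker ajp://127.0.0.1:9019/nidp for ajp://127.0.0.1:9019/nidp/
Apr 10 10:18:42 nam httpd[24840]: [debug] mod_proxy_ajp.c(731): proxy: AJP: serving URL ajp://127.0.0.1:9019/nidp/
Apr 10 10:18:42 nam httpd[24840]: [debug] proxy_util.c(2213): proxy: connected /nidp/ to 127.0.0.1:9019
"""

PROXYPASS_RE = re.compile(r'^\s*ProxyPass\s+(\S+)\s+(\S+)', re.M)
# "to\s*" tolerates the missing space seen in "connecting ... to127.0.0.1:9019".
CONNECTED_RE = re.compile(r'proxy: connected (\S+) to\s*([\d.]+):(\d+)')


def parse_proxypass(conf_text):
    """Return a list of (path, backend_url) tuples from ProxyPass directives."""
    return PROXYPASS_RE.findall(conf_text)


def backend_host_port(url):
    """Split 'scheme://host[:port]/...' into (host, port or None)."""
    m = re.match(r'^[a-z]+://([^/:]+)(?::(\d+))?', url)
    if not m:
        raise ValueError("not a proxy backend URL: %r" % url)
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def check_nidp_proxypass(conf_text):
    """For every /nidp ProxyPass entry, report (path, backend, ok).

    ok is True only when the backend uses the ajp scheme and points at the
    loopback interface, i.e. the local NIDP server as the appliance expects.
    """
    findings = []
    for path, backend in parse_proxypass(conf_text):
        if not path.startswith('/nidp'):
            continue
        scheme = backend.split('://', 1)[0]
        host, _port = backend_host_port(backend)
        findings.append((path, backend, scheme == 'ajp' and is_loopback(host)))
    return findings


def connected_backends(log_text):
    """Extract (request_path, host, port) from 'proxy: connected' debug events."""
    return [(p, h, int(port)) for p, h, port in CONNECTED_RE.findall(log_text)]


def nidp_requests_served_locally(log_text):
    """True when at least one /nidp request was seen and all went to loopback."""
    conns = [c for c in connected_backends(log_text) if c[0].startswith('/nidp')]
    return bool(conns) and all(is_loopback(h) for _, h, _ in conns)


if __name__ == "__main__":
    for path, backend, ok in check_nidp_proxypass(SAMPLE_VHOST_CONF):
        print("%-18s -> %-32s %s" % (path, backend, "OK" if ok else "NOT LOCAL"))
    print("error_log: /nidp served locally:",
          nidp_requests_served_locally(SAMPLE_ERROR_LOG))
    # Hypothetical manually edited backend, constructed for illustration only.
    print(check_nidp_proxypass("ProxyPass /nidp http://10.0.0.5:8080/nidp\n"))
```

On a real appliance, feed `open('/etc/opt/novell/apache2/conf/vhosts.d/NAM-Services.conf').read()` and the error_log contents into `check_nidp_proxypass` and `nidp_requests_served_locally` instead of the constructed samples; any entry reported as not local means the NAM-Service reverse proxy was changed by hand and should be restored.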