Changing the Web Server List configuration on the NAM-Service default proxy service breaks NAM 4.0 Appliance config

  • 7014902
  • 14-Apr-2014
  • 14-Apr-2014

Environment


NetIQ Access Manager 4.0
NetIQ Access Manager Appliance

Situation

  • The NAM appliance configuration creates the "NAM-Service" proxy service, which protects the NIDP server running on the same box.
  • The IP address configured in the "Web Server List" references the IP address of the primary Access Gateway / NIDP server only.

Resolution

  • The NAM-Service reverse proxy should never be changed manually!
  • This Web Server List configuration is misleading as the NAM Appliance handles requests directed to the local NIDP server internally.

  • All NIDP server requests will be directed to the local NIDP only.

  • This is achieved with the Apache ProxyPass directive.
    The real configuration details can be seen in the "/etc/opt/novell/apache2/conf/vhosts.d/NAM-Services.conf" file:
    -----------------------------------------------------------------------------------
    ProxyPass /nidp/nidpsecure ajp://127.0.0.1:9019/nidp
    ProxyPass /nidp ajp://127.0.0.1:9019/nidp

    -----------------------------------------------------------------------------------

    Apart from the X.509 authentication process, the clustering architecture of the NIDP server does not require any Access Gateway to proxy requests.
  • Cross-landing requests would in any case reduce performance because of the additional proxying.
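
The following check is an added example, not part of the original article or of the NetIQ product. It reads ProxyPass directives and reports any /nidp mapping that does not point at the local AJP backend quoted above; the function names and the 192.0.2.10 sample address are constructed for illustration.

```python
import re
import sys

# Backend quoted in the article's NAM-Services.conf excerpt.
EXPECTED = ("ajp", "127.0.0.1", 9019)

PROXYPASS = re.compile(
    r"^\s*ProxyPass\s+(\S+)\s+(\w+)://([^/:\s]+)(?::(\d+))?(/\S*)?", re.I)

def nidp_mappings(conf_text):
    """Return (line_no, path, scheme, host, port) for every ProxyPass on /nidp."""
    found = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = PROXYPASS.match(line)  # commented-out lines start with '#': no match
        if m and (m.group(1) == "/nidp" or m.group(1).startswith("/nidp/")):
            port = int(m.group(4)) if m.group(4) else None
            found.append((no, m.group(1), m.group(2).lower(), m.group(3), port))
    return found

def audit(conf_text):
    """Return findings; an empty list means every /nidp mapping is local."""
    mappings = nidp_mappings(conf_text)
    if not mappings:
        return ["no ProxyPass directive for /nidp found"]
    want = "%s://%s:%d" % EXPECTED
    return [f"line {no}: {path} -> {scheme}://{host}:{port}, expected {want}"
            for no, path, scheme, host, port in mappings
            if (scheme, host, port) != EXPECTED]

# The two directives quoted in the article.
ARTICLE_CONF = """\
ProxyPass /nidp/nidpsecure ajp://127.0.0.1:9019/nidp
ProxyPass /nidp ajp://127.0.0.1:9019/nidp
"""
# Constructed sample: the /nidp mapping points at a non-local address.
CHANGED_CONF = """\
ProxyPass /nidp/nidpsecure ajp://127.0.0.1:9019/nidp
# ProxyPass /nidp ajp://127.0.0.1:9019/nidp
ProxyPass /nidp ajp://192.0.2.10:9019/nidp
"""

if __name__ == "__main__":
    # Pass the path of NAM-Services.conf as the first argument to check a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ARTICLE_CONF
    findings = audit(text)
    print("\n".join(findings) if findings else "OK: /nidp is proxied to the local NIDP only")
    sys.exit(1 if findings else 0)
```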

Additional Information

When running Apache in debug mode, you can also verify this from the error_log.
Review the events generated by the "mod_proxy" module.

Example:

Apr 10 10:18:42 nam httpd[24840]: [debug] proxy_util.c(1506): AMEVENTID#14: proxy: ajp: found worker ajp://127.0.0.1:9019/nidp for ajp://127.0.0.1:9019/nidp/
Apr 10 10:18:42 nam httpd[24840]: [debug] mod_proxy.c(1024): Running scheme ajp handler (attempt 0)
Apr 10 10:18:42 nam httpd[24840]: [debug] mod_proxy_http.c(2115): proxy: HTTP: declining URL ajp://127.0.0.1:9019/nidp/
Apr 10 10:18:42 nam httpd[24840]: [debug] mod_proxy_ajp.c(731): proxy: AJP: serving URL ajp://127.0.0.1:9019/nidp/
Apr 10 10:18:42 nam httpd[24840]: [debug] proxy_util.c(2031): proxy: AJP: has acquired connection for (127.0.0.1)
Apr 10 10:18:42 nam httpd[24840]: [debug] proxy_util.c(2087): proxy: connecting ajp://127.0.0.1:9019/nidp/ to127.0.0.1:9019
Apr 10 10:18:42 nam httpd[24840]: [debug] proxy_util.c(2213): proxy: connected /nidp/ to 127.0.0.1:9019