Environment
- NetIQ Access Manager 4.2.1
- NetIQ Access Manager 4.1.2
- NetIQ Access Manager Appliance 4.2.1
- NetIQ Access Manager Appliance 4.1.2
Situation
- Four NetIQ Access Manager Appliances have been installed in a cluster
- A Layer 4 Switch has been configured to load balance between cluster nodes
- Each Appliance has two network interface cards
- The Management IP address has been configured at an IP address assigned to eth1
- All other services (NIDP Server, Access Gateway Reverse Proxy) have been configured for IP addresses assigned to eth0
- Users randomly receive the error message:
Error: NIDPMAIN.114
(An error has occurred which may have Invalided your authentication. Please try refreshing the browser page. If this error persists close this browser windows, open a new browser, and login again.)
Resolution
There are two different ways to solve this problem:
- Option 1) review the NetIQ Access Manager admin guide section "Configuring a Specific IP Address for Proxied Requests". Modify the web.xml file used by the NIDP server and add a proxyAddressMap context parameter that maps the management IP address to the IP address the NIDP server should use for proxied requests:
  <context-param>
    <param-name>proxyAddressMap</param-name>
    <param-value>Management_IP, unused, Proxied_Request_IP</param-value>
  </context-param>
- Option 2) modify the "Connector NIDP_Name" entry in server.xml so that it listens on all assigned IP addresses, and redirect traffic arriving on the management interface to the NIDP port. This takes two steps:
  - completely remove the address attribute from the connector. Example:
  <Connector NIDP_Name="connector" port="2443" maxThreads="1000" minSpareThreads="5"
             enableLookups="false" acceptCount="100" scheme="https" secure="true"
             disableUploadTimeout="true" URIEncoding="utf-8" sslProtocol="TLS" clientAuth="false"
             sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation"
             keystoreFile="/opt/novell/devman/jcc/certs/nam/nam.keystore" keystorePass="changit"
             SSLEnabled="true"
             ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA" />
  - create an init script which implements an iptables rule redirecting requests arriving on the management interface from destination port 443 to destination port 2443, similar to what is documented in the NetIQ Access Manager "install_upgrade" documentation section "Changing the Port on a Linux Identity Server", except that the redirection must go from destination port 443 to port 2443 rather than to 8443 (2443 is required with the NAM appliance)
Example:
#!/bin/sh
### BEGIN INIT INFO
# Provides: idp_2443_redirect
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: Redirect port 443 to port 2443 for the Novell IDP
### END INIT INFO

# Environment-specific variables: the interface on which redirected
# requests arrive and the IP address to which they are redirected.
IPT_BIN=/usr/sbin/iptables
INTF=eth0
ADDR=10.10.0.1

# SUSE init framework helpers (rc_reset, rc_status, rc_exit).
. /etc/rc.status

# First reset status of this service
rc_reset

case "$1" in
    start)
        echo -n "Starting IP Port redirection"
        # Start from an empty NAT table so the rules are not duplicated on restart.
        $IPT_BIN -t nat --flush
        # Incoming requests on $INTF for port 443 go to the NIDP connector on 2443.
        $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 -j DNAT --to ${ADDR}:2443
        # Locally generated requests to $ADDR:443 (e.g. cluster forwards) get the same redirect.
        $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 443 -j DNAT --to ${ADDR}:2443
        rc_status -v
        ;;
    stop)
        echo -n "Flushing all IP Port redirection rules"
        $IPT_BIN -t nat --flush
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
rc_exit
Cause
Because the management IP address is assigned to a different interface than the one the NIDP server listens on, every NIDP proxy request made to retrieve the session information of a user who started or was already logged in on another cluster node was sent to the wrong IP address (the management address). This is visible in catalina.out:
INFO NIDS Application: AM#500105001: AMDEVICEID#06E563D7A77FA4E6: AMAUTHID#A5920AF06F75273408CF000DD5C73BD2:
Forwarding HTTP request to cluster member at URL: https://[IP address of Management Interface not hosting the NIDP server]:443/nidp/saml2/sso?sid=0&sid=0
SEVERE NIDS Application: AM#100105001: AMDEVICEID#06E563D7A77FA4E6: AMAUTHID#A5920AF06F75273408CF000DD5C73BD2:
An error happened while forwarding a request to a cluster member. Error: Connection refused. Unable to forward request to cluster member.
INFO NIDS Application: AM#500105001: AMDEVICEID#06E563D7A77FA4E6: AMAUTHID#A5920AF06F75273408CF000DD5C73BD2:
Forwarding HTTP request to cluster member at URL: https://[IP address of Management Interface not hosting the NIDP server]:443/nidp/saml2/sso?sid=0&sid=0
SEVERE NIDS Application: AM#100105001: AMDEVICEID#06E563D7A77FA4E6: AMAUTHID#A5920AF06F75273408CF000DD5C73BD2:
An error happened while forwarding a request to a cluster member. Error: Connection refused. Unable to forward request to cluster member.
Additional Information
Troubleshooting:
- use the following NIDP cluster logging options:
  enable: File Logging
  enable: Echo To Console
  enable: Component File Logger Levels: Application+Liberty = Info
- clear the NIDP server catalina.out file:
  echo >/var/opt/novell/nam/logs/idp/tomcat/catalina.out
- install a browser header trace tool in order to follow a particular user session and match this with the
- use a fresh browser session in order to reproduce the problem
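As an added example that is not part of this TID, the following shell script performs the catalina.out check described above: it extracts the target of every "Forwarding HTTP request to cluster member" line and reports each target whose host is not one of the addresses the NIDP connector actually serves (in this scenario, a forward to a management address on port 443), together with the number of "Connection refused" failures. The embedded log sample, its IP addresses and its AMDEVICEID/AMAUTHID values are constructed placeholders, and NIDP_ADDRS is an assumed list that has to be replaced with the cluster's eth0 addresses.

```shell
#!/bin/sh
# Added example (not from the TID): check catalina.out for cluster forwards
# that target an address the NIDP connector does not listen on, which is the
# symptom shown under "Cause" (forwards to the management IP on port 443).

# Constructed sample in the format of the catalina.out lines quoted above.
# Addresses, AMDEVICEID and AMAUTHID values are placeholders, not real data.
SAMPLE_LOG='INFO NIDS Application: AM#500105001: AMDEVICEID#0000000000000001: AMAUTHID#00000000000000000000000000000001: Forwarding HTTP request to cluster member at URL: https://192.0.2.11:2443/nidp/saml2/sso?sid=0&sid=0
INFO NIDS Application: AM#500105001: AMDEVICEID#0000000000000001: AMAUTHID#00000000000000000000000000000002: Forwarding HTTP request to cluster member at URL: https://198.51.100.21:443/nidp/saml2/sso?sid=0&sid=0
SEVERE NIDS Application: AM#100105001: AMDEVICEID#0000000000000001: AMAUTHID#00000000000000000000000000000002: An error happened while forwarding a request to a cluster member. Error: Connection refused. Unable to forward request to cluster member.
INFO NIDS Application: AM#500105001: AMDEVICEID#0000000000000001: AMAUTHID#00000000000000000000000000000003: Forwarding HTTP request to cluster member at URL: https://192.0.2.12:2443/nidp/saml2/sso?sid=0&sid=0'

# Addresses on which the NIDP connector listens (the eth0 side of each node).
# Assumed placeholder values: replace with the cluster's real NIDP addresses.
NIDP_ADDRS='192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14'

# extract_forward_targets LOGFILE
#   Print host:port of every "Forwarding HTTP request to cluster member" line.
extract_forward_targets() {
    sed -n 's|.*Forwarding HTTP request to cluster member at URL: https\{0,1\}://\([^/]*\)/.*|\1|p' "$1"
}

# find_bad_forwards LOGFILE "ADDR ADDR ..."
#   Print each distinct host:port target whose host is not in the allowed list.
find_bad_forwards() {
    log=$1
    allowed=$2
    extract_forward_targets "$log" | sort -u | while IFS= read -r target; do
        host=${target%:*}
        case " $allowed " in
            *" $host "*) ;;                  # forwarded to a node's NIDP address
            *) printf '%s\n' "$target" ;;    # forwarded where the NIDP does not listen
        esac
    done
}

# count_refused LOGFILE
#   Count the SEVERE "Connection refused" forwarding failures.
count_refused() {
    grep -c 'forwarding a request to a cluster member\. Error: Connection refused' "$1" || true
}

# report LOGFILE
#   Summarise the findings; a non-empty bad-forward list points at the
#   proxyAddressMap / connector address misconfiguration described in the TID.
report() {
    bad=$(find_bad_forwards "$1" "$NIDP_ADDRS")
    if [ -n "$bad" ]; then
        echo "Cluster forwards to addresses the NIDP connector does not serve:"
        printf '  %s\n' $bad
        echo "Connection refused failures: $(count_refused "$1")"
        echo "Check proxyAddressMap in web.xml or the connector address in server.xml."
    else
        echo "All cluster forwards target known NIDP addresses."
    fi
}

if [ -n "${1:-}" ]; then
    report "$1"    # e.g. /var/opt/novell/nam/logs/idp/tomcat/catalina.out
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    report "$tmp"
    rm -f "$tmp"
fi
```

Run it with the path of the cleared and freshly populated catalina.out as its only argument; without an argument it runs against the embedded sample. A target such as Management_IP:443 in the output confirms that cluster forwards are still leaving on the management address, so Option 1 or Option 2 above has not taken effect yet.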