Environment
Access Manager 4.4.3 Admin Console
Situation
- iManager returns empty pages for:
  - Access Gateway Reverse Proxy Services list
  - Manage Directory Objects => Tree / Browser / Search
- A NAM 4.4.2 backup had been restored on a fresh NAM 4.4.3 Admin Console server
- iManager logs the following error in catalina.out:
  - java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
- 400 – Bad Request errors
Resolution
Make sure the connector in server.xml has the required relaxedPathChars and relaxedQueryChars parameters set:
<Connector NIDP_Name="connector" port="2443" maxHttpHeaderSize="8192" maxThreads="200" minSpareThreads="5" enableLookups="false" disableUploadTimeout="true" acceptCount="0" scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1.2" URIEncoding="UTF-8" allowUnsafeLegacyRenegotiation="false" keystorePass="changeit" SSLEnabled="true" address="147.2.92.100" ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2" relaxedPathChars="'[]|'" relaxedQueryChars="'[]|{}^&#x5c;&#x60;&quot;&lt;&gt;'" />
Cause
- The security level of Tomcat tomcat-8.5.32-1 (used with iManager) has been increased. It no longer allows, for example, raw square brackets in the query string.
- NAM 4.4.3 adds the relaxedPathChars="'[]|'" relaxedQueryChars="'[]|{}^&#x5c;&#x60;&quot;&lt;&gt;'" connector setting to address this issue. Because server.xml is part of the Access Manager Backup tool, a server.xml that does not include this directive is applied to the system when the backup is restored.
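A post-restore check for the condition described above, as an added example (not part of the original article or of Access Manager): it parses the text of a server.xml and reports connectors that lack relaxedPathChars / relaxedQueryChars. The function names, the port 8443 connector and the shortened attribute sets in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Characters the Tomcat documentation lists as valid in relaxedPathChars /
# relaxedQueryChars; anything else in the value (e.g. the quotes) is ignored.
RELAXABLE = set('"<>[\\]^`{|}')
REQUIRED = ("relaxedPathChars", "relaxedQueryChars")

def audit_connectors(server_xml_text):
    """Map connector port -> {attribute: effective relaxed chars, or None if absent}."""
    report = {}
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        report[conn.get("port", "?")] = {
            attr: (None if conn.get(attr) is None
                   else "".join(sorted(set(conn.get(attr)) & RELAXABLE)))
            for attr in REQUIRED
        }
    return report

def needs_fix(report):
    """Ports whose connector lacks either attribute (the restored-backup symptom)."""
    return sorted(p for p, attrs in report.items() if None in attrs.values())

def uncovered_query_chars(report, port, query):
    """Relaxable raw characters in `query` not covered by relaxedQueryChars on `port`."""
    relaxed = set(report[port]["relaxedQueryChars"] or "")
    return sorted((set(query) & RELAXABLE) - relaxed)

# Constructed sample: the first connector is what a restored pre-4.4.3 server.xml
# would look like; the second carries the two attributes from the Resolution.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" URIEncoding="UTF-8" />
  <Connector port="2443" scheme="https" secure="true" URIEncoding="UTF-8"
             relaxedPathChars="'[]|'"
             relaxedQueryChars="'[]|{}^&#x5c;&#x60;&quot;&lt;&gt;'" />
</Service></Server>"""

if __name__ == "__main__":
    rep = audit_connectors(SAMPLE)
    for port, attrs in rep.items():
        print(port, attrs, "MISSING" if port in needs_fix(rep) else "ok")
    # Constructed query string containing raw brackets and a pipe.
    print("8443 uncovered:", uncovered_query_chars(rep, "8443", "filter=[a|b]"))
    print("2443 uncovered:", uncovered_query_chars(rep, "2443", "filter=[a|b]"))
```

Run it against the contents of the restored server.xml before and after applying the Resolution; a connector listed by needs_fix() is one the restored backup left without the directive.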