NetIQ Access Manager Admin Console does not display AG Reverse Proxy Services list and Tree view

  • 7023652
  • 18-Jan-2019
  • 18-Jan-2019

Environment

Access Manager 4.4.3 Admin Console

Situation

  • iManager returns empty pages for:
    • Access Gateway Reverse Proxy Services list
    • Manage Directory Objects => Tree / Browser / Search

  • A NAM 4.4.2 backup had been restored on a fresh NAM 4.4.3 Admin Console server
  • iManager logs the following error in the catalina.out:

    • java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    • 400 – Bad Request errors

Resolution

Make sure the connector in server.xml has the required relaxedPathChars and relaxedQueryChars parameters set:

<Connector NIDP_Name="connector" port="2443" maxHttpHeaderSize="8192"
    maxThreads="200" minSpareThreads="5" enableLookups="false"
    disableUploadTimeout="true" acceptCount="0" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLSv1.2" URIEncoding="UTF-8"
    allowUnsafeLegacyRenegotiation="false" keystorePass="changeit"
    SSLEnabled="true" address="147.2.92.100"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
    sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2"
    relaxedPathChars="'[]|'"
    relaxedQueryChars="'[]|{}^&#x5c;&#x60;&quot;&lt;&gt;'" />

Cause

  • The security level of Tomcat tomcat-8.5.32-1 (used with iManager) has been increased. It no longer allows, for example, raw square brackets in the query string.
  • NAM 4.4.3 adds the relaxedPathChars="'[]|'" relaxedQueryChars="'[]|{}^&#x5c;&#x60;&quot;&lt;&gt;'" connector setting to address this issue. Because server.xml is included in the Access Manager backup, restoring the backup applies a server.xml that does not include this directive to the system.
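
A check for the restore scenario described above, as an added example rather than NetIQ's own tooling: it parses a server.xml and reports every Connector whose relaxedPathChars or relaxedQueryChars is missing or incomplete, including the case where the entities were escaped twice. The sample XML, the ports 8443 and 9443, and the name audit_connectors are assumptions made for illustration; the expected character sets come from the connector shown in this article.

```python
import xml.etree.ElementTree as ET

# Characters Tomcat accepts in these two attributes; anything else is ignored.
TOMCAT_RELAXABLE = set('"<>[\\]^`{|}')
# Expected characters, taken from the connector shown in this article.
EXPECTED = {
    "relaxedPathChars": set("[]|"),
    "relaxedQueryChars": set('[]|{}^\\`"<>'),
}

def audit_connectors(server_xml_text):
    """Return (port, attribute, problem) for each Connector that is not relaxed as expected."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        port = conn.get("port", "?")
        for attr, expected in EXPECTED.items():
            value = conn.get(attr)
            if value is None:
                findings.append((port, attr, "missing"))
                continue
            # ElementTree has already decoded entities such as &#x5c; here.
            lacking = expected - (set(value) & TOMCAT_RELAXABLE)
            if lacking:
                findings.append((port, attr, "lacks " + "".join(sorted(lacking))))
    return findings

# Constructed sample: ports and layout are illustrative, not a real NAM server.xml.
SAMPLE = r"""<Server><Service name="Catalina">
  <Connector port="2443" scheme="https"
      relaxedPathChars="'[]|'"
      relaxedQueryChars="'[]|{}^&#x5c;&#x60;&quot;&lt;&gt;'" />
  <Connector port="8443" scheme="https" />
  <Connector port="9443" scheme="https"
      relaxedPathChars="'[]|'"
      relaxedQueryChars="'[]|{}^&amp;#x5c;&amp;#x60;&amp;quot;&amp;lt;&amp;gt;'" />
</Service></Server>"""

if __name__ == "__main__":
    for port, attr, problem in audit_connectors(SAMPLE):
        print(f"Connector port {port}: {attr} {problem}")
```

Run it against the restored server.xml before restarting Tomcat; an empty result means every connector carries both settings.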