Connecting to Protected iChain Resources via Access Manager

Author Info

16 April 2008 - 7:50am
Submitted by: coolguys


Problem

A Forum reader recently asked:

"We have users who connect to our previous iChain from behind their corporate firewalls. Changing to Access Manager means they cannot now get to these resources, as the login is presented from the IDserver on 8443.
These users reasonably do not want to open ports for this. The presented login page asks for a post back to 8443. How can I get around this? If I change the post URL on the custom login page, will this break other services?"

And here are several responses ...

Solution

Jared Jennings

The key steps to this are:

1. Change the BASE URL in the IDP configuration to port 443 instead of 8443.

2. Configure IPTABLES to redirect requests from 443 to 8443.

3. Edit server.xml to redirect non-secure requests on 8080 to 443, instead of to 8443 as it is probably set to.
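The third step is an edit to Tomcat's server.xml on the IDP: the HTTP Connector on 8080 carries a redirectPort attribute that tells Tomcat where to send a client that hits a secure resource over plain HTTP, and it ships pointing at 8443. The following added example (not part of the article or of Access Manager itself) makes that edit with sed and reads the value back so the change can be verified. The server.xml fragment it works on is a constructed, simplified stand-in for the real file, which carries many more attributes; on a real IDP point the functions at the Tomcat conf directory's server.xml instead.

```shell
#!/bin/sh
# Added example, not from the original article: flip the redirectPort of the
# Tomcat HTTP connector (port 8080) from 8443 to 443 and verify the result.
# The sample XML below is constructed for illustration only.

# Write a constructed, simplified server.xml fragment to a temp file and
# print its path. A real server.xml has many more attributes per Connector.
make_sample_server_xml() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxThreads="200" redirectPort="8443" />
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true" />
  </Service>
</Server>
EOF
    echo "$f"
}

# Print the redirectPort of the Connector listening on $2 (default 8080).
# The leading space before port= keeps redirectPort="8443" from matching
# when someone asks for the 8443 connector.
redirect_port_of() {
    file=$1; listen=${2:-8080}
    sed -n "/<Connector[^>]* port=\"$listen\"/s/.*redirectPort=\"\([0-9]*\)\".*/\1/p" "$file"
}

# Change redirectPort on the Connector listening on $2 (default 8080)
# from $3 to $4 (defaults: 8443 -> 443). The edit goes through a temp
# copy so a failing sed cannot leave a truncated server.xml behind.
set_redirect_port() {
    file=$1; listen=${2:-8080}; from=${3:-8443}; to=${4:-443}
    sed "/<Connector[^>]* port=\"$listen\"/s/redirectPort=\"$from\"/redirectPort=\"$to\"/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Apply the edit to the sample and report before/after values.
demo() {
    f=$(make_sample_server_xml)
    before=$(redirect_port_of "$f")
    set_redirect_port "$f"
    after=$(redirect_port_of "$f")
    rm -f "$f"
    echo "redirectPort: $before -> $after"
}

demo
```

Restart Tomcat on the IDP after the edit; until then the running instance keeps redirecting to 8443. Run `redirect_port_of /path/to/server.xml` against the real file first to confirm the connector layout matches what the sed address expects.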

Dave Parry

Step 2 uses a script by Mark van Reijn, Novell. It sits in /etc/init.d/ and will need to be set to start in the right runlevels. Set the environment variables first. I had problems initially as I copied and edited it through a Windows box and
ended up with carriage returns inserted into it; it should be okay if you grab these contents from within Linux.

Note: This script accommodates the changed base URL of the IDP. Because the IDP base URL is also set to port 443, the IDP may connect to itself via port 443; this is addressed by the third iptables line referring to the OUTPUT chain.

#!/bin/sh
# Copyright (c) 2008 Novell, Inc.
# All rights reserved.
#
# Author: Mark van Reijn, Novell
#
### BEGIN INIT INFO
# Provides: novell-portredirect
# Required-Start: SuSEfirewall2_setup $network $local_fs
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: Redirect 443 to 8443 and 80 to 8080 for Novell IdP
### END INIT INFO

# Update with your own binary, interface and IdP address.
IPT_BIN=/usr/sbin/iptables
INTF=eth0
ADDR=192.168.0.1

. /etc/rc.status

# First reset status of this service
rc_reset

case "$1" in
    start)
        echo -n "Starting IP Port redirection"
        # This empties the whole nat table, so any other nat rules on the
        # host (for example ones added by SuSEfirewall2) are dropped too.
        $IPT_BIN -t nat --flush
        # Inbound 80 and 443 on the external interface go to Tomcat's 8080 and 8443.
        $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 80 -j DNAT --to ${ADDR}:8080
        $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 -j DNAT --to ${ADDR}:8443
        # Locally generated traffic to the base URL (the IdP calling itself on 443)
        # never passes PREROUTING, so it is rewritten in the OUTPUT chain instead.
        $IPT_BIN -t nat -A OUTPUT -p tcp -d ${ADDR} --dport 443 -j DNAT --to ${ADDR}:8443
        rc_status -v
        ;;
    stop)
        echo -n "Flushing all IP Port redirection rules"
        $IPT_BIN -t nat --flush
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
rc_exit
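Once the base URL, the iptables rules and server.xml are all changed, two things are worth checking from the client side: that the three DNAT rules are actually loaded (they live only in the nat table and are gone after a reboot if the init script was not enabled in the runlevels), and that the login form the IDP renders now posts to 443 rather than 8443, which was the reader's original symptom. The added example below (not part of the article or of the script above) does both checks offline against constructed sample input; on a real box, feed check_nat_rules the output of `iptables -t nat -S` and form_action_port the HTML fetched from the IDP login URL. The address 192.168.0.1 and the host idp.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: verify the redirect setup.
# Sample inputs are constructed; replace them with live output on the IdP.

# Constructed sample of 'iptables -t nat -S' after the init script ran
# (the '-d' target is printed as a /32 in this listing format).
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:8443
-A OUTPUT -d 192.168.0.1/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:8443'

# Constructed login pages: before the base URL change the form posts to 8443,
# afterwards to the bare https host, i.e. port 443.
SAMPLE_LOGIN_BEFORE='<html><body>
<form method="post" action="https://idp.example.com:8443/nidp/app/login?sid=0">
<input name="user"><input name="password" type="password">
</form></body></html>'
SAMPLE_LOGIN_AFTER='<html><body>
<form method="post" action="https://idp.example.com/nidp/app/login?sid=0">
<input name="user"><input name="password" type="password">
</form></body></html>'

# Read a nat rule dump from stdin and count how many of the three expected
# DNAT rules for IdP address $1 are present. Prints the count and exits 0
# only when all three are loaded.
check_nat_rules() {
    addr_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    rules=$(cat)
    n=0
    for spec in "PREROUTING .*--dport 80 -j DNAT --to-destination $addr_re:8080" \
                "PREROUTING .*--dport 443 -j DNAT --to-destination $addr_re:8443" \
                "OUTPUT .*-d $addr_re/32 .*--dport 443 -j DNAT --to-destination $addr_re:8443"; do
        if printf '%s\n' "$rules" | grep -Eq -- "^-A $spec"; then n=$((n+1)); fi
    done
    echo "$n"
    [ "$n" -eq 3 ]
}

# Read login-page HTML from stdin and print the TCP port the first form's
# action URL will post to (explicit port, or the scheme default).
form_action_port() {
    url=$(sed -n 's/.*<form[^>]* action="\([^"]*\)".*/\1/p' | head -n 1)
    case $url in
        https://*) scheme_port=443 ;;
        http://*)  scheme_port=80 ;;
        *) echo "no absolute form action found" >&2; return 1 ;;
    esac
    hostport=${url#*://}; hostport=${hostport%%/*}
    case $hostport in
        *:*) echo "${hostport##*:}" ;;
        *)   echo "$scheme_port" ;;
    esac
}

# Stand-alone run over the constructed samples.
if printf '%s\n' "$SAMPLE_NAT_RULES" | check_nat_rules 192.168.0.1 >/dev/null; then
    echo "nat rules: all three DNAT rules loaded"
else
    echo "nat rules: missing, check the init script and runlevels"
fi
echo "login form posts to port $(printf '%s\n' "$SAMPLE_LOGIN_BEFORE" | form_action_port) before the change"
echo "login form posts to port $(printf '%s\n' "$SAMPLE_LOGIN_AFTER" | form_action_port) after the change"
```

A form that still posts to 8443 after the change means the IDP base URL was not updated (or Tomcat was not restarted), not that the iptables rules are wrong; the rules only matter once the browser is sent to 443.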


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.


© 2013 Novell