Problem
I recently had an issue with accessing my IDP server. I had configured it with a private address on eth0 and a public address on eth1. When Tomcat is installed, it uses the IP address of the first interface (eth0) to listen on. On a two-interface system, this makes accessing the protected resources impossible from the public Internet.
Attempting to authenticate through the IDP server would result in a "100101044" error at the browser. Looking at the output of the /var/opt/novell/tomcat4/logs/catalina.out file, the following would be displayed:
<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105024: AMDEVICEID#esp-138B98BC4E339237: AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: ESP is requesting metadata from IDP https://idp-neil.novell.com/nidp/idff/metadata </amLogEntry>
<amLogEntry> 2007-08-15T19:45:17Z SEVERE NIDS IDFF: AM#100106001: AMDEVICEID#esp-138B98BC4E339237: Unable to load metadata for Embedded Service Provider: https://idp-neil.novell.com/nidp/idff/metadata, error: Connection refused </amLogEntry>
<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105039: AMDEVICEID#esp-138B98BC4E339237: AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: Error on session id 8227B4A17333BFB621976C2AB734E8CE, error 100101044-esp-138B98BC4E339237, Unable to authenticate. AM#100101044: AMDEVICEID#esp-138B98BC4E339237: : Embedded Provider failed to load Identity Provider metadata </amLogEntry>
Solution
Here's how you resolve the issue ...
1. Open a command line on the IDP server and edit the file /var/opt/novell/tomcat4/conf/server.xml.
2. Search for the 8443 and 8080 strings to locate the identity server connector information.
Here's an example connector from a setup that only listens on IP address 192.168.1.19.
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080"
           minProcessors="5" maxProcessors="200" enableLookups="false"
           redirectPort="8443" acceptCount="0" debug="0" connectionTimeout="20000"
           useURIValidationHack="false" disableUploadTimeout="true"
           address="192.168.1.19" URIEncoding="utf-8" useBodyEncodingForURI="false" />
3. Remove the address="..." attribute. Without it, Tomcat binds the connector to all interfaces.
Make sure that you do this for both the connectors on 8080 and 8443.
4. Save the file and restart Tomcat:
/etc/init.d/novell-tomcat4 restart
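The edit in steps 1 to 3 is easy to get wrong by hand (the 8443 connector is often several hundred lines away from the 8080 one, and a loopback-bound AJP connector should stay bound). The following Python script is an added example, not part of the original article or of the Novell product: it reports which connectors on the identity server ports still carry an address attribute and removes that attribute only from those connectors, leaving everything else in server.xml untouched. The server.xml fragment embedded below is a constructed sample in Tomcat 4 style, not a file from the page.

```python
import re

# Constructed sample server.xml fragment (not from the page): two identity server
# connectors bound to a single interface plus an AJP connector bound to loopback.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" minProcessors="5" maxProcessors="200"
               enableLookups="false" redirectPort="8443" acceptCount="0"
               debug="0" connectionTimeout="20000" address="192.168.1.19" />
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" scheme="https" secure="true"
               address="192.168.1.19" />
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8009" address="127.0.0.1" protocol="AJP/1.3" />
  </Service>
</Server>
"""

# One <Connector .../> element, possibly spanning several lines.
CONNECTOR_RE = re.compile(r"<Connector\b[^>]*?/?>", re.DOTALL)
# name="value" pairs inside a tag.
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def connector_attrs(tag):
    """Return the attributes of one Connector tag as a dict."""
    return dict(ATTR_RE.findall(tag))


def find_bound_connectors(xml_text, ports=("8080", "8443")):
    """List (port, address) for connectors on the given ports that are pinned
    to a single address via the address attribute."""
    found = []
    for m in CONNECTOR_RE.finditer(xml_text):
        attrs = connector_attrs(m.group(0))
        if attrs.get("port") in ports and "address" in attrs:
            found.append((attrs["port"], attrs["address"]))
    return found


def unbind_connectors(xml_text, ports=("8080", "8443")):
    """Remove the address attribute from connectors on the given ports only.
    Connectors on other ports (e.g. AJP on loopback) keep their binding.
    The function is idempotent: running it on already-fixed text changes nothing."""
    def fix(m):
        tag = m.group(0)
        attrs = connector_attrs(tag)
        if attrs.get("port") in ports and "address" in attrs:
            tag = re.sub(r'\s+address\s*=\s*"[^"]*"', "", tag, count=1)
        return tag
    return CONNECTOR_RE.sub(fix, xml_text)


if __name__ == "__main__":
    # Hypothetical usage: on a real system read /var/opt/novell/tomcat4/conf/server.xml,
    # back it up, then write unbind_connectors(text) back and restart Tomcat.
    print("bound before:", find_bound_connectors(SAMPLE_SERVER_XML))
    fixed = unbind_connectors(SAMPLE_SERVER_XML)
    print("bound after: ", find_bound_connectors(fixed))
    print(fixed)
```

Restricting the rewrite to the 8080 and 8443 connectors matters: the AJP connector in the sample stays on 127.0.0.1, so fixing the public-facing problem does not widen the exposure of a port that was deliberately kept local.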
Use netstat to confirm that the change took effect. This is the output after the fix:
linuxlab5:/ # netstat -patune | grep -i listen | grep 443
tcp 0 0 147.2.16.109:443 0.0.0.0:* LISTEN 0 13446 7420/stunnel
tcp 0 0 147.2.16.109:1443 :::* LISTEN 0 14759 6644/java
tcp 0 0 :::8443 :::* LISTEN 100 17071 9056/java
What you want to see once the address attribute is removed is the connector listening on all addresses (a local address of :: or 0.0.0.0):
tcp 0 0 :::8443 :::* LISTEN 100 17071 9056/java
When the connector is still bound to a single IP address, you see that address instead:
tcp 0 0 147.2.16.109:8443 0.0.0.0:* LISTEN 100 17071 9056/java
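Reading the netstat columns by eye is error-prone on a busy host, so here is an added example (not from the article) that parses `netstat -patune` LISTEN rows and classifies each expected port as bound to all interfaces, bound to one address, or not listening at all. The sample output is constructed with a documentation address (192.0.2.10), not a capture from the page, and the column layout assumed is the standard Linux netstat one shown in the article: Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, User, Inode, PID/Program.

```python
# Constructed sample of `netstat -patune | grep -i listen` output (not the page's capture).
SAMPLE_NETSTAT = """tcp        0      0 192.0.2.10:443          0.0.0.0:*               LISTEN      0          13446      7420/stunnel
tcp        0      0 192.0.2.10:1443         :::*                    LISTEN      0          14759      6644/java
tcp        0      0 :::8443                 :::*                    LISTEN      100        17071      9056/java
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      100        17071      9056/java
tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN      100        17071      9056/java
"""

# Local addresses that mean "every interface". On a dual-stack Linux host with
# net.ipv6.bindv6only=0 (the default), a :: socket also accepts IPv4 connections.
WILDCARDS = {"::", "0.0.0.0", "*"}


def parse_listen_lines(text):
    """Turn netstat rows in LISTEN state into dicts; other rows are ignored."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 locals like ":::8443" intact: addr "::", port "8443".
        addr, _, port = fields[3].rpartition(":")
        rows.append({
            "proto": fields[0],
            "addr": addr,
            "port": int(port),
            "program": fields[-1],
            "all_interfaces": addr in WILDCARDS,
        })
    return rows


def check_ports(text, ports=(8080, 8443)):
    """Map each expected port to 'all', 'single:<addr>' or 'missing'.
    A port bound on several addresses counts as 'all' if any binding is a wildcard."""
    status = {p: "missing" for p in ports}
    for row in parse_listen_lines(text):
        p = row["port"]
        if p not in status:
            continue
        if row["all_interfaces"]:
            status[p] = "all"
        elif status[p] == "missing":
            status[p] = "single:" + row["addr"]
    return status


def unbound_ports(text, ports=(8080, 8443)):
    """Ports from the expected set that are NOT yet listening on all interfaces."""
    return sorted(p for p, s in check_ports(text, ports).items() if s != "all")


if __name__ == "__main__":
    # Hypothetical usage on a live host:
    #   netstat -patune | grep -i listen | python3 this_script.py
    # Here we just run it over the constructed sample.
    for port, state in check_ports(SAMPLE_NETSTAT, (8080, 8443, 443, 8009)).items():
        print(f"{port}: {state}")
    print("still not on all interfaces:", unbound_ports(SAMPLE_NETSTAT))
```

Because `unbound_ports` returns a list, the same function doubles as a post-restart check in a maintenance script: an empty list means both identity server connectors are reachable on every interface, while a non-empty one tells you which connector still carries an address attribute in server.xml.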
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
User Comments
nice job
Submitted by scum on 2 December 2008 - 6:02pm.
thanks man, had a similar issue with the Access Management Administration Console.
this worked a treat and saved me a tonne of time trying to work it out ;)
cheers again.