Article

Kaden Napper

Environment:

• Identity Server configured for authentication on port 443.
• Iptables configured with a rule such as:
  "iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443"
  or
  "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <<IPADDRESS>>:8443"

PROBLEM: Identity Server Health reports:

SSL Communication is not operating correctly! URL https://<<IPADDRESS>>:443/nidp/app/ping Error: Connection refused
(Required Action) Check SSL connectivity. Possible expired SSL certificate.

The Identity Server is still functioning.

Solution

The existing iptables rule does not work for connections initiated from the Identity Server (such as the Server Health Monitoring).

Add the following iptables rule "iptables -t nat -A OUTPUT -p tcp -d <<IPADDRESS>> --dport 443 -j DNAT --to <<IPADDRESS>>:8443"

EXAMPLE:

The following is my /etc/init.d/idp_8443_redirect file (modified from Mark van Reijn's original)

# All rights reserved.
#
# Author: Mark van Reijn, Novell
#
#! /bin/sh
#! /etc/init.d/idp_8443_redirect
# ### BEGIN INIT INFO
# Provides: idp_8443_redirect
# Required-Start: SuSEfirewall2_setup $network $local_fs
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: Redirect 8443 to 443 for Novell IdP
### END INIT INFO #

# Environment-specific variables.
IPT_BIN=/usr/sbin/iptables
IDP_IP=10.5.0.31

. /etc/rc.status

# First reset status of this service
rc_reset

case "$1" in
start)
echo -n "Starting IP Port redirection"
$IPT_BIN -t nat --flush

$IPT_BIN -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to  $IDP_IP:8443
$IPT_BIN -t nat -A OUTPUT -p tcp -d $IDP_IP --dport 443 -j DNAT --to  $IDP_IP:8443

rc_status -v
;;
stop)
echo -n "Flushing all IP Port redirection rules"
$IPT_BIN -t nat --flush
rc_status -v
;;
restart)
$0 stop
$0 start
rc_status
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
rc_exit