Fixing Multiple Interface Problems with Tomcat on Novell Access Manager 3.0.1
Novell Cool Solutions: Tip
By Michael Faris, Neil Cashell
Posted: 29 Aug 2007
I recently had an issue accessing my IDP server. I had configured it with a private address on eth0 and a public address on eth1. When Tomcat is installed, its connectors are bound to the IP address of the first interface (eth0). On a two-interface system, this makes the protected resources unreachable from the public Internet.
Attempting to authenticate through the IDP server resulted in a "100101044" error in the browser. The /var/opt/novell/tomcat4/logs/catalina.out file showed the following:
<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105024: AMDEVICEID#esp-138B98BC4E339237: AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: ESP is requesting metadata from IDP https://idp-neil.novell.com/nidp/idff/metadata </amLogEntry>
<amLogEntry> 2007-08-15T19:45:17Z SEVERE NIDS IDFF: AM#100106001: AMDEVICEID#esp-138B98BC4E339237: Unable to load metadata for Embedded Service Provider: https://idp-neil.novell.com/nidp/idff/metadata, error: Connection refused </amLogEntry>
<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105039: AMDEVICEID#esp-138B98BC4E339237: AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: Error on session id 8227B4A17333BFB621976C2AB734E8CE, error 100101044-esp-138B98BC4E339237, Unable to authenticate. AM#100101044: AMDEVICEID#esp-138B98BC4E339237: : Embedded Provider failed to load Identity Provider metadata </amLogEntry>
Here's how you resolve the issue ...
1. Open a command line on the IDP server and edit the file /var/opt/novell/tomcat4/conf/server.xml.
2. Search for the 8443 and 8080 strings to locate the identity server connector information.
Here's an example connector from a setup that listens only on IP address 192.168.1.19:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080" minProcessors="5" maxProcessors="200" enableLookups="false" redirectPort="8443" acceptCount="0" debug="0" connectionTimeout="20000" useURIValidationHack="false" disableUploadTimeout="true" address="192.168.1.19" URIEncoding="utf-8" useBodyEncodingForURI="false" />
3. Remove the address="..." attribute. This forces Tomcat to listen on all interfaces. Make sure you do this for both the 8080 and 8443 connectors.
4. Save the file and restart Tomcat.
Use netstat to verify the change. This is the output from a test system after the restart:
linuxlab5:/ # netstat -patune|grep -i listen|grep 443
tcp 0 0 184.108.40.206:443 0.0.0.0:* LISTEN 0 13446 7420/stunnel
tcp 0 0 220.127.116.11:1443 :::* LISTEN 0 14759 6644/java
tcp 0 0 :::8443 :::* LISTEN 100 17071 9056/java
What you want to see once the address attribute is removed is that Tomcat listens on the wildcard address (shown as :::8443), i.e. on all addresses:
tcp 0 0 :::8443 :::* LISTEN 100 17071 9056/java
When Tomcat is instead bound to a single IP address, you will see this:
tcp 0 0 18.104.22.168:443:8443 0.0.0.0:* LISTEN 100 17071 9056/java
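The following shell script is an added example, not part of the original tip or of Novell's product: it audits the bind address of the 8080 and 8443 connectors in a server.xml (step 2), produces the corrected file with the address attribute removed (step 3), and checks saved netstat -patune output for the wildcard binding the tip expects. It assumes each <Connector .../> element sits on one line, as in the excerpt above; the server.xml and netstat samples embedded in it are constructed. Note that dropping address= binds 8080 and 8443 on the private interface as well as the public one, so the host firewall, not Tomcat, is then what limits who can reach them.

```shell
#!/bin/sh
# Added example (not from the original tip or from Novell). Assumes one-line
# <Connector .../> elements as in the tip's excerpt. All sample data is constructed.

# Print "port address" for the 8080 and 8443 Connectors; "*" means no address=
# attribute, i.e. Tomcat binds every interface. Splitting records on "<" gives
# awk one tag per record; requiring a space before port= keeps the 8080
# connector's redirectPort="8443" from being mistaken for the 8443 connector.
connector_bindings() {
  awk 'BEGIN { RS = "<" }
       /^Connector / && match($0, / port="(8080|8443)"/) {
         port = substr($0, RSTART + 7, RLENGTH - 8)
         addr = "*"
         if (match($0, /address="[^"]*"/)) addr = substr($0, RSTART + 9, RLENGTH - 10)
         print port, addr
       }' "$1"
}

# Emit a copy of server.xml with address= removed from those two Connectors only
# (step 3 of the tip); any other Connector, e.g. an AJP one on loopback, is kept.
unbind_connectors() {
  sed -e '/<Connector .* port="8080"/ s/ address="[^"]*"//' \
      -e '/<Connector .* port="8443"/ s/ address="[^"]*"//' "$1"
}

# Print the local address of every LISTEN socket on port $2 in the saved
# "netstat -patune" output $1 (field 4 is Local Address, field 6 is State).
listen_addresses() {
  awk -v port="$2" '$6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) print $4 }' "$1"
}

# Succeeds when the port is bound to a wildcard address (0.0.0.0 or ::),
# which is what the tip says you should see after the change.
listens_on_all_interfaces() {
  listen_addresses "$1" "$2" | grep -q -E "^(0\.0\.0\.0|::):$2\$"
}

# Write a string to a temporary file and print its path.
write_tmp() { f=$(mktemp); printf '%s\n' "$1" > "$f"; printf '%s\n' "$f"; }

# Constructed server.xml fragment: identity-server connectors pinned to eth0,
# plus a loopback-only connector that must survive the fix unchanged.
SAMPLE_SERVER_XML='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080" enableLookups="false" redirectPort="8443" address="192.168.1.19" useBodyEncodingForURI="false" />
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443" enableLookups="false" scheme="https" secure="true" address="192.168.1.19" />
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8009" address="127.0.0.1" />
  </Service>
</Server>'

# Constructed netstat -patune output, modelled on the tip, before and after the change.
NETSTAT_BEFORE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 192.168.1.19:8443       0.0.0.0:*               LISTEN      100        17071      9056/java
tcp        0      0 192.168.1.19:8080       0.0.0.0:*               LISTEN      100        17072      9056/java'
NETSTAT_AFTER='tcp        0      0 :::8443                 :::*                    LISTEN      100        17071      9056/java
tcp        0      0 :::8080                 :::*                    LISTEN      100        17072      9056/java'

# Demo run: audit, fix, re-audit, then confirm the wildcard binding from netstat.
xml=$(write_tmp "$SAMPLE_SERVER_XML")
echo "Before:"; connector_bindings "$xml"
fixed=$(write_tmp "$(unbind_connectors "$xml")")
echo "After:";  connector_bindings "$fixed"
ns=$(write_tmp "$NETSTAT_AFTER")
listens_on_all_interfaces "$ns" 8443 && echo "8443 listens on all interfaces"
rm -f "$xml" "$fixed" "$ns"
```

Point connector_bindings and unbind_connectors at the real /var/opt/novell/tomcat4/conf/server.xml and listen_addresses at captured netstat output to run the same checks on an IDP server; only the sample data is constructed.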