
Fixing Multiple Interface Problems with Tomcat on Novell Access Manager 3.0.1

Novell Cool Solutions: Tip
By Michael Faris, Neil Cashell


Posted: 29 Aug 2007
 

Problem

I recently had an issue with accessing my IDP server. I had configured it with a private address on eth0 and a public address on eth1. When Tomcat is installed, it uses the IP address of the first interface (eth0) to listen on. On a two-interface system, this makes accessing the protected resources impossible from the public Internet.

Attempting to authenticate through the IDP server would result in a "100101044" error at the browser. Looking at the output of the /var/opt/novell/tomcat4/logs/catalina.out file, the following would be displayed:

<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105024: AMDEVICEID#esp-138B98BC4E339237: 
AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: ESP is requesting metadata from IDP 
https://idp-neil.novell.com/nidp/idff/metadata </amLogEntry>

<amLogEntry> 2007-08-15T19:45:17Z SEVERE NIDS IDFF: AM#100106001: AMDEVICEID#esp-138B98BC4E339237: 
Unable to load metadata for Embedded Service Provider: https://idp-neil.novell.com/nidp/idff/metadata, 
error: Connection refused </amLogEntry>

<amLogEntry> 2007-08-15T19:45:17Z INFO NIDS Application: AM#500105039: AMDEVICEID#esp-138B98BC4E339237:
AMAUTHID#8227B4A17333BFB621976C2AB734E8CE: Error on session id 8227B4A17333BFB621976C2AB734E8CE, 
error 100101044-esp-138B98BC4E339237, Unable to authenticate. AM#100101044: AMDEVICEID#esp-138B98BC4E339237: : 
Embedded Provider failed to load Identity Provider metadata </amLogEntry>

Solution

Here's how you resolve the issue ...

1. Open a command line on the IDP server and edit the file /var/opt/novell/tomcat4/conf/server.xml.

2. Search for the 8443 and 8080 strings to locate the identity server connector information.

Here's an example connector from a setup that only listens on IP address 192.168.1.19.

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080"
           minProcessors="5" maxProcessors="200" enableLookups="false"
           redirectPort="8443" acceptCount="0" debug="0"
           connectionTimeout="20000"
           useURIValidationHack="false" disableUploadTimeout="true"
           address="192.168.1.19" URIEncoding="utf-8" useBodyEncodingURI="false" />

3. Remove the address="..." attribute. Without it, Tomcat binds the connector to all interfaces. Make sure you do this for both connectors, the one on port 8080 and the one on port 8443.

4. Save the file and restart Tomcat:
/etc/init.d/novell-tomcat4 restart

Use netstat to verify that the change took effect. Example output:

linuxlab5:/ # netstat -patune|grep -i listen|grep 443

tcp	0  	0 147.2.16.109:443	0.0.0.0:*	LISTEN   0 13446	  7420/stunnel
tcp	0	0 147.2.16.109:1443	:::* 		LISTEN   0 14759  6644/java
tcp	0	0 :::8443		:::*		LISTEN	100	17071		9056/java

What you want to see once the address attribute has been removed is the listener bound to the wildcard address (shown as ::: or 0.0.0.0), i.e. all addresses:

tcp	0	0 :::8443	:::*	LISTEN	100	17071		9056/java

When the connector is still bound to a single IP address, you will see that address instead:

tcp	0	0 147.2.16.109:8443	0.0.0.0:*	LISTEN 100 17071  9056/java
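The server.xml edit in steps 1 to 4 and the netstat verification above can both be done as a small script. The following is an added example written for this tip; it is not Novell's or Tomcat's own code. It parses a constructed server.xml fragment modeled on the connector shown above (the 8443 and 8009 connectors are assumed for illustration), removes the address attribute from the 8080 and 8443 connectors only, and then checks constructed netstat lines in the same column layout as netstat -patune to confirm the 8443 listener is on the wildcard address. The new_address option is an addition beyond the tip: it pins the connectors to one chosen IP rather than all interfaces.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modeled on the connector in the tip.
# The 8443 and 8009 connectors and their attributes are assumptions, not
# copied from a real Access Manager installation.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080"
      minProcessors="5" maxProcessors="200" enableLookups="false"
      redirectPort="8443" acceptCount="0" debug="0" connectionTimeout="20000"
      useURIValidationHack="false" disableUploadTimeout="true"
      address="192.168.1.19" URIEncoding="utf-8" useBodyEncodingURI="false" />
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
      minProcessors="5" maxProcessors="200" enableLookups="false"
      acceptCount="10" debug="0" address="192.168.1.19" URIEncoding="utf-8" />
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8009"
      address="127.0.0.1" />
  </Service>
</Server>
"""

# Constructed netstat -patune lines (Proto Recv-Q Send-Q Local Foreign State
# User Inode PID/Program), before and after the address attribute is removed.
SAMPLE_NETSTAT_BEFORE = """tcp 0 0 147.2.16.109:8443 0.0.0.0:* LISTEN 100 17071 9056/java
tcp 0 0 147.2.16.109:443 0.0.0.0:* LISTEN 0 13446 7420/stunnel
"""
SAMPLE_NETSTAT_AFTER = """tcp 0 0 :::8443 :::* LISTEN 100 17071 9056/java
tcp 0 0 147.2.16.109:443 0.0.0.0:* LISTEN 0 13446 7420/stunnel
"""


def rebind_connectors(server_xml, ports=("8080", "8443"), new_address=None):
    """Return (new_xml, changed_ports).

    With new_address=None the address attribute is deleted, so Tomcat binds
    the connector to every interface (what the tip does). Passing an IP in
    new_address pins the connector to that address instead. Connectors on
    other ports are left untouched. Note: ElementTree drops XML comments,
    so back up the real server.xml before writing the result over it.
    """
    root = ET.fromstring(server_xml)
    changed = []
    for conn in root.iter("Connector"):
        if conn.get("port") not in ports:
            continue
        if new_address is None:
            if "address" not in conn.attrib:
                continue          # already listening on all interfaces
            del conn.attrib["address"]
        else:
            conn.set("address", new_address)
        changed.append(conn.get("port"))
    return ET.tostring(root, encoding="unicode"), changed


def connector_addresses(server_xml):
    """Map each Connector port to its address attribute (None = all interfaces)."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): c.get("address") for c in root.iter("Connector")}


# Proto, Recv-Q, Send-Q, then the local address column of a LISTEN line.
_LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN")


def listener_bindings(netstat_output, port):
    """Return the local addresses bound for `port` among the LISTEN lines."""
    bound = []
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        addr, _, lport = m.group(1).rpartition(":")   # ":::8443" -> ("::", "8443")
        if lport == port:
            bound.append(addr)
    return bound


def listens_on_all_interfaces(netstat_output, port):
    """True if some listener on `port` is bound to the IPv4 or IPv6 wildcard."""
    return any(a in ("0.0.0.0", "::") for a in listener_bindings(netstat_output, port))


if __name__ == "__main__":
    new_xml, changed = rebind_connectors(SAMPLE_SERVER_XML)
    print("connectors changed:", changed)
    print("bindings after edit:", connector_addresses(new_xml))
    for label, out in (("before", SAMPLE_NETSTAT_BEFORE), ("after", SAMPLE_NETSTAT_AFTER)):
        print(label, "8443 bound to", listener_bindings(out, "8443"),
              "all interfaces:", listens_on_all_interfaces(out, "8443"))
```

Two points worth keeping in mind when applying this to a real server. First, deleting the address attribute exposes both connectors on every interface, including the plain-HTTP port 8080 on the private side; if only the public address needs to be reachable, pinning the connectors to that IP (the new_address option) or filtering the ports with a host firewall keeps the exposure to what you intend. Second, netstat reflects the running process, so run the check only after the /etc/init.d/novell-tomcat4 restart from step 4.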


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell