If your Identity Server must communicate with an external Identity Server through a firewall, you must either set up a hole in your firewall for TCP ports 8080 or 8443 (default ports used respectively for non secure and secure communication with Identity Server), or configure the Identity Server service to use TCP port 80 or 443.
The Identity Server service (hosted on Tomcat) runs as a non-privileged user and cannot therefore bind to ports below 1024. In order to allow requests to port 80/443 while Tomcat is listening on 8080/8443, the preferred approach is to use iptables to perform a port translation. Assuming HTTPS on port 443 is used, perform the following procedure. Similar steps apply to using HTTP on port 80 if a non secure channel is required.
In the Administration Console, click > > , and configure the base URL with HTTPS as protocol, and the TCP Port as 443.
At a terminal window, log in as the root user.
Create a file to hold the iptables rule and place it in the /etc/init.d directory.
For example, /etc/init.d/Redirect. An example of a redirect startup file for this purpose might be:
#!/bin/sh
# Copyright (c) 2008 Novell, Inc.
# All rights reserved.
#
#! /bin/sh
#! /etc/init.d/idp_8443_redirect
# ### BEGIN INIT INFO
# Provides: idp_8443_redirect
# Required-Start: SuSEfirewall2_setup $network $local_fs
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: Redirect 8443 to 443 for Novell IDP
### END INIT INFO #
# Environment-specific variables.
IPT_BIN=/usr/sbin/iptables
INTF=eth0
ADDR=10.10.0.1
. /etc/rc.status
# First reset status of this service
rc_reset
case "$1" in
start)
echo -n "Starting IP Port redirection"
$IPT_BIN -t nat --flush
$IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 80
-j DNAT --to ${ADDR}:8080
$IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443
-j DNAT --to ${ADDR}:8443
rc_status -v
;;
stop)
echo -n "Flushing all IP Port redirection rules"
$IPT_BIN -t nat --flush
rc_status -v
;;
restart)
$0 stop
$0 start
rc_status
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
rc_exit
For more information about init scripts in SUSE Linux Enterprise Server, see 20.2.2 Init Scripts in the SUSE Linux Enterprise Server 10 Installation and Administration Guide.
Modify the environment-specific variables found in the following lines:
# Environment-specific variables. IPT_BIN=/usr/sbin/iptables INTF=eth0 ADDR=10.10.0.1
Ensure that your redirect script has execute rights. Use CHMOD as appropriate. For example:
chmod 755 Redirect
Ensure that the iptables rule is active after rebooting:
In YaST, click > [or ].
Select the Redirect service, and enable it.
(Conditional) On SLES 9.x when you enable the redirect script in the Runlevel editor, it automatically enables 3 startup scripts for the SuSEfirewall2. You need to disable the SuSEfirewall2_final script because it overwrites the rules in your Redirect script.
In YaST click > .
Select the SuSEfirewall2_final script, and disable it.
To verify that the script is running, enter the following command:
iptables -t nat --list
If it is running, the output should contain lines similar to the following:
Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- anywhere anywhere tcp dpt:http to:10.10.0.1:8080 DNAT tcp -- anywhere anywhere tcp dpt:https to:10.10.0.1:8443
IMPORTANT:This simple solution only works if you are not using iptables to translate ports of other applications or Access Manager components. For a solution that works with multiple components, see NAM Filters for iptables Commands.