7.3 Protected Resource Issues

7.3.1 HTML Frames Are Lost

When a protected resource on an Access Gateway includes pages with multiple frames, the page displays incorrectly under the following conditions:

  • The user’s session times out, the user is redirected to the login page, and the user successfully reauthenticates.

  • The user logs out, and the logout page redirects the user to a page with multiple frames.

Under these conditions, only the top frame of the page is displayed. To correct this problem:

  1. Create a custom login page for the protected resource.

    This can be as simple as creating a copy of the nidp.jsp file and renaming it. For more information on customizing the login page, see Customizing the Identity Server Login Page in the Novell Access Manager 3.1 SP1 Identity Server Guide.

  2. Copy the custom login page to the JSP directory of the Identity Server.

    Linux: /var/opt/novell/tomcat5/webapps/nidp/jsp

    Windows: C:\Program Files\Novell\Tomcat\webapps\nidp\jsp

  3. Modify the top.jsp file in the JSP directory so that the redirect loads in the current frame instead of replacing the top-level window.

    1. Locate the following lines in the top.jsp file:

      <!--
           top.location.href='<%=url%>';
      -->
      
    2. Replace these lines with the following:

      <!--
          location.href='<%=url%>';
      -->
      
  4. (Conditional) If the Identity Server belongs to a cluster, copy the modified top.jsp file and the custom login page to each Identity Server in the cluster.

  5. Add two property values to the method that creates the contract for the protected resource.

    If multiple protected resources are using the contract, you can create a custom method and contract rather than modifying the existing method. For information on this process, see Configuring Authentication Methods and Configuring Authentication Contracts in the Novell Access Manager 3.1 SP1 Identity Server Guide.

    1. In the Administration Console, click Devices > Identity Servers > Edit > Methods.

    2. Click the name of the method that is used by the contract for the protected resource.

    3. In the Properties section, click New, then specify the following values:

      Property Name: MainJSP

      Property Value: true

    4. Click OK.

    5. In the Properties section, click New, then specify the following values:

      Property Name: JSP

      Property Value: <custom_login_page>

      Replace <custom_login_page> with the name of your page (see Step 1), without the JSP extension. Property values are case sensitive.

    6. Click OK twice.

  6. Click Devices > Identity Servers, then update the Identity Server.

  7. Click Devices > Access Gateways, then update the Access Gateway.

  8. (Conditional) If you created a new contract for the protected resource, assign the new contract to the protected resource, then update the Access Gateway.

  9. To verify that the modifications have solved the problem:

    1. Access the page and log in.

    2. Wait for the session to time out.

    3. Access the page again.

    4. Authenticate as prompted and make sure all the frames are displayed.
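
The top.jsp edit from Step 3 has to be repeated on every Identity Server in a cluster (Step 4), so it helps to script it. The following is an added example, not Novell code: the function names and the sample file content are constructed, and the script assumes top.jsp contains the line exactly as shown in Step 3.

```shell
#!/bin/sh
# Added example (not Novell code): apply the Step 3 edit to top.jsp
# idempotently and keep a backup. Function names are hypothetical.

OLD="top.location.href='<%=url%>';"
NEW="location.href='<%=url%>';"

# Constructed stand-in for the relevant part of top.jsp (not the real file).
write_sample() {
    cat > "$1" <<'EOF'
<script language="JavaScript">
<!--
     top.location.href='<%=url%>';
-->
</script>
EOF
}

# Status: 0 = file holds the Step 3 form (patched now or on an earlier run),
#         1 = neither form found, file left untouched for manual review,
#         2 = file missing, or the backup or rewrite failed.
patch_top_jsp() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if grep -qF "$OLD" "$file"; then
        cp -p "$file" "$file.orig" || return 2
        # Drop only the "top." prefix; every other byte is left alone.
        sed "s/top\.location\.href='<%=url%>';/$NEW/" "$file.orig" > "$file" || return 2
    fi
    # NEW is a substring of OLD, so confirm OLD is gone before accepting NEW.
    if grep -qF "$OLD" "$file"; then return 1; fi
    grep -qF "$NEW" "$file"
}

# With arguments: patch each given top.jsp (run on every cluster member).
# Without arguments: demonstrate on the constructed sample in a temp directory.
if [ $# -gt 0 ]; then
    for f in "$@"; do patch_top_jsp "$f" && echo "ok: $f"; done
else
    tmp=$(mktemp -d) && write_sample "$tmp/top.jsp"
    patch_top_jsp "$tmp/top.jsp" && diff "$tmp/top.jsp.orig" "$tmp/top.jsp" || true
    rm -rf "$tmp"
fi
```

A status of 1 means the file does not match what Step 3 expects; compare it with top.jsp.orig from another server before editing by hand.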

7.3.2 Troubleshooting HTTP 1.1 and GZIP

HTTP 1.1 has the ability to deal with compressed data in either a Deflate or GZIP format. This reduces the size of data being sent across the wire. Because HTML pages are just text, they typically compress very well.

To use GZIP, you enable your Web servers to send GZIP-compressed data. Be aware that some Web servers do not respond with compressed (GZIP) data when the Access Gateway sends the Via header to the Web server. Check your Web server documentation.
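
Whether a particular Web server drops compression when it sees a Via header can also be checked empirically by comparing two captured responses. This is an added example, not Novell code: the function names, the placeholder host in the comments, and the sample captures are constructed.

```shell
#!/bin/sh
# Added example (not Novell code): decide from two captured header dumps
# whether a Web server stops compressing once a Via header is present.
# Captures could be taken like this (origin.example is a placeholder):
#   curl -s -o /dev/null -D no_via.txt -H 'Accept-Encoding: gzip' http://origin.example/
#   curl -s -o /dev/null -D via.txt -H 'Accept-Encoding: gzip' \
#        -H 'Via: 1.1 gateway' http://origin.example/

# Print the Content-Encoding of a header dump, or "identity" if none is set.
# Header names are matched case-insensitively and CRs are stripped.
content_encoding() {
    enc=$(tr -d '\r' < "$1" |
        awk -F': *' 'tolower($1)=="content-encoding"{print tolower($2); exit}')
    echo "${enc:-identity}"
}

# Compare the capture taken without Via ($1) with the one taken with Via ($2).
via_effect() {
    no_via=$(content_encoding "$1")
    with_via=$(content_encoding "$2")
    case "$no_via/$with_via" in
        identity/identity) echo "never-compresses" ;;
        */identity)        echo "via-suppresses-compression" ;;
        *)                 echo "compresses-with-via" ;;
    esac
}

# Constructed captures (not real server output).
demo() {
    d=$(mktemp -d)
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n' > "$d/no_via.txt"
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' > "$d/via.txt"
    via_effect "$d/no_via.txt" "$d/via.txt"
    rm -rf "$d"
}
demo
```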

When the Web server sends compressed data and the rewriter needs to process the data, the data is decompressed, rewritten, and then recompressed. When Form Fill needs to process the data, the data is decompressed and then processed. If the Access Gateway does not need to perform any rewriting of the data or if Form Fill does not need to process the data, the compressed data is sent unchanged from the Web server to the browser. This is the default behavior.

To turn off the GZIP feature:

  1. Add the following touch file:

    /var/novell/.noGzipSupport
    

    Use the touch utility to create this blank file.

  2. Restart the Linux Access Gateway.

In the presence of this touch file, Linux Access Gateway does not forward the ACCEPT-ENCODING header to the Web server. Without this header, the Web server does not send any data with GZIP or Deflate encoding to the Linux Access Gateway.

To allow the Linux Access Gateway to receive GZIP or Deflate encoded data, remove the touch file and restart the Linux Access Gateway.

7.3.3 Protected Resources Referencing Non-Existent Policies

If your protected resources contain references to policies that do not exist, use the following procedures to remove them.

  1. Click Auditing > Troubleshooting.

  2. In the Access Gateways with Protected Resources Referencing Nonexistent Policies section, click Repair.

    This removes the link between the protected resource and the policy.

  3. Verify that correct policies are enabled on the protected resources. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources.

  4. Change to the Policy View.

  5. (Optional) Click the Used By link to modify existing assignments.

  6. Click OK, then click the Access Gateways link.

  7. Click Update > OK.

7.3.4 Protected Resource Configuration Changes Are Not Applied

If you modify the configuration for a protected resource (its URL Path List or its Authorization, Identity Injection, or Form Fill policies), save the changes, apply them by clicking Update, and then find on returning to the resource that the changes have not been applied, the protected resource has a corrupted configuration. To repair the configuration:

  1. Click Auditing > Troubleshooting.

  2. In the Access Gateways with Corrupted Protected Resource Data list, select the resource with the problem, then click Repair.

    This repairs the configuration for the selected protected resource.

  3. Reconfigure the protected resource with the changes that weren’t applied.

7.3.5 Error AM#300101010 and Missing Resources

Image display problems can arise when an unprotected page references multiple protected resources. The best practice for HTML is to avoid situations where an unprotected page contains references to multiple, automatically loaded protected resources. For example, the unprotected page index.html might contain references to two GIF image files, both of which are protected resources. The browser automatically attempts to load the GIF files during the initial load of index.html. Because multiple requests happen at the same time, one or more of the GIFs might be denied access. To avoid this, you should add the page, index.html in this example, as a protected resource. Doing this avoids the possibility of missing GIFs.

7.3.6 Unable to View Contents of Mail When Outlook Web Access is Protected by Access Gateway

If you are not able to view the contents of mail when Outlook Web Access is protected by the Linux Access Gateway and you see a login page instead of the content, configure /exchweb/* as a public resource.

7.3.7 Redirection Issue with Some IE7 Versions

With Internet Explorer 7, if the Linux Access Gateway redirects the first request after authentication to a secure site and if the certificates are not present in the browser, the browser is not redirected to the proper site.

To work around this problem, use the /var/novell/.useJSFor302withIE7 touch file.

When this touch file is present and the browser is Internet Explorer 7, a 200 OK response containing a redirect meta tag is sent back instead of the 302 redirect.