38.4 Translating the Identity Server Configuration Port

If your Identity Server must communicate with an external Identity Server through a firewall, you must either set up a hole in your firewall for TCP ports 8080 or 8443 (default ports used respectively for non secure and secure communication with Identity Server), or configure the Identity Server service to use TCP port 80 or 443.

The Identity Server service (hosted on Tomcat) runs as a non-privileged user and cannot therefore bind to ports below 1024. In order to allow requests to port 80/443 while Tomcat is listening on 8080/8443, the preferred approach is to use iptables to perform a port translation. Assuming HTTPS on port 443 is used, perform the following procedure. Similar steps apply to using HTTP on port 80 if a non secure channel is required.

  1. In the Administration Console, click Identity Server > Servers > Edit, and configure the base URL with HTTPS as protocol, and the TCP Port as 443.

  2. At a terminal window, log in as the root user.

  3. Create a file to hold the iptables rule and place it in the /etc/init.d directory.

    For example, /etc/init.d/Redirect. An example of a redirect startup file for this purpose might be:

    #!/bin/sh
    # Copyright (c) 2008 Novell, Inc.
    # All rights reserved.
    #
    #! /bin/sh
    #! /etc/init.d/idp_8443_redirect
    # ### BEGIN INIT INFO
    # Provides: idp_8443_redirect
    # Required-Start: SuSEfirewall2_setup $network $local_fs
    # Required-Stop:
    # Default-Start: 2 3 5
    # Default-Stop: 0 1 6
    # Description: Redirect 8443 to 443 for Novell IDP
    ### END INIT INFO #
    
    # Environment-specific variables.
    IPT_BIN=/usr/sbin/iptables
    INTF=eth0
    ADDR=10.10.0.1
    
    . /etc/rc.status
    
    # First reset status of this service
    rc_reset
    
    case "$1" in
        start)
            echo -n "Starting IP Port redirection"
            $IPT_BIN -t nat --flush
            $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 80 
    -j DNAT --to ${ADDR}:8080
            $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 
    -j DNAT --to ${ADDR}:8443
            rc_status -v
            ;;
        stop)
            echo -n "Flushing all IP Port redirection rules"
            $IPT_BIN -t nat --flush
            rc_status -v
            ;;
        restart)
            $0 stop
            $0 start
            rc_status
            ;;
        *)
            echo "Usage: $0 {start|stop|restart}"
            exit 1
            ;;
    esac
    rc_exit
    

    For more information about init scripts in SUSE Linux Enterprise Server, see 20.2.2 Init Scripts in the SUSE Linux Enterprise Server 10 Installation and Administration Guide.

  4. Modify the environment-specific variables found in the following lines:

    # Environment-specific variables.
    IPT_BIN=/usr/sbin/iptables
    INTF=eth0
    ADDR=10.10.0.1
    
  5. Ensure that your redirect script has execute rights. Use CHMOD as appropriate. For example:

    chmod 755 Redirect
    
  6. Ensure that the iptables rule is active after rebooting:

    1. In YaST, click System > Runlevel Editor [or System Services (Runlevel)].

    2. Select the Redirect service, and enable it.

  7. (Conditional) On SLES 9.x when you enable the redirect script in the Runlevel editor, it automatically enables 3 startup scripts for the SuSEfirewall2. You need to disable the SuSEfirewall2_final script because it overwrites the rules in your Redirect script.

    1. In YaST click System > Runlevel Editor.

    2. Select the SuSEfirewall2_final script, and disable it.

  8. To verify that the script is running, enter the following command:

    iptables -t nat --list
    

    If it is running, the output should contain lines similar to the following:

    Chain PREROUTING (policy ACCEPT)
    target prot opt source   destination
    DNAT   tcp  --  anywhere anywhere tcp dpt:http to:10.10.0.1:8080
    DNAT   tcp  --  anywhere anywhere tcp dpt:https to:10.10.0.1:8443
    
    

IMPORTANT:This simple solution only works if you are not using iptables to translate ports of other applications or Access Manager components. For a solution that works with multiple components, see NAM Filters for iptables Commands.