How to Preserve Encoded Characters in the URL from NAM AG to the Web Server

  • 7016712
  • 28-Jul-2015
  • 28-Jul-2015

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
NetIQ Access Gateway Appliance or Service

Situation

Some web servers expect encoded characters to be present in the URL when a request is made.
e.g. GET https://ssd.msingh4.lab.novell.com/sap/opu/odata/BSHB2B/CA_US_IAM_SRV/Users(%27cn%3duid000023%2cou%3duser%2co%3ddata%27)?$expand=Categories/Roles,Categories/Category/Roles,Resources/RequestParams

This request should reach the web server as it is (with the encoded characters); otherwise the web server rejects the request with an error. Currently MAG is missing this feature, but the workaround provided in this TID can be used.

Resolution

Follow the steps below to configure the Apache Gateway to preserve the encoded characters in HTTP requests:
1. Global Advanced Option
NAGGlobalOptions noURLNormalize=on
(With this advanced option the Access Gateway does not normalize the URL. The setting will appear in NovellAgSettings.conf.)

2. The Access Gateway is a reverse proxy with two parts, a server part and a client part (the proxy works as a server when communicating with the browser and as a client when communicating with the web server).
The advanced option above prevents normalization in the server part of the AG, but the client part of the AG (mod_proxy_balancer) still normalizes the URL before passing it to the web server.
Go to the reverse proxy that accesses the web server (the one that needs the encoded characters to be present) and configure the advanced option below (a service-level advanced option):
AllowEncodedSlashes On
(This setting will appear in the service configuration file under the vhosts.d directory.)

3. The configuration below is required for mod_proxy_balancer to avoid normalization (service-level conf file under vhosts.d):
ProxyPass / balancer://bal_ssd/ lbmethod=byrequests stickysession=ZNPCQ003-32393400 nocanon

4. Currently there is no option to set nocanon on the ProxyPass directive from the Admin Console. Hence, after every configuration push from the Admin Console, the httpd configuration will keep the settings from steps 1 and 2 but not the one from step 3.
(A bug has been raised for the issue, and it will be a part of the product in a future release.)

5. A search-and-replace can be used to achieve this.
Search for the string "#increase default ulimit from 1024" in /etc/init.d/novell-apache2 and add the line below above it.
sed -i 's/ProxyPass \/ balancer:\/\/bal_ssd\/ lbmethod=byrequests stickysession=ZNPCQ003-32393400/ProxyPass \/ balancer:\/\/bal_ssd\/ lbmethod=byrequests stickysession=ZNPCQ003-32393400 nocanon/' /etc/opt/novell/apache2/conf/vhosts.d/ssd.conf

(Here ssd.conf is the configuration file for the proxy service.)

6. After following the above steps you can send the URL with encoded characters to the web server.
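
An added example (not part of the original TID or the product): an idempotent variant of the step 5 search-and-replace, plus a check that lists balancer ProxyPass lines that lost nocanon after a configuration push. The function names and the sample file contents are constructed for illustration; on a real gateway the argument would be the proxy service file named in step 5.

```shell
#!/bin/sh
# Added example: keep "nocanon" on balancer ProxyPass lines of a proxy
# service file and detect when a configuration push has removed it.
# Function names and the sample file below are constructed.

# A ProxyPass line that points at a balancer (as in step 3).
PP_RE='^[[:space:]]*ProxyPass[[:space:]].*balancer://'
# "nocanon" as a whole word anywhere on the line.
NC_RE='(^|[[:space:]])nocanon([[:space:]]|$)'

# missing_nocanon FILE: print balancer ProxyPass lines that lack nocanon.
missing_nocanon() {
    grep -E "$PP_RE" "$1" | grep -Ev "$NC_RE"
}

# ensure_nocanon FILE: append nocanon only where it is missing, so that
# re-running it never produces "nocanon nocanon". Returns 1 if unreadable.
ensure_nocanon() {
    conf=$1
    [ -r "$conf" ] || return 1
    tmp=$(mktemp) || return 1
    sed -E "\\#${PP_RE}#{
        /${NC_RE}/!s/[[:space:]]*\$/ nocanon/
    }" "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample of a service file as regenerated by a push.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
AllowEncodedSlashes On
ProxyPass / balancer://bal_ssd/ lbmethod=byrequests stickysession=ZNPCQ003-32393400
ProxyPassReverse / balancer://bal_ssd/
EOF

missing_nocanon "$sample" || true   # reports the unpatched ProxyPass line
ensure_nocanon "$sample"
ensure_nocanon "$sample"            # second run leaves the file unchanged
cat "$sample"
```

Apache's mod_proxy documentation notes that nocanon removes the limited protection against URL-based attacks that the proxy normally provides, so apply it only to the proxy service whose web server requires the raw URL.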