Environment
NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
Situation
A NAM administrator is trying to add the following lines to the Access Gateway (AG) Advanced Options of a specific reverse proxy (RP). The way the AC parses the third line causes a configuration error when we restart Apache.
SSLProtocol All -SSLv2
SSLHonorCipherOrder On
SSLProxyCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:MEDIUM:!LOW:!EXP:!SSLv2:!aNULL:!EDH:!AESGCM:!eNULL:!NULL
All lines are applied to the vhost file of this RP except the very last one, which is completely missing.
// hosts.d/test-application.conf snippet of end of file
# Advanced Options
CacheIgnoreHeaders Authorization
SetEnvIf User-Agent ".*Mozilla.*"\
downgrade-1.0 force-response-1.0 no-gzip
SSLProtocol All -SSLv2
SSLHonorCipherOrder On
</VirtualHost>
This only seems to happen with a domain-based proxy. If I add the same settings to the Advanced Options of a path-based proxy, they are written correctly.
// path based vhost file snippet
# Advanced Options
SSLProtocol All -SSLv2
SSLHonorCipherOrder On
SSLProxyCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:MEDIUM:!LOW:!EXP:!SSLv2:!aNULL:!EDH:!AESGCM:!eNULL:!NULL
Resolution
Apply NAM 4.3 SP2 patch.
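A post-apply check for the symptom described above, added here as an example and not taken from NetIQ or the product: it lists every expected Advanced Options line that is absent from a generated vhost file. The function name, the file of expected lines and the argument order are assumptions.

```shell
#!/bin/sh
# Added example: report Advanced Options directives missing from a vhost file.
# Usage (paths are the caller's choice): sh check.sh EXPECTED_FILE VHOST_FILE
#   EXPECTED_FILE: the lines entered in the AG Advanced Options, one per line
#   VHOST_FILE:    the generated vhost file, e.g. a file under hosts.d/

# Prints "MISSING: <line>" for each expected line not found after the last
# "# Advanced Options" marker in the vhost file. Returns 0 if none are missing.
missing_directives() {
    expected=$1
    vhost=$2
    # Collect the trimmed lines that follow the last "# Advanced Options" marker.
    section=$(awk '
        /^[ \t]*# Advanced Options[ \t]*$/ { buf = ""; seen = 1; next }
        seen { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); buf = buf $0 "\n" }
        END { printf "%s", buf }
    ' "$vhost")
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim whitespace, then skip blank lines and comments.
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in ''|'#'*) continue ;; esac
        # -F fixed string (cipher lists contain "!" and ":"), -x whole-line match.
        if ! printf '%s\n' "$section" | grep -Fxq -- "$line"; then
            printf 'MISSING: %s\n' "$line"
            missing=1
        fi
    done < "$expected"
    return $missing
}

if [ "$#" -eq 2 ]; then
    missing_directives "$1" "$2"
fi
```

A whole-line match is used so that a truncated or partially written cipher list is also reported as missing.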