Thread: Any experience with IDM 4.0.1 and F5-LTM (SSL Proxy) configu

  1. #1

    Any experience with IDM 4.0.1 and F5-LTM (SSL Proxy) configu


    Are there users out there who have experience with NetIQ IDM 4.0.x (or
    earlier) configurations where SSL processing is performed by external
    appliances, which also provide high availability / load balancing
    functions?

    We are in the midst of establishing such an environment and have run
    into a few stumbling blocks. We've found work-arounds for issues such as
    NCP and NAT, but are confounded by a problem with the UserApp and the
    Reporting Module which we have set up under JBoss -- the UserApp seems to
    work well enough alone, but the Reporting App doesn't seem to like
    working behind an SSL accelerator such as the F5 LTM (9.4.8) -- where the
    SSL connection is between the client browser and the F5 appliance, but
    the connection between the F5 and the IDM UserApp is cleartext, and
    essentially proxied.

    We modified the default connector config:
    novell/idm/jboss/server/IDMProv/deploy/jbossweb.sar/server.xml

    from:
    <Connector protocol="HTTP/1.1" port="8080"
    address="${jboss.bind.address}"
    connectionTimeout="20000" redirectPort="8443" />

    to:

    <Connector protocol="HTTP/1.1" port="8080"
    address="${jboss.bind.address}"
    connectionTimeout="20000" redirectPort="8443"
    scheme="https" secure="true" proxyName="idmdev.bc.edu"
    proxyPort="443"/>

    But this isn't sufficient, and results in an error with authentication
    token results:

    The authentication server is invalid:
    https://idmdev.bc.edu:443/IDMRPT-AUTH/auth/tokens

    Has anyone run into a similar issue or have a suggestion?

    Cheers,
    David Mak
    Boston College


    --
    davidmakbc
    ------------------------------------------------------------------------
    davidmakbc's Profile: http://forums.novell.com/member.php?userid=118358
    View this thread: http://forums.novell.com/showthread.php?t=455218
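
What the two connector variants in the post above change, as an added example that is not part of the original post or NetIQ's code: it derives the origin a servlet would see from each `<Connector>` and audits the attributes for an SSL-offload setup. The function names and the Host header `appserver.example:8080` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The two <Connector> variants quoted in the post, embedded verbatim.
BEFORE = """<Connector protocol="HTTP/1.1" port="8080"
  address="${jboss.bind.address}"
  connectionTimeout="20000" redirectPort="8443" />"""
AFTER = """<Connector protocol="HTTP/1.1" port="8080"
  address="${jboss.bind.address}"
  connectionTimeout="20000" redirectPort="8443"
  scheme="https" secure="true" proxyName="idmdev.bc.edu"
  proxyPort="443"/>"""

def advertised_origin(connector_xml, host_header):
    """Origin a servlet sees through getScheme/getServerName/getServerPort."""
    c = ET.fromstring(connector_xml)
    scheme = c.get("scheme", "http")
    host, _, port = host_header.partition(":")
    port = port or ("443" if scheme == "https" else "80")
    # proxyName/proxyPort, when set, replace what the Host header supplied.
    return "%s://%s:%s" % (scheme, c.get("proxyName", host), c.get("proxyPort", port))

def offload_findings(connector_xml):
    """Audit one connector that sits behind a TLS-terminating proxy."""
    c = ET.fromstring(connector_xml)
    out = []
    if c.get("scheme", "http") != "https":
        out.append("scheme: links and redirects are built as http://")
    if c.get("secure", "false") != "true":
        out.append("secure: isSecure() is false for proxied HTTPS requests")
    if not (c.get("proxyName") and c.get("proxyPort")):
        out.append("proxyName/proxyPort: host and port follow the Host header")
    if c.get("secure") == "true" and c.get("SSLEnabled", "false") != "true":
        # The connector vouches for TLS it does not perform itself.
        out.append("trust: limit port %s to the proxy's address" % c.get("port"))
    return out

if __name__ == "__main__":
    host = "appserver.example:8080"  # constructed Host header
    for label, xml in (("from", BEFORE), ("to", AFTER)):
        print(label, advertised_origin(xml, host))
        for finding in offload_findings(xml):
            print("   ", finding)
```

The origin computed for the modified connector is the same `https://idmdev.bc.edu:443` prefix that appears in the quoted error, and the remaining finding is the trade-off of `secure="true"` on a cleartext port: anything that can reach 8080 directly is treated as having arrived over TLS.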


  2. #2
    Steven Williams NNTP User

    Re: Any experience with IDM 4.0.1 and F5-LTM (SSL Proxy) configu

    On 04/27/2012 04:26 PM, davidmakbc wrote:
    >
    > Are there users out there who have experience with NetIQ IDM 4.0.x (or
    > earlier) configurations where SSL processing is performed by external
    > appliances, which also provide high availability / load balancing
    > functions?
    >
    > We are in the midst of establishing such an environment and have run
    > into a few stumbling blocks. We've found work-arounds for issues such as
    > NCP and NAT, but are confounded by a problem with the UserApp and the
    > Reporting Module which we have set up under JBoss -- the UserApp seems to
    > work well enough alone, but the Reporting App doesn't seem to like
    > working behind an SSL accelerator such as the F5 LTM (9.4.8) -- where the
    > SSL connection is between the client browser and the F5 appliance, but
    > the connection between the F5 and the IDM UserApp is cleartext, and
    > essentially proxied.
    >
    > We modified the default connector config:
    > novell/idm/jboss/server/IDMProv/deploy/jbossweb.sar/server.xml
    >
    > from:
    > <Connector protocol="HTTP/1.1" port="8080"
    > address="${jboss.bind.address}"
    > connectionTimeout="20000" redirectPort="8443" />
    >
    > to:
    >
    > <Connector protocol="HTTP/1.1" port="8080"
    > address="${jboss.bind.address}"
    > connectionTimeout="20000" redirectPort="8443"
    > scheme="https" secure="true" proxyName="idmdev.bc.edu"
    > proxyPort="443"/>
    >
    > But this isn't sufficient, and results in an error with authentication
    > token results:
    >
    > The authentication server is invalid:
    > https://idmdev.bc.edu:443/IDMRPT-AUTH/auth/tokens
    >
    > Has anyone run into a similar issue or have a suggestion?
    >
    > Cheers,
    > David Mak
    > Boston College
    >
    >

    Greetings David,
    You are experiencing a known issue with the Reporting module where
    it will not work on ports 80 or 443. This issue will be resolved in the
    next Public Patch for the 401 release.

    --
    Sincerely,
    Steven Williams
    Lead Software Engineer
    NetIQ

  3. #3
    Steven Williams NNTP User

    Re: Any experience with IDM 4.0.1 and F5-LTM (SSL Proxy) configu

    On 04/27/2012 08:20 PM, Steven Williams wrote:
    > On 04/27/2012 04:26 PM, davidmakbc wrote:
    >>
    >> Are there users out there who have experience with NetIQ IDM 4.0.x (or
    >> earlier) configurations where SSL processing is performed by external
    >> appliances, which also provide high availability / load balancing
    >> functions?
    >>
    >> We are in the midst of establishing such an environment and have run
    >> into a few stumbling blocks. We've found work-arounds for issues such as
    >> NCP and NAT, but are confounded by a problem with the UserApp and the
    >> Reporting Module which we have set up under JBoss -- the UserApp seems to
    >> work well enough alone, but the Reporting App doesn't seem to like
    >> working behind an SSL accelerator such as the F5 LTM (9.4.8) -- where the
    >> SSL connection is between the client browser and the F5 appliance, but
    >> the connection between the F5 and the IDM UserApp is cleartext, and
    >> essentially proxied.
    >>
    >> We modified the default connector config:
    >> novell/idm/jboss/server/IDMProv/deploy/jbossweb.sar/server.xml
    >>
    >> from:
    >> <Connector protocol="HTTP/1.1" port="8080"
    >> address="${jboss.bind.address}"
    >> connectionTimeout="20000" redirectPort="8443" />
    >>
    >> to:
    >>
    >> <Connector protocol="HTTP/1.1" port="8080"
    >> address="${jboss.bind.address}"
    >> connectionTimeout="20000" redirectPort="8443"
    >> scheme="https" secure="true" proxyName="idmdev.bc.edu"
    >> proxyPort="443"/>
    >>
    >> But this isn't sufficient, and results in an error with authentication
    >> token results:
    >>
    >> The authentication server is invalid:
    >> https://idmdev.bc.edu:443/IDMRPT-AUTH/auth/tokens
    >>
    >> Has anyone run into a similar issue or have a suggestion?
    >>
    >> Cheers,
    >> David Mak
    >> Boston College
    >>
    >>

    > Greetings David,
    > You are experiencing a known issue with the Reporting module where it
    > will not work on ports 80 or 443. This issue will be resolved in the
    > next Public Patch for the 401 release.
    >

    Greetings David,
    This was outlined in the thread "IDM 4.01 Reporting Module Login Error".

    --
    Sincerely,
    Steven Williams
    Lead Software Engineer
    NetIQ

  4. #4

    Re: Any experience with IDM 4.0.1 and F5-LTM (SSL Proxy) configu


    Thank you Steven for the information. Do you know if an early access
    patch is available via a SR (Service Request)?

    Thank you,
    David


    --
    davidmakbc


  5. #5
    Steven Williams NNTP User

    Re: Any experience with IDM 4.0.1 and F5-LTM (SSL Proxy) configu

    On 04/30/2012 11:16 AM, davidmakbc wrote:
    >
    > Thank you Steven for the information. Do you know if an early access
    > patch is available via a SR (Service Request)?
    >
    > Thank you,
    > David
    >
    >

    Greetings David,
    Yes.

    --
    Sincerely,
    Steven Williams
    Lead Software Engineer
    NetIQ
