I'm having some weird problems with SOAP backchannel traffic between
multiple AGs (Linux AG service 4.1.2.0-23). Whenever an AG needs to
execute a locally enabled policy (Identity Injection) and the ESP does
not have the information cached, it will query the authoritative ESP
(the AG ESP that was originally involved in authenticating the user and
so establishing the user session) via SOAP, which results in a hostname
certificate mismatch.

I have troubleshot the actual steps:

1) The backchannel traffic for identifying which ESP in the cluster
holds the user session details succeeds:


Code:
--------------------

<amLogEntry> 2016-12-22T15:01:16Z DEBUG NIDS Application:
Method: DMessageBus.A
Thread: ajp-nio-127.0.0.1-9009-exec-14
Sending DMessageBus Message: Mode: Get All: Destination: All Cluster Members
DMessageExistsCacheObject:
Status: success
Status Description: null
Source Ip: 1.2.3.185
Id: 6F00D89BEEF3B77E0A0445D81DA26EB6
Type: 2
</amLogEntry>

<amLogEntry> 2016-12-22T15:01:16Z DEBUG NIDS Application:
Method: DMessageBus.A
Thread: ajp-nio-127.0.0.1-9009-exec-14
DMessageBus Message Response: Elapsed Millis: 3, Count: 1
Response #0: from member 1.2.3.184.
Was Received: true
Was Suspected: false
Response Message:
DMessageExistsCacheObjectResponse:
Status: success
Status Description: null
Source Ip: 1.2.3.184
Exists: true
</amLogEntry>

<amLogEntry> 2016-12-22T15:01:16Z DEBUG NIDS Application:
Method: DMessageBus.A
Thread: ajp-nio-127.0.0.1-9009-exec-14
Actual response objects returned: 1 </amLogEntry>

<amLogEntry> 2016-12-22T15:01:16Z DEBUG NIDS Application:
Method: NIDPProxyableServlet.locateSession
Thread: ajp-nio-127.0.0.1-9009-exec-14
Remote response received: DMessageExistsCacheObjectResponse:
Status: success
Status Description: null
Source Ip: 1.2.3.184
Exists: true
</amLogEntry>

--------------------


2) However, the resulting IP (and not the hostname) is directly used for
proxying the SOAP request to the authoritative ESP to try and
evaluate the information required to satisfy the policy:


Code:
--------------------

<amLogEntry> 2016-12-22T15:01:16Z DEBUG NIDS Application:
Method: BasicSoapInformationContext.A
Thread: ajp-nio-127.0.0.1-9009-exec-14
Initiating remote SOAP request to gather user attributes for policy evaluation. URL: https://1.2.3.184:443/nesp/app/soap </amLogEntry>

<amLogEntry> 2016-12-22T15:01:16Z VERBOSE NIDS Application: Attempting to connect to URL: https://1.2.3.184:443/nesp/app/soap via POST </amLogEntry>

<amLogEntry> 2016-12-22T15:01:16Z DEBUG NIDS Application:
Method: NIDPProxyableHostNameVerifier.verify
Thread: ajp-nio-127.0.0.1-9009-exec-14
My Certificate: Issuer: CN=TERENA SSL CA 3, O=TERENA, L=Amsterdam, ST=Noord-Holland, C=NL, Subject: CN=www.protectedresource.nl, O=MyCompany, L=MyCity, ST=MyState, C=NL </amLogEntry>

<amLogEntry> 2016-12-22T15:01:16Z DEBUG NIDS Application:
Method: NIDPProxyableHostNameVerifier.verify
Thread: ajp-nio-127.0.0.1-9009-exec-14
Peer Certificate #0: Issuer: CN=TERENA SSL CA 3, O=TERENA, L=Amsterdam, ST=Noord-Holland, C=NL, Subject: CN=esp.domain.nl, O=MyCompany, L=MyCity, ST=MyState, C=NL </amLogEntry>

<amLogEntry> 2016-12-22T15:01:16Z DEBUG NIDS Application:
Method: NIDPProxyableHostNameVerifier.verify
Thread: ajp-nio-127.0.0.1-9009-exec-14
Peer Certificate #1: Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US, Subject: CN=TERENA SSL CA 3, O=TERENA, L=Amsterdam, ST=Noord-Holland, C=NL </amLogEntry>

<amLogEntry> 2016-12-22T15:01:16Z DEBUG NIDS Application:
Method: NIDPProxyableHostNameVerifier.verify
Thread: ajp-nio-127.0.0.1-9009-exec-14
Peer Certificate #2: Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US, Subject: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US </amLogEntry>

<amLogEntry> 2016-12-22T15:01:16Z DEBUG NIDS Application:
Method: NIDPProxyableHostNameVerifier.verify
Thread: ajp-nio-127.0.0.1-9009-exec-14
Match NOT Found! </amLogEntry>

<amLogEntry> 2016-12-22T15:01:16Z DEBUG NIDS Application:
Method: URLUtil.connectToURL
Thread: ajp-nio-127.0.0.1-9009-exec-14
Error connecting to URL HTTPS hostname wrong: should be <1.2.3.184> </amLogEntry>

<amLogEntry> 2016-12-22T15:01:16Z WARNING NIDS Application: AM#501101054: AMDEVICEID#esp-B7A926ACF000EFF1: AMAUTHID#6F00D89BEEF3B77E0A0445D81DA26EB6: PolicyID#69MM8L05-1P30-85L5-11OO-8PML11N54395: NXPESID#9055: Error retrieving data from cluster: cluster member -1.2.3.184
Exception message: "HTTPS hostname wrong: should be <1.2.3.184>"
y, Line: 3011, Method: connectToURL
y, Line: 655, Method: connectToURL
y, Line: 1890, Method: A
y, Line: 2125, Method: doSOAPRequest
y, Line: 2093, Method: A
y, Line: 2218, Method: setContextData
y, Line: 135, Method: evaluate
y, Line: 40, Method: A
y, Line: 2419, Method: processSoapRequest
y, Line: 964, Method: I
y, Line: 1774, Method: processSOAPRequest
y, Line: 840, Method: handleSOAPCommand
y, Line: 1766, Method: handleSOAPMessage
y, Line: 1498, Method: handleRequest
y, Line: 2066, Method: myDoGet
y, Line: 821, Method: doGet
y, Line: 3510, Method: doPost
HttpServlet.java, Line: 648, Method: service
HttpServlet.java, Line: 729, Method: service
ApplicationFilterChain.java, Line: 291, Method: internalDoFilter
ApplicationFilterChain.java, Line: 206, Method: doFilter
WsFilter.java, Line: 52, Method: doFilter
ApplicationFilterChain.java, Line: 239, Method: internalDoFilter
ApplicationFilterChain.java, Line: 206, Method: doFilter
FilterChainInvocation.java, Line: 66, Method: doFilter
FilterDefinition.java, Line: 168, Method: doFilter
FilterChainInvocation.java, Line: 58, Method: doFilter
ManagedFilterPipeline.java, Line: 118, Method: dispatch
GuiceFilter.java, Line: 113, Method: doFilter
ApplicationFilterChain.java, Line: 239, Method: internalDoFilter
ApplicationFilterChain.java, Line: 206, Method: doFilter
StandardWrapperValve.java, Line: 219, Method: invoke
StandardContextValve.java, Line: 106, Method: invoke
AuthenticatorBase.java, Line: 502, Method: invoke
StandardHostValve.java, Line: 142, Method: invoke
ErrorReportValve.java, Line: 79, Method: invoke
StandardEngineValve.java, Line: 88, Method: invoke
CoyoteAdapter.java, Line: 518, Method: service
AbstractAjpProcessor.java, Line: 844, Method: process
AbstractProtocol.java, Line: 668, Method: process
NioEndpoint.java, Line: 1527, Method: doRun
NioEndpoint.java, Line: 1484, Method: run
ThreadPoolExecutor.java, Line: 1142, Method: runWorker
ThreadPoolExecutor.java, Line: 617, Method: run
TaskThread.java, Line: 61, Method: run
Thread.java, Line: 745, Method: run
</amLogEntry>

--------------------


My questions:

* Is this working as designed? If so, why does the documentation not
mention that you have to have your ESP IPs available as alt names within
the ESP certificate?
* How do I enable the SOAP backchannel to actually use hostnames (i.e.
via reverse resolving)?

Note: my ESP certificate has the host names of both AGs available via
alt names.


--
sveldhuisen
------------------------------------------------------------------------
sveldhuisen's Profile: https://forums.netiq.com/member.php?userid=1813
View this thread: https://forums.netiq.com/showthread.php?t=57104
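The failure in the log above ("HTTPS hostname wrong: should be <1.2.3.184>") comes from ordinary TLS hostname verification: when a client dials an IP literal, the verifier compares that IP against the certificate's iPAddress subject alternative names only; dNSName entries and the subject CN are never consulted for an IP target. The following Go program is an added illustration of that rule and is not code from the NetIQ Access Manager product or from the poster. It builds a throwaway self-signed certificate with the same kind of SAN list the post describes and asks Go's standard library verifier whether a given dial target would match. The AG host names `ag1.domain.nl` and `ag2.domain.nl` are placeholders (the post says the ESP certificate carries both AG host names but does not name them); `esp.domain.nl` and `1.2.3.184` are taken from the log entries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a short-lived self-signed server certificate carrying the
// given dNSName and iPAddress SANs. It stands in for the real ESP certificate
// (which is CA-issued) so the example runs offline; only the SAN contents
// matter for the hostname check being demonstrated.
func makeCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		// Subject mirrors the peer certificate seen in the log; modern
		// verifiers ignore the CN once any SAN is present.
		Subject:     pkix.Name{CommonName: "esp.domain.nl", Organization: []string{"MyCompany"}},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    dnsNames,
		IPAddresses: ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostMatches reports whether a certificate issued with the given dNSName and
// iPAddress SANs would pass hostname verification for the target string the
// client actually dialled (a DNS name or an IP literal). It uses the standard
// library's VerifyHostname, which applies the RFC 2818/6125 rule: an IP target
// is matched against iPAddress SANs only, a DNS target against dNSName SANs.
func HostMatches(dnsNames []string, ips []string, target string) (bool, error) {
	var parsed []net.IP
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return false, fmt.Errorf("not an IP address: %q", s)
		}
		parsed = append(parsed, ip)
	}
	cert, err := makeCert(dnsNames, parsed)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(target) == nil, nil
}

func main() {
	// Constructed SAN list modelled on the post: ESP name plus both AG names,
	// no IP entries.
	sans := []string{"esp.domain.nl", "ag1.domain.nl", "ag2.domain.nl"}

	cases := []struct {
		ips    []string
		target string
	}{
		{nil, "esp.domain.nl"},                 // dialled by name: matches
		{nil, "1.2.3.184"},                     // dialled by IP, no IP SAN: fails, as in the log
		{[]string{"1.2.3.184"}, "1.2.3.184"},   // same IP with an iPAddress SAN added: matches
		{nil, "other.domain.nl"},               // name absent from the SAN list: fails
	}
	for _, c := range cases {
		ok, err := HostMatches(sans, c.ips, c.target)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("target %-16s ip SANs %-14v match=%v\n", c.target, c.ips, ok)
	}
}
```

The second case reproduces the post's situation: every host name is present as a dNSName, yet the connection to `https://1.2.3.184:443/...` is rejected because the verifier is only willing to match an IP literal against an iPAddress SAN. The third case shows the two ways out that follow from the rule: either the backchannel dials a name that appears as a dNSName, or the certificate additionally carries the ESP's IP as an iPAddress SAN.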