I have setup IBM MobileFirst 7.0 with IBM HTTPServer. HTTPServer only listens for SSL traffic on 443 (no requests over http on port 80 are being processed). The plugin-cfg.xml is directing the /appcenterconsole URLs to the WebSphere Liberty server running the MobileFirst app.
At first, the App Center console loaded and I could login, but any calls to /appcenterconsole/services/* were getting a certificate chain error. I fixed this by adding the http server's certificate to the Liberty keystore. After executing this change, the behavior changed such that on login to App Center, the user immediately receives a 'Your session has expired' message and is sent back to the login page.
Why is my session getting lost? The HTTP server has a JSESIONID for requests to /appcenterconsole/*.
Can the HTTP plugin send the traffic over http to the Liberty server to avoid the SSL chain issue?
This looks like an SSO (Single Sign On) problem. There are two web application, AppCenterConsole and AppCenterServices, and both require authentication, hence they should be set up with SSO. It seems you reach the AppCenterConsole but not the AppCenterService.
Liberty has SSO by default, but if you are using multiple servers, ensure that you have followed the instructions Configuring LTPA on the Liberty profile in the Websphere Liberty Profile documentation.
Alternatively, you can set the JNDI property ibm.appcenter.ui.cors to false for the AppCenterConsole. This will avoid the redirection of requests from the AppCenterConsole to the AppCenterService. If it doesn't already fix the problem, then at least it will produce a better error message with a stack trace that points to the real problem.
Related
I am running Keycloak on an OpenShift project, and I have 4 pods running:
keycloak (v8.0.1 configured to listen on 8443 with TLS),
keycloakdb (PostgreSQL DB),
proxy (Apache 2.4 reverse proxy), and
portal (our app that we developed to handle connecting to other applications).
The keycloak pod also contains two jar files that we “borrowed” that implements PKI authentication as part of the log on.
The routes configured in OpenShift are
apache: tcp/443 to tcp/8443 on the apache pod
keycloak: tcp/443 to tcp/8443 on the keycloak pod, and
Current state:
A connection to https://proxy.domain.com is redirected to https://keycloak.domain.com for authentication
https://keycloak/domain.com which requests my certificate for a 2-way TLS authentication
then redirected to https://keycloak.domain.com/auth/auth?response_type=code&scope=openid&client=potal&state=&redirect_uri=https://proxy.domain.com/redirect_uri&nonce=
The browser displays a page which give details of my certificate and my user account name with a button to continue
Clicking the continue button, POSTs to https://keycloak.domain.com
The browser is then redirected to https://proxy.domain.com:8443
Since there is no route to https://proxy.domain.com:8443 the connection times out.
The question is how do I get keycloak to redirect the browser to https://proxy.domain.com on tcp/443?
For redirecting to particular URL after authentication, you can use URL redirection setting in client settings.
The problem is the redirect_uri in the authentication request. It points to proxy.domain.com instead to the portal.
The redirect_uriis set by the OAuth 2.0 client code in the portal. Probably, the portal software thinks its own URL starts with proxy.domain.com.
So investigate and fix the OAuth 2.0 code in the portal (probably just a configuration issue).
We have OpenAM plugin for Apache Http server.
Here Apache Http server works as reverse-proxy.
OpenAM plugin validates user requests for authentication and authorisation then forwards the requests to service.
This works fine for some days. But suddenly, OpenAM plugin fails to authenticate and authorise and requests directly goes to service.
Only fix is to restart the Apache HTTP server.
But this is not the correct fix. We would like to find the real route cause of this problem and fix. There is no logging reported from http server.
Thanks.
There is no logs reported. Totally clueless. It is happening once in two days or >so.
You should set the Agent level to message and check the debug.log (in agent root --> instances --> debu --> debug.log) and trace the requests in the agent log files that are not working. There may also be relevant information in the system logs in the agent root log folders.
But suddenly, OpenAM plugin fails to authenticate and authorise and requests
directly goes to service.
What HTTP status code is returned during this period? By default, if the Agent cannot communicate to AM for policy advice (unless it has preconfigured fallback not enforced URLs) will be to 403 each request. You'd really need to check your debug and apache access logs to look at these requests hitting the reverse proxy (or whether they hit them at all).
We have a couple of back-end web applications to which we want to provide access via the public internet. To that end, we are setting up a reverse proxy (IIS 7.5) from our DMZ. At the same time, we want these web applications to be claims-enabled through ADFS 2.0.
WEB1.MYCORP.COM/WFE1 is the other back-end web application, on our internal network
WEB1.MYCORP.COM/WFE2 is the other back-end web application, on our internal network
ADFS.MYCORP.COM is the ADFS 2.0 server, on our internal network
FSPROXY.MYCORP.COM is the ADFS 2.0 proxy server, on our DMZ
RPROXY1.MYCORP.COM is the reverse proxy for WFE1, on our DMZ
RPROXY2.MYCORP.COM is the reverse proxy for WFE2, on our DMZ
In keeping with the proper configuration of ADFS, our internal DNS resolves ADFS.MYCORP.COM to the actual internal server, while external DNS points ADFS.MYCORP.COM to the ADFS proxy (FSPROXY).
So, here's the scenario:
End user browses to RPROXY.MYCORP.COM
Reverse proxy forwards request to WEB1.MYCORP.COM/WFE1
WFE1 redirects browser to ADFS.MYCORP.COM (actually FSPROXY)
ADFS Proxy prompts for credentials and authenticates against ADFS server
Upon successful authentication, browser redirected back to web app
I have a couple of questions. Do I need to configure something in the rp or the application to allow this. Also the adfs endpoint is the rp url is that an issue?
Do I need to set up something for the reverse proxy as well? (Should I/can I) set up a claims-enabled reverse proxy in IIS? How do I set up the reverse proxy rules to pass back the ADFS request unaltered? Currently, when I try to access the back-end application, it fails with a 401 authentication error. If I remove the proxy and just hit the app server it works fine.
Further,
This fails:
The path is client --> rp -->app -->adfs --> rp -->app --> rp -->client machine
this works:
The path is client -->rp -->app -->adfs -->app -->rp -->client machine
Any suggestions would be greatly appreciated!
Not familiar with how you enabled reverse proxy in IIS (ARR?). Something like this http://blogs.iis.net/carlosag/setting-up-a-reverse-proxy-using-iis-url-rewrite-and-arr
One choice for you is to use ADFS 2012R2 (if possible) because the proxy in that, the Web Application Proxy, handles both ADFS authentication and can handle app publishing for your claims enabled application. There are 2 ways you can publish your app to the internet. Once is pass-through which is kinda what you are trying to do. But it also allows pre-authentication support for a claims aware app. This way, you can have a different policy that decides whether the application can get pass your EDGE network before a packet goes to your internal application.
After doing lots of digging and fiddler traces I found the issue. In testing idp setup the token was different then stage env. The fiddler traces showed that the token was making it back to the app server. The issue was it also looked like the cookie dropped off for no reason. The issue was because the old dev ipd value disagreed with the stage value...naturally. Once I cleared the old token from the database everything worked.
Recently we have configured SSL to open WSS on our RESTCOMM server, as we got the issue of "getUserMedia()" deprecation issue because of insecure origin issue by chromium fix.
We managed to get WSS working and we can open RESTCOM Admin portal via HTTPs over 8443 port and even OLYMPUS is working too.
But because we have configured a SSL on RESTCOM Server i think even the REST Client API calls need to be on HTTPS too. Am icorrect?
Becuase when we use the HTTP based URLs for programmatically adding clients by invoking REST Client APIs of RESTCOMM, then we are getting SSl certificate issues and the reason for this i think is that we have configured SSL cert to address the getUserMedia() security issue by CHROMIUM fix.
can i request any solution or work around for this pls.
thanks in advance
ias
I have configured JBoss with HTTPS connector only. Now I have problem, that in case I'm using HTTP request to HTTPS connector, it returns page with one ASCII character, instead of some error page, for example 505 or something else what can user inform, about invalid request.
There is no used Apache nor any other web server, where some rules for URL rewriting could apply. Also often used change in web.xml with <transport-guarantee>CONFIDENTIAL</transport-guarantee> tag do not solve this problem, as there must be HTTP request, which is then redirected to HTTPS based on "redirectPort" param in connector configuration and in this case there is not plan to use any other port and it is not possible to combine HTTP and HTTPS listener together on one port.
Is there some way how to configure SSL listener, that way, that it refuse HTTP request, or automatically change to HTTPS?
JBoss 5.1.0
Your browser uses HTTP to talk to server, but on the server side is the security layer (around the HTTP) and it wants to do a SSL/TLS handshake. So the communication fails because client doesn't know about the security on the other side.
The client (browser) receives error message (binary data) from server. The client doesn't know what to do with them, so it presents them to a user as a web page content.
RFC-5246 states:
Error handling in the TLS Handshake protocol is very simple. When an
error is detected, the detecting party sends a message to the other
party. Upon transmission or receipt of a fatal alert message, both
parties immediately close the connection.
Undertow - a new web server in WildFly - is able to do HTTP Upgrade. But I'm not sure if the upgrade to SSL/TLS is already supported. Nevertheless, the problem with this scenario could be on the browser side.