Configuring a Dual Connector Setup in a Single-Node Identity Server Environment

IMPORTANT: Add the DNS name of the second connector to the browser's exception list or proxy settings.

You can specify the port and URL name as appropriate for your environment. The URL name and port number used in the following procedure are examples.

Prerequisite: You must have a parent domain and a sub-domain.

For example, you must have the following domains:

Parent Domain: https://240onbox.nam.example.com:8443/nidp/

Sub-Domain: https://onbox.nam.example.com:8443/

To create a sub-domain, add a secondary Ethernet interface to the Identity Server with the IP address to which you want the sub-domain to resolve.

Perform the following steps to configure a dual connector setup:

  1. Open Identity Server’s server.xml file.

    For information about how to open and modify a file, see Modifying Configurations.

    1. Search for the <Connector NIDP_Name="connector" string and create a copy of the existing connector in the same file.

    2. In the new connector, change the port number to 8448.

    3. Change the clientAuth="false" string to clientAuth="want".

    4. Add protocol="org.apache.coyote.http11.Http11NioProtocol".

  2. Open Identity Server’s context.xml file.

    For information about how to open and modify a file, see Modifying Configurations.

    1. Set the same session cookie for all sub-domains. Ensure that the path is set to "/" as follows:

      <?xml version="1.0" encoding="UTF-8"?>
      <Context sessionCookiePath="/" sessionCookieDomain=".nam.example.com">
        <!-- Disable session persistence across Tomcat restarts -->
        <Manager pathname="" saveOnRestart="false"/>
      </Context>

    2. Uncomment the following string:

      <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

  3. Change the session proxying settings so that this cookie is set for the domain.

    1. Navigate to Devices > Identity Servers > Edit > Options.

    2. Click New and specify the following details:

      Property Name: CLUSTER COOKIE DOMAIN

      Property Value: nam.example.com

      Property Name: CLUSTER COOKIE PATH

      Property Value: /nidp

      NOTE: Before proceeding to the next step, ensure that you have configured the X.509 class, method, and contract. For more information, see Mutual SSL (X.509) Authentication.

  4. Navigate to Devices > Identity Servers > Edit > Options.

  5. Select the X.509 authentication method and click New under Properties.

  6. Specify the following details:

    Property Name: CONNECTOR_HOST

    Property Value: https://onbox.nam.example.com:8448

    NOTE: Do not add a / after the port number.

    For X.509 class-based redirection, this property redirects X.509 authentication to the new connector. The DNS name onbox is the sub-domain described in the prerequisite.

    Use a wildcard name for the Identity Server certificate. For example, *.nam.example.com.
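As an added example that is not part of this documentation: a small Python script that parses a server.xml and a context.xml and checks the edits from steps 1 and 2 (a second NIDP connector on 8448 with clientAuth="want" and the NIO protocol; sessionCookiePath="/", the cookie domain, and the uncommented LegacyCookieProcessor), and also checks a CONNECTOR_HOST value from step 6 for the trailing slash the note warns about. The embedded XML is constructed sample content; real files carry more attributes, and any connector attribute other than the ones the procedure names is an assumption.

```python
"""Offline sanity check for the dual-connector edits (added example, not part
of the original documentation). The sample XML below is constructed; real
server.xml and context.xml files contain more attributes than shown here."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"
LEGACY_COOKIE_PROCESSOR = "org.apache.tomcat.util.http.LegacyCookieProcessor"

# Constructed sample: the default connector on 8443 plus its copy on 8448.
# Attributes other than NIDP_Name, port, clientAuth and protocol are assumed.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector NIDP_Name="connector" port="8443" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false" sslProtocol="TLS"/>
    <Connector NIDP_Name="connector" port="8448" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="want" sslProtocol="TLS"
               protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  </Service>
</Server>
"""

# Constructed sample context.xml after step 2.
SAMPLE_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context sessionCookiePath="/" sessionCookieDomain=".nam.example.com">
  <!-- Disable session persistence across Tomcat restarts -->
  <Manager pathname="" saveOnRestart="false"/>
  <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
</Context>
"""


def check_server_xml(xml_text: str, second_port: str = "8448") -> list:
    """Return the problems found with the second connector (empty list if OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    connectors = [c for c in root.iter("Connector") if c.get("NIDP_Name") == "connector"]
    if len(connectors) < 2:
        problems.append("expected a copy of the NIDP connector; found %d" % len(connectors))
    ports = [c.get("port") for c in connectors]
    if len(ports) != len(set(ports)):
        problems.append("connectors share a port: %s" % ports)
    second = [c for c in connectors if c.get("port") == second_port]
    if not second:
        problems.append("no connector listening on port %s" % second_port)
        return problems
    conn = second[0]
    if conn.get("clientAuth") != "want":
        problems.append('connector %s: clientAuth is %r, expected "want"'
                        % (second_port, conn.get("clientAuth")))
    if conn.get("protocol") != NIO_PROTOCOL:
        problems.append("connector %s: protocol is %r, expected %s"
                        % (second_port, conn.get("protocol"), NIO_PROTOCOL))
    return problems


def check_context_xml(xml_text: str, cookie_domain: str = ".nam.example.com") -> list:
    """Return the problems found with the session cookie settings (empty list if OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "Context":
        return ["root element is %r, expected Context" % root.tag]
    if root.get("sessionCookiePath") != "/":
        problems.append('sessionCookiePath is %r, expected "/"' % root.get("sessionCookiePath"))
    if root.get("sessionCookieDomain") != cookie_domain:
        problems.append("sessionCookieDomain is %r, expected %s"
                        % (root.get("sessionCookieDomain"), cookie_domain))
    # ElementTree drops XML comments while parsing, so a CookieProcessor that is
    # still commented out is simply absent here, which is the condition to flag.
    processors = [p.get("className") for p in root.iter("CookieProcessor")]
    if LEGACY_COOKIE_PROCESSOR not in processors:
        problems.append("CookieProcessor %s is missing or still commented out" % LEGACY_COOKIE_PROCESSOR)
    return problems


def check_connector_host(value: str) -> list:
    """Check a CONNECTOR_HOST value such as https://onbox.nam.example.com:8448."""
    problems = []
    parts = urlsplit(value)
    if parts.scheme != "https":
        problems.append("scheme is %r, expected https" % parts.scheme)
    if parts.port is None:
        problems.append("no port number in %r" % value)
    if parts.path or value.endswith("/"):
        problems.append("remove the trailing path or slash from %r" % value)
    return problems


if __name__ == "__main__":
    for name, result in (("server.xml", check_server_xml(SAMPLE_SERVER_XML)),
                         ("context.xml", check_context_xml(SAMPLE_CONTEXT_XML)),
                         ("CONNECTOR_HOST", check_connector_host("https://onbox.nam.example.com:8448"))):
        print(name, "OK" if not result else "; ".join(result))
```

Run it against the real files by reading them into the two check functions; the CLUSTER COOKIE DOMAIN and CONNECTOR_HOST values live in the Administration Console rather than in these files, so only the latter is checked as a plain string here.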

Verify the configuration as follows:

Access the Identity Server URL in a browser that does not have the client certificate. Open the X.509 authentication card and verify the behavior. The browser must be redirected to the connector page and then back to the original page with an Access Manager error message or error code.