To enable Identity Server to communicate through a firewall, you can perform one of the following actions:
Open TCP ports 8080 or 8443. These are default ports used respectively for non-secure and secure communication with Identity Server.
Configure the Identity Server service to use the TCP port 80 or 443.
The Identity Server service (hosted on Tomcat) runs as a non-privileged user and cannot bind to ports below 1024. To allow requests to port 80/443 while Tomcat is listening on 8080/8443, the preferred approach is to use the iptables to perform a port translation. Port translation allows the base URL of Identity Server to be configured for port 443 and to listen on this port. The iptables translates it to port 8443 when communicating with Tomcat.
The following are two solutions out of many possibilities:
If you have disabled the SLES firewall and do not have any other Access Manager components installed on the same server along with Identity Server, use a simple iptables script to translate the ports. See Configuring a Simple Redirect Script.
If you have configured the SLES firewall or have installed other Access Manager components on the same server along with Identity Server, use a custom rule script that allows for multiple port translations. See Configuring iptables for Multiple Components.
For information about iptables, see “Iptable Tutorial 1.2.2” and “NAM Filters for iptables Commands”.
For both of these configurations (Configuring a Simple Redirect Script and Configuring iptables for Multiple Components) to work, you must enable port forwarding. To verify whether port forwarding is enabled, run the following command:
- cat /proc/sys/net/ipv4/ip_forward
If the value is 0, then port forwarding is not enabled.
To enable port forwarding, perform the following steps:
Run the following command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Verify the status.
For more information, see How To Forward Ports through a Linux Gateway with Iptables.
This simple solution works only if you are not using iptables to translate ports of other applications or other Access Manager components. For a solution that works with multiple components, see Configuring iptables for Multiple Components.
Ensure that you have enabled port forwarding. See Port Forwarding.
Perform the following steps to configure a simple redirect script:
Click Devices > Identity Server.
Select the Identity Server name and click Edit, and configure Base URL with HTTPS protocol and Port 443.
Click OK.
Update Identity Server.
At a terminal window, log in as the root user.
Create a unit configuration file to hold the iptables rule and place it in any directory. For example, /usr/bin/redirect-idp.
Ensure that it has execute rights. You can use CHMOD as appropriate.
NOTE:Do not create the file in the /etc/init.d directory because it may cause some issues. For information about the issues, see 13.3.3 System V Compatibility.
Copy the following example script and paste it in the file that you created in Step 6.
The following is an example of a redirect startup file:
#!/bin/sh # Copyright (c) 2010 Novell, Inc. # All rights reserved. # #! /bin/sh #! /etc/init.d/idp_8443_redirect # ### BEGIN INIT INFO # Provides: idp_8443_redirect # Required-Start: # Required-Stop: # Default-Start: 2 3 5 # Default-Stop: 0 1 6 # Description: Redirect 8443 to 443 for Novell IDP ### END INIT INFO # # Environment-specific variables. IPT_BIN=/usr/sbin/iptables INTF=eth0 ADDR=10.10.0.1 . /etc/rc.status
# First reset status of this service
rc_reset
case "$1" in
start)
echo -n "Starting IP Port redirection"
$IPT_BIN -t nat --flush
$IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 80 -j DNAT --to ${ADDR}:8080
$IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 -j DNAT --to ${ADDR}:8443
$IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 443 -j DNAT --to ${ADDR}:8443
$IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 80 -j DNAT --to ${ADDR}:8080
rc_status -v
;;
stop)
echo -n "Flushing all IP Port redirection rules"
$IPT_BIN -t nat --flush
rc_status -v
;;
restart)
$0 stop
$0 start
rc_status
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
rc_exit
For more information about init scripts for SLES 12, see “Managing Services in a Running System” in the SLES 12 Administration Guide.
Create a systemd service unit at /etc/systemd/system/<unit-name>.service. In this example unit-name is redirect-idp therefore, the service unit is /etc/systemd/system/redirect-idp.service.
Copy the following code and paste it in the service unit:
[Unit] Description=Novell AM-IDP-Redirection After=local-fs.target network.target [Service] Type=oneshot ExecStart=/usr/bin/redirect-idp start ExecStop=/usr/bin/redirect-idp stop RemainAfterExit=yes [Install] WantedBy=multi-user.target
Modify the service unit content as per requirement but ensure that ExecStart and ExecStop script points to the script that you created in the unit configuration file.
In this example, the scripts must include /usr/bin/redirect-idp.
Execute the following commands:
systemctl daemon-reload
systemctl enable <unit-name>.service
For example, systemctl enable redirect-idp.service
Reboot the Identity Server machine.
Verify that port 443 is being routed to Identity Server by running the following command:
iptables -t nat -nvL
The following is a sample entry:
pkts bytes target prot opt in out source destination 17 748 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.10.0.1:8443
This entry states that eth0 is routing TCP port 443 to IP address 10.10.0.1.
(Conditional) If your Identity Server cluster configuration contains more than one Identity Server, repeat these steps on each server in the cluster.
If you need to use iptables for multiple components (the host machine, Identity Server), centralize the commands into one manageable location. The following sections explain how to use the SuSEFirewall2 option in YaST to centralize the commands.
Identity Server requires pre-routing commands.
NOTE:Port forwarding must be enabled for this configuration to work. See Port Forwarding.
Click Devices > Identity Server > Edit, and configure Base URL with the HTTPS protocol and the TCP port 443.
Click OK.
Update Identity Server.
On Identity Server, edit the /etc/sysconfig/SuSEfirewall2 file.
Change the FW_CUSTOMRULES="" line to the following:
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
Save the changes and exit.
Open the /etc/sysconfig/scripts/SuSEfirewall2-custom file in an editor.
This is the custom rules file you specified in Step 4.
Add the following lines under the fw_custom_before_port_handling() section:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.0.1:8443 iptables -t nat -A OUTPUT -p tcp -o eth0 --dport 443 -j DNAT --to 10.10.0.1:8443 true
The first command rewrites all incoming requests with a destination TCP port of 443 to TCP port 8443 on the 10.10.0.1 IP address for eth0. Modify the IP address to match the IP address of your Identity Server.
The second command rewrites the health checks.
Save the file.
At the system console, restart the firewall by running the following command:
/etc/init.d/SuSEfirewall2_setup restart
Verify that port 443 is being routed to Identity Server by running the following command:
iptables -t nat -nvL
The following is a sample entry:
pkts bytes target prot opt in out source destination 17 748 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.10.0.1:8443
This entry states that eth0 is routing TCP port 443 to IP address 10.10.0.1:8443.
(Conditional) If your Identity Server cluster configuration contains more than one Identity Server, repeat these steps on each server in the cluster.