Configuring a Dual Connector Setup in a Single-Node Identity Server Environment

IMPORTANT: Add the DNS name of the second connector to the browser exception list or proxy settings.

You can specify the port and URL name as per your environment. The URL name and port number used in the following procedure are examples.

Prerequisite: You must have a parent domain and a sub-domain.

For example, you must have the following domains:

Parent Domain: https://240onbox.nam.example.com:8443/nidp/

Sub-Domain: https://onbox.nam.example.com:8443/

To create a sub-domain, create a secondary Ethernet interface on the Identity Server with the IP address that you want to use for the sub-domain.

Perform the following steps to configure a dual connector setup:

  1. Open Identity Server’s server.xml file.

    For information about how to open and modify a file, see Modifying Configurations.

    1. Search for the string <Connector NIDP_Name="connector" and create a copy of the existing connector element in the same file.

    2. In the new connector, change the port number to 8448.

    3. Change the clientAuth="false" string to clientAuth="want".

    4. Add protocol="HTTP/1.1" to the new connector for Apache Tomcat version 9.0.87.

      NOTE: Ensure that the Apache Tomcat version in use is compatible with Access Manager. To determine the installed Apache Tomcat version on the Access Manager server, run the following commands:

      cd /opt/novell/apache2/sbin
      grep "Tomcat Version" /opt/netiq/common/tomcat/RELEASE-NOTES

      For information on the HTTP connector protocols supported by your Apache Tomcat version, see https://tomcat.apache.org/.

  2. Open Identity Server’s context.xml file.

    For information about how to open and modify a file, see Modifying Configurations.

    1. Set the same session cookie for all sub-domains. Ensure that the path is set to "/" as follows:

      <?xml version="1.0" encoding="UTF-8"?>
      <Context sessionCookiePath="/" sessionCookieDomain=".nam.example.com">
        <!-- Disable session persistence across Tomcat restarts -->
        <Manager pathname="" saveOnRestart="false"/>
      </Context>

    2. Uncomment the following string:

      <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

  3. Configure session proxying so that this cookie is set for the cluster.

    1. On the Home page, click Identity Servers > [cluster name] > Configuration > Properties > Plus icon.

    2. Specify the following details:

      Property Name            Property Value
      CLUSTER COOKIE DOMAIN    nam.example.com
      CLUSTER COOKIE PATH      /nidp

      NOTE: Before proceeding to the next step, ensure that you have configured the X.509 class, method, and contract. For more information, see Mutual SSL (X.509) Authentication.

  4. On the Home page, click Identity Servers > [cluster name] > Authentication > Methods.

  5. Click the X.509 authentication method > Advanced Settings > Plus icon.

  6. Specify the following details:

    Field             Description
    Property Name     CONNECTOR_HOST
    Property Value    https://onbox.nam.example.com:8448

    NOTE: Do not add a / after the port number.

    For X.509 class-based redirection, this property redirects X.509 authentication to the new connector. The DNS name onbox is the sub-domain described in the prerequisite.

    Use a wildcard name for the Identity Server certificate, for example *.nam.example.com, so that the certificate is valid for both the parent domain and the sub-domain.

Verify the configuration as follows:

Access the Identity Server URL in a browser that does not have the client certificate installed. Open the X.509 authentication card and verify the behavior: the browser must be redirected to the new connector page and then back to the original page with an Access Manager error message or error code.
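The browser check above confirms the runtime behavior, but it does not tell you which of the file edits in steps 1 and 2 was missed when it fails. The following script is an added example, not part of this documentation or of Access Manager, that audits the server.xml and context.xml changes from steps 1 and 2 and the CONNECTOR_HOST value from step 6 before you test in a browser. The two XML fragments are constructed samples of what the files look like after the edits; the port numbers, cookie domain and connector URL are the example values used in this procedure.

```python
"""Audit a dual-connector Identity Server configuration (added example, not Access Manager code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LEGACY_COOKIE_PROCESSOR = "org.apache.tomcat.util.http.LegacyCookieProcessor"

# Constructed sample of the connector section of server.xml after step 1.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector NIDP_Name="connector" port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector NIDP_Name="connector" port="8448" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"/>
  </Service>
</Server>
"""

# Constructed sample of context.xml after step 2 (CookieProcessor already uncommented).
SAMPLE_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context sessionCookiePath="/" sessionCookieDomain=".nam.example.com">
  <!-- Disable session persistence across Tomcat restarts -->
  <Manager pathname="" saveOnRestart="false"/>
  <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
</Context>
"""


def audit_server_xml(xml_text, primary_port="8443", cert_port="8448"):
    """Return a list of findings for step 1; an empty list means the connectors match the procedure."""
    findings = []
    root = ET.fromstring(xml_text)
    connectors = {c.get("port"): c for c in root.iter("Connector")}
    primary = connectors.get(primary_port)
    second = connectors.get(cert_port)
    if primary is None:
        findings.append(f"no connector listens on port {primary_port}")
    elif primary.get("clientAuth") != "false":
        # Only the copied connector should ask for a client certificate.
        findings.append(f"connector {primary_port} must keep clientAuth=\"false\"")
    if second is None:
        findings.append(f"no connector listens on port {cert_port}")
        return findings
    if second.get("clientAuth") != "want":
        findings.append(f"connector {cert_port} must have clientAuth=\"want\"")
    if second.get("protocol") != "HTTP/1.1":
        findings.append(f"connector {cert_port} must set protocol=\"HTTP/1.1\"")
    return findings


def audit_context_xml(xml_text, cookie_domain=".nam.example.com"):
    """Return a list of findings for step 2 (cookie path, cookie domain, cookie processor)."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "Context":
        return [f"root element is <{root.tag}>, expected <Context>"]
    if root.get("sessionCookiePath") != "/":
        findings.append('sessionCookiePath must be "/"')
    if root.get("sessionCookieDomain") != cookie_domain:
        findings.append(f'sessionCookieDomain must be "{cookie_domain}"')
    # ElementTree discards XML comments, so a CookieProcessor that is still
    # commented out is simply absent here, which is exactly the defect to report.
    processor = root.find("CookieProcessor")
    if processor is None or processor.get("className") != LEGACY_COOKIE_PROCESSOR:
        findings.append("LegacyCookieProcessor is missing or still commented out")
    return findings


def check_connector_host(value, cookie_domain=".nam.example.com", cert_port=8448):
    """Return a list of findings for the CONNECTOR_HOST value from step 6."""
    findings = []
    parsed = urlparse(value)
    if parsed.scheme != "https":
        findings.append("CONNECTOR_HOST must use https")
    if parsed.path or parsed.query or parsed.fragment:
        findings.append("CONNECTOR_HOST must not have a / after the port number")
    if parsed.port != cert_port:
        findings.append(f"CONNECTOR_HOST must point at port {cert_port}")
    host = parsed.hostname or ""
    # The connector host must be a sub-domain of the cluster cookie domain,
    # otherwise the shared session cookie is never sent to the second connector.
    if not host.endswith("." + cookie_domain.lstrip(".")):
        findings.append(f"{host!r} is not a sub-domain of {cookie_domain}")
    return findings


if __name__ == "__main__":
    for name, result in [
        ("server.xml", audit_server_xml(SAMPLE_SERVER_XML)),
        ("context.xml", audit_context_xml(SAMPLE_CONTEXT_XML)),
        ("CONNECTOR_HOST", check_connector_host("https://onbox.nam.example.com:8448")),
    ]:
        print(name, "OK" if not result else result)
```

To run it against a real server, replace the constructed samples with the contents of the two files (see Modifying Configurations for their locations) and the CONNECTOR_HOST value from the Administration Console; each function returns an empty list when that part of the procedure was applied correctly.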