3.4 Translating Identity Server Configuration Port

To enable Identity Server to communicate through a firewall, you can perform one of the following actions:

  • Open TCP port 8080 or 8443 on the firewall. These are the default ports for non-secure (HTTP) and secure (HTTPS) communication with Identity Server, respectively.

  • Configure the Identity Server service to use TCP port 80 or 443.

The Identity Server service (hosted on Tomcat) runs as a non-privileged user and cannot bind to ports below 1024. To accept requests on port 80/443 while Tomcat listens on 8080/8443, the preferred approach is to use iptables to perform a port translation. Port translation allows the base URL of Identity Server to be configured for port 443 and clients to connect to that port; iptables rewrites the destination to port 8443 before the packets reach Tomcat.

The following are two solutions out of many possibilities:

  • If you have disabled the SLES firewall and do not have any other Access Manager components installed on the same server along with Identity Server, use a simple iptables script to translate the ports. See Configuring a Simple Redirect Script.

  • If you have configured the SLES firewall or have installed other Access Manager components on the same server along with Identity Server, use a custom rule script that allows for multiple port translations. See Configuring iptables for Multiple Components.

For information about iptables, see “Iptable Tutorial 1.2.2” and “NAM Filters for iptables Commands”.

Port Forwarding

For both of these configurations (Configuring a Simple Redirect Script and Configuring iptables for Multiple Components) to work, you must enable port forwarding. To verify whether port forwarding is enabled, run the following command:

cat /proc/sys/net/ipv4/ip_forward

If the value is 0, then port forwarding is not enabled.

To enable port forwarding, perform the following steps:

  1. Run the following command:

    echo 1 > /proc/sys/net/ipv4/ip_forward

  2. Verify the status.

For more information, see How To Forward Ports through a Linux Gateway with Iptables.

3.4.1 Configuring a Simple Redirect Script

This simple solution works only if you are not using iptables to translate ports of other applications or other Access Manager components. For a solution that works with multiple components, see Configuring iptables for Multiple Components.

Ensure that you have enabled port forwarding. See Port Forwarding.

Perform the following steps to configure a simple redirect script:

On a SLES 12 SP5 or SLES 15 server

  1. On the Home page, click Identity Servers > [cluster name] > Configuration > General.

  2. Configure Base URL with the HTTPS protocol and port 443.

  3. Click Save.

  4. Update Identity Server.

  5. At a terminal window, log in as the root user.

  6. Create a file to hold the iptables rules (this is the script that the systemd unit will run) and place it in any directory, for example /usr/bin/redirect-idp.

    Ensure that the file has execute permissions; set them with chmod if necessary.

    NOTE: Do not create the file in the /etc/init.d directory because it may cause some issues. For information about the issues, see 13.3.3 System V Compatibility.

  7. Copy the following example script and paste it in the file that you created in Step 6.

    The following is an example of a redirect startup file:

    #!/bin/sh
    # Copyright (c) 2010 Novell, Inc.
    # All rights reserved.
    #
    # Script name: idp_8443_redirect (place it outside /etc/init.d; see Step 6)
    #
    ### BEGIN INIT INFO
    # Provides: idp_8443_redirect
    # Required-Start:
    # Required-Stop:
    # Default-Start: 2 3 5
    # Default-Stop: 0 1 6
    # Description: Redirect 443 to 8443 for Novell IDP
    ### END INIT INFO
    
    # Environment-specific variables: the iptables binary, the interface that
    # receives client traffic, and the IP address Identity Server listens on.
    IPT_BIN=/usr/sbin/iptables
    INTF=eth0
    ADDR=10.10.0.1
    
    # SLES helper functions (rc_reset, rc_status, rc_exit).
    . /etc/rc.status
    
    # First reset status of this service
    rc_reset
    
    case "$1" in
        start)
            echo -n "Starting IP Port redirection"
            # Flushes every rule in the nat table, which is why this script must
            # not be combined with other iptables users (see Section 3.4.2).
            $IPT_BIN -t nat --flush
            # Incoming traffic on $INTF: 80 -> 8080 and 443 -> 8443 on Tomcat.
            $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 80 -j DNAT --to ${ADDR}:8080
            $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 -j DNAT --to ${ADDR}:8443
            # Locally generated traffic to $ADDR (for example, health checks)
            # gets the same rewrite.
            $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 443 -j DNAT --to ${ADDR}:8443
            $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 80 -j DNAT --to ${ADDR}:8080
            rc_status -v
            ;;
        stop)
            echo -n "Flushing all IP Port redirection rules"
            $IPT_BIN -t nat --flush
            rc_status -v
            ;;
        restart)
            $0 stop
            $0 start
            rc_status
            ;;
        *)
            echo "Usage: $0 {start|stop|restart}"
            exit 1
            ;;
    esac
    rc_exit
    

    For more information about init scripts for SLES 12, see “Managing Services in a Running System” in the SLES 12 Administration Guide.

  8. Create a systemd service unit at /etc/systemd/system/<unit-name>.service. In this example, the unit name is redirect-idp, so the service unit is /etc/systemd/system/redirect-idp.service.

  9. Copy the following code and paste it in the service unit:

    [Unit]
    Description=Novell AM-IDP-Redirection
    
    After=local-fs.target network.target
    
    [Service]
    Type=oneshot
    ExecStart=/usr/bin/redirect-idp start
    ExecStop=/usr/bin/redirect-idp stop
    RemainAfterExit=yes
    
    [Install]
    WantedBy=multi-user.target

  10. Modify the service unit content as required, but ensure that ExecStart and ExecStop point to the script that you created in Step 6.

    In this example, both lines must reference /usr/bin/redirect-idp.

  11. Run the following commands:

    1. systemctl daemon-reload

    2. systemctl enable <unit-name>.service

      For example, systemctl enable redirect-idp.service

  12. Reboot the Identity Server machine.

  13. Verify that port 443 is being routed to Identity Server by running the following command:

    iptables -t nat -nvL

    The following is a sample entry:

    pkts bytes target     prot opt in     out     source               destination         
    17   748    DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:10.10.0.1:8443 

    This entry states that eth0 is routing TCP port 443 to port 8443 on IP address 10.10.0.1.

  14. (Conditional) If your Identity Server cluster configuration contains more than one Identity Server, repeat these steps on each server in the cluster.

3.4.2 Configuring iptables for Multiple Components

If you need to use iptables for multiple components (the host machine, Identity Server), centralize the commands into one manageable location. The following sections explain how to use the SuSEFirewall2 option in YaST to centralize the commands.

Identity Server requires rules in the PREROUTING chain of the nat table.

NOTE: Port forwarding must be enabled for this configuration to work. See Port Forwarding.

Adding Identity Server Commands

  1. On the Home page, click Identity Servers > [cluster name] > Configuration > General.

  2. Configure Base URL with the HTTPS protocol and the TCP port 443.

  3. Click Save.

  4. Update Identity Server.

  5. On Identity Server, edit the /etc/sysconfig/SuSEfirewall2 file.

    1. Change the FW_CUSTOMRULES="" line to the following:

      FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

    2. Save the changes and exit.

  6. Open the /etc/sysconfig/scripts/SuSEfirewall2-custom file in an editor.

    This is the custom rules file you specified in Step 5.

  7. Add the following lines under the fw_custom_before_port_handling() section:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.0.1:8443 
    iptables -t nat -A OUTPUT -p tcp -o eth0 --dport 443 -j DNAT --to 10.10.0.1:8443
    true

    The first command rewrites all incoming requests with a destination TCP port of 443 to TCP port 8443 on the 10.10.0.1 IP address for eth0. Modify the IP address to match the IP address of your Identity Server.

    The second command applies the same rewrite in the OUTPUT chain to connections that originate on the server itself, such as the health checks.

  8. Save the file.

  9. At the system console, restart the firewall by running the following command:

    /etc/init.d/SuSEfirewall2_setup restart

  10. Verify that port 443 is being routed to Identity Server by running the following command:

    iptables -t nat -nvL

    The following is a sample entry:

    pkts bytes target     prot opt in     out     source               destination         
    17   748 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:10.10.0.1:8443 

    This entry states that eth0 is routing TCP port 443 to IP address 10.10.0.1:8443.

  11. (Conditional) If your Identity Server cluster configuration contains more than one Identity Server, repeat these steps on each server in the cluster.
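The following POSIX shell script is an added example, not part of the Access Manager documentation; it automates the verification in Step 13 of Section 3.4.1 and Step 10 of Section 3.4.2 together with the Port Forwarding check, by reading ip_forward and searching the `iptables -t nat -nvL` listing for the 443-to-8443 DNAT rule. The function names, the IP_FORWARD_FILE override and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Access Manager documentation): checks the two
# things the procedure depends on, the kernel forwarding flag and the DNAT
# rule, by reading the same file and command output the text tells you to
# inspect. IP_FORWARD_FILE and the listing argument exist so the checks can
# also run against captured output.

IP_FORWARD_FILE=${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}

# Returns 0 when IPv4 forwarding is enabled (file content is exactly 1).
# $1 overrides the file to read (optional).
check_ip_forward() {
    [ "$(cat "${1:-$IP_FORWARD_FILE}" 2>/dev/null)" = "1" ]
}

# Returns 0 when the nat table contains a DNAT rule rewriting TCP port 443
# to <addr>:8443. $1 = Identity Server address (the ADDR of the script);
# $2 = saved output of `iptables -t nat -nvL` (optional; default: run it).
check_dnat_443() {
    addr_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep
    if [ -n "$2" ]; then listing=$2; else listing=$(iptables -t nat -nvL); fi
    printf '%s\n' "$listing" |
        grep -E "DNAT[[:space:]]+tcp.*tcp dpt:443 to:${addr_re}:8443([[:space:]]|$)" >/dev/null
}

# Runs both checks, prints one line per result, returns 0 only if both pass.
verify_redirect() {
    rc=0
    if check_ip_forward; then echo "ip_forward: enabled"
    else echo "ip_forward: disabled (run: echo 1 > /proc/sys/net/ipv4/ip_forward)"; rc=1; fi
    if check_dnat_443 "$1" "$2"; then echo "nat: TCP 443 -> $1:8443 rule present"
    else echo "nat: no DNAT rule for TCP 443 -> $1:8443"; rc=1; fi
    return $rc
}

# Constructed sample listing in the format of the manual's "sample entry".
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17   748 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:10.10.0.1:8443 '

# On the Identity Server itself run:  verify_redirect 10.10.0.1
# "demo" exercises the checks against the constructed listing instead.
if [ "${1:-}" = "demo" ]; then
    verify_redirect 10.10.0.1 "$SAMPLE_NAT_LISTING"
fi
```

Run it as root on each Identity Server in the cluster after the reboot or firewall restart; a non-zero exit means one of the two preconditions is missing.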