Kaden Napper

Environment:

  • Identity Server configured for authentication on port 443.
  • iptables configured with a rule such as:

    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

    or

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to <<IPADDRESS>>:8443

PROBLEM: Identity Server Health reports:

SSL Communication is not operating correctly! URL https://<<IPADDRESS>>:443/nidp/app/ping Error: Connection refused
(Required Action) Check SSL connectivity. Possible expired SSL certificate.

The Identity Server is still functioning.

Solution

The existing iptables rule only matches packets that arrive from the network: the nat PREROUTING chain is not traversed by packets the host generates itself, so connections the Identity Server opens to its own address (such as the Server Health Monitoring check of https://<<IPADDRESS>>:443/nidp/app/ping) reach port 443 unredirected and are refused. Locally generated packets pass through the nat OUTPUT chain instead, so the redirect has to be repeated there.

Add the following iptables rule so that locally initiated connections to port 443 are redirected as well:

iptables -t nat -A OUTPUT -p tcp -d <<IPADDRESS>> --dport 443 -j DNAT --to <<IPADDRESS>>:8443
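A quick way to confirm that both halves of the redirect are in place before trusting the health monitor is to inspect the rule listing that "iptables -t nat -S" prints and look for a 443 to 8443 redirect in both PREROUTING and OUTPUT. The script below is an added example, not part of the original post or of NetIQ's software; the rule listings it checks are constructed samples (using the 10.5.0.31 address from the init script) so that it runs without root or iptables, and the check_redirects function can be fed the live listing instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a nat rule set in
# "iptables -t nat -S" format redirects tcp/443 to <IDP_IP>:8443 in both the
# PREROUTING chain (inbound traffic) and the OUTPUT chain (locally generated
# traffic such as the Identity Server health check).

# Constructed sample: what "iptables -t nat -S" prints after only the
# PREROUTING DNAT rule from the post has been added.
SAMPLE_RULES_PREROUTING_ONLY='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.5.0.31:8443'

# Constructed sample: the same listing after the OUTPUT rule has been added too.
SAMPLE_RULES_BOTH="$SAMPLE_RULES_PREROUTING_ONLY
-A OUTPUT -d 10.5.0.31/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.5.0.31:8443"

# has_redirect CHAIN IP RULES
# Succeeds (exit 0) when RULES contains a rule in CHAIN that matches tcp/443
# and either DNATs it to IP:8443 or REDIRECTs it to local port 8443.
has_redirect() {
    chain=$1
    ip=$2
    rules=$3
    printf '%s\n' "$rules" | grep -E -- \
        "^-A $chain .*--dport 443 .*(-j DNAT --to-destination $ip:8443|-j REDIRECT --to-ports 8443)" \
        >/dev/null
}

# check_redirects IP RULES
# Prints one line per chain and returns the number of chains lacking the
# redirect, so exit status 0 means the health check's self-connection will be
# redirected exactly like inbound traffic.
check_redirects() {
    ip=$1
    rules=$2
    missing=0
    for chain in PREROUTING OUTPUT; do
        if has_redirect "$chain" "$ip" "$rules"; then
            echo "$chain: 443 -> $ip:8443 redirect present"
        else
            echo "$chain: no 443 -> $ip:8443 redirect (connections in this chain hit port 443 directly)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Offline demonstration against the constructed sample: reports the missing
# OUTPUT rule and exits with status 1.
check_redirects 10.5.0.31 "$SAMPLE_RULES_PREROUTING_ONLY" || echo "missing rules: $?"
```

On the Identity Server itself, run it as root with the live listing, for example `check_redirects "$IDP_IP" "$(iptables -t nat -S)"`; a non-zero status with OUTPUT reported missing is exactly the situation that produces the "Connection refused" health report above.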

EXAMPLE:

The following is my /etc/init.d/idp_8443_redirect file (modified from Mark van Reijn's original):

#!/bin/sh
#
# /etc/init.d/idp_8443_redirect
#
# All rights reserved.
#
# Author: Mark van Reijn, Novell
#
### BEGIN INIT INFO
# Provides:          idp_8443_redirect
# Required-Start:    SuSEfirewall2_setup $network $local_fs
# Required-Stop:
# Default-Start:     2 3 5
# Default-Stop:      0 1 6
# Description:       Redirect port 443 to 8443 for Novell IdP
### END INIT INFO

# Environment-specific variables.
IPT_BIN=/usr/sbin/iptables
IDP_IP=10.5.0.31

. /etc/rc.status

# First reset status of this service
rc_reset

case "$1" in
    start)
        echo -n "Starting IP Port redirection"
        # Note: this removes every rule in the nat table, not only the two added below.
        $IPT_BIN -t nat --flush

        # Inbound connections from the network traverse the PREROUTING chain.
        $IPT_BIN -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination $IDP_IP:8443
        # Connections the Identity Server opens to itself (e.g. the health check) traverse OUTPUT.
        $IPT_BIN -t nat -A OUTPUT -p tcp -d $IDP_IP --dport 443 -j DNAT --to-destination $IDP_IP:8443

        rc_status -v
        ;;
    stop)
        echo -n "Flushing all IP Port redirection rules"
        $IPT_BIN -t nat --flush
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
rc_exit

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Jun 12, 2008
11:38 am