3.5 Translating Identity Server Configuration Port

To enable Identity Server to communicate through a firewall, you can perform one of the following actions:

  • Open TCP ports 8080 or 8443. These are default ports used respectively for non-secure and secure communication with Identity Server.

  • Configure the Identity Server service to use the TCP port 80 or 443.

This section includes the following topics:

3.5.1 Changing the Port on Windows Identity Server

Set the port in Base URL in Identity Server and save the changes. Then, modify the server.xml file located in the Tomcat configuration directory.

Perform the following steps:

  1. In Administration Console, click Devices > Identity Server > Edit, and configure Base URL with the HTTPS protocol and TCP port 443.

  2. Click OK.

  3. Update Identity Server.

  4. In a terminal window, open the \Program Files\Novell\Tomcat\conf\server.xml file.

  5. Change the ports from 8080 and 8443 to 80 and 443.

  6. Restart the Tomcat service by running the following command:

    net stop Tomcat8

    net start Tomcat8

3.5.2 Changing the Port on Linux Identity Server

The Identity Server service (hosted on Tomcat) runs as a non-privileged user on Linux and cannot bind to ports below 1024. To allow requests to port 80/443 while Tomcat is listening on 8080/8443, the preferred approach is to use the iptables to perform a port translation. Port translation allows the base URL of Identity Server to be configured for port 443 and to listen on this port. The iptables translates it to port 8443 when communicating with Tomcat.

The following are two solutions out of many possibilities:

  • If you have disabled the SUSE Linux Enterprise Server (SLES) firewall and do not have any other Access Manager components installed on the same server along with Identity Server, use a simple iptables script to translate the ports. See Configuring a Simple Redirect Script.

  • If you have configured the SLES firewall or have installed other Access Manager components on the same server along with Identity Server, use a custom rule script that allows for multiple port translations. See Configuring iptables for Multiple Components.

For more information about iptables, see “Iptable Tutorial 1.2.2” and “NAM Filters for iptables Commands”.

Port Forwarding

For both of these configurations (Configuring a Simple Redirect Script and Configuring iptables for Multiple Components) to work, you must enable port forwarding. To verify whether port forwarding is enabled, run the following command:

- cat /proc/sys/net/ipv4/ip_forward

If the value is 0, then port forwarding is not enabled.

To enable port forwarding, perform the following steps:

  1. Run the following command:

    echo 1 > /proc/sys/net/ipv4/ip_forward

  2. Verify the status.

For more information, see How To Forward Ports through a Linux Gateway with Iptables.

Configuring a Simple Redirect Script

This simple solution works only if you are not using iptables to translate ports of other applications or other Access Manager components. For a solution that works with multiple components, see Configuring iptables for Multiple Components.

Ensure that you have enabled port forwarding. See Port Forwarding.

Perform the following steps to configure a simple redirect script:

On SLES 11 SP4

  1. In Administration Console, click Devices > Identity Server > Edit., and configure Base URL with the HTTPS protocol and the TCP Port 443.

  2. Click OK.

  3. Update Identity Server.

  4. At a terminal window, log in as the root user.

  5. Create a file to hold the iptables rule and place it in the /etc/init.d directory.

    For example, /etc/init.d/AM_IDP_Redirect. Ensure that it has execute rights. You can use CHMOD as appropriate.

    The following is an example of a redirect startup file:

    #!/bin/sh
# Copyright (c) 2010 Novell, Inc.
# All rights reserved.
#
#! /bin/sh
#! /etc/init.d/idp_8443_redirect
# ### BEGIN INIT INFO
# Provides: idp_8443_redirect
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: Redirect 8443 to 443 for Novell IDP
### END INIT INFO #

# Environment-specific variables.
IPT_BIN=/usr/sbin/iptables
INTF=eth0
ADDR=10.10.0.1

. /etc/rc.status

    # First reset status of this service
rc_reset

case "$1" in
    start)
        echo -n "Starting IP Port redirection"
        $IPT_BIN -t nat --flush
        $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 80 -j DNAT --to ${ADDR}:8080
        $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 -j DNAT --to ${ADDR}:8443
        $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 443 -j DNAT --to ${ADDR}:8443
        $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 80 -j DNAT --to ${ADDR}:8080
        rc_status -v
        ;;
    stop)
        echo -n "Flushing all IP Port redirection rules"
        $IPT_BIN -t nat --flush
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
rc_exit

    For more information about init scripts for SLES 11, see “Init Scripts” in the SLES 11 Administration Guide.

  6. Modify the environment-specific variables found in the following lines:

    # Environment-specific variables.
IPT_BIN=/usr/sbin/iptables
INTF=eth0
ADDR=10.10.0.1

  7. Run the following command to ensure that the iptables rule is active after rebooting:

    chkconfig AM_IDP_Redirect on

  8. To verify that your script is running, run the following command:

    chkconfig AM_IDP_Redirect

  9. Reboot the Identity Server machine.

  10. Verify that port 443 is being routed to Identity Server by running the following command:

    iptables -t nat -nvL

    The following is a sample entry:

    pkts bytes target     prot opt in     out     source               destination         
17   748    DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:10.10.0.1:8443

    This entry states that eth0 is routing TCP port 443 to IP address 10.10.0.1.

  11. (Conditional) If your Identity Server cluster configuration contains more than one Identity Server, repeat these steps on each server in the cluster.

On SLES 12 SP3 or RHEL server

  1. In Administration Console, click Devices > Identity Server > Edit., and configure Base URL with the HTTPS protocol and the TCP Port 443.

  2. Click OK.

  3. Update Identity Server.

  4. At a terminal window, log in as the root user.

  5. Create a unit configuration file to hold the iptables rule and place it in any directory. For example, /usr/bin/redirect-idp.

    Ensure that it has execute rights. You can use CHMOD as appropriate.

    NOTE:Do not create the file in the /etc/init.d directory because it may cause some issues. For information about the issues, see the section 13.3.3 System V Compatibility in the SUSE Linux Enterprise Server Administration Guide.

  6. Copy the following example script and paste it in the file that you created in Step 5.

    The following is an example of a redirect startup file:

    #!/bin/sh
# Copyright (c) 2010 Novell, Inc.
# All rights reserved.
#
#! /bin/sh
#! /etc/init.d/idp_8443_redirect
# ### BEGIN INIT INFO
# Provides: idp_8443_redirect
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: Redirect 8443 to 443 for Novell IDP
### END INIT INFO #

# Environment-specific variables.
IPT_BIN=/usr/sbin/iptables
INTF=eth0
ADDR=10.10.0.1

. /etc/rc.status

    # First reset status of this service
rc_reset

case "$1" in
    start)
        echo -n "Starting IP Port redirection"
        $IPT_BIN -t nat --flush
        $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 80 -j DNAT --to ${ADDR}:8080
        $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 -j DNAT --to ${ADDR}:8443
        $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 443 -j DNAT --to ${ADDR}:8443
        $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 80 -j DNAT --to ${ADDR}:8080
        rc_status -v
        ;;
    stop)
        echo -n "Flushing all IP Port redirection rules"
        $IPT_BIN -t nat --flush
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
rc_exit

    For more information about init scripts for SLES 12, see “Managing Services in a Running System” in the SLES 12 Administration Guide.

  7. Create a systemd service unit at /etc/systemd/system/<unit-name>.service. In this example unit-name is redirect-idp therefore, the service unit is /etc/systemd/system/redirect-idp.service.

  8. Copy the following code and paste it in the service unit:

    [Unit]
Description=Novell AM-IDP-Redirection

After=local-fs.target network.target

[Service]
Type=oneshot
ExecStart=/usr/bin/redirect-idp start
ExecStop=/usr/bin/redirect-idp stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

  9. Modify the service unit content as per requirement but ensure that ExecStart and ExecStop script points to the script that you created in the unit configuration file.

    In this example, the scripts must include /usr/bin/redirect-idp.

  10. Execute the following commands:

    1. systemctl daemon-reload

    2. systemctl enable <unit-name>.service

      For example, systemctl enable redirect-idp.service

  11. Reboot the Identity Server machine.

  12. Verify that port 443 is being routed to Identity Server by running the following command:

    iptables -t nat -nvL

    The following is a sample entry:

    pkts bytes target     prot opt in     out     source               destination         
17   748    DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:10.10.0.1:8443

    This entry states that eth0 is routing TCP port 443 to IP address 10.10.0.1.

  13. (Conditional) If your Identity Server cluster configuration contains more than one Identity Server, repeat these steps on each server in the cluster.

Configuring iptables for Multiple Components

If you need to use iptables for multiple components (the host machine, Identity Server), centralize the commands into one manageable location. The following sections explain how to use the SuSEFirewall2 option in YaST to centralize the commands.

Identity Server requires pre-routing commands.

NOTE:Port forwarding must be enabled for this configuration to work. See Port Forwarding.

Adding Identity Server Commands

  1. In Administration Console, click Devices > Identity Server > Edit, and configure Base URL with the HTTPS protocol and the TCP port 443.

  2. Click OK.

  3. Update Identity Server.

  4. On Identity Server, edit the /etc/sysconfig/SuSEfirewall2 file.

    1. Change the FW_CUSTOMRULES="" line to the following:

      FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

    2. Save the changes and exit.

  5. Open the /etc/sysconfig/scripts/SuSEfirewall2-custom file in an editor.

    This is the custom rules file you specified in Step 4.

  6. Add the following lines under the fw_custom_before_port_handling() section:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.10.0.1:8443 
iptables -t nat -A OUTPUT -p tcp -o eth0 --dport 443 -j DNAT --to 10.10.0.1:8443
true

    The first command rewrites all incoming requests with a destination TCP port of 443 to TCP port 8443 on the 10.10.0.1 IP address for eth0. Modify the IP address to match the IP address of your Identity Server.

    The second command rewrites the health checks.

  7. Save the file.

  8. At the system console, restart the firewall by running the following command:

    /etc/init.d/SuSEfirewall2_setup restart

  9. Verify that port 443 is being routed to Identity Server by running the following command:

    iptables -t nat -nvL

    The following is a sample entry:

    pkts bytes target     prot opt in     out     source               destination         
17   748 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:10.10.0.1:8443

    This entry states that eth0 is routing TCP port 443 to IP address 10.10.0.1:8443.

  10. (Conditional) If your Identity Server cluster configuration contains more than one Identity Server, repeat these steps on each server in the cluster.