OpenAM
OPENAM-3375

IIS6 notification mode does not work if SSL offloading is done at a loadbalancer


Details


    Description

      When doing SSL offloading at a LB, the notification URL will point to the agent's server directly.

      However, due to the SSL offloading, the scheme and port of the incoming request have to be changed by the agent so that the 'goto' parameter points back to the LB again.

      Example agent profile excerpt

      com.sun.identity.agents.config.agenturi.prefix=https://iis6.test.xyz:443/amagent
      com.sun.identity.client.notification.url=http://iis6.test.xyz:80/UpdateAgentCacheServlet?shortcircuit=false
      com.sun.identity.agents.config.override.protocol=true
      com.sun.identity.agents.config.override.host=false
      com.sun.identity.agents.config.override.port=true
      com.sun.identity.agents.config.override.notification.url=false
      

      In contrast to the Apache HTTP server agent, the agent for IIS6 (and potentially IIS7) does not correctly handle this case.

      Excerpt from agent debug log...

      2013-11-29 15:07:12.625    Debug 1928:1ec6da0 all: HttpExtensionProc(): agent initialized
      2013-11-29 15:07:12.640    Debug 1928:2010198 ThreadPool: ::spin() : Thread Function calling 0x20095a0.
      2013-11-29 15:07:12.640    Debug 1928:1ec6da0 all: get_header_value(): HTTPS = off
      2013-11-29 15:07:12.671    Debug 1928:1ec6da0 all: get_request_url(): requestProtocolType = off
      2013-11-29 15:07:12.687    Debug 1928:1ec6da0 all: get_header_value(): HEADER_Host = iis6.test.xyz
      2013-11-29 15:07:12.703    Debug 1928:1ec6da0 all: get_header_value(): SERVER_PORT = 80
      2013-11-29 15:07:12.718    Debug 1928:1ec6da0 all: get_header_value(): URL = /UpdateAgentCacheServlet
      2013-11-29 15:07:12.718    Debug 1928:1ec6da0 all: get_header_value(): PATH_INFO = /UpdateAgentCacheServlet
      2013-11-29 15:07:12.734    Debug 1928:1ec6da0 all: get_header_value(): SCRIPT_NAME = /UpdateAgentCacheServlet
      2013-11-29 15:07:12.750    Debug 1928:1ec6da0 all: get_request_url(): Reconstructed path info = 
      2013-11-29 15:07:12.765    Debug 1928:1ec6da0 all: get_header_value(): QUERY_STRING = shortcircuit=false
      2013-11-29 15:07:12.781    Debug 1928:1ec6da0 all: am_web_get_all_request_urls(): orig_request_url is http://iis6.test.xyz:80/UpdateAgentCacheServlet?shortcircuit=false
      2013-11-29 15:07:12.796    Debug 1928:1ec6da0 all: am_web_get_all_request_urls(): request_url is https://iis6.test.xyz:443/UpdateAgentCacheServlet?shortcircuit=false
      2013-11-29 15:07:12.796    Debug 1928:1ec6da0 all: get_request_url(): Constructed request url: https://iis6.test.xyz:443/UpdateAgentCacheServlet?shortcircuit=false
      2013-11-29 15:07:12.812 MaxDebug 1928:1ec6da0 all: am_web_is_notification(): https://iis6.test.xyz:443/UpdateAgentCacheServlet?shortcircuit=false is not notification url http://iis6.test.xyz:80/UpdateAgentCacheServlet?shortcircuit=false.
      2013-11-29 15:07:12.828 MaxDebug 1928:1ec6da0 all: am_web_is_notification(): https://iis6.test.xyz:443/UpdateAgentCacheServlet?shortcircuit=false is not notification url http://iis6.test.xyz:80/UpdateAgentCacheServlet?shortcircuit=false.
      2013-11-29 15:07:12.843    Debug 1928:1ec6da0 all: getHttpStatusCode(): File/directory "c:\inetpub\wwwroot\UpdateAgentCacheServlet" doesn't exist, setting HTTP status code to 404.
      2013-11-29 15:07:12.859    Debug 1928:1ec6da0 all: get_header_value(): REQUEST_METHOD = POST
      2013-11-29 15:07:12.875    Debug 1928:1ec6da0 all: HttpExtensionProc(): requestMethod = POST
      2013-11-29 15:07:12.875    Debug 1928:1ec6da0 all: get_header_value(): REMOTE_ADDR = 192.168.1.20
      2013-11-29 15:07:12.890 MaxDebug 1928:1ec6da0 all: get_normalized_url(): Original url: https://iis6.test.xyz:443/UpdateAgentCacheServlet?shortcircuit=false
      2013-11-29 15:07:12.906 MaxDebug 1928:1ec6da0 all: get_normalized_url(): PathInfo: 
      2013-11-29 15:07:12.921 MaxDebug 1928:1ec6da0 all: get_normalized_url(): Using Full URI for policy evaluation.
      2013-11-29 15:07:12.937 MaxDebug 1928:1ec6da0 all: get_normalized_url(): Normalized url: https://iis6.test.xyz:443/UpdateAgentCacheServlet?shortcircuit=false
      2013-11-29 15:07:12.953    Debug 1928:1ec6da0 all: is_url_not_enforced(): client_ip 192.168.1.20 not found in client ip not enforced list
      2013-11-29 15:07:12.953 MaxDebug 1928:1ec6da0 AM_POLICY_SERVICE: am_policy_compare_urls: Comparison of "https://iis6.test.xyz:443/UpdateAgentCacheServlet" and "https://iis6.test.xyz:443/dummypost*" returned AM_NO_MATCH (usePatterns=true)
      2013-11-29 15:07:12.968    Debug 1928:1ec6da0 all: in_not_enforced_list: Enforcing access control for https://iis6.test.xyz:443/UpdateAgentCacheServlet?shortcircuit=false 
      2013-11-29 15:07:12.984 MaxDebug 1928:1ec6da0 all: is_url_not_enforced(): URL https://iis6.test.xyz:443/UpdateAgentCacheServlet?shortcircuit=false is enforced.
      

      In contrast to the Apache HTTP server agent, the manipulation of the request seems to take place much earlier in the request handling.
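      The log above shows the ordering problem: the agent rewrites the request URL to https://iis6.test.xyz:443/... (override.protocol and override.port) and only then compares it with the configured notification URL http://iis6.test.xyz:80/..., so the POST from OpenAM is never recognised as a notification and is enforced instead. The following Python model is an added illustration of that ordering and of the fix (checking the notification URL against the original request URL before applying any override); it is not OpenAM web agent code. The profile values and server variables are taken from the issue, the user request path /app/page.aspx is hypothetical, and the treatment of override.notification.url (apply the same overrides to the notification URL when true) is an assumption.

```python
# Added illustrative model, not OpenAM web agent code: reconstruct the request
# URL from server variables, apply the agenturi.prefix overrides, and test for
# the notification URL in the order seen in the IIS6 log versus a fixed order.
from urllib.parse import urlsplit, urlunsplit

# Agent profile excerpt exactly as given in the issue.
PROFILE = {
    "com.sun.identity.agents.config.agenturi.prefix": "https://iis6.test.xyz:443/amagent",
    "com.sun.identity.client.notification.url":
        "http://iis6.test.xyz:80/UpdateAgentCacheServlet?shortcircuit=false",
    "com.sun.identity.agents.config.override.protocol": True,
    "com.sun.identity.agents.config.override.host": False,
    "com.sun.identity.agents.config.override.port": True,
    "com.sun.identity.agents.config.override.notification.url": False,
}

# Constructed server variables for the notification POST arriving from the
# load balancer over plain HTTP; values match the debug log in the issue.
NOTIFICATION_REQUEST = {
    "HTTPS": "off",
    "HEADER_Host": "iis6.test.xyz",
    "SERVER_PORT": "80",
    "URL": "/UpdateAgentCacheServlet",
    "QUERY_STRING": "shortcircuit=false",
}

# Constructed ordinary user request arriving the same way (hypothetical path).
USER_REQUEST = {
    "HTTPS": "off",
    "HEADER_Host": "iis6.test.xyz",
    "SERVER_PORT": "80",
    "URL": "/app/page.aspx",
    "QUERY_STRING": "",
}


def orig_request_url(sv):
    """Rebuild the URL as IIS saw it: HTTPS=off and port 80 behind the LB."""
    scheme = "https" if sv["HTTPS"].lower() == "on" else "http"
    url = f"{scheme}://{sv['HEADER_Host']}:{sv['SERVER_PORT']}{sv['URL']}"
    if sv.get("QUERY_STRING"):
        url += "?" + sv["QUERY_STRING"]
    return url


def apply_overrides(url, profile):
    """Replace scheme/host/port with the agenturi.prefix values flagged for
    override, so redirects and the 'goto' parameter point back at the LB."""
    prefix = urlsplit(profile["com.sun.identity.agents.config.agenturi.prefix"])
    parts = urlsplit(url)

    def ov(key):
        return profile[f"com.sun.identity.agents.config.override.{key}"]

    scheme = prefix.scheme if ov("protocol") else parts.scheme
    host = prefix.hostname if ov("host") else parts.hostname
    port = prefix.port if ov("port") else parts.port
    return urlunsplit((scheme, f"{host}:{port}", parts.path, parts.query, ""))


def notification_url(profile):
    """Configured notification URL. Assumption: override.notification.url=true
    would rewrite it with the same overrides; false (as here) leaves it as is."""
    url = profile["com.sun.identity.client.notification.url"]
    if profile["com.sun.identity.agents.config.override.notification.url"]:
        url = apply_overrides(url, profile)
    return url


def classify_iis6(sv, profile):
    """Order seen in the IIS6 agent log: overrides first, notification check
    afterwards. Returns (decision, url_that_was_compared)."""
    url = apply_overrides(orig_request_url(sv), profile)
    if url == notification_url(profile):
        return ("notification", url)
    return ("enforce", url)


def classify_fixed(sv, profile):
    """Compare the notification URL with the original request URL before any
    override; only non-notification requests get the rewritten URL."""
    orig = orig_request_url(sv)
    if orig == notification_url(profile):
        return ("notification", orig)
    return ("enforce", apply_overrides(orig, profile))


if __name__ == "__main__":
    for name, fn in (("iis6 order", classify_iis6), ("fixed order", classify_fixed)):
        print(name, fn(NOTIFICATION_REQUEST, PROFILE))
```

      With the IIS6 ordering the notification POST is rewritten to https://iis6.test.xyz:443/UpdateAgentCacheServlet?shortcircuit=false, fails the comparison and is enforced, exactly as in the log; with the fixed ordering it is recognised as a notification while an ordinary user request is still rewritten to https://iis6.test.xyz:443/... for policy evaluation and the 'goto' parameter.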

          People

            mareks Mareks Malnacs
            bthalmayr Bernhard Thalmayr