HTTP Accel. using wrong port for SSL Auth.

(Last modified: 30Jul1999)

This document (2952986) is provided subject to the disclaimer at the end of this document.

Symptom

When the HTTP Accelerator is configured to require authentication and SSL authentication is enabled, a browser that goes to the accelerator is redirected to the BM-Login page. Part of that page is a "Destination:" field, which contains the URL to which the browser will be redirected if the login is successful.

The problem is that although this field uses the IP address of the HTTP Accelerator, it specifies the port address that was configured for the Web Server when the HTTP Accelerator was created.

The result is that after a successful login, the browser is redirected to the wrong port. This causes either a failure to pull up a web page or, if the port is actually used for a different accelerator, the wrong web page to be pulled up.

(My guess is that this will be easy to fix, and that we are simply using the wrong variable when building the URL for the Destination: field.)

Duplication:

1. Configure SSL authentication by creating a tree CA and a KMO, and configuring the BM server to use that KMO for SSL authentication. (These are generic steps to enable SSL and are covered in the documentation.)

2. Enable the HTTP Accelerator on the server.
- Open the server object, select BorderManager Setup
- Click the Acceleration tab
- Check the box for the HTTP Accelerator
- Double-click the HTTP Accelerator option to bring up details
- Click the add button and configure the fields with the following info:
  Enable this particular accelerator: TRUE
  Enable authentication for this particular accelerator: TRUE
  Accelerator Name: sjf-ts1
  Web Server Port: 8000 (yes, eight thousand)
  Web Server: add one for server name sjf-ts1.sjf.novell.com
  Proxy IP Addresses: select one of your interfaces
  Accelerate on a different port: TRUE
  Accelerator port: 81
- Click OK, OK, and OK again to commit the configuration change

3. Verify that your browser is NOT set up to use the HTTP Forward Proxy. (Steps vary depending on your browser.)

4. Try accessing the HTTP Accelerator. For example, if your accelerator is listening on 10.10.1.3, you would try the following URL:

http://10.10.1.3:81

5. You will get a login page. Notice that the Destination: line shows the IP address of your accelerator, but the port address of the Web Server (8000).

6. Authenticate successfully. Though you can authenticate, your browser will give you an error that the document cannot be reached.

7. Log out. This is done through an HTTP request to your proxy server. For example, if your proxy server's address is 10.10.1.3, the URL would be:

http://10.10.1.3:1959/cmd/BM-Logout

8. Try accessing the accelerator again, change the port address in the Destination: field to be that of the accelerator (81), and enter your login information.

9. This time you can get the web page successfully.

10. Log out again (as in step 7).

11. Set your browser to use the HTTP Forward Proxy so that the request to GET the HTTP Accelerator page is sent to the Forward Proxy.

12. Try to access the Accelerator again.

13. This time, the login page comes back and the Destination: line shows the correct port address. This is because the HTTP Forward Proxy is using the port address from the original requested URL rather than the port address of the configured Web Server.
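
The two outcomes described under Symptom can be told apart by comparing the Destination: value with the URL the browser originally requested. The following Python is an added example, not Novell code; the accelerator table, the second accelerator named "other", and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed accelerator table. The first entry mirrors the duplication steps;
# the second is a hypothetical neighbour listening on the origin's port number.
ACCELERATORS = [
    {"name": "sjf-ts1", "proxy_ip": "10.10.1.3", "accel_port": 81,
     "web_server": "sjf-ts1.sjf.novell.com", "web_port": 8000},
    {"name": "other", "proxy_ip": "10.10.1.3", "accel_port": 8000,
     "web_server": "other.example", "web_port": 80},
]

def endpoint(url):
    """Return (host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)

def classify_destination(requested_url, destination_url, accelerators):
    """Compare the login page's Destination: value with the requested URL."""
    req = endpoint(requested_url)
    dst = endpoint(destination_url)
    if req == dst:
        return "ok"
    listeners = {(a["proxy_ip"], a["accel_port"]): a["name"] for a in accelerators}
    entered = listeners.get(req)
    if entered is None:
        return "unknown-listener"
    # Destination port belongs to another accelerator: wrong page after login.
    landed = listeners.get(dst)
    if landed is not None:
        return f"wrong-accelerator:{landed}"
    # Destination carries the Web Server port of the accelerator that was entered.
    origin_ports = {a["web_port"] for a in accelerators if a["name"] == entered}
    if dst[0] == req[0] and dst[1] in origin_ports:
        return "origin-port-leaked"
    return "mismatch"

if __name__ == "__main__":
    print(classify_destination("http://10.10.1.3:81",
                               "http://10.10.1.3:8000/", ACCELERATORS))
```
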

Solutions

Passed to engineering.

document

Document Title: HTTP Accel. using wrong port for SSL Auth.
Document ID: 2952986
Creation Date: 30Jul1999
Modified Date: 30Jul1999
Revision: 1
Novell Product Class: Novell BorderManager Services

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.