Run the Novell Identity Manager User Application listening on default HTTP and HTTPS ports.
(Last modified: 25Feb2006)
This document (10100489) is provided subject to the disclaimer at the end of this document.
goal
Run the Novell Identity Manager User Application listening on default HTTP and HTTPS ports.
symptom
The User Application will not load when configured for port 80 and 443.
fact
User Application
Novell Identity Manager 3.0
Linux
cause
After configuring JBoss to listen on ports 80 and (optionally) 443, a further change must be made before JBoss can actually bind those ports. By default (as of 2006-02-16) the User Application is installed as a non-root user. Such users cannot bind ports below 1024, for security reasons. Because JBoss is installed as a non-root user it is also configured, by default, to run as that same non-root user.
fix
A good work-around for this issue is to use iptables (IP Tables; the successor to IP Chains) to forward port 80 (and optionally 443) to the ports JBoss is listening on (8080 and 8443 by default). This can be done with a line resembling the following:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
This line tells the kernel that any incoming TCP traffic with a destination port of 80 should be redirected to port 8080. A second line is needed to send 443 traffic to 8443. These lines should be integrated into any existing iptables configuration. iptables is a feature of Linux kernel versions 2.4 and later.
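As an added example (not from the TID), a small POSIX shell script that installs the two REDIRECT rules idempotently, adds the matching loopback OUTPUT rules so that connections made from the JBoss host itself are redirected too, and prints the resulting nat chains; the helper names and the --apply flag are assumptions of this example, and it needs root to run.

```shell
#!/bin/sh
# Added example, not from the TID: install the REDIRECT rules for the
# default JBoss ports idempotently.  Assumes iptables on PATH and root.
set -u

IPTABLES="${IPTABLES:-iptables}"

# Add "tcp/$2 -> $3" in nat chain $1 unless an identical rule exists.
# Extra arguments ($4...) are additional match options for the rule.
# "iptables -C" exits 0 when the rule is present, so re-running this
# never appends a duplicate (a bare "-A" would add one every time).
ensure_redirect() {
    chain=$1 from=$2 to=$3; shift 3
    if "$IPTABLES" -t nat -C "$chain" "$@" -p tcp --dport "$from" \
            -j REDIRECT --to-port "$to" 2>/dev/null; then
        echo "present: $chain tcp/$from -> $to"
        return 0
    fi
    "$IPTABLES" -t nat -A "$chain" "$@" -p tcp --dport "$from" \
        -j REDIRECT --to-port "$to" && echo "added: $chain tcp/$from -> $to"
}

# PREROUTING only sees packets arriving from the network.  Connections
# made on the JBoss host itself (curl http://localhost/) pass through the
# OUTPUT chain instead, so the same pair is added there, limited to the
# loopback interface so that outbound HTTP to other hosts is untouched.
install_redirects() {
    ensure_redirect PREROUTING 80 8080 || return 1
    ensure_redirect PREROUTING 443 8443 || return 1
    ensure_redirect OUTPUT 80 8080 -o lo || return 1
    ensure_redirect OUTPUT 443 8443 -o lo || return 1
}

# Show the nat chains numerically for a quick check after applying.
show_redirects() {
    "$IPTABLES" -t nat -L PREROUTING -n --line-numbers
    "$IPTABLES" -t nat -L OUTPUT -n --line-numbers
}

# JBoss keeps running as its unprivileged user; only the kernel handles
# the privileged ports, which is the point of this work-around.
if [ "${1:-}" = "--apply" ]; then
    install_redirects && show_redirects
fi
```

Rules added this way do not survive a reboot on their own; they still need to be integrated into the host's persistent firewall configuration as the TID says.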
On SLES 9 the iptables configuration is stored in /etc/sysconfig/SuSEfirewall2. A variable called 'FW_REDIRECT' exists to redirect traffic. The following line redirects all incoming TCP traffic from port 443 to port 8443 where the IP address of the host is 123.45.67.89:
Another option applies to sites already using Apache as the front end to JBoss. Apache can forward requests to JBoss much as iptables forwards ports, with the added benefit that the redirection can be limited to certain paths on the server instead of blindly sending all port 80 traffic to 8080.
Configuring Apache for this is outside the scope of this TID, but information is available online, as many people have done the same for Tomcat. See http://jakarta.apache.org/ and http://httpd.apache.org/ for each product's documentation. Searching Google Groups should also turn up results relevant to this fix.
A quick option to allow JBoss to use the low ports is to run JBoss as root. JBoss itself has no problem with this, but from a security standpoint it is not the best solution. The reasoning is that if a security hole is found in JBoss in the future that lets an attacker run arbitrary code, the impact on the server is significantly smaller if JBoss does not have root privileges. Most services on Linux run as non-root users for this reason. The User Application installer will not currently install as root because MySQL by default refuses to run as root for this very reason. Applications that need low ports but still run as non-root users (the Apache web server, for instance) have a mechanism to use root to bind and hold the low port (80) and then switch to a lower-privileged user.
note
TID# 10100226 touches on enabling HTTPS in JBoss and shows which ports to use. Following it should allow you to change both the HTTP and HTTPS ports. See the JBoss documentation for more details.
document
| Document Title: | Run the Novell Identity Manager User Application listening on default HTTP and HTTPS ports. |
| Document ID: | 10100489 |
| Solution ID: | NOVL105182 |
| Creation Date: | 16Feb2006 |
| Modified Date: | 25Feb2006 |
| Novell Product Class: | DirXML |
disclaimer
The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.