Symantec IGA

 How to bypass the internal vApp proxy and connect directly to the portal from SPS

Shashank Agarwal posted Sep 28, 2020 07:03 AM
Hello Team,

We have configured an SPS instance to connect to the vApp. We have configured the proxy rules so that it connects to the vApp internal proxy on port 443. Please see the proxy rule below, for instance. This configuration works absolutely fine.

<nete:case value="/iam/"><!-- replace http://server2.company.com with the appropriate destination server -->
<nete:forward>https://<vapp ip>:443$0</nete:forward>
</nete:case>
<nete:case value="/sigma/"><!-- replace http://server2.company.com with the appropriate destination server -->
<nete:forward>https://<vapp ip>:443$0</nete:forward>
</nete:case>


Now, we disabled the internal proxy of the vApp and made the following changes to the proxyrules.xml file, as IAM runs SSL on 8443 and the portal on 8444.

<nete:case value="/iam/"><!-- replace http://server2.company.com with the appropriate destination server -->
<nete:forward>https://<vapp ip>:8443$0</nete:forward>
</nete:case>
<nete:case value="/sigma/"><!-- replace http://server2.company.com with the appropriate destination server -->
<nete:forward>https://<vapp ip>:8444$0</nete:forward>
</nete:case>

When we now access the URL, the login page is displayed, but the moment the user enters the password, we get a Noodle exception on the web page. And the logs say something about a handshake error and missing certificates.

[09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][releaseConnection(): ][Released connection is not reusable.]
[09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][execute][javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]
[09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][execute][Retrying to send the request to backend web server.Retry count: 1]
[09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][execute][Sending request to backend = <vApp IP>:8444 url = https://<vApp IP>:8444/sigma/app/index]
[09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][requestConnection(): ][Get connection: {s}->https://<vApp ip>:8444, timeout = 180000]

From the SPS server.log we have the following:

[23/Sep/2020:17:31:25-470] [ERROR] - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:331)
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688)
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082)
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.process_record(Handshaker.java:1010)
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1079)
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1388)
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1416)
[23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1400)
[23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.sso.smssl.socket.SMSSLSocketImpl.startHandshake(SMSSLSocketImpl.java:400)
[23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.apache.httpclient.conn.factory.SPSSecureSocketFactory.connectSocket(Unknown Source)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.conn.scheme.SchemeLayeredSocketFactoryAdaptor2.connectSocket(SchemeLayeredSocketFactoryAdaptor2.java:62)
[23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.apache.httpclient.conn.factory.SPSConnectionFactory.openConnection(Unknown Source)
[23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.connectionpool.ConnectionCapsule.open(Unknown Source)
[23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.connectionpool.impl.ConnectionPoolConnAdapter.open(Unknown Source)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
[23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.apache.httpclient.SPSClient.execute(Unknown Source)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.tigris.noodle.ProxyModule.proxyRequest(Unknown Source)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.tigris.noodle.Noodle.doGet(Unknown Source)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.tigris.noodle.Noodle.service(Unknown Source)
[23/Sep/2020:17:31:25-470] [ERROR] - at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:742)
[23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:484)


We have imported the vApp server certificate into the CA bundle cert file of the instance and in MMC as well. Is there anything we have missed here? Can anyone review and provide any input to us?

Thanks,
Shashank
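The "No trusted certificate found" handshake error above means the verifying client (here the SPS Java process) could not chain the certificate served on the forward target to anything in the trust store it consults. The Python script below is an added example, not part of the original post and not Symantec/Broadcom product code; it reproduces that failure mode locally with throwaway self-signed certificates. A TLS listener standing in for the portal on 8444 presents one certificate while the client's CA bundle holds a different one, standing in for the certificate the embedded proxy served on 443, and the handshake fails; once the certificate actually served by the listener is added to the bundle, it succeeds. The script assumes the `openssl` CLI is on the PATH, and it assumes, which the thread does not confirm, that the app servers on 8443/8444 present their own certificates rather than the proxy's. The names vapp-proxy-443 and vapp-portal-8444 are illustrative.

```python
# Added example (not from the original post or the product docs): reproduce the
# "No trusted certificate found" failure mode with Python's ssl module.
# Assumption (not confirmed by the thread): once the embedded vApp proxy is bypassed,
# the app servers on 8443/8444 present their own certificates, so a bundle holding
# only the certificate served on 443 does not let the backend handshake verify.
import hashlib
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Minimal openssl config so the throwaway certs are well-formed v3 certs
# regardless of the system openssl.cnf (CA:TRUE so the self-signed cert can act
# as its own trust anchor, serverAuth/IP SAN so it passes as a TLS server cert).
OPENSSL_CONF = """[req]
distinguished_name = dn
x509_extensions = ext
[dn]
[ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
subjectAltName = IP:127.0.0.1
"""


def make_self_signed(cn, directory):
    """Create a throwaway self-signed cert/key with the openssl CLI (stand-in for one vApp port's cert)."""
    conf = os.path.join(directory, "openssl.cnf")
    with open(conf, "w") as f:
        f.write(OPENSSL_CONF)
    key = os.path.join(directory, f"{cn}.key")
    crt = os.path.join(directory, f"{cn}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-config", conf, "-subj", f"/CN={cn}", "-keyout", key, "-out", crt],
        check=True, capture_output=True,
    )
    return crt, key


def sha256_fingerprint(pem_path):
    """SHA-256 fingerprint of a PEM certificate. Compare the fingerprint of what you
    imported with the fingerprint of what the live port actually serves."""
    with open(pem_path) as f:
        der = ssl.PEM_cert_to_DER_cert(f.read())
    return hashlib.sha256(der).hexdigest()


def serve_tls(crt, key, connections):
    """Listen on 127.0.0.1:<ephemeral> with the given cert; accept N handshakes on a thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(connections)
    port = listener.getsockname()[1]

    def run():
        for _ in range(connections):
            conn, _addr = listener.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)
            except Exception:
                pass  # a rejected handshake is the expected outcome in the negative case
        listener.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def backend_trusted(host, port, ca_bundle):
    """Connect as a verifying client would: the backend's cert must chain to ca_bundle.
    Returns (ok, detail); detail is the verify error text when ok is False."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    ctx.check_hostname = False  # the forward target is an IP; name matching is a separate issue
    ctx.load_verify_locations(cafile=ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message


def demo():
    """Bundle holding only the 443 cert fails against the 8444 listener; bundle holding
    the cert the 8444 listener really serves succeeds."""
    with tempfile.TemporaryDirectory() as d:
        proxy_crt, _ = make_self_signed("vapp-proxy-443", d)          # what 443 served
        portal_crt, portal_key = make_self_signed("vapp-portal-8444", d)  # what 8444 serves
        port = serve_tls(portal_crt, portal_key, connections=2)

        wrong_bundle = os.path.join(d, "ca-bundle-only-443.pem")
        shutil.copyfile(proxy_crt, wrong_bundle)
        right_bundle = os.path.join(d, "ca-bundle-with-8444.pem")
        with open(right_bundle, "w") as out:
            for path in (proxy_crt, portal_crt):
                with open(path) as f:
                    out.write(f.read())

        wrong_ok, wrong_detail = backend_trusted("127.0.0.1", port, wrong_bundle)
        right_ok, right_detail = backend_trusted("127.0.0.1", port, right_bundle)
        return {
            "proxy_fp": sha256_fingerprint(proxy_crt),
            "portal_fp": sha256_fingerprint(portal_crt),
            "wrong_bundle_ok": wrong_ok, "wrong_bundle_detail": wrong_detail,
            "right_bundle_ok": right_ok, "right_bundle_detail": right_detail,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Against a real vApp the same check is `openssl s_client -connect <vapp ip>:8444 -showcerts </dev/null`, repeated for 8443 and 443; pipe each leaf through `openssl x509 -noout -fingerprint -sha256` and compare with the fingerprint of the certificate that was imported. If the ports present different certificates, or a chain whose issuer is not in the bundle, the imported 443 certificate does nothing for the 8443/8444 handshakes, and the bundle the SPS Java process actually reads needs the certificate (or issuing CA) served on those ports.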
Larry Kasten (Broadcom Employee)
You can bypass the embedded proxy by hitting the URLs directly on their ports. See the documentation below.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/ca-identity-suite-reference-architecture/foundation-physical-architecture/base-system-configuration-requirements/load-balancer-lb.html