Symantec Access Management

Hi,

I am sure a lot of people are looking for this kind of integration,  where customers do not have an tomcat web-agent installer/license to configure on a tomcat web server to protect applications.

If that is the case we can take two approaches.

OPTION- 1. Install Apache on the tomcat websever which will act as a proxy. This setup needs a connector which is available on the Apache website. CA has this setup inforamtion on their KB as well. I am just sharing the link for ease below.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec491302.aspx

OPTION-2. This is not on the CA's K-Base so I am posting it.

You can use IIS as a proxy as well(much easier). If the tomcat web-server already has IIS installed on it below are instructions to use the regular IIS  web agent for integration

1. Install IIS on the WIN server (If already exists ignore)

2. Download the tomcat and IIS connector (Check the install section on this link: The Apache Tomcat Connectors - Webserver HowTo - IIS HowTo  )

3. Unzip it. Copy the DLL file (ISAPI redirector) to the Apache Install/bin or to any location. We will be later pointing registry entry to this location.

4. https://tomcat.apache.org/connectors-doc/webserver_howto/iis.html Keep this link open in another browser window to check the examples and steps to configure the redirector.

5. Copy over sample Worker.properties (This will have the tomcat port and the tomcat server name) and URIworker.properties (give the URL pattern here. So if IIS gets that pattern then IIS will use the connector to forward to tomcat)

          Note: Make sure you edit the files according to your environment.

6. Go through the “Configuring the ISAPI Redirector” section from above link(step 4) and follow the instructions from there. Make sure the location can be different based on 64 bit or 32 bit.

7. Test the sample URL and see if the proxy works first.

8. Install the IIS Web agent and configure it just like how you do it for protecting any applications.

Thanks,

Rahul Joshiya

Good post. A couple notes I have on this setup that might help some folks as well.

1) If you don't want Tomcat listening on other connectors, and AJP connector only from localhost, be sure to update the connector info in server.xml

For example:

remove all 8080/8443/other HTTP connectors.

Update AJP to only 127.0.0.1

<Connector port="8009" protocol="AJP/1.3"  address="127.0.0.1" />

-----------------

2) On IIS, if you're doing certificate authentication or other larger transactions, might need to adjust the worker packet size. When it's not adjusted have seen certificate auth or SAML (using Web Agent Option Pack)  throw problems because it's over the current setting so not getting through properly.

For example, to set to max I would do something like the following:

Update connector

   <Connector port="8009" protocol="AJP/1.3" packetSize="65536" address="127.0.0.1" />

Update worker.properties and add the following (replace worker1 with whatever your worker name is)

worker.worker1.max_packet_size=65536

*Note: in the server.xml packetSize seems to be case sensitive. At least on the versions I've tested, it must be exactly packetSize....any other seems to barf.

And of course tweak this appropriately to your setup in terms of increasing them.

---------------

3) On IIS, if you deploy the connector but when accessing a URL it tries to download the bits instead of rendering...double check that you have "Execute" enabled in Handler Mappings.

Checked by going to appropriate location and choose Handler Mappings feature --> click the Edit Feature Permissions. Verify "Execute" is enabled.

If it's not enabled, you'll see a section in the top of Handler Mappings that shows "ISAPI-dll" being Disabled. When Execute is set, it will be changed to the Enabled section.