We are setting up CA Access Gateway into an existing CA SSO infrastructure.
For security reasons we need to bind the Tomcat HTTP/S and AJP to a specific address instead of having it listening on all interfaces.
For this purpose we've set the parameter local.host inside the file server.conf to a local IP address (tried also with hostname) but this throws an exception on startup and the proxy engine does not come up until I set the parameter back to its original value, that is local.host=*. The errors in the log files are:
ProxyServer initialization failed.
Config File: '/opt/ca/secure-proxy/proxy-engine/conf/server.conf')

[19/Apr/2018:14:40:31-499] [ERROR] - ProxyServer initialization failed.
[19/Apr/2018:14:40:31-499] [ERROR] - Config File: '/opt/ca/secure-proxy/proxy-engine/conf/server.conf')

2018-Apr-19 14:36:47,585 - ERROR - com.ca.sps.adminui.listener.SPSConfigLoadServlet - Unable to Initialize Proxy UI Configuration
java.lang.NumberFormatException: null
    at java.lang.Integer.parseInt(Integer.java:542) ~[?:1.8.0_162]
    at java.lang.Integer.valueOf(Integer.java:766) ~[?:1.8.0_162]
    at com.ca.sps.adminui.dao.groupconfiguration.GroupConfigurationDAO.loadCurrentProxyServerInfo(Unknown Source) ~[classes/:?]
    at com.ca.sps.adminui.dao.groupconfiguration.GroupConfigurationDAO.getInstance(Unknown Source) ~[classes/:?]
    at com.ca.sps.adminui.listener.SPSConfigLoadServlet.init(Unknown Source) [classes/:?]
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1269) [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182) [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072) [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5362) [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660) [catalina.jar:7.0.82]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) [catalina.jar:7.0.82]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1700) [catalina.jar:7.0.82]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1690) [catalina.jar:7.0.82]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_162]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]
How can we configure this properly?
At the moment, the functionality to modify the ports and addresses for the ProxyUI isn't documented, and an idea to get it implemented is still not planned.
Raise this Idea in the CA Single Sign-On Communities to get this possibility implemented out of the box.
1. Go to the CA Security Overview Page: https://communities.ca.com/community/ca-security/ca-single-sign-on
2. Click on the "Actions" drop-down menu and select "Create an idea."
3. Give your idea a title and detailed description to encourage voting.
4. Publish and vote on your idea!
Please find below the link to related content:
RFE - Restricting access to the SPS ProxyUI Admin Console https://communities.ca.com/ideas/235717668
KB : KB000099443
Hi Patrick, I remember this one from quite a while ago.
local.host=localhost (or IP address) was raised as a bug and fixed - I found it - below are the details from the case in 2015:
Perhaps the fix did not make it into the head branch - maybe raise it as a regression then.
In server.conf there are two settings:
local.host=localhost
local.http.port=8080
Those "should" determine the listener, but since about R12.5+, when they introduced ProxyUI, it has ignored the local.host setting. Engineering has provided the fix on 6/3 and the customer tested it; it has successfully addressed the 8080 port disablement.
SE ticket update: Work Item 154314:
XXXX changed on Tuesday, August 11, 2015 at 9:02:53 AM Eastern Daylight Time:
Status: Implemented --> Verifying
Resolution: Fixed --> Unresolved
Comments: added: This defect has been verified with the 12.52 integration CR03 build, and found it is fixed. Verified on an upgraded environment from 12.52 SP01 CR01 GA build to 12.52 integration CR03 build and the issue is not reproducible.
Verified build version: FullVersion=12.52.0103.821
Scenario 1:
Steps: In the SPS server.conf file change local.host = "IP which is resolved from the SPS host"
Verify that netstat -an | grep 8080 shows the IP which is provided in server.conf:
tcp 0 0 ::ffff:10.130.160.13:8080 :::* LISTEN
Scenario 2: In case of local.host=localhost, below is the output for netstat -an | grep 8080:
tcp 0 0 ::ffff:127.0.0.1:8080 :::* LISTEN
Issue is fixed in both upgrade and clean installation. Hence closing the issue.
Cheers - Mark
Thanks for the note. Do you recall if this was also changing the listening port and address configuration for the AJP module?
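Added example, not from the thread and not CA's code: a POSIX shell check that turns the netstat verification from the quoted case into a reusable function, so the same test covers the HTTP port (8080) and the AJP port Patrick asks about. A listener on 0.0.0.0 or ::: means the bind setting was ignored, which is exactly the regression the case describes. The netstat lines are constructed; 10.130.160.13 is the address from the quoted case, and 8009 is Tomcat's default AJP port, assumed here because the thread does not state which AJP port the SPS uses.

```shell
#!/bin/sh
# Added example, not from the thread or from CA's product: check that a proxy
# engine listener is bound only to the intended address, by parsing the output
# of `netstat -an` in the form quoted in the thread
# (e.g. "tcp 0 0 ::ffff:10.130.160.13:8080 :::* LISTEN").
#
# Usage:  netstat -an | sps_check_bind <port> <expected-ip>
# Exit 0: every LISTEN socket on <port> is on <expected-ip>
# Exit 1: no listener on <port>, or a listener on a wildcard or other address
sps_check_bind() {
    awk -v port="$1" -v expected="$2" '
        BEGIN { bad = 0; seen = 0 }
        $NF == "LISTEN" {
            sock = $4                       # "local address:port" column
            n = split(sock, parts, ":")
            if (parts[n] != port) next      # not the port we are checking
            addr = substr(sock, 1, length(sock) - length(parts[n]) - 1)
            sub(/^::ffff:/, "", addr)       # IPv4-mapped IPv6, as in the thread
            seen = 1
            if (addr == "0.0.0.0" || addr == "::" || addr == "") {
                print "WILDCARD   " sock; bad = 1
            } else if (addr != expected) {
                print "UNEXPECTED " sock; bad = 1
            } else {
                print "OK         " sock
            }
        }
        END {
            if (!seen) { print "NO LISTENER on port " port; exit 1 }
            exit bad
        }'
}

# Constructed sample output (not captured from a real system). Port 8080 is
# bound as the fixed build leaves it; 8009 (Tomcat default AJP port, an
# assumption here since the thread does not state the SPS AJP port) is still
# on the IPv6 wildcard, which the check must flag.
SAMPLE_NETSTAT='tcp        0      0 ::ffff:10.130.160.13:8080 :::*                    LISTEN
tcp6       0      0 :::8009                 :::*                    LISTEN
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | sps_check_bind 8080 10.130.160.13   # exits 0
    printf '%s\n' "$SAMPLE_NETSTAT" | sps_check_bind 8009 10.130.160.13   # exits 1
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it against the live system with `netstat -an | sps_check_bind 8080 <ip-from-server.conf>` after a restart; a non-zero exit from either the HTTP or the AJP check is the signal that local.host is still being ignored for that connector, which is what to attach to a regression case.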