Symantec Access Management

  • 1.  Tech Tip : CA Single Sign-On : Cannot Bind to specific local Address

    Broadcom Employee
    Posted Jun 06, 2018 03:44 AM



    We are setting up CA Access Gateway into an existing CA SSO


    For security reasons we need to bind the Tomcat HTTP/S and AJP to a
    specific address instead of having it listening on all interfaces.

    For this purpose we've set the parameter inside the file
    server.conf to a local IP address (tried also with hostname) but this
    throws an exception on startup and the proxy engine does not come up
    until I set the parameter back to its original value that is*. The errors in the log files are:


    ProxyServer initialization failed.
    Config File: '/opt/ca/secure-proxy/proxy-engine/conf/server.conf')


    [19/Apr/2018:14:40:31-499] [ERROR] - ProxyServer initialization failed.
    [19/Apr/2018:14:40:31-499] [ERROR] - Config File: '/opt/ca/secure-proxy/proxy-engine/conf/server.conf')


    2018-Apr-19 14:36:47,585 - ERROR - - Unable to Initialize Proxy UI Configuration
    java.lang.NumberFormatException: null
    at java.lang.Integer.parseInt( ~[?:1.8.0_162]
    at java.lang.Integer.valueOf( ~[?:1.8.0_162]
    at Source) ~[classes/:?]
    at Source) ~[classes/:?]
    at Source) [classes/:?]
    at org.apache.catalina.core.StandardWrapper.initServlet( [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardWrapper.loadServlet( [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardWrapper.load( [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardContext.loadOnStartup( [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardContext.startInternal( [catalina.jar:7.0.82]
    at org.apache.catalina.util.LifecycleBase.start( [catalina.jar:7.0.82]
    at org.apache.catalina.core.ContainerBase$ [catalina.jar:7.0.82]
    at org.apache.catalina.core.ContainerBase$ [catalina.jar:7.0.82]
    at [?:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor.runWorker( [?:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor$ [?:1.8.0_162]
    at [?:1.8.0_162]


    How can we configure this properly?




    At the moment, the functionality to modify the ports and addresses for
    the ProxyUI isn't documented and an idea to get it implemented is
    still not planned.


    Raise this Idea in the CA Single Sign-On Communities to get this
    possibility implemented out of the box.

    1. Go to the CA Security Overview Page :
    2. Click on the "Actions" drop-down menu and select "Create an
    3. Give your idea a title and detailed description to encourage
    4. Publish and vote on your idea!


    Please find below link to related content


    RFE - Restricting access to the SPS ProxyUI Admin Console


    KB : KB000099443

  • 2.  Re: Tech Tip : CA Single Sign-On : Cannot Bind to specific local Address

    Broadcom Employee
    Posted Jun 06, 2018 04:02 AM

    Hi Patrick, I remember this one from quite a while ago.

    (or IP address), was raised as a bug and fixed - I found it - below are the details from the case in 2015:


    Perhaps the fix did not make it into the head branch - maybe raise it as a regression then. 



    In server.conf there are two settings:

    Those "should" determine the listen, but since about R12.5+ when they introduced proxyui
    it has ignored the setting.

    Engineering has provided the fix on 6/3 and customer tested it has successfully addressed the 8080 port disablement


    SE ticket update: Work Item 154314

    XXXX changed on Tuesday, August 11, 2015 at 9:02:53 AM Eastern Daylight Time:
    Status: Implemented --> Verifying
    Resolution: Fixed --> Unresolved
    added: This Defect has been verified with 12.52 integration CR03 build, and found it is fixed.
    Verified on Upgraded environment from 12.52 SP01 CR01 GA build to 12.52 integration CR03 build and the issue is not reproducible
    Verified build version: FullVersion=12.52.0103.821


    Scenario 1:
    In SPS server.conf file change the = "IP which is resolved from the SPS host"
    Verify that netstat -an | grep 8080 shows the ip which is provided in server.conf
    tcp 0 0 ::ffff: :::* LISTEN


    Scenario 2:
    In case of localhost below is the output for netstat -an | grep 8080
    tcp 0 0 ::ffff: :::* LISTEN


    Issue is fixed in both upgrade and clean installation. Hence closing the issue.


    Cheers - Mark
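    The verification step above (checking that netstat shows port 8080 bound to the address set in server.conf, not to all interfaces) can be scripted. The following POSIX shell script is an added example, not code from the thread or from CA/Broadcom: it parses a `netstat -an` style listing and reports whether every LISTEN socket on a given port is bound to the expected local address. The IP 10.0.0.5, the two listings and the function names are constructed for illustration; run it without the third argument to inspect the live host.

```shell
#!/bin/sh
# Added example, not from the thread: verify that an SPS/Tomcat listener
# (HTTP 8080 here; the AJP port is checked the same way by changing the
# port argument) is bound to one local address, not to all interfaces.
# It parses `netstat -an` output, so it also works on a captured listing.
# The address 10.0.0.5 and both listings below are constructed samples.

# Constructed sample: 8080 bound to the intended address only.
SAMPLE_BOUND='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 ::ffff:10.0.0.5:8080    :::*                    LISTEN'

# Constructed sample: the setting was ignored and 8080 listens everywhere.
SAMPLE_WILDCARD='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::8080                 :::*                    LISTEN'

# listen_addrs LISTING PORT
#   Prints the local address (port stripped, IPv4-mapped ::ffff: prefix
#   dropped) of every LISTEN socket on PORT found in LISTING.
listen_addrs() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $NF == "LISTEN" && $4 ~ (":" port "$") {
            addr = substr($4, 1, length($4) - length(port) - 1)
            sub(/^::ffff:/, "", addr)
            print addr
        }'
}

# check_bind EXPECTED_IP PORT [LISTING]
#   returns 0 when every LISTEN socket on PORT is bound to EXPECTED_IP,
#   1 when some socket on PORT is bound to a wildcard or another address,
#   2 when nothing listens on PORT (service down or wrong port).
# Without LISTING it inspects the live host with `netstat -an`.
check_bind() {
    expected="$1"; port="$2"; listing="$3"
    [ -n "$listing" ] || listing=$(netstat -an 2>/dev/null)
    addrs=$(listen_addrs "$listing" "$port")
    [ -n "$addrs" ] || { echo "port $port: nothing listening"; return 2; }
    rc=0
    for a in $addrs; do
        case "$a" in
            "$expected") echo "port $port: bound to $a (ok)" ;;
            0.0.0.0|::|'*') echo "port $port: bound to ALL interfaces ($a)"; rc=1 ;;
            *)           echo "port $port: bound to unexpected address $a"; rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration against the constructed listings.
if check_bind 10.0.0.5 8080 "$SAMPLE_BOUND"; then
    echo "bound sample: pass"
fi
if check_bind 10.0.0.5 8080 "$SAMPLE_WILDCARD"; then :; else
    echo "wildcard sample: fail (exit $?), as expected"
fi
```

    The exit code distinguishes "bound elsewhere" from "not listening at all", so the check can be dropped into a post-restart smoke test or a configuration-drift monitor without misreading a stopped proxy engine as a correctly restricted one.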

  • 3.  Re: Tech Tip : CA Single Sign-On : Cannot Bind to specific local Address

    Broadcom Employee
    Posted Jun 06, 2018 04:13 AM

    Hi Mark,


    Thanks for the note. Do you recall if this was changing also the listening port and address configuration for the AJP module?


    Best Regards,