My org is trying to set up a federation server using the WAOP (v12.52.0108) and Tomcat (7.0.88) architecture in a 12.7 SSO environment. We have run into an issue when configuring a federation: when the SSO service URL is hit we just land at a (Chrome) 404 page without getting an SSO prompt. If we hit the authentication URL pointing to the .jsp page in the affwebservices directory we get an SSO prompt from the authentication scheme and are then dumped to a (Chrome) 404 page. The one thing that came to mind on this issue is that Tomcat isn't getting the cert from IIS in front of it. So we set up a keystore and imported the key in PKCS12 format into the Tomcat JKS store. No issues in the catalina log from this, but the cert still isn't getting passed along and neither link works; we still get a 404 error.
Does anything come to mind when setting up this architecture that could be useful to double check as to why we can't get a .jsp page to load as well as the cert passed?
Here are the tomcat server.xml SSL connector settings being used:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="D:\localapps\Apache Software Foundation\Tomcat 7.0\<org keystore name>.jks" keystorePass="<keystore p/w>" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" />
This isn't a cert problem - a 404 is a valid HTTP response, so you are past the TLS handshake. Either your IIS is not properly forwarding to Tomcat, or the application isn't deployed properly on Tomcat.
I have tried deploying and redeploying the .war file as directed in the 12.52 SP1 Guide found here https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/installing/install-agents/web-agent-option-pack/deploy-federation-web-services/set-up-jboss-or-tomcat-to-work-with-federation-web-services corresponding with Tomcat. Could it be a permissions issue? How could I track down a failed deployment in the Tomcat logs, if you know?
You need to look in the Tomcat log files; there should be a message for each application Tomcat deploys on startup.
Well, I got a little further after not looking at the certificates as closely. I noticed that if I put a helloworld.jsp into the directory I am trying to access and using the hostname:port for tomcat rather than the FQDN (which passes through IIS) I am able to get to the page with an invalid cert error (Error: The security certificate presented by this website was issued for a different website's address.).
FQDN: https://<fqdn.blah.blah>/affwebservices/redirectjsp/helloworld.jsp [Does Not Work]
Hostname: https://<hostname.blah.blah>:8443/affwebservices/redirectjsp/helloworld.jsp [Does Work]
It appears we are seeing a 404 error from the IIS side, so it doesn't look like the request is even getting to Tomcat.
What mechanism are you using to forward from IIS to Tomcat? Jakarta plugin for IIS? There are several steps needed both in IIS and in the plugin configuration to get the plugin working. There is also a log file for the plugin that you can configure. If IIS is trying to load the plugin and failing, you should also see an error in the windows event viewer. HTH!
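As an added illustration of the plugin setup this answer refers to (not from the thread or from CA's guide), here is a minimal Jakarta ISAPI redirector configuration that hands /affwebservices/* from IIS to Tomcat over AJP; the D:\localapps\tomcat-connector paths, the worker name ajp13w and the AJP port 8009 (Tomcat's default) are assumptions.

```properties
# --- isapi_redirect.properties (lives next to isapi_redirect.dll; hypothetical paths) ---
# Virtual path under which IIS exposes the DLL. On the IIS side, a virtual directory
# named "jakarta" must point at the folder holding isapi_redirect.dll with Execute
# permission, the DLL must be registered as an ISAPI filter on the site, and it must
# be allowed under "ISAPI and CGI Restrictions"; miss any of these and IIS serves
# its own 404 because nothing ever forwards the request.
extension_uri=/jakarta/isapi_redirect.dll
# Plugin log: the first place to check when IIS answers 404 instead of forwarding.
# Set to debug while troubleshooting, then back to info.
log_file=D:\localapps\tomcat-connector\logs\isapi_redirect.log
log_level=debug
worker_file=D:\localapps\tomcat-connector\conf\workers.properties
worker_mount_file=D:\localapps\tomcat-connector\conf\uriworkermap.properties

# --- workers.properties ---
# One AJP worker for the local Tomcat. The port must match Tomcat's AJP connector
# in server.xml, e.g. <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />.
# Bind it to 127.0.0.1 so only the IIS on the same host can reach it: AJP carries the
# request unencrypted, and TLS is terminated by IIS, so the Tomcat JKS keystore from
# the original post only matters for direct hits on :8443.
worker.list=ajp13w
worker.ajp13w.type=ajp13
worker.ajp13w.host=localhost
worker.ajp13w.port=8009

# --- uriworkermap.properties ---
# Without a mount for /affwebservices/*, IIS looks for a physical folder of that
# name under the site root, finds none, and returns its own 404 before Tomcat
# ever sees the request, which matches the symptom in the thread.
/affwebservices/*=ajp13w
```

If the IIS 404 persists with these files in place, a failed plugin load shows up in the Windows event log rather than in isapi_redirect.log, since the DLL never got far enough to open it.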