Symantec IGA


Noodle ConnectException

  • 1.  Noodle ConnectException

    Posted Apr 09, 2015 06:42 AM

    Error Details

    Request URI: /

    Error Type: SPS Exception

    Error Code: Noodle_ConnectException

    Message: Connection refused remotely, no process is listening on the remote address/port.

     

    While browsing the SPS URL, I am running into the above error. Any thoughts would be appreciated.

     

    Thanks,



  • 2.  Re: Noodle ConnectException

    Posted Apr 09, 2015 04:36 PM

    Shiva ShivaShankarPrasad

     

    The error looks pretty clear "no process is listening on the remote address / port".

     

    Check your server.conf (Virtual Host Section) and Proxy Rules.xml (proxy definitions).

     

    Make sure the URL (backend) defined in proxyrules.xml is responding.

     

     

     

    Regards

     

    Hubert



  • 3.  Re: Noodle ConnectException

    Posted Apr 10, 2015 05:19 AM

    Hi Hubert,

     

    Thank you so much for the reply. I checked my server.conf file and proxy.xml and they look good; for your reference, I am including both files here.

     

    I request you to please have a look and let me know if any changes are required. I even opened a ticket with Support, but no one is replying on this; not sure why.

     

    <Server>
        #General Server Information

        #Define the listeners between
        #HTTP listner and proxy engine
        worker.ajp13.port=8009
        worker.ajp13.host=localhost
        worker.shutdown.port=8005

        #Define additional tuning parameters for the connection between HTTP listener and proxy engine
        #These parameters are used by mod_jk and are not used by proxy engine
        #worker.ajp13.reply_timeout - The maximum time (milliseconds) that can elapse between any two packets received from proxy engine
        #after which the connection between HTTP listener and proxy engine is dropped
        #A value of zero makes it to wait indefinitely until response is received (default)
        #worker.ajp13.retries - The maximum number of times that the worker will send a request to proxy engine in case of a communication error
        #Default value for retries is 2
        worker.ajp13.reply_timeout=0
        worker.ajp13.retries=2

        #Define AJP13 tuning parameters
        #Number of request waiting in queue (queue length)
        #Number of threads created at initialization time
        #Maximum number of concurrent connections possible
        #Maximum time (seconds) that the idle connections will remain the connection pool before timing out, default value is 0 that means never time out
        ajp13.accept_count=10
        ajp13.min_spare_threads=10
        ajp13.max_threads=100

        worker.ajp13.connection_pool_timeout=0

        #'max_packet_size': This attribute sets the maximum AJP packet size in Bytes. The maximum value is 65536.
        #This same value will be used as 'packetSize' attribute for AJP connector on the Tomcat side.
        worker.ajp13.max_packet_size=16384

        singleprocessmode="yes"

        # Provide the values for the Federation related parameters here
        #
        # enablefederationgateway - "yes" or "no" - Enable or Disable SPS Federation Gateway
        # fedrootcontext - Name of the Federation root context ("affwebservices" by default)
        # authurlcontext - Path of the Authentication URL (without the jsp file name) (siteminderagent/redirectjsp by default)
        # protectedbackchannelservices - Names of protected Backchannel services

        # Root of location that the agent will resolve "/" to for
        # finding forms (fcc) and error files.  Note: If document_root
        # is specified as a relative directory, it will be relative to
        # Tomcat/webapps/
        document_root="../../proxy-engine/examples"

        # Enable disable HTTPClient logging with value "yes" or "no".
        # Recommended to enable the logging for only debug purposes. Not recommended for production environment.
        httpclientlog="no"

            # Set the SSL protocol version to support:SSLv3, TLSv1
            # NOTE: SSL version 2 is no longer supported
            versions="SSLv3"

            ciphers="-RSA_With_Null_SHA,RSA_With_Null_MD5,-RSA_With_RC4_SHA,RSA_With_RC4_MD5,RSA_With_DES_CBC_SHA,RSA_Export_With_RC4_40_MD5,-RSA_Export_With_DES_40_CBC_SHA,+RSA_Export_With_RC2_40_CBC_MD5,-DH_RSA_With_DES_CBC_SHA,-DH_RSA_With_3DES_EDE_CBC_SHA,-DH_RSA_Export_With_DES_40_CBC_SHA,-DH_DSS_With_DES_CBC_SHA,-DH_DSS_Export_With_DES_40_CBC_SHA,-DH_Anon_With_RC4_MD5,-DH_Anon_With_DES_CBC_SHA,-DH_Anon_With_3DES_EDE_CBC_SHA,-DH_Anon_Export_With_DES_40_CBC_SHA,-DH_Anon_Export_With_RC4_40_MD5,-DHE_RSA_With_DES_CBC_SHA,-DHE_RSA_Export_With_DES_40_CBC_SHA,-DHE_DSS_With_DES_CBC_SHA,-DHE_DSS_Export_With_DES_40_CBC_SHA"

            fipsciphers="+DHE_DSS_With_AES_256_CBC_SHA, +DHE_RSA_With_AES_256_CBC_SHA, +RSA_With_AES_256_CBC_SHA, +DH_DSS_With_AES_256_CBC_SHA, +DH_RSA_With_AES_256_CBC_SHA, +DHE_DSS_With_AES_128_CBC_SHA, +DHE_RSA_With_AES_128_CBC_SHA, +RSA_With_AES_128_CBC_SHA, +DH_DSS_With_AES_128_CBC_SHA, +DH_RSA_With_AES_128_CBC_SHA, +DHE_DSS_With_3DES_EDE_CBC_SHA, +DHE_RSA_With_3DES_EDE_CBC_SHA, +RSA_With_3DES_EDE_CBC_SHA, +DH_DSS_With_3DES_EDE_CBC_SHA"

            # Covalent SSL CA certificate bundle and certs path to be converted
            # The bundle and/or certs located at defined location will be converted
            # to binary (DER) format and loaded as SSLParams.
            # NOTE: Only put Base64 (PEM) encoded cert files/bundles in the covalent
            # certificate directory.
            cacertpath="C:\Program Files (x86)\CA\secure-proxy\SSL\certs"
            cacertfilename="C:\Program Files (x86)\CA\secure-proxy\SSL\certs\ca-bundle.cert"

            # This certificate configured below is used as SPS client certificate for the backend servers when
            # SSL client authentication is enabled.
            # Location of the Key file : <install-dir>\SSL\clientcert\key\
            # Location of public certs : <install-dir>\SSL\clientcert\certs\
            # NOTE: Only put DER encoded, password encrypted pkcs8 keyfile.
            # Client pass phrase should be encrypted using EncryptUtil tool.

            #ClientKeyFile=
            #ClientPassPhrase=
            # max cache time in milliseconds (Default: 120000 milliseconds)
            maxcachetime="120000"
        </sslparams>

        #This parameter is applicable to the cookie added by backend.
        #"yes"--- Default Value. Quotes will be added to the cookie parameter value
        #which contains special characters if the cookie version is other than "0"
        #"no" --- Quotes will not be added to the cookie.

        addquotestocookie="yes"

        # This parameter is applicable to the cookie sent to browser
        # Tomcat 5.5 and higher adds quotes to the cookie. Parameter "addquotestobrowsercookie" changes the default behavior of Tomcat.
        # "no" --- Default Value. Quotes will not be added to the cookie parameter value
        # "yes" --- Quotes will be added to the cookie.

        addquotestobrowsercookie="no"

        # This parameter is applicable to the equal (=) sign in the cookie.
        # Tomcat will allow = characters when parsing unquoted cookie values.
        # Tomcat 5.5 and higher adds quotes to the cookie. Parameter "allowequalsincookievalue" changes the default behavior of Tomcat.
        # "yes" --- Default Value. Cookie values are allowed to contain an equals character.
        # "no"  --- Cookie values containing = will be terminated when the = is encountered and the remainder of the cookie value will be dropped.

        allowequalsincookievalue="yes"

        # This parameter needs to be set to the appropriate char-set based upon the locale of the users
        # This parameter is used by the HttpClient inside SPS to appropriately encode the headers that
        # will be sent to the backend server
        # For Example -
        # "US-ASCII"--- Default value, which is appropriate for default US English Locale
        # "Shift_JIS" --- Should be set for supporting Japanese locale and for supporting login using Japanese usernames
        requestheadercharset="US-ASCII"

        #This parameter is applicable to the caching of POST data.
        #"no"--- Default Value. Post data ia not cached by SPS.
        #"yes"--- POST data Caching enabled
        enablecachepostdata="no"
        #This parameter defines that maximum size of POST data that is to be cached.
        #Size in Kb
        maxcachedpostdata="1024"

        # This parameter needs to be set to "yes" if request URL needs to be URLEncoded before sending the request to backend web server.
        # "no" --- The request URL will not be URLEncoded before sending the request to backend web server.
        # "yes" ---Default value.
        encodeurl="yes"

        #Configurations related to custom error pages

        #Custom error pages configuration end

        # MAX buffer size for monitoring feature buffer size. Used only atleast on metric-reporter tag is enabled.
        # default value 1000 entries
        monitor_data_buffer_size="1000"

    </Server>

     

    #
    # Default metric reporter to monitor SPS with Wily
    # enabled - yes to enable and no to disable, default: no
    # endpoint - format: protocol://hostname:port/
    # hostname should be the hostname where Wily EPAgent is started
    # port network data port/HTTP port configured in Wily EPAgent based on protocol given
    # protocol - tcp, if network data port & http, if http port is configured on Wily EPAgent side
    #

    # Session Store Information
        class="com.netegrity.proxy.session.SimpleSessionStore"
        max_size="10000"
        clean_up_frequency="60"
    </SessionStore>

     

    # Service Dispatcher
    # This is new since proxy 6.0
    # Service Dispatcher is now a global server configuration parameter and is no longer
    # configured on a per virtual host basis.

    # Proxy Service

        class="org.tigris.noodle.Noodle"

        # Enables support for multiple protocols if set to true. Currently only
        # http and https is supported.  If set to false only http is supported.
        protocol.multiple="true"
        http_connection_pool_min_size="4"
        http_connection_pool_max_size="20"
        http_connection_pool_incremental_factor="4"

        # Timeout to be used to close idle connections in the pool. If no units are specified,
        # the default units are minutes
        http_connection_pool_connection_timeout="1 minute"

        # Timeout (in milliseconds) to be used to wait for an available connection.
        # A timeout of zero:
        # 1. causes the pool to wait for a connection until notified
        # 2. invalidates the use of max retries
        http_connection_pool_wait_timeout="0"

        # Number of attempts to obtain a connection.
        # A value of zero causes pool to attempt indefinetly.
        # Only applicable if wait timeout is not zero.
        http_connection_pool_max_attempts="3"

        # Timeout (in milliseconds) to be used for creating connections and reading
        # responses. The timeout will limit the time spent doing the host name
        # translation and establishing the connection with the server when creating
        # sockets.
        # A timeout of zero means wait indefinetly.
        http_connection_timeout="0"

        # Pool configuraiton for connection oriented authentication backend
        # connections eg: NTLM.
        <connection-pool name="connection oriented authentication">
            connection-timeout="10 seconds"
            max-size="200"
            enabled="yes"
        </connection-pool>

        # Proxy filters may be defined here to perform pre/post processing tasks.
        # The following format must be used to configure filters:
        #
        # filter.<filter name>.class=<fully qualified filter class name>  (required)
        # filter.<filter name>.init-param.<param name1>=<param value1>                              (optional)
        # filter.<filter name>.init-param.<param name2>=<param value2>
        # filter.<filter name>.init-param.<param name3>=<param value3>
        #
        # The filter name is used by the proxy rules to trigger a specific filter.
        # Filter names should be unique.
        # Filter jar files should be dropped in the <SPS_HOME>/Tomcat/lib directory
        # See the documentation for more details.
        #
        # The following are examples for use with the provided sample filters:
        # Defines a filter with name "filter1" whose class is "SamplePreFilter"
        #filter.filter1.class=SamplePreFilter
        #filter.filter1.init-param.header1="Header1"
        #filter.filter1.init-param.header2="header2"
        #filter.filter1.init-param.newheader="FILTER_GENERATED_HEADER"
        #
        # Defines a filter with name "filter2" whose class is "SamplePostFilter"
        #filter.filter2.class=SamplePostFilter
        #filter.filter2.init-param.oldStr="foo"
        #filter.filter2.init-param.newStr="bar"

        ##filter.myfilter.class=MyFilter
        ##filter.myfilter.init-param.oldStr="CA"
        ##filter.myfilter.init-param.newStr="Oracle"
        #
        # The following example illustrates the use of custom filters in a group
        # Defines filter groups with valid Custom filter names.
        # Defines a filter group with name "group1" by grouping Custom filters "filter1" and "filter2"
        #groupfilter.group1="filter1,filter2"

        # Defines a filter group with name "group2" by grouping Custom filters "myfilter" and "filter1"
        #groupfilter.group2="myfilter,filter1"

    </Service>

     

    # Redirect Service

        class="com.netegrity.proxy.session.MiniCookieSessionScheme"
        accepts_smsession_cookies="false"

        # The name of the small cookie to be stored in the client.
        cookie_name="SMID"

        class="com.netegrity.proxy.session.DeviceIdSessionScheme"
        accepts_smsession_cookies="false"

        # The header name containing the device id of the wireless devices
        device_id_header_name="vendor_device_id_header_name"
    </SessionScheme>

    # TO-DO: Define Any User Agents, if you want to
    # use a different session scheme based on
    # the type of client accessing the server.
    #
    # NOTE:  UserAgent matching is done in the order
    # in which the user agents are defined in this file.
    # <UserAgent name="user_agent_name_1">
    #     header_name_1=some regular expression
    # </UserAgent>
    # <UserAgent name="user_agent_name_2">
    #     header_name_1=some other regular expression
    # </UserAgent>

        # default session scheme
        defaultsessionscheme="default"
        enablerewritecookiepath="no"
        enablerewritecookiedomain="no"
        enableproxypreservehost="no"

        # specify the block size for request and response in KBs
        requestblocksize="4"
        responseblocksize="4"

        #TO-DO:  Define any session scheme mappings
        #
        #    user_agent_name=session_scheme_name
        #</SessionSchemeMappings>

        # Web Agent.conf

    # Default Virtual Host

        #addresses="192.168.1.100"
        hostnames="cdtspng01zu.custuac.rxcorp.uac"
        defaultsessionscheme="default"

        # specify the block size for request and response in KBs
        requestblocksize="4"
        responseblocksize="8"

        #The defaults can be overriden
        #not only for the Virtual Host
        #but for the WebAgent for that
        #virtual host as well
        #

     

     

    Thanks in advance,

    Shankar.



  • 4.  Re: Noodle ConnectException

    Posted Apr 10, 2015 05:45 AM

    we are redirecting to default url i.e www.ca.com

    Thanks,

    Shankar.



  • 5.  Re: Noodle ConnectException

    Posted Apr 10, 2015 10:11 AM

    Thank You Shankar

     

    Could you enable trace logging via ACO and add debug="yes" in proxyrules.xml. Then Access the URL. We may find some pointers there.

     

    ##################################

    Debug Attribute

    The debug attribute lets you manage logging and debug proxy rules. It has the following syntax:

     

    <!ATTLIST nete:proxyrules
    debug (yes|no) "no">

     

    Set the value to yes to enable logging. The log file location is determined by the TraceFileName parameter in the agent configuration object that you configured for CA SiteMinder® SPS. The TraceConfigFile parameter in the same agent configuration object must point to the Secure Proxy-specific trace logging configuration file. By default, the file is located at <install-dir>\proxy-engine\conf\defaultagent\SecureProxyTrace.conf.

    For example: <nete:proxyrules xmlns:nete="http://www.ca.com/" debug="yes">

    ##################################

     

     

     

    Regards

     

    Hubert



  • 6.  Re: Noodle ConnectException

    Posted Apr 10, 2015 11:44 AM

    Hi Hubert,

     

    Thank you so much for the quick response. As you said I have enabled the logs and below is the same.

     

    [11:36:17][5132][2452][][InitializeTracingMT][Tracing initialized.]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][ProxyValve::invoke][Entering the agent.]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][ProxyValve::invoke][Virtual Host: default]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][ProxyValve::invoke][Using session scheme: default]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][ProxyValve::invoke][Using default user agent]

    [11:37:27][5132][5748][][ReportHealthData][Accumulating HealthMonitorCtxt.]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][ProxyValve::invoke][ProxyValve.invoke() Setting HTTP status to 200 allowing this request to proceeed. Return Code from HLA = 4]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][Tomcat5serializedAgentData::setStatus()][Setting response status = 200]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][ProxyValve::invoke][The agent finished processing the request.]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][Noodle::service][Method is: GET Content length is: 0]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][addRequestHeaders][Need to preseve Proxy HOST Header.Sending Proxy Host to the backend web server]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][execute][Sending request to backend = www.ca.com url = http://www.ca.com//]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][requestConnection(): ][Get connection: HttpRoute[{}->http://www.ca.com], timeout = 0]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][openConnection()][Connecting to www.ca.com/23.54.215.14:80]

    [11:37:48][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][releaseConnection(): ][Released connection is not reusable.]

    [11:37:48][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][execute][Connection to http://www.ca.com refused]

    [11:37:48][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][execute][Retrying to send the request to backend web server.Retry count: 1]

    [11:37:48][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][Noodle::doGet][org.apache.http.conn.HttpHostConnectException: Connection to http://www.ca.com refused         at com.ca.proxy.apache.httpclient.conn.factory.SPSConnectionFactory.openConnection(SPSConnectionFactory.java:143)]

    [11:37:48][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][ErrorPageImpl::displayMessage][Custom Error Pages : Custom message is not an URL. If URL is specified then it might not be in proper format. Considering it as plain text message.]

    [11:37:48][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][ProxyValve::invoke][Leaving the agent.]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][ProxyValve::invoke][Entering the agent.]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][ProxyValve::invoke][Virtual Host: default]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][ProxyValve::invoke][Using session scheme: default]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][ProxyValve::invoke][Using default user agent]

    [11:39:37][5132][5748][][ReportHealthData][Accumulating HealthMonitorCtxt.]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][ProxyValve::invoke][ProxyValve.invoke() Setting HTTP status to 200 allowing this request to proceeed. Return Code from HLA = 4]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][Tomcat5serializedAgentData::setStatus()][Setting response status = 200]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][ProxyValve::invoke][The agent finished processing the request.]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][Noodle::service][Method is: GET Content length is: 0]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][addRequestHeaders][Need to preseve Proxy HOST Header.Sending Proxy Host to the backend web server]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][execute][Sending request to backend = www.ca.com url = http://www.ca.com//]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][requestConnection(): ][Get connection: HttpRoute[{}->http://www.ca.com], timeout = 0]

    [11:39:37][5132][5748][11450180-27cb84e7-52d4cec1-460d66af-f4f765df-506f][openConnection()][Connecting to www.ca.com/23.54.215.14:80]

     

    Thanks,

    Shankar.



  • 7.  Re: Noodle ConnectException
    Best Answer

    Posted Apr 10, 2015 04:45 PM

    Are you able to access http://www.ca.com from the server which is hosting secure proxy server?

     

    I think network connections OR something might be blocking your request going out to the Internet.

     

     

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][execute][Sending request to backend = www.ca.com url = http://www.ca.com//]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][requestConnection(): ][Get connection: HttpRoute[{}->http://www.ca.com], timeout = 0]

    [11:37:27][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][openConnection()][Connecting to www.ca.com/23.54.215.14:80]

    [11:37:48][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][releaseConnection(): ][Released connection is not reusable.]

    [11:37:48][5132][5748][118595d9-c20b5059-0607a636-e3d55e2b-3a8bedfa-294][execute][Connection to http://www.ca.com refused]

     

     

    Change the URL in the proxyrules.xml to some test server (backend Server), hosting a test page in your environment.

     

     

    Regards

     

    Hubert
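
The trace lines quoted in the answer above can be read mechanically. The following is an added example, not code from this thread or from CA: it parses the `[time][pid][tid][transaction id][function][message]` layout, groups lines by transaction, and reports how long each backend connect took to fail. The sample lines, host names and the `slow_after_s` threshold are constructed assumptions; only the message wording is taken from the log posted here.

```python
import re
from datetime import datetime

# Constructed sample in the trace layout quoted in this thread.
# Hosts, addresses and transaction IDs are placeholders, not values from the thread.
SAMPLE_TRACE = """\
[11:37:27][5132][5748][tx-a][ProxyValve::invoke][Entering the agent.]
[11:37:27][5132][5748][][ReportHealthData][Accumulating HealthMonitorCtxt.]
[11:37:27][5132][5748][tx-a][execute][Sending request to backend = app.example.test url = http://app.example.test//]
[11:37:27][5132][5748][tx-a][requestConnection(): ][Get connection: HttpRoute[{}->http://app.example.test], timeout = 0]
[11:37:27][5132][5748][tx-a][openConnection()][Connecting to app.example.test/192.0.2.10:80]
[11:37:48][5132][5748][tx-a][execute][Connection to http://app.example.test refused]
[11:37:48][5132][5748][tx-a][execute][Retrying to send the request to backend web server.Retry count: 1]
[11:38:02][5132][5748][tx-b][execute][Sending request to backend = intranet.example.test url = http://intranet.example.test:8080/]
[11:38:02][5132][5748][tx-b][openConnection()][Connecting to intranet.example.test/192.0.2.20:8080]
[11:38:02][5132][5748][tx-b][execute][Connection to http://intranet.example.test:8080 refused]
[11:39:37][5132][5748][tx-c][openConnection()][Connecting to app.example.test/192.0.2.10:80]
"""

# Five bracketed fields without nested brackets, then a message that may contain them.
LINE_RE = re.compile(
    r"^\[(\d{2}:\d{2}:\d{2})\]\[(\d+)\]\[(\d+)\]\[([^\]]*)\]\[([^\]]*)\]\[(.*)\]\s*$"
)


def parse_line(line):
    """Split one trace line into named fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    keys = ("time", "pid", "tid", "txid", "function", "message")
    return dict(zip(keys, m.groups()))


def _seconds_between(start, end):
    fmt = "%H:%M:%S"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return int(delta.total_seconds()) % 86400  # no date in the trace; tolerate midnight wrap


def summarize(trace_text, slow_after_s=5):
    """Return one record per transaction that attempted a backend connection.

    slow_after_s is an assumed heuristic: a failure reported within the same
    second is typical of an active reset from the target, while a failure after
    many seconds is typical of connection attempts that were never answered
    (for example, dropped by a filtering device on the path).
    """
    txs = {}
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["txid"]:
            continue  # skip unparsable lines and lines not tied to a transaction
        tx = txs.setdefault(rec["txid"], {
            "txid": rec["txid"], "backend": None, "target": None,
            "connect_at": None, "failed_at": None, "retries": 0,
        })
        msg = rec["message"]
        sent = re.match(r"Sending request to backend = (\S+) url = \S+", msg)
        if sent:
            tx["backend"] = sent.group(1)
        elif rec["function"] == "openConnection()" and msg.startswith("Connecting to "):
            if tx["connect_at"] is None:
                tx["target"] = msg[len("Connecting to "):]
                tx["connect_at"] = rec["time"]
        elif re.match(r"Connection to \S+ refused$", msg):
            if tx["failed_at"] is None:
                tx["failed_at"] = rec["time"]
        elif msg.startswith("Retrying to send the request"):
            tx["retries"] += 1

    results = []
    for tx in txs.values():
        if tx["connect_at"] is None:
            continue
        if tx["failed_at"] is None:
            elapsed, verdict = None, "no-outcome-logged"  # trace ends mid-transaction
        else:
            elapsed = _seconds_between(tx["connect_at"], tx["failed_at"])
            verdict = "slow-failure" if elapsed >= slow_after_s else "fast-refusal"
        results.append({"txid": tx["txid"], "backend": tx["backend"],
                        "target": tx["target"], "elapsed_s": elapsed,
                        "retries": tx["retries"], "verdict": verdict})
    return results


if __name__ == "__main__":
    for row in summarize(SAMPLE_TRACE):
        print(row)
```
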



  • 8.  Re: Noodle ConnectException

    Posted Apr 13, 2015 06:35 AM

    Hi Hubert,

     

    Thanks for your reply. I am able to browse the http://www.ca.com URL on the box, but if we access it through SPS it's not working. Yes, as you expected, I think something is blocking the URL, because if I modify the proxyrules.xml to some internal application then it is working as expected.

     

    Thank you so much for help  and valuable comments on this.

     

    Thanks,

    Shankar.



  • 9.  Re: Noodle ConnectException

    Posted Sep 01, 2016 03:06 AM

    HubertDennis

    Hey Hubert, sorry to bother you.

     

    I tried all that is commented here. Yet I am not able to proceed further; I get the same error. Is there something else I have to look into?

    Please advise



  • 10.  Re: Noodle ConnectException

    Posted Jan 25, 2018 06:31 PM

    Hi ChristieJS,

     

    I am also still getting the same error even after doing all the steps said by Hubert above. Were you able to resolve this? If yes, could you share the resolution here?



  • 11.  Re: Noodle ConnectException

    Posted Jan 25, 2018 06:48 PM

    c-Anish

     

    Are you unable to proxy to www.ca.com OR are you unable to proxy to a backend Web Server?



  • 12.  Re: Noodle ConnectException

    Posted Jan 25, 2018 06:58 PM

    I am able to navigate to www.ca.com from the box; I am unable to proxy to the backend web server. After giving the credentials I am being redirected to the error page below.

     

    Secure Proxy Server - Error Report

    Error Details

    Request URI: /cwopa/

    Error Type: SPS Exception

    Error Code: Noodle_ConnectException

    Message: Connection refused remotely, no process is listening on the remote address/port.


  • 13.  Re: Noodle ConnectException

    Posted Jan 25, 2018 07:10 PM

    c-Anish

     

    You are probably mixing two things

     

    A. Proxy to www.ca.com

     

    B. Proxy to backend server.

     

     

    What is configured in your proxyrules.xml ? Could you paste that please.

     

    It seems like you are proxying to backend server.

     

    Could we check ..

     

    1. If there is connectivity from the CA AG server to the backend server on the IP:Port that the backend server is running on. You can do this by running "Telnet IPAddress-backend-server Port". If the result returns connected, then there is connectivity.

     

    2. Is the backend server running on SSL? If yes, then the root CA issuing the SSL certificate for the backend server needs to be trusted (added) within CA AG. You can do that by accessing ProxyUI and adding the Root CA.



  • 14.  Re: Noodle ConnectException

    Posted Jan 25, 2018 07:20 PM

    Thanks for your quick response Hubert. Below is the Proxyrules.xml file

     

    <?xml version="1.0"?>
    <?cocoon-process type="xslt"?>
    <!DOCTYPE nete:proxyrules SYSTEM "file:///E:\CA\Agent-for-SharePoint\proxy-engine\conf\dtd\proxyrules.dtd">

    <!-- Proxy Rules-->
    <nete:proxyrules xmlns:nete="https://externalurl.com:443" debug="yes">
    <nete:forward>http://internalurl.com:80$0</nete:forward>
    </nete:proxyrules>

     

    I did telnet to the backend URL with the secure port 443; it is not working.

    I did telnet to localhost with the secure port 443; it is working.

     

    I added the root certificate in ca-bundle.cert file.

     

    This afternoon it worked as expected, but it suddenly is throwing this error after giving credentials.

     

    Thanks

    Anish
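
The connectivity check discussed in the posts above (telnet from the proxy server to the backend IP and port) can be driven directly from the forward targets in a proxyrules.xml like the one posted. This is an added example, not code from the thread or from the product: it handles only `nete:forward` elements, the sample file and host name are constructed, and the function names are hypothetical.

```python
import re
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the proxyrules.xml layout posted in this thread.
# The host name and DTD path are placeholders.
SAMPLE_RULES = """<?xml version="1.0"?>
<!DOCTYPE nete:proxyrules SYSTEM "proxyrules.dtd">
<nete:proxyrules xmlns:nete="http://www.ca.com/" debug="yes">
  <nete:forward>http://internalurl.example:80$0</nete:forward>
</nete:proxyrules>
"""


def forward_targets(xml_text):
    """Return (rule_url, host, port) for every forward element, at any depth."""
    root = ET.fromstring(xml_text)
    targets = []
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]  # ignore whatever namespace URI is declared
        if local_name != "forward" or not (el.text or "").strip():
            continue
        rule_url = el.text.strip()
        # "$0" (and "$1", ...) are rule placeholders appended to the URL; left in
        # place they end up in the port field and make urlsplit().port raise.
        parts = urlsplit(re.sub(r"\$\d+", "", rule_url))
        port = parts.port or (443 if parts.scheme == "https" else 80)
        targets.append((rule_url, parts.hostname, port))
    return targets


def probe(host, port, timeout=3.0):
    """TCP connect from this machine, reporting how the attempt ended."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except ConnectionRefusedError:
        return "refused"      # host answered, nothing listening on that port
    except socket.timeout:
        return "timeout"      # no answer at all, typical of a filtered path
    except socket.gaierror:
        return "unresolved"   # name does not resolve from this machine
    except OSError as exc:
        return "error: %s" % exc


def check_rules(xml_text, timeout=3.0):
    """Probe every forward target; run this on the proxy server itself."""
    return [
        {"rule": rule_url, "host": host, "port": port,
         "status": probe(host, port, timeout)}
        for rule_url, host, port in forward_targets(xml_text)
    ]


if __name__ == "__main__":
    for row in check_rules(SAMPLE_RULES):
        print(row)
```

The result only describes the path from the machine that runs it, so a check from a workstation says nothing about reachability from the agent server.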



  • 15.  Re: Noodle ConnectException

    Posted Jan 26, 2018 10:34 AM

    Thank You c-Anish

     

    Agent for SharePoint ?

     

    Could you check the following.

    What happens if we "telnet internalurl 80" from CA AG Server, does it connect?

    What happens if you type in the browser "http://internalurl.com", does it load content?



  • 16.  Re: Noodle ConnectException

    Posted Jan 26, 2018 11:16 AM

    Thanks for your reply,

     

    Agent for sharepoint: 12.52, sp1 cr08 win32

     

    If I telnet internalurl at port 80/443 from my Local Machine it connects.

    If I telnet internal URL at port 2000/2001 from my local machine it connects (These are the ports we gave for http (2000) and https (2001) in connection wizard)

    If I telnet internal URL at port 80/443/2000/2001 from my agent server it fails, and it says as below

    Connecting to internalURL... Could not open connection to the host, on port 80: Connect failed

     

    If I type the internal url in the browser from my local machine it throws me the below error.

     

    Secure Proxy Server - Error Report

    Error Details

    Request URI: /

    Error Type: SPS Exception

    Error Code: VirtualHostNotFound

    Message: Virtual host is not properly configured.

     

    If I type in the internal url in the browser from the agent server it says page cannot be displayed.

     

    It perfectly loads the page for the working environment if I type internal url from my local machine, and even for the working environment if I type internal url in browser from its own agent server it says page cannot be displayed.



  • 17.  Re: Noodle ConnectException

    Posted Jan 26, 2018 11:26 AM

    Below is the server.conf file. I've added virtual host tags in the file.

     

    <Server>
    #General Server Information
    #Maximum Header Count
    ajp13.max_header_count=100


    #Define the listeners between
    #HTTP listener and proxy engine
    worker.ajp13.port=8009
    worker.ajp13.host=localhost
    worker.shutdown.port=8005

    #Define additional tuning parameters for the connection between HTTP listener and proxy engine
    #These parameters are used by mod_jk and are not used by proxy engine
    #worker.ajp13.reply_timeout - The maximum time (milliseconds) that can elapse between any two packets received from proxy engine
    #after which the connection between HTTP listener and proxy engine is dropped
    #A value of zero makes it to wait indefinitely until response is received (default)
    #worker.ajp13.retries - The maximum number of times that the worker will send a request to proxy engine in case of a communication error
    #Default value for retries is 2
    worker.ajp13.reply_timeout=0
    worker.ajp13.retries=2

    #Define AJP13 tuning parameters
    #Number of request waiting in queue (queue length)
    #Number of threads created at initialization time
    #Maximum number of concurrent connections possible
    #Maximum time (seconds) that the idle connections will remain the connection pool before timing out, default value is 0 that means never time out
    ajp13.accept_count=10
    ajp13.min_spare_threads=10
    ajp13.max_threads=410

    worker.ajp13.connection_pool_timeout=0

    #'max_packet_size': This attribute sets the maximum AJP packet size in Bytes. The maximum value is 65536.
    #This same value will be used as 'packetSize' attribute for AJP connector on the Tomcat side.
    worker.ajp13.max_packet_size=16384

    singleprocessmode="yes"

    #'agenttype' parameter indicates the type of SiteMinder Agent.
    #This parameter is intended for internal use only. It is not supposed to be modified by administrator.
    agenttype="-SPAGENT"

    # Provide the values for the Federation related parameters here
    #
    # enablefederationgateway - "yes" or "no" - Enable or Disable SPS Federation Gateway
    # fedrootcontext - Name of the Federation root context ("affwebservices" by default)
    # authurlcontext - Path of the Authentication URL (without the jsp file name) (siteminderagent/redirectjsp by default)
    # protectedbackchannelservices - Names of protected Backchannel services

    <federation>
    enablefederationgateway="yes"
    fedrootcontext="affwebservices"
    authurlcontext="siteminderagent/redirectjsp"
    protectedbackchannelservices="saml2artifactresolution,saml2certartifactresolution,saml2attributeservice,saml2certattributeservice,assertionretriever,certassertionretriever"
    </federation>
    #only one localapp tag should be there
    <localapp>
    enablelocalapp="yes"

    #Define the http & https listeners for LocalApplications
    #Default Value for local.host=*,local.http.port=8080
    #* indicates to listen on all available interfaces present
    # on local system
    #Note: If ipaddress / host name typed incorrectly or provided
    #input is not resolvable by java then SPS listens on all
    #interfaces available on local system
    local.host=*
    local.http.port=2000

    #Provide the name of keystore and put it in $$CAKEYPATH folder
    #Provide a password for keystore
    #To enable SSL for localapp uncomment next three parameters
    local.https.port=2001
    local.https.keyStoreFileName="ServerCertnew.jceks"

    #Set the SSL Enabled protocol version to support: TLSv1
    #NOTE: SSL version 2 and SSL version 3 are no longer supported
    local.https.sslEnabledProtocols="TLSv1"

    #n no of xml can be added in the localapp tag
    context_file="conf/ClaimsWS.xml"
    </localapp>

    # Root of location that the agent will resolve "/" to for
    # finding forms (fcc) and error files. Note: If document_root
    # is specified as a relative directory, it will be relative to
    # Tomcat/webapps/
    document_root="../../proxy-engine/examples"

    # Enable disable HTTPClient logging with value "yes" or "no".
    # Recommended to enable the logging for only debug purposes. Not recommended for production environment.
    httpclientlog="no"

    <sslparams>
    # Set the SSL protocol version to support: TLSv1, TLSv1.1, and TLSv1.2
    # NOTE: SSLv2 and SSLv3 are not recommended to be used
    versions="TLSv1"

    ciphers="-RSA_With_Null_SHA,+RSA_With_Null_MD5,-RSA_With_RC4_SHA,+RSA_With_RC4_MD5,+RSA_With_DES_CBC_SHA,+RSA_Export_With_RC4_40_MD5,-RSA_Export_With_DES_40_CBC_SHA,+RSA_Export_With_RC2_40_CBC_MD5,-DH_RSA_With_DES_CBC_SHA,-DH_RSA_With_3DES_EDE_CBC_SHA,-DH_RSA_Export_With_DES_40_CBC_SHA,-DH_DSS_With_DES_CBC_SHA,-DH_DSS_Export_With_DES_40_CBC_SHA,-DH_Anon_With_RC4_MD5,-DH_Anon_With_DES_CBC_SHA,-DH_Anon_With_3DES_EDE_CBC_SHA,-DH_Anon_Export_With_DES_40_CBC_SHA,-DH_Anon_Export_With_RC4_40_MD5,-DHE_RSA_With_DES_CBC_SHA,-DHE_RSA_Export_With_DES_40_CBC_SHA,-DHE_DSS_With_DES_CBC_SHA,-DHE_DSS_Export_With_DES_40_CBC_SHA"

    fipsciphers="+DHE_DSS_With_AES_256_CBC_SHA, +DHE_RSA_With_AES_256_CBC_SHA, +RSA_With_AES_256_CBC_SHA, +DH_DSS_With_AES_256_CBC_SHA, +DH_RSA_With_AES_256_CBC_SHA, +DHE_DSS_With_AES_128_CBC_SHA, +DHE_RSA_With_AES_128_CBC_SHA, +RSA_With_AES_128_CBC_SHA, +DH_DSS_With_AES_128_CBC_SHA, +DH_RSA_With_AES_128_CBC_SHA, +DHE_DSS_With_3DES_EDE_CBC_SHA, +DHE_RSA_With_3DES_EDE_CBC_SHA, +RSA_With_3DES_EDE_CBC_SHA, +DH_DSS_With_3DES_EDE_CBC_SHA"

    # Covalent SSL CA certificate bundle and certs path to be converted
    # The bundle and/or certs located at defined location will be converted
    # to binary (DER) format and loaded as SSLParams.
    # NOTE: Only put Base64 (PEM) encoded cert files/bundles in the covalent
    # certificate directory.
    cacertpath="E:\CA\Agent-for-SharePoint\SSL\certs"
    cacertfilename="E:\CA\Agent-for-SharePoint\SSL\certs\ca-bundle.cert"

    # This certificate configured below is used as SPS client certificate for the backend servers when
    # SSL client authentication is enabled.
    # Location of the Key file : <install-dir>\SSL\clientcert\key\
    # Location of public certs : <install-dir>\SSL\clientcert\certs\
    # NOTE: Only put DER encoded, password encrypted pkcs8 keyfile.
    # Client pass phrase should be encrypted using EncryptUtil tool.

    #ClientKeyFile=
    #ClientPassPhrase=
    # max cache time in milliseconds (Default: 120000 milliseconds)
    maxcachetime="120000"
    </sslparams>

    #This parameter is applicable to the cookie added by backend.
    #"yes"--- Default Value. Quotes will be added to the cookie parameter value
    #which contains special characters if the cookie version is other than "0"
    #"no" --- Quotes will not be added to the cookie.

    addquotestocookie="yes"

    # This parameter is applicable to the cookie sent to browser
    # Tomcat 5.5 and higher adds quotes to the cookie. Parameter "addquotestobrowsercookie" changes the default behavior of Tomcat.
    # "no" --- Default Value. Quotes will not be added to the cookie parameter value
    # "yes" --- Quotes will be added to the cookie.

    addquotestobrowsercookie="no"

    # This parameter is applicable to the equal (=) sign in the cookie.
    # Tomcat will allow = characters when parsing unquoted cookie values.
    # Tomcat 5.5 and higher adds quotes to the cookie. Parameter "allowequalsincookievalue" changes the default behavior of Tomcat.
    # "yes" --- Default Value. Cookie values are allowed to contain an equals character.
    # "no" --- Cookie values containing = will be terminated when the = is encountered and the remainder of the cookie value will be dropped.

    allowequalsincookievalue="yes"

    # This parameter needs to be set to the appropriate char-set based upon the locale of the users
    # This parameter is used by the HttpClient inside SPS to appropriately encode the headers that
    # will be sent to the backend server
    # For Example -
    # "US-ASCII"--- Default value, which is appropriate for default US English Locale
    # "Shift_JIS" --- Should be set for supporting Japanese locale and for supporting login using Japanese usernames
    requestheadercharset="US-ASCII"

    #This parameter is applicable to the caching of POST data.
    #"no"--- Post data is not cached by SPS.
    #"yes"--- Default Value. POST data Caching enabled
    enablecachepostdata="yes"
    #This parameter defines that maximum size of POST data that is to be cached.
    #Size in Kb
    maxcachedpostdata="1024"

    # This parameter needs to be set to "yes" if request URL needs to be URLEncoded before sending the request to backend web server.
    # "no" --- The request URL will not be URLEncoded before sending the request to backend web server.
    # "yes" ---Default value.
    encodeurl="yes"

    # use of forcewritecookiedomain compatibility (backward) regarding how to handle domain= for host cookie
    forcewritecookiedomain="no"

    #Configurations related to custom error pages
    <customerrorpages>
    #possible values are: "yes", "no"
    #default value is "no"
    enable="no"

    #custom error pages implementation class
    class="com.netegrity.proxy.errorpages.ErrorPageImpl"

    #defines type of locale.
    #possible values are: "0" (for Server specific), "1" (for Browser specific)
    #default value is "0"
    locale_type="0"

    #this value should be the language code that will be understood by the java
    #locale object, say "zh" for Chinese, "fr" for French, "es" for Spanish, "en" for
    #english, etc.
    #default value is "en"
    locale_language="en"

    #this value should be the country/region code that will be understood by the
    #java locale object, say "CN" for China, "CH" for Switzerland, "AR" for
    #Argentina, "US" for United States.
    #default value is "US"
    locale_country="US"
    </customerrorpages>
    #Custom error pages configuration end

    # MAX buffer size for monitoring feature buffer size. Used only if at least one metric-reporter tag is enabled.
    # default value 1000 entries
    monitor_data_buffer_size="1000"
    </Server>

    #
    # Default metric reporter to monitor SPS with Wily
    # enabled - yes to enable and no to disable, default: no
    # endpoint - format: protocol://hostname:port/
    # hostname should be the hostname where Wily EPAgent is started
    # port network data port/HTTP port configured in Wily EPAgent based on protocol given
    # protocol - tcp, if network data port & http, if http port is configured on Wily EPAgent side
    #
    <metric-reporter name="WilyMetricReporter">
    class="com.ca.proxy.monitor.wily.WilyMetricReporter"
    enabled="no"
    endpoint="http://localhost:8886"
    </metric-reporter>

    <SessionStore>
    # Session Store Information
    class="com.netegrity.proxy.session.SimpleSessionStore"
    max_size="10000"
    clean_up_frequency="60"
    </SessionStore>

    # Service Dispatcher
    # This is new since proxy 6.0
    # Service Dispatcher is now a global server configuration parameter and is no longer
    # configured on a per virtual host basis.
    <ServiceDispatcher>
    class="com.netegrity.proxy.service.SmProxyRules"
    rules_file="E:\CA\Agent-for-SharePoint\proxy-engine\conf\proxyrules.xml"
    </ServiceDispatcher>


    # Proxy Service
    <Service name="forward">
    class="org.tigris.noodle.Noodle"

    # Enables support for multiple protocols if set to true. Currently only
    # http and https is supported. If set to false only http is supported.
    protocol.multiple="true"
    http_connection_pool_min_size="2"
    http_connection_pool_max_size="420"
    http_connection_pool_incremental_factor="2"

    # Timeout to be used to close idle connections in the pool. If no units are specified,
    # the default units are minutes
    http_connection_pool_connection_timeout="1 minute"

    # Timeout (in milliseconds) to be used to wait for an available connection.
    # A timeout of zero:
    # 1. causes the pool to wait for a connection until notified
    # 2. invalidates the use of max retries
    http_connection_pool_wait_timeout="0"

    # Number of attempts to obtain a connection.
    # A value of zero causes pool to attempt indefinitely.
    # Only applicable if wait timeout is not zero.
    http_connection_pool_max_attempts="3"

    # Timeout (in milliseconds) to be used for creating connections and reading
    # responses. The timeout will limit the time spent doing the host name
    # translation and establishing the connection with the server when creating
    # sockets.
    # A timeout of zero means wait indefinitely.
    http_connection_timeout="3 minutes"

    http_connection_stalecheck="true"

    # Timeout (in milliseconds) to be used for continuous data connection.
    # If the data flow is interrupted for the specified timeout the connection
    # is regarded as stalled/broken. eg. if the value is set to 1, the socket
    # expects data to flow continuously at every 1 ms; WARNING: setting the
    # value to zero (0) will cause the idle socket to wait forever.
    http_socket_timeout="180000"

    # Pool configuration for connection oriented authentication backend
    # connections eg: NTLM.
    <connection-pool name="connection oriented authentication">
    connection-timeout="10 seconds"
    max-size="200"
    enabled="yes"
    </connection-pool>
    # Proxy filters may be defined here to perform pre/post processing tasks.
    # The following format must be used to configure filters:
    #
    # filter.<filter name>.class=<fully qualified filter class name> (required)
    # filter.<filter name>.init-param.<param name1>=<param value1> (optional)
    # filter.<filter name>.init-param.<param name2>=<param value2>
    # filter.<filter name>.init-param.<param name3>=<param value3>
    #
    # The filter name is used by the proxy rules to trigger a specific filter.
    # Filter names should be unique.
    # Filter jar files should be dropped in the <SPS_HOME>/Tomcat/lib directory
    # See the documentation for more details.
    #
    # The following are examples for use with the provided sample filters:
    # Defines a filter with name "filter1" whose class is "SamplePreFilter"
    #filter.filter1.class=SamplePreFilter
    #filter.filter1.init-param.header1="Header1"
    #filter.filter1.init-param.header2="header2"
    #filter.filter1.init-param.newheader="FILTER_GENERATED_HEADER"
    #
    # Defines a filter with name "filter2" whose class is "SamplePostFilter"
    #filter.filter2.class=SamplePostFilter
    #filter.filter2.init-param.oldStr="foo"
    #filter.filter2.init-param.newStr="bar"

    ##filter.myfilter.class=MyFilter
    ##filter.myfilter.init-param.oldStr="CA"
    ##filter.myfilter.init-param.newStr="Oracle"
    #
    # The following example illustrates the use of custom filters in a group
    # Defines filter groups with valid Custom filter names.
    # Defines a filter group with name "group1" by grouping Custom filters "filter1" and "filter2"
    #groupfilter.group1="filter1,filter2"

    # Defines a filter group with name "group2" by grouping Custom filters "myfilter" and "filter1"
    #groupfilter.group2="myfilter,filter1"
    </Service>

    # Redirect Service
    <Service name="redirect">
    class=com.netegrity.proxy.service.RedirectService
    </Service>

    #Session Schemes
    <SessionScheme name="default">
    class="com.netegrity.proxy.session.SessionCookieScheme"
    accepts_smsession_cookies="true"
    </SessionScheme>

    <SessionScheme name="ssl_id">
    class="com.netegrity.proxy.session.SSLIdSessionScheme"
    accepts_smsession_cookies="false"
    </SessionScheme>

    <SessionScheme name="simple_url">
    class="com.netegrity.proxy.session.SimpleURLSessionScheme"
    accepts_smsession_cookies="false"
    session_key_name="SMID"
    </SessionScheme>

    <SessionScheme name="minicookie">
    class="com.netegrity.proxy.session.MiniCookieSessionScheme"
    accepts_smsession_cookies="false"

    # The name of the small cookie to be stored in the client.
    cookie_name="SMID"
    </SessionScheme>

    <SessionScheme name="device_id">
    class="com.netegrity.proxy.session.DeviceIdSessionScheme"
    accepts_smsession_cookies="false"

    # The header name containing the device id of the wireless devices
    device_id_header_name="vendor_device_id_header_name"
    </SessionScheme>

    # TO-DO: Define Any User Agents, if you want to
    # use a different session scheme based on
    # the type of client accessing the server.
    #
    # NOTE: UserAgent matching is done in the order
    # in which the user agents are defined in this file.
    # <UserAgent name="user_agent_name_1">
    # header_name_1=some regular expression
    # </UserAgent>
    # <UserAgent name="user_agent_name_2">
    # header_name_1=some other regular expression
    # </UserAgent>

    <VirtualHostDefaults>
    # default session scheme
    defaultsessionscheme="default"
    enablerewritecookiepath="no"
    enablerewritecookiedomain="no"
    enableproxypreservehost="no"

    # specify the block size for request and response in KBs
    requestblocksize="4"
    responseblocksize="4"

    #TO-DO: Define any session scheme mappings
    #<SessionSchemeMappings>
    # user_agent_name=session_scheme_name
    #</SessionSchemeMappings>

    # Web Agent.conf
    <WebAgent>
    sminitfile="E:\CA\Agent-for-SharePoint\proxy-engine\conf\defaultagent\WebAgent.conf"
    </WebAgent>

    </VirtualHostDefaults>

    # Default Virtual Host
    <VirtualHost name="externalurl">
    #addresses="192.168.1.100"
    hostnames="externalurl"
    defaultsessionscheme="default"

    # specify the block size for request and response in KBs
    requestblocksize="4"
    responseblocksize="8"

    #The defaults can be overridden
    #not only for the Virtual Host
    #but for the WebAgent for that
    #virtual host as well
    #<WebAgent>
    #</WebAgent>
    </VirtualHost>

     

    ** In Virtual Host tag externalurl refers to end user url.**

     

    Thanks

    Anish
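Separately from the connection error, the server.conf above allows only TLSv1 and switches on several NULL, RC4, DES and export suites in its ciphers list. The following is an added example (not CA tooling and not part of the post) that flags such settings, assuming a `+` prefix enables a suite, a `-` prefix disables it, and protocol values are comma-separated; the sample config is a constructed excerpt modelled on the post.

```python
import re

# Constructed excerpt modelled on the <localapp> and <sslparams> blocks posted above.
SAMPLE_CONF = '''
<localapp>
local.https.sslEnabledProtocols="TLSv1"
</localapp>
<sslparams>
# comment lines are ignored
versions="TLSv1"
ciphers="-RSA_With_Null_SHA,+RSA_With_Null_MD5,+RSA_With_RC4_MD5,+RSA_With_DES_CBC_SHA,+RSA_Export_With_RC4_40_MD5,-DH_Anon_With_RC4_MD5"
fipsciphers="+RSA_With_AES_256_CBC_SHA, +RSA_With_3DES_EDE_CBC_SHA"
</sslparams>
'''

# Name fragments that mark a suite as weak, compared in upper case.
# "_DES_" matches single DES and DES_40 but not 3DES.
WEAK_MARKERS = ("NULL", "EXPORT", "ANON", "RC4", "RC2", "_DES_", "MD5")
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PROTOCOL_KEYS = ("versions", "local.https.sslEnabledProtocols")
CIPHER_KEYS = ("ciphers", "fipsciphers")


def settings(conf_text):
    """Yield (key, value) for each key=value line; tags and # comments never match."""
    for line in conf_text.splitlines():
        m = re.match(r'([\w.\-]+)\s*=\s*"?([^"]*)"?\s*$', line.strip())
        if m:
            yield m.group(1), m.group(2)


def enabled_weak_suites(cipher_value):
    """Return suites switched on with '+' whose name contains a weak marker."""
    found = []
    for item in cipher_value.split(","):
        item = item.strip()
        if item.startswith("+"):
            name = item[1:]
            if any(mark in name.upper() for mark in WEAK_MARKERS):
                found.append(name)
    return found


def audit(conf_text):
    """Return human-readable findings for the protocol and cipher settings."""
    findings = []
    for key, value in settings(conf_text):
        if key in PROTOCOL_KEYS:
            protos = {p.strip() for p in value.split(",")}
            old = sorted(protos & OLD_PROTOCOLS)
            if old:
                findings.append(f"{key}: deprecated protocol(s) {', '.join(old)}")
            if "TLSv1.2" not in protos:
                findings.append(f"{key}: TLSv1.2 is not enabled")
        elif key in CIPHER_KEYS:
            for name in enabled_weak_suites(value):
                findings.append(f"{key}: weak suite enabled: {name}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```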