When our WSDL is published, we see this:
<soap:address location="http://caim-srv-XX:8080/iam/im/TEWS6/identityEnv"/>
This seems to be the standalone server for the user store, but our directory.xml has our LDAP server as the user store and we have been authenticating off of that.
If you use the hostname without specifying port 8080 or 8443, you are going through the Apache proxy rather than reaching the IM WildFly instance directly, and the proxy knows the IM server by this internal name, which is why that name appears in the soap:address.
Please refer to the scenarios below.
Scenario 1:
vApp proxy configured in app.config, with an https URL (https://hostname-or-ipaddress/iam/im/TEWS6/widgetEnv?wsdl)
This works fine.
The request reaches the vApp proxy in SSL mode, and the proxy redirects it internally to the IDM service (caim-srv) in non-SSL mode.
caim-srv is internal to the vApp and not exposed outside. Although the hop from the vApp proxy to caim-srv is non-SSL, it never leaves the vApp and is not considered vulnerable.
Scenario 2:
The IDM server is reached directly. Configure SSL for the IM Server and use port 8443 (https://hostname-or-ipaddress:8443/iam/im/TEWS6/widgetEnv?wsdl).
No proxy configuration is required in app.config.
Scenario 3:
Without the proxy, using https on port 443.
This should not work unless the request is redirected directly from the hostname to the IDM service (caim-srv).
Because the proxy is not present, the hostname alone cannot determine which service (IDM, IP, IG) the request should be redirected to.
If it does work, that means requests reach the IDM server directly, and the server can then only be accessed on port 443.
You have to modify the URL to use port 443.
Scenario 4:
Alternatively, use a Layer 3 load balancer if you don't want to access IDM directly by IP address and port.
By default, you access the vApp via its proxy server using a URL like https://ipaddress/iam/im/TEWS6/identityEnv?wsdl, and the generated WSDL looks like the following:
<service name="Tews6">
<port name="Tews6Port" binding="tns:Tews6SoapBinding">
<soap:address location="https://caim-srv-XX:8443/iam/im/TEWS6/identityEnv"/>
</port>
<port name="Tews6PublicPort" binding="tns:Tews6PublicSoapBinding">
<soap:address location="https://caim-srv-XX:8443/iam/im/TEWS6/pubidentityEnv"/>
</port>
</service>
But you can bypass the proxy server and access the IdM server directly using port 8080. There is nothing that needs to be changed on the vApp side, but I added "100.xx.xx.195 myvappserver.domain.com" to my desktop machine's hosts file. My URL to retrieve the WSDL is http://myvappserver.domain.com:8080/iam/im/TEWS6/identityEnv?wsdl, and the SOAP address is successfully updated like the following:
<service name="Tews6">
<port name="Tews6Port" binding="tns:Tews6SoapBinding">
<soap:address location="http://myvappserver.domain.com:8080/iam/im/TEWS6/identityEnv"/>
</port>
<port name="Tews6PublicPort" binding="tns:Tews6PublicSoapBinding">
<soap:address location="http://myvappserver.domain.com:8080/iam/im/TEWS6/pubidentityEnv"/>
</port>
</service>
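The two WSDL snippets above differ only in the soap:address each route publishes: the proxy route leaks the vApp-internal name caim-srv-XX, which a client outside the vApp cannot resolve, while the direct 8080 route advertises a reachable host but over plain http. The following Python script is an added example, not code from the KB article or from the product; it parses a WSDL and reports, per port, whether the advertised endpoint host matches the host the client actually connected to and whether it is https. The two WSDL documents embedded in it are constructed from the snippets above (with namespace declarations added so they parse), and the hostnames, port names and binding names are taken from the article; nothing else is assumed about the product.

```python
"""Audit the soap:address endpoints advertised in a published WSDL.

Added example (not part of the original KB article). Given the WSDL a
client retrieved and the host it retrieved it from, flag each endpoint
whose host differs from that host (an internal name the client cannot
reach) or whose scheme is not https (plaintext on the wire).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: what the vApp proxy route publishes (internal name leaks through).
WSDL_VIA_PROXY = """
<definitions name="Tews6"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="urn:constructed:tews6">
  <service name="Tews6">
    <port name="Tews6Port" binding="tns:Tews6SoapBinding">
      <soap:address location="https://caim-srv-XX:8443/iam/im/TEWS6/identityEnv"/>
    </port>
    <port name="Tews6PublicPort" binding="tns:Tews6PublicSoapBinding">
      <soap:address location="https://caim-srv-XX:8443/iam/im/TEWS6/pubidentityEnv"/>
    </port>
  </service>
</definitions>
"""

# Constructed sample: what the IdM server publishes when reached directly on 8080.
WSDL_DIRECT_8080 = """
<definitions name="Tews6"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="urn:constructed:tews6">
  <service name="Tews6">
    <port name="Tews6Port" binding="tns:Tews6SoapBinding">
      <soap:address location="http://myvappserver.domain.com:8080/iam/im/TEWS6/identityEnv"/>
    </port>
    <port name="Tews6PublicPort" binding="tns:Tews6PublicSoapBinding">
      <soap:address location="http://myvappserver.domain.com:8080/iam/im/TEWS6/pubidentityEnv"/>
    </port>
  </service>
</definitions>
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def audit_soap_addresses(wsdl_xml, expected_host, require_https=True):
    """Return one finding per <port> carrying a soap/soap12 <address>.

    Each finding records the port name, the advertised location, its host,
    scheme and effective port number, and a list of issues:
      host_mismatch  - advertised host is not the host the client used
      plaintext      - scheme is not https (only when require_https is set)
    """
    root = ET.fromstring(wsdl_xml)
    findings = []
    for port in root.iter():
        # Match {wsdl-namespace}port regardless of which namespace prefix is used.
        if not (port.tag == "port" or port.tag.endswith("}port")):
            continue
        for addr in port:
            # Both SOAP 1.1 and 1.2 bindings use an <address location="..."/> child.
            if not addr.tag.endswith("}address") or "location" not in addr.attrib:
                continue
            location = addr.attrib["location"]
            parts = urlsplit(location)
            scheme = parts.scheme.lower()
            host = parts.hostname or ""          # urlsplit lowercases the hostname
            port_number = parts.port or DEFAULT_PORTS.get(scheme)
            issues = []
            if host != expected_host.lower():
                issues.append("host_mismatch")
            if require_https and scheme != "https":
                issues.append("plaintext")
            findings.append({
                "port_name": port.attrib.get("name", ""),
                "location": location,
                "host": host,
                "scheme": scheme,
                "port_number": port_number,
                "issues": issues,
            })
    return findings


def main():
    for label, doc in (("via proxy", WSDL_VIA_PROXY), ("direct :8080", WSDL_DIRECT_8080)):
        print(f"== WSDL retrieved {label} from myvappserver.domain.com ==")
        for f in audit_soap_addresses(doc, "myvappserver.domain.com"):
            status = ", ".join(f["issues"]) or "ok"
            print(f"  {f['port_name']:<18} {f['location']}  -> {status}")


if __name__ == "__main__":
    main()
```

Run against the proxy-published WSDL the script flags both ports with host_mismatch, which is the symptom in the question; run against the direct-8080 WSDL it flags both ports as plaintext, which is why Scenario 2 configures SSL on the IM server and uses 8443 rather than 8080. A client-side check like this is a cheap way to confirm, after any proxy or load balancer change, that the endpoints a WSDL hands to clients are both resolvable from outside the vApp and served over TLS.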