search cancel

AdminUI protected by Reverse Proxy Web Agent redirection URL change

book

Article ID: 242611

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

When configuring a second Reverse Proxy Web Agent to protect an AdminUI, the browser still gets back to the first Reverse Proxy Web Agent URL.

How can we change the Reverse Proxy Web Agent without having to re-register the AdminUI with the new Reverse Proxy Web Agent?

 

Environment

 

  AdminUI 12.8SP2 on RedHat 7;
  Web Agent 12.52SP1CR11 on Apache 2.4 on RedHat 7;

 

Cause

 

The Web Agent Reverse Proxy URL is written in binaries data for the AdminUI in one of the .dat files here:

  {home_adminui}/adminui/standalone/data/derby/siteminder/objectstore/seg0

As per documentation, only 1 AdminUI can be protected by 1 Web Agent (1).

 

Resolution

 

There's a custom workaround to modify the Base URL value from the AdminUI Derby database. This allows changing the Base URL to another DNS name. Note that it won't allow using both DNS names (old and new) simultaneously for the same AdminUI.

Take a backup of the entire repository:

  /opt/CA/siteminder/adminui/standalone/data

- Stop the AdminUI;

- Download db-derby-10.14.2.0-bin.tar.gz from https://db.apache.org/derby/releases/release-10_14_2_0.cgi

  [[email protected] ~]# cd /opt/db-derby-10.14.2.0-bin/bin
  [[email protected] bin]# export JAVA_HOME=/opt/jdk
  [[email protected] bin]# ./ij
  ij version 10.14
  ij> connect 'jdbc:derby:/opt/CA/siteminder/adminui/standalone/data/derby/siteminder/objectstore';
  ij> select attribute_value from IM_ENVIRONMENT_JDBC_LD where attribute_name = 'baseurl';

  ATTRIBUTE_VALUE

  --------------------------------------------------------------------------------------------------------------------------------

  https://myfirstadminui.training.com/iam/siteminder

  1 row selected

  ij> update IM_ENVIRONMENT_JDBC_LD set attribute_value = 'https://mysecondadminui.training.com/iam/siteminder' where attribute_name = 'baseurl';

  1 row inserted/updated/deleted

  ij> select attribute_value from IM_ENVIRONMENT_JDBC_LD where attribute_name = 'baseurl';

  ATTRIBUTE_VALUE

  --------------------------------------------------------------------------------------------------------------------------------

  https://mysecondadminui.training.com/iam/siteminder 

  1 row selected

  ij> commit;
  ij> disconnect;
  ij> exit;

- Start the AdminUI;

Then, the browser should be able to log in and be redirected to the AdminUI with the New URL Reverse Proxy Web Agent only.

 

Additional Information

 

(1)

    Configure an Apache Reverse Proxy Server to Proxy Requests to the UI

      If you have more than one Administrative UI to protect, protect
      each instance with a separate reverse proxy server.