Using Load Balancer ENTM without Apache Reverse Proxy

Article ID: 37320

Products

CA Privileged Access Manager - Server Control (PAMSC); CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

Summary:

Typically, when implementing ENTM with the Load Balancing feature, an Apache Reverse Proxy is required.

The Apache Reverse Proxy allows ENTM to be accessed through a common URL and routes each request to the relevant ENTM node.

If this is not desired, and each ENTM node should instead be accessible through its own individual URL, follow these steps.

 

Instructions:

1. Stop JBoss.

2. Take a backup of index.jsp, located at jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war\app.

3. Open the same index.jsp (jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war\app) in a text editor and replace the full contents of the file with the following:

 

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
<%@ page import="com.netegrity.webapp.filter.*" %>
<%@ page import="java.util.*" %>

<%@ page import="java.util.Enumeration" %>
<%@ page import="org.owasp.esapi.ESAPI" %>
<%@ page import="org.owasp.csrfguard.*" %>

<%
    // Walk the session's String-valued attributes and re-set any that the
    // request's session does not already carry.
    Enumeration httpNames = session.getAttributeNames();
    while (httpNames.hasMoreElements()) {
        String name = (String)httpNames.nextElement();
        Object value = session.getAttribute(name);
        if (value != null && value instanceof String) {
            String valueStr = (String)value;
            if (request.getSession().getAttribute(name) == null) {
                request.getSession().setAttribute(name, valueStr);
            }
        }
    }

    // Keep the original query string so it is forwarded on the redirect below.
    String qs = request.getQueryString();
    if (qs != null && !("".equals(qs))) {
        qs = "?" + qs;
    } else {
        // [email protected]: fix CQ53984:Redirection to logout.jsp happens automatically
        // merge zarina's fix for im60sp2 to im81.
        // zb:050206:53336:Self Registration : Accessing the Self Registration URL takes the user to the logout page on Solaris.
        // this issue was caused due to the upgrade to WAS 5.1.1.9. changes were made to the getquerystring call.
        // ref :http://www-1.ibm.com/support/docview.wss?uid=swg21215961
        qs = "";
        if ("GET".equalsIgnoreCase(request.getMethod())) {
            // getQueryString() returned nothing: rebuild it from the parsed parameters
            // (first value of each parameter, as returned by getParameter()).
            boolean first = true;
            Enumeration paramNames = request.getParameterNames();
            while (paramNames.hasMoreElements()) {
                String curName = (String)paramNames.nextElement();
                String curValue = request.getParameter(curName);
                if (first) {
                    /* When building URL query string, only first item is started with '?'. All other are delimited with '&'. */
                    qs = "?" + curName + "=" + curValue;
                    first = false;
                } else {
                    qs = qs + "&" + curName + "=" + curValue;
                }
            }

        }

    }

    // Redirect with a relative Location: the browser resolves it against the URL
    // it used to reach this node, so no load-balancer host name is introduced.
    if (!qs.contains("passwordServices")) {
        CsrfGuard csrfGuard = CsrfGuard.getInstance();
        String csrfURL = ("".equals(qs) ? "?" : "&") + csrfGuard.getTokenName() + "=" + csrfGuard.getTokenValue(request);
        response.setHeader("Location", "./ca12/index.jsp" + qs);
        response.setStatus(response.SC_MOVED_TEMPORARILY);

    } else {
        response.setHeader("Location", "./ca12/index.jsp" + qs);
        response.setStatus(response.SC_MOVED_TEMPORARILY);
    }
    // HTML-attribute-encode the jsessionid parameter before echoing it into the page.
    String sanitizedJSessionID = (String)request.getParameter("jsessionid");
    sanitizedJSessionID = sanitizedJSessionID==null?"":sanitizedJSessionID;
    sanitizedJSessionID = ESAPI.encoder().encodeForHTMLAttribute(sanitizedJSessionID);
%>
<input type="hidden" name="jsessionid" value="<%=sanitizedJSessionID%>" />

<br>
<%--a href=<%= redirectURI %>>redirect</a--%>
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

 

 

4. Delete the tmp and work directories under jboss-4.2.3.GA\server\default\.

5. Start JBoss.

6. Log in to the ENTM server using its own URL and verify that everything works without issues.

7. Repeat these steps on each ENTM / LB-ENTM server.
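As an added illustration (this is not part of the article and not the product's own code), the following standalone Java class shows one edge case in the query-string reconstruction performed by the replacement index.jsp: when getQueryString() is empty, the page concatenates the first value of each parameter without URL-encoding it, so a value containing '&', '=' or '#' changes the shape of the URL that is written into the Location header, and a repeated parameter loses all values but the first. The rebuildRaw method mirrors that behaviour for comparison; rebuildEncoded takes a map in the shape of ServletRequest.getParameterMap() and encodes names and values with java.net.URLEncoder, keeping every value. The class name, method names, and the parameter names and values in main are constructed for this example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class QueryStringRebuild {

    // Mirrors the reconstruction in the replacement index.jsp: first value of
    // each parameter only, concatenated without any encoding.
    public static String rebuildRaw(Map<String, String[]> params) {
        String qs = "";
        boolean first = true;
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String value = e.getValue().length > 0 ? e.getValue()[0] : "";
            qs = qs + (first ? "?" : "&") + e.getKey() + "=" + value;
            first = false;
        }
        return qs;
    }

    // Rebuilds the query string from a map shaped like
    // ServletRequest.getParameterMap(): every value of a repeated parameter is
    // kept, and names and values are URL-encoded so that '&', '=', '#' or
    // whitespace inside a value cannot alter the URL placed in the Location
    // header. Returns "" when there are no parameters.
    public static String rebuildEncoded(Map<String, String[]> params)
            throws UnsupportedEncodingException {
        StringBuilder qs = new StringBuilder();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String name = URLEncoder.encode(e.getKey(), "UTF-8");
            for (String v : e.getValue()) {
                qs.append(qs.length() == 0 ? '?' : '&')
                  .append(name)
                  .append('=')
                  .append(URLEncoder.encode(v == null ? "" : v, "UTF-8"));
            }
        }
        return qs.toString();
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample parameters (hypothetical names and values).
        Map<String, String[]> params = new LinkedHashMap<String, String[]>();
        params.put("task", new String[] { "ViewUser" });
        params.put("name", new String[] { "a&b=c" });   // value containing delimiters
        params.put("tab", new String[] { "1", "2" });   // repeated parameter

        System.out.println("raw:     ./ca12/index.jsp" + rebuildRaw(params));
        System.out.println("encoded: ./ca12/index.jsp" + rebuildEncoded(params));
    }
}
```

Compile and run with javac/java on any JDK from 5 onward; the String-charset form of URLEncoder.encode is used so the class also builds on the JDK generation that shipped with JBoss 4.2.3. Comparing the two printed URLs shows why a query string rebuilt from parsed parameters should be re-encoded before it is reused in a redirect.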

 

 

Additional Information: 

Load Balancing Deployment Architecture

 

 

 

Environment

Release: ACP1M005900-12.9-Privileged Identity Manager