Load balancer is unable to access the unprotected monitoring or keep-alive page with SecureURL enabled in SPS

Article ID: 403130

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Running CA Access Gateway (SPS) and trying to expose a simple HTML health check page (/hb/status.html) or keep-alive page that can be accessed by the load balancer for monitoring purposes.

The page is not reliably accessible when SecureURL is enabled, and the load balancer cannot retrieve the body of the response.

The load balancer gets HTTP code 500.

Since the keep-alive page throws 500 errors, the load balancer marks this CA Access Gateway (SPS) server down.

Cause

According to SiteMinder documentation, by design "Access Gateway does not support local content" (1).

The ability to place content on CA Access Gateway (SPS) is not exposed, and the CA Access Gateway (SPS) does not support proxy rules for providing access to local content.

However, an implementation project requires exposing a simple HTML health check page (mystatus.html) that can be accessed by the load balancer for monitoring CA Access Gateway (SPS).

This page must remain unprotected and accessible without authentication, and SecureURL is enabled in the Agent Configuration Object (ACO).

Resolution

There are at least three possible implementation options, and each works regardless of whether SecureURLs in the ACO is set to yes or no.

Choose the one that best suits the business requirements.

  1. There is already a default servlet on CA Access Gateway (SPS) Tomcat that is publicly available (unprotected) and is used to validate Federation FWS service availability.

    The URL is: https://sps.example.com:port/affwebservices/assertionretriever

    The benefit of this approach is that no additional configuration steps are required.

    However, the probing interval must not be too frequent for the Tomcat server.
     
  2. Deploy a static mystatus.html file under the CA Access Gateway (SPS) /{home_sps}/secure-proxy/Tomcat/webapps/affwebservices/public folder.

    This file location is NOT protected.

    The access URL is:  https://sps.example.com:port/affwebservices/public/status.html

    The benefit of this approach is that the mystatus.html file content stays the same, but the URI path /uri/mystatus.html is not preserved.

    Because the page is served by Tomcat, it may have the same impact as option 1, although a static .html file should be less costly than a servlet.

  3. Deploy the mystatus.html file under /{home_sps}/secure-proxy/Tomcat/webapps/affwebservices/public and, at the same time, use proxy rules to route requests to it.

    This way, there is no back end server (app team) involved.

    The actual back end server is the Tomcat of CA Access Gateway (SPS) itself, but Apache httpd will absorb the request load.

    This option can potentially tolerate slightly more frequent probes.

    The access URL is: https://sps.example.com:port/uri/mystatus.html

    This option maintains the same file content and the same URI path for the load balancer, but it goes through the entire proxy.

    It does require more configuration changes.

    - The proxyrules.xml needs to be adjusted, so that the request is proxied to CA Access Gateway (SPS)'s Tomcat;
    - The CA Access Gateway (SPS)'s server certificate chain needs to be put into "ca-bundle.cert" file to avoid the error "No trusted certificate found";

    Follow KB 207673 for handling the certificate and the HTTPS protocol (2).

    Example:

    proxyrules.xml:

    Replace the "sps.example.com:port" accordingly.

    <?xml version="1.0"?>
    <?cocoon-process type="xslt"?>
    <!DOCTYPE nete:proxyrules SYSTEM "file:////{home_sps}/proxy-engine/conf/dtd/proxyrules.dtd">
    <!-- Proxy Rules -->
    <!-- replace www.example.com with your namespace -->
    <nete:proxyrules xmlns:nete="http://www.example.com/">
       <nete:cond criteria="equals" type="uri">
          <nete:case value="/uri/mystatus.html">
             <nete:forward>https://sps.example.com:port/affwebservices/public/mystatus.html</nete:forward>
          </nete:case>
          <nete:default>
             <nete:forward>https://www.example.com</nete:forward>
          </nete:default>
       </nete:cond>
    </nete:proxyrules>

    Result (webagent trace.log):

    [][20:52:54][20:52:54.695][7785][140389276837632][][CSmHttpPlugin::ProcessResource][Resolved URL: '/uri/mystatus.html'.]
    [...omitted for brevity...]
    [][20:52:54][20:52:54.695][7785][140389276837632][][IsResourceProtected][Resource is not protected from cache.]
    [][20:52:54][20:52:54.696][7785][140389276837632][][execute][Sending request to backend = sps.example.com url = https://sps.example.com/affwebservices/public/mystatus.html]
    [][20:52:54][20:52:54.696][7785][140389276837632][][requestConnection(): ][Get connection: {s}->https://sps.example.com:443, timeout = 180000]
    [][20:52:54][20:52:54.697][7785][140389276837632][][openConnection()][Connecting to sps.example.com/10.0.0.1:443]
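The following script is an added example for option 3; it is not Broadcom's code and not part of this article. It models only the proxy-rule structure shown above (a top-level <nete:cond type="uri"> with <nete:case> entries and a <nete:default>) so that the effect of a proxyrules.xml on a given request URI can be checked offline before the file is deployed, and it lists the HTTPS back ends the rules forward to, which are exactly the hosts whose certificate chain must be trusted in ca-bundle.cert. The criteria values other than "equals" (beginswith, endswith, contains) and the function names are assumptions; the embedded rules file is a constructed copy of the article's sample with the DOCTYPE line left out so no DTD file is needed.

```python
"""Offline checker for an Access Gateway (SPS) proxyrules.xml.

Added example, not Broadcom's code. It evaluates the <nete:cond type="uri">
structure from the article against a request URI and reports which back ends
are reached over HTTPS (the ones that need their chain in ca-bundle.cert).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace value taken from the article's sample file.
NETE_NS = "http://www.example.com/"
NS = {"nete": NETE_NS}

# Constructed copy of the article's sample rules (placeholders kept as written;
# the DOCTYPE line is omitted so the parser never looks for the DTD).
SAMPLE_PROXYRULES = """<?xml version="1.0"?>
<?cocoon-process type="xslt"?>
<!-- Proxy Rules -->
<nete:proxyrules xmlns:nete="http://www.example.com/">
   <nete:cond criteria="equals" type="uri">
      <nete:case value="/uri/mystatus.html">
         <nete:forward>https://sps.example.com:port/affwebservices/public/mystatus.html</nete:forward>
      </nete:case>
      <nete:default>
         <nete:forward>https://www.example.com</nete:forward>
      </nete:default>
   </nete:cond>
</nete:proxyrules>
"""

# Matching criteria modelled here (assumption: "equals" is the only one the
# article uses; the other three are included as plausible generalisations).
CRITERIA = {
    "equals": lambda value, subject: subject == value,
    "beginswith": lambda value, subject: subject.startswith(value),
    "endswith": lambda value, subject: subject.endswith(value),
    "contains": lambda value, subject: value in subject,
}


def resolve_forward(rules_xml: str, request_uri: str) -> str:
    """Return the <nete:forward> URL the rules select for request_uri."""
    root = ET.fromstring(rules_xml)
    cond = root.find("nete:cond", NS)
    if cond is None or cond.get("type") != "uri":
        raise ValueError('only a top-level <nete:cond type="uri"> is modelled')
    match = CRITERIA[cond.get("criteria", "equals")]
    # Cases are tried in document order; the first match wins.
    for case in cond.findall("nete:case", NS):
        if match(case.get("value", ""), request_uri):
            return case.find("nete:forward", NS).text.strip()
    default = cond.find("nete:default/nete:forward", NS)
    if default is None:
        raise ValueError("no matching case and no <nete:default> in rules")
    return default.text.strip()


def https_backends(rules_xml: str) -> set:
    """Hosts reached over HTTPS by any forward rule.

    Each of these must have its server certificate chain in ca-bundle.cert,
    otherwise the proxy fails with "No trusted certificate found".
    """
    root = ET.fromstring(rules_xml)
    hosts = set()
    for fwd in root.iter("{%s}forward" % NETE_NS):
        url = urlparse(fwd.text.strip())
        if url.scheme == "https":
            hosts.add(url.hostname)
    return hosts


if __name__ == "__main__":
    for uri in ("/uri/mystatus.html", "/app/index.html"):
        print(uri, "->", resolve_forward(SAMPLE_PROXYRULES, uri))
    print("HTTPS back ends needing a trusted chain:",
          sorted(https_backends(SAMPLE_PROXYRULES)))
```

Run it against a copy of the production rules file (read the file into a string and pass it to resolve_forward) to confirm the health-check URI is routed to the Tomcat public folder and that every other URI still falls through to the default back end; the https_backends output is the checklist for the ca-bundle.cert step.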

Additional Information