AUTHORIZED DOCUMENTATION

Access Gateway Guide

Novell® Access Manager 3.1 SP2

November 16, 2010

www.novell.com

Novell Access Manager 3.1 SP2 Access Gateway Guide

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2006-2010 Novell, Inc. All rights reserved.
No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

Contents

About This Guide

1 Configuring the Access Gateway to Protect Web Resources
1.1 Managing Reverse Proxies and Authentication
1.1.1 Creating a Proxy Service
1.1.2 Configuring a Proxy Service
1.1.3 Configuring Advanced Options for a Domain-Based Proxy Service
1.2 Configuring the Web Servers of a Proxy Service
1.3 Configuring Protected Resources
1.3.1 Setting Up a Protected Resource
1.3.2 Configuring an Authentication Procedure for Non-Redirected Login
1.3.3 Assigning an Authorization Policy to a Protected Resource
1.3.4 Assigning an Identity Injection Policy to a Protected Resource
1.3.5 Assigning a Form Fill Policy to a Protected Resource
1.3.6 Assigning a Timeout Per Protected Resource
1.3.7 Assigning a Policy to Multiple Protected Resources
1.4 Configuring Protected Resources for Specific Applications
1.4.1 Configuring Protected Resource for a SharePoint Server
1.4.2 Configuring a Protected Resource for a SharePoint Server with an ADFS Server
1.4.3 Configuring a Protected Resource for Outlook Web Access
1.4.4 Configuring a Protected Resource for a Novell Teaming 2.0 Server
1.5 Configuring HTML Rewriting
1.5.1 Understanding the Rewriting Process
1.5.2 Specifying the DNS Names to Rewrite
1.5.3 Defining the Requirements for the Rewriter Profile
1.5.4 Configuring the HTML Rewriter and Profile
1.5.5 Creating or Modifying a Rewriter Profile
1.5.6 Disabling the Rewriter
1.6 Configuring Connection and Session Limits
1.6.1 Configuring TCP Listen Options for Clients
1.6.2 Configuring TCP Connect Options for Web Servers
1.6.3 Configuring Connection and Session Persistence

2 Server Configuration Settings
2.1 Configuration Overview
2.2 Saving, Applying, or Canceling Configuration Changes
2.3 Managing Access Gateways
2.3.1 Viewing and Updating the Configuration Status
2.3.2 Scheduling a Command
2.4 Managing General Details of the Access Gateway
2.4.1 Changing the Name of an Access Gateway and Modifying Other Server Details
2.4.2 Upgrading the Access Gateway Software
2.4.3 Exporting and Importing an Access Gateway Configuration
2.5 Setting Up a Tunnel
2.6 Setting the Date and Time
2.7 Customizing Error Pages on the Access Gateway Appliance
2.7.1 Customizing the Error Pages by Using the Default Template
2.7.2 Customizing and Localizing Error Messages
2.8 Customizing the Error Pages of the Access Gateway Service
2.9 Configuring Network Settings
2.9.1 Viewing and Modifying Adapter Settings
2.9.2 Viewing and Modifying Gateway Settings
2.9.3 Viewing and Modifying DNS Settings
2.9.4 Configuring Hosts
2.9.5 Adding New Network Interfaces to the Access Gateway Appliance
2.9.6 Adding a New IP Address to the Access Gateway Service
2.10 Customizing Logout Requests
2.10.1 Customizing Applications to Use the Access Gateway Logout Page
2.10.2 Customizing the Access Gateway Logout Page
2.10.3 Configuring the Logout Disconnect Interval
2.11 Configuring X-Forwarded-For Headers

3 Configuring the Access Gateway for SSL and Other Security Features
3.1 Using SSL on the Access Gateway Communication Channels
3.2 Prerequisites for SSL
3.2.1 Prerequisites for SSL Communication between the Identity Server and the Access Gateway
3.2.2 Prerequisites for SSL Communication between the Access Gateway and the Web Servers
3.3 Configuring SSL Communication with the Browsers and the Identity Server
3.4 Configuring SSL between the Proxy Service and the Web Servers
3.5 Enabling Secure Cookies
3.5.1 Securing the Embedded Service Provider Session Cookie
3.5.2 Securing the Proxy Session Cookie
3.6 Managing Access Gateway Certificates
3.6.1 Managing Embedded Service Provider Certificates
3.6.2 Managing Reverse Proxy and Web Server Certificates

4 Access Gateway Maintenance
4.1 Access Gateway Appliance Logs
4.1.1 Configuring Log Levels
4.1.2 Interpreting Log Messages
4.1.3 Configuring Logging of SOAP Messages and HTTP Headers
4.2 Access Gateway Service Logs
4.2.1 Managing Access Gateway Service Logging
4.2.2 Configuring a Log Profile
4.2.3 Managing Log Filters
4.2.4 Configuring a Log Filter
4.2.5 Configuring a Log File for Troubleshooting Form Fill
4.3 Configuring Logging for a Proxy Service
4.3.1 Determining Logging Requirements
4.3.2 Calculating Rollover Requirements
4.3.3 Enabling Logging
4.3.4 Configuring Common Log Options
4.3.5 Configuring Extended Log Options
4.3.6 Configuring the Size of the Log Partition
4.4 Viewing Access Gateway Statistics
4.4.1 Server Activity Statistics
4.4.2 Server Benefits Statistics
4.4.3 Service Provider Activity Statistics
4.5 Viewing Cluster Statistics
4.6 Monitoring Access Gateway Alerts
4.6.1 Viewing Access Gateway Alerts
4.6.2 Viewing Access Gateway Cluster Alerts
4.6.3 Managing Access Gateway Alert Profiles
4.6.4 Configuring an Alert Profile
4.6.5 SNMP Profile
4.6.6 Configuring a Log Profile
4.6.7 Configuring an E-Mail Profile
4.6.8 Configuring a Syslog Profile
4.7 Enabling Access Gateway Audit Events
4.8 Managing Server Health
4.8.1 Health States
4.8.2 Monitoring the Health of an Access Gateway
4.8.3 Viewing the Health of an Access Gateway Cluster
4.9 Viewing the Command Status of the Access Gateway
4.9.1 Viewing the Status of Current Commands
4.9.2 Viewing Detailed Command Information
4.10 Tuning the Access Gateway for Performance
4.10.1 Basic Tuning Options
4.10.2 Configuring a Specific IP Address for Proxied Requests
4.10.3 Java Memory Allocations:

5 Configuring the Content Settings
5.1 Configuring Caching Options
5.2 Controlling Browser Caching
5.3 Configuring Custom Cache Control Headers
5.3.1 Understanding How Custom Cache Control Headers Work
5.3.2 Enabling Custom Cache Control Headers
5.4 Configuring a Pin List
5.5 Configuring a Purge List
5.6 Purging Cached Content
5.7 Advanced Access Gateway Service Options

6 Protecting Multiple Resources
6.1 Setting Up a Group of Web Servers
6.2 Using Multi-Homing to Access Multiple Resources
6.2.1 Domain-Based Multi-Homing
6.2.2 Path-Based Multi-Homing
6.2.3 Virtual Multi-Homing
6.2.4 Creating a Second Proxy Service
6.2.5 Configuring a Path-Based Multi-Homing Proxy Service
6.2.6 Configuring Advanced Options for Path-Based Multi-Homing
6.3 Managing Multiple Reverse Proxies
6.3.1 Managing Entries in the Reverse Proxy List
6.3.2 Changing the Authentication Proxy Service
6.4 Managing a Cluster of Access Gateways
6.4.1 Creating a New Cluster
6.4.2 Managing the Servers in the Cluster
6.4.3 Managing Cluster Details
6.4.4 Editing Cluster Details
6.4.5 Changing the Primary Cluster Server
6.4.6 Applying Changes to Cluster Members

7 Troubleshooting the Access Gateway Appliance
7.1 Useful Tools for Troubleshooting the Access Gateway Appliance
7.1.1 Useful Tools
7.1.2 Using the Linux Access Gateway Monitor Service
7.1.3 Using the Access Gateway Appliance Console
7.1.4 Viewing Configuration Information
7.2 Using Log Files and Touch Files to Troubleshoot the Access Gateway Appliance
7.2.1 Viewing Log Files
7.2.2 Using Touch Files
7.3 Protected Resource Issues
7.3.1 HTML Frames Are Lost
7.3.2 Troubleshooting HTTP 1.1 and GZIP
7.3.3 Protected Resources Reference Non-Existent Policies
7.3.4 Protected Resource Configuration Changes Are Not Applied
7.3.5 Error AM#300101010 and Missing Resources
7.3.6 Unable to View Contents of Mail When Outlook Web Access Is Protected by the Access Gateway
7.3.7 Redirection Issue with Internet Explorer 7
7.4 Hardware and Machine Resource Issues
7.4.1 Error: novell-vmc-chroot Failed to Start
7.4.2 Mismatched SSL Certificates in a Cluster of Access Gateways
7.4.3 Recovering from a Hardware Failure on an Access Gateway Machine
7.4.4 Reinstalling a Failed Access Gateway
7.4.5 COS Related Issues
7.4.6 Memory Issues
7.5 Rewriter Issues
7.5.1 Discovering the Issue
7.5.2 Rewriting Fails on a Page with Numerous HREFs
7.5.3 Links Are Broken Because the Rewriter Sends the Request to the Wrong Proxy Service
7.5.4 Reading Configuration Files
7.5.5 Rewriter Does Not Rewrite Content in Files with a Non-Default Extension
7.5.6 An Additional DNS Name without a Scheme Is Not Rewritten
7.5.7 Rewriting a URL
7.5.8 The Access Gateway Rewrites a Host Header with a Port Number
7.6 Troubleshooting Crashes and Hangs
7.6.1 Enable the Access Gateway Monitor Service for the Core Dump Logic to Work Correctly
7.6.2 The Access Gateway Hangs When the Audit Server Comes Back Online
7.6.3 The Access Gateway Crashes When Log Files Are Removed
7.6.4 Troubleshooting a Failed Access Gateway Configuration
7.6.5 Troubleshooting an Access Gateway Crash
7.6.6 Access Gateway Not Responding
7.6.7 Access Gateway Dumps Core After 10 Minutes When Non-Redirected Login Is Enabled
7.6.8 Linux Access Gateway Crashes When a Change Is Applied to the Server
7.7 Connection and Authentication Issues
7.7.1 Connection Details
7.7.2 Network Socket Issues
7.7.3 Authentication Issues
7.8 Form Fill Issues
7.8.1 Form Fill Does Not Process Forms with Complicated JavaScript Functions When Data Is Auto-Submitted
7.8.2 Form Fill Error Messages
7.8.3 Alert: SSO (Form Fill) Failed Due to Malformed HTML
7.8.4 Form Fill Failure Because of Incorrect Policy Configuration
7.8.5 Browser Spinning Issues
7.9 Authorization and Identity Injection Issues
7.9.1 Authorization and Identity Injection Error Messages
7.9.2 Identity Injection Failures
7.9.3 Identity Injection Problems When Using a Password Management Service
7.10 Incorrect Health Status Is Reported
7.11 YaST Becomes Non-Responsive When a Partition Is Deleted or Created
7.12 Using Curl to Download Large Files
7.13 Reporting 504 Errors
7.14 Reporting 403 Errors

8 Troubleshooting the Access Gateway Service
8.1 Useful Troubleshooting Files
8.1.1 Apache Logging Options for the Gateway Service
8.1.2 The Access Gateway Service Log Files
8.2 Verifying That All Services Are Running
8.2.1 Linux
8.2.2 Windows
8.3 Troubleshooting SSL Connection Issues
8.4 Enabling Debug Mode and Core Dumps
8.4.1 Starting Apache in Debug Mode
8.4.2 Examining the Debug Information
8.4.3 Disabling Debug Mode
8.5 Useful Troubleshooting Tools for the Access Gateway Service
8.5.1 Tools for the Windows Access Gateway Service
8.5.2 Tools for the Linux Access Gateway Service
8.6 A Few Performance Tips
8.7 Solving Apache Restart Issues
8.7.1 Removing Any Advanced Configuration Settings
8.7.2 Viewing the Logged Apache Errors
8.7.3 Viewing the Errors as Apache Generates Them
8.7.4 The ActiveMQ Module Fails to Start
8.8 Understanding the Authentication Process of the Access Gateway Service