Symantec Access Management

  • 1.  Tech Tip : CA Single Sign-On : Cannot Bind to specific local Address

    Broadcom Employee
    Posted Jun 06, 2018 03:44 AM

    Issue:

     

    We are setting up CA Access Gateway into an existing CA SSO
    infrastructure.

     

    For security reasons we need to bind the Tomcat HTTP/S and AJP
    listeners to a specific address instead of having them listen on all
    interfaces.

    For this purpose we've set the parameter local.host inside the file
    server.conf to a local IP address (we also tried a hostname), but this
    throws an exception on startup and the proxy engine does not come up
    until we set the parameter back to its original value, local.host=*.
    The errors in the log files are:

    nohup.log

    ProxyServer initialization failed.
    Config File: '/opt/ca/secure-proxy/proxy-engine/conf/server.conf')

    server.log

    [19/Apr/2018:14:40:31-499] [ERROR] - ProxyServer initialization failed.
    [19/Apr/2018:14:40:31-499] [ERROR] - Config File: '/opt/ca/secure-proxy/proxy-engine/conf/server.conf')

    proxyui.log

    2018-Apr-19 14:36:47,585 - ERROR - com.ca.sps.adminui.listener.SPSConfigLoadServlet - Unable to Initialize Proxy UI Configuration
    java.lang.NumberFormatException: null
    at java.lang.Integer.parseInt(Integer.java:542) ~[?:1.8.0_162]
    at java.lang.Integer.valueOf(Integer.java:766) ~[?:1.8.0_162]
    at com.ca.sps.adminui.dao.groupconfiguration.GroupConfigurationDAO.loadCurrentProxyServerInfo(Unknown Source) ~[classes/:?]
    at com.ca.sps.adminui.dao.groupconfiguration.GroupConfigurationDAO.getInstance(Unknown Source) ~[classes/:?]
    at com.ca.sps.adminui.listener.SPSConfigLoadServlet.init(Unknown Source) [classes/:?]
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1269) [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182) [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072) [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5362) [catalina.jar:7.0.82]
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660) [catalina.jar:7.0.82]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) [catalina.jar:7.0.82]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1700) [catalina.jar:7.0.82]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1690) [catalina.jar:7.0.82]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_162]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]

     

    How can we configure this properly?

     

    Resolution:

     

    At the moment, the functionality to modify the ports and addresses for
    the ProxyUI isn't documented, and an idea to get it implemented is
    still not planned.

     

    Raise this Idea in the CA Single Sign-On Communities to get this
    possibility implemented out of the box.

    1. Go to the CA Security Overview Page:
    https://communities.ca.com/community/ca-security/ca-single-sign-on
    2. Click on the "Actions" drop-down menu and select "Create an
    idea."
    3. Give your idea a title and detailed description to encourage
    voting.
    4. Publish and vote on your idea!

     

    Please find below a link to related content:

     

    RFE - Restricting access to the SPS ProxyUI Admin Console
    https://communities.ca.com/ideas/235717668

     

    KB: KB000099443



  • 2.  Re: Tech Tip : CA Single Sign-On : Cannot Bind to specific local Address

    Broadcom Employee
    Posted Jun 06, 2018 04:02 AM

    Hi Patrick, I remember this one from quite a while ago.

     

    local.host=localhost (or IP address) was raised as a bug and fixed. I found it; below are the details from the case in 2015:

     

    Perhaps the fix did not make it into the head branch; maybe raise it as a regression then.

     

    Resolution:

    In server.conf there are two settings:
    local.host=localhost
    local.http.port=8080

    Those "should" determine the listener,
    but since about R12.5+, when they introduced proxyui,
    it has ignored the local.host setting.

    Engineering provided the fix on 6/3 and the customer tested that it successfully addressed the 8080 port disablement.

     

    SE ticket update: Work Item 154314

    XXXX changed on Tuesday, August 11, 2015 at 9:02:53 AM Eastern Daylight Time:
    Status: Implemented --> Verifying
    Resolution: Fixed --> Unresolved
    Comments:
    added: This Defect has been verified with the 12.52 integration CR03 build, and found it is fixed.
    Verified on an upgraded environment from the 12.52 SP01 CR01 GA build to the 12.52 integration CR03 build and the issue is not reproducible.
    Verified build version: FullVersion=12.52.0103.821

     

    Scenario 1:
    Steps:
    In the SPS server.conf file, change local.host = "IP which is resolved from the SPS host".
    Verify that netstat -an | grep 8080 shows the IP which is provided in server.conf:
    tcp 0 0 ::ffff:10.130.160.13:8080 :::* LISTEN

     

    Scenario 2:
    In case of local.host=localhost, below is the output for netstat -an | grep 8080:
    tcp 0 0 ::ffff:127.0.0.1:8080 :::* LISTEN

     

    The issue is fixed in both upgrade and clean installation. Hence closing the issue.

     

    Cheers - Mark
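
    The netstat check used in Scenarios 1 and 2 above, generalised a little: the script below is an added example (not from the original post, and not CA/Broadcom code) that parses netstat -an style output and reports which of the gateway's listening ports are still bound to all interfaces (0.0.0.0, :: or *) rather than to a specific address. It assumes the listener ports 8080 (HTTP), 8443 (HTTPS) and 8009 (AJP); adjust the list to whatever your server.conf uses. The netstat lines embedded in the script are constructed for the example, not captured from a real gateway.

```shell
#!/bin/sh
# Added example, not part of the original thread or of the CA Access Gateway product.
# Parses "netstat -an" style output and reports which of the listed ports are bound
# to all interfaces instead of a specific address.

# Assumed Access Gateway listener ports: 8080 HTTP, 8443 HTTPS, 8009 AJP.
# Adjust to the values in your server.conf.
SPS_PORTS="8080 8443 8009"

# Constructed sample: HTTP bound to the SPS IP (as in Scenario 1), HTTPS and AJP
# still on the IPv6 / IPv4 wildcard. Not captured from a real host.
SAMPLE_NETSTAT='tcp        0      0 ::ffff:10.130.160.13:8080 :::*                    LISTEN
tcp        0      0 :::8443                 :::*                    LISTEN
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN
tcp        0      0 ::ffff:10.130.160.13:22 :::*                    LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.130.160.13:8080      10.130.160.5:51234      ESTABLISHED'

# listen_addrs PORTS: read netstat output on stdin and print "<port> <address>"
# for every LISTEN socket whose port is in PORTS. IPv4-mapped IPv6 addresses
# (::ffff:a.b.c.d) are reduced to a.b.c.d so they compare like plain IPv4.
listen_addrs() {
  awk -v ports="$1" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      laddr = $4
      if (match(laddr, /:[0-9]+$/) == 0) next   # last ":<port>" of the local column
      port = substr(laddr, RSTART + 1)
      addr = substr(laddr, 1, RSTART - 1)
      sub(/^::ffff:/, "", addr)
      if (port in want) print port, addr
    }'
}

# check_binding: read netstat output on stdin; return 0 if every port in SPS_PORTS
# listens on a specific address, 1 if any listens on a wildcard (0.0.0.0, :: or *).
check_binding() {
  bad=$(listen_addrs "$SPS_PORTS" \
        | awk '$2 == "0.0.0.0" || $2 == "::" || $2 == "*" { print $1 }' \
        | sort -u | tr '\n' ' ')
  bad=${bad% }
  if [ -n "$bad" ]; then
    echo "wildcard bind on port(s): $bad"
    return 1
  fi
  echo "all checked ports are bound to a specific address"
  return 0
}

# "live" checks this host with netstat -an; anything else checks the constructed sample.
if [ "${1:-sample}" = "live" ]; then
  input() { netstat -an; }
else
  input() { printf '%s\n' "$SAMPLE_NETSTAT"; }
fi
if input | check_binding; then
  echo "OK: no change needed"
else
  echo "FIX: restrict the listed port(s) to a specific address and restart the proxy engine"
fi
```

    Run it without arguments to see the result on the constructed sample (8443 and 8009 are reported), or with the argument live to run netstat -an on the gateway host. It only understands the classic netstat column layout shown in the scenarios above; ss -ltn prints its columns differently and would need a different parser.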



  • 3.  Re: Tech Tip : CA Single Sign-On : Cannot Bind to specific local Address

    Broadcom Employee
    Posted Jun 06, 2018 04:13 AM

    Hi Mark, 

     

    Thanks for the note. Do you recall if this also changed the listening port and address configuration for the AJP module?

     

    Best Regards,

    Patrick