000028213 - How to temporarily enable HTTP login to RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Apr 29, 2020
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000028213
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: All
 
Issue

Overview


By default, RSA Identity Governance & Lifecycle appliances are shipped with the ability to access RSA Identity Governance & Lifecycle via HTTPS (SSL) enabled and the ability to access RSA Identity Governance & Lifecycle via HTTP (non-SSL) disabled.

HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. These are sometimes referred to as SSL (HTTPS) and non-SSL (HTTP). Very simply put, HTTPS encrypts the data sent and received with SSL, while HTTP sends it all as plain text.
 

Impact




  • HTTPS access to the user interface



The RSA Identity Governance & Lifecycle application comes with a self-signed certificate. Unless a signed certificate from a recognized Signing Authority is obtained and installed, users accessing the RSA Identity Governance & Lifecycle user interface via HTTPS will see a browser warning that the certificate is not signed by a recognized signing authority. The user is then provided the opportunity to continue or not. There is no security problem continuing, but having to manually acknowledge the self-signed certificate each time the user interface is accessed can be time consuming or confusing to some users. For details on obtaining and installing signed certificates, refer to the section entitled Working with Keystores and Certificates in Appendix A of the RSA Identity Governance & Lifecycle Installation Guide for your version.



  • HTTP access to the user interface when HTTP is not enabled (default)



Since HTTP access is not enabled by default, the user is not able to access the application from a browser using HTTP. Typically, attempted access results in error messages such as:
 


Cannot Display The Webpage


Connection Timed Out


Could Not Connect


Connection Refused



Enabling/Disabling HTTP access to the RSA Identity Governance & Lifecycle user interface


There may be times when HTTP access needs to be enabled for development or testing purposes or for use with some third-party authentication applications that make use of HTTP.
 

NOTE: It is it NOT recommended to enable HTTP except for specific development or testing environments and only after the data transfer security impact has been considered and understood.

Resolution

Before attempting to enable HTTP, the hostname and IP address of the server and the network configurations for DNS, the gateway and the subnet mask must be validated. The steps in this article will not work if any of these items are configured incorrectly.


To validate these configurations, open an SSH session to the server, login as the root user, and run the commands below to get this information.  


more /etc/hosts
more /etc/resolv.conf
more /etc/sysconfig/network
more /etc/sysconfig/network-scripts/ifcfg-bond0

 
Once the configurations have been validated, HTTP can be enabled. The steps to enable HTTP differ depending on the operating system. The steps below are for Red Hat and SuSE.


Red Hat Operating System:




  • Enable HTTP



To enable non-SSL access to the RSA Identity Governance & Lifecycle user interface using HTTP on Red Hat, change the following settings in the iptables file and restart the iptables service. These edits and command executions must be done by the root user.


  1. Login as the root user.
  2. Navigate to the /etc/sysconfig directory:


cd /etc/sysconfig


  1. Make a backup copy of the iptables file.


cp iptables iptables_backup_<date>


  1. Edit the iptables file:

  1. If the following two lines are commented out, remove the # from the beginning of each line. If these lines do not exist in the iptables file, add them.



-A PREROUTING -i bond0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i bond0 -p tcp -m tcp --dport 444 -j REDIRECT --to-ports 8444



  1. Add this line in the PREROUTING section after the existing PREROUTING commands in the iptables file:


-A PREROUTING -i bond0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080


For example, change from:



-A PREROUTING -i bond0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i bond0 -p tcp -m tcp --dport 444 -j REDIRECT --to-ports 8444


to:



-A PREROUTING -i bond0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i bond0 -p tcp -m tcp --dport 444 -j REDIRECT --to-ports 8444
-A PREROUTING -i bond0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080


  1. Add this line in the RH-Firewall section of the iptables file (it is recommended to put this entry before the line with dport 8081 for ease of user review):


-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT -m comment --comment "jboss http"


For example, change from:



-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5005 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8081 -j ACCEPT


to::



-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5005 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT -m comment --comment "jboss http"
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8081 -j ACCEPT


  1. Restart the iptables service with the command:


service iptables restart


  1. The RSA Identity Governance & Lifecycle user interface should now be accessible via HTTP as well as HTTPS.


  • Disable HTTP



To disable HTTP on a system where it has been enabled, there are three options.


  1. Login as the root user.
  2. Choose from one of the following three options:

  1. Restore the original iptables file from the backup.
  2. Remove the lines which were added in the examples above, or
  3. Include a # comment indicator at the beginning of each line, such as this:


#-A PREROUTING -i bond0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
#
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT -m comment --comment "jboss http"


  1. Restart the iptables service after choosing one of the above three options:


# service iptables restart


SuSE Operating System:

  • Enable HTTP

To enable non-SSL access to the RSA Identity Governance & Lifecycle user interface using HTTP on SuSE, change the following settings in the SuSEfirewall2 file and restart the firewall services. These edits and command executions must be done by the root user.


  1. Login as the root user.
  2. Navigate to the /etc/sysconfig directory:


# cd /etc/sysconfig


  1. Make a backup copy of the SuSEfirewall2 file.


# cp SuSEfirewall2 SuSEfirewall2_backup_<date>


  1. Edit the SuSEfirewall2  file, and make the bolded changes noted below.

  1. Change the FW_SERVICES_EXT_TCP line by adding references to ports 80 and 8080.

For example, change from:



FW_SERVICES_EXT_TCP="1158 1555 21 22 5802 5902 8081 8082 8161 8443 8444 8585"


to:



FW_SERVICES_EXT_TCP="1158 1555 21 22 5802 5902 80 8080 8081 8082 8161 8443 8444 8585"


  1. Change the FW_REDIRECT line by adding tcp redirect for ports 80 and 8080.

For example, change from:



FW_REDIRECT="0/0,0/0,tcp,443,8443 0/0,0/0,tcp,444,8444"


to:



FW_REDIRECT="0/0,0/0,tcp,80,8080 0/0,0/0,tcp,443,8443 0/0,0/0,tcp,444,8444"


  1. Restart the SuSE firewall services by executing these two commands:


/etc/init.d/SuSEfirewall2_init restart
/etc/init.d/SuSEfirewall2_setup restart


  1. The RSA Identity Governance & Lifecycle user interface should now be accessible via HTTP as well as HTTPS.

  • Disable HTTP

To disable HTTP on a SuSE system where it has been enabled, there are two options:


  1. Login as the root user.
  2. Choose from one of the following two options:
    1. Restore the original SuSEfirewall2 file from the backup.
    2. Remove the references to ports 80 and 8080 which were added in the examples above.
  3. Restart the SuSE firewall services after choosing one of the above two options:


/etc/init.d/SuSEfirewall2_init restart
/etc/init.d/SuSEfirewall2_setup restart

Attachments

    Outcomes