000028213 - How to enable/disable HTTP login to the RSA Identity Governance and Lifecycle Access Certification Manager (ACM) UI

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 12, 2017.
Version 3

Article Content

Article Number: 000028213
Applies To: RSA Product Set: RSA Identity Governance and Lifecycle, Aveksa
RSA Product/Service Type: ACM UI

Resolution

Please review the Notes section of this article. Before following the steps in this KB, the hostname and IP address for the server must be validated. Additionally, the network configuration for DNS, the gateway and the subnet mask must be confirmed to be correct. The steps listed in this article will not work if these network configuration items are not set up properly.

Overview


By default, RSA Aveksa appliances are shipped with HTTPS (SSL) enabled and HTTP (non-SSL) disabled.
HTTPS (HTTP over SSL, or HTTP Secure) is the use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server.
These are sometimes referred to as SSL (HTTPS) and non-SSL (HTTP). Very simply put, HTTPS encrypts the data sent and received with SSL, while HTTP sends it all as plain text.
 

What is the impact?



  • For HTTPS access to the UI


The Aveksa ACM/IAM application comes with a self-signed certificate. Unless a signed certificate from a recognized Signing Authority is obtained and installed, users accessing the ACM/IAM UI via HTTPS will see a browser warning that the certificate is not signed by a recognized signing authority. The user is then given the opportunity to continue or not. There is no security problem in continuing, but having to manually acknowledge the self-signed certificate each time the UI is accessed can be time consuming or confusing to some users. (Refer to Appendix A, "Working with Keystores and Certificates", in the RSA Identity Governance and Lifecycle V7.0.1 Installation Guide for specific details on obtaining and installing signed certificates. To review installation guides for earlier versions, refer to the RSA Identity Governance and Lifecycle page on RSA Link.)

 

  • For HTTP access to the UI, when HTTP is not enabled


Since HTTP access is not enabled by default, the user is not able to access the application from a browser using HTTP. Typically, attempted access results in an error message in the browser such as:

  • Cannot Display The Webpage
  • Connection Timed Out
  • Could Not Connect
  • Connection Refused

Enabling/Disabling HTTP access to ACM UI


There are times when the user would like to enable HTTP access to the UI for development or testing purposes. There are also some third-party authentication applications that make use of HTTP, so it may need to be enabled.
Note: It is NOT recommended to enable HTTP except in specific development or testing environments, and only after the data transfer security impact has been considered and understood.

For Red Hat OS



  • Enable HTTP


To enable non-SSL access to the ACM UI using HTTP on Red Hat, change these settings in the iptables file and restart the iptables service. This edit and command execution must be done by the root user.

  1. Log in as the root user.
  2. Navigate to the /etc/sysconfig directory:
# cd /etc/sysconfig

  3. Make a backup copy of the file iptables:
# cp iptables org_iptables

  4. Edit the file iptables and remove the # sign from the following two lines. If these lines do not exist in the iptables file, add them:
    1. Add this line in the PREROUTING section after the existing PREROUTING commands in the iptables file:
-A PREROUTING -i bond0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

For example, change this:

-A PREROUTING -i bond0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i bond0 -p tcp -m tcp --dport 444 -j REDIRECT --to-ports 8444

to:

-A PREROUTING -i bond0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i bond0 -p tcp -m tcp --dport 444 -j REDIRECT --to-ports 8444
-A PREROUTING -i bond0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

    2. Add this line in the RH-Firewall section of the iptables file (it is recommended to put this entry before the line with dport 8081 for ease of review):
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT -m comment --comment "jboss http"

For example, change this:

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5005 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8081 -j ACCEPT

to:

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5005 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT -m comment --comment "jboss http"
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8081 -j ACCEPT

  5. Restart the iptables service with the command:
# service iptables restart

  6. The ACM UI should now be accessible via HTTP as well as HTTPS.

  • Disable HTTP


To disable HTTP on a system where it had been enabled, there are three options:

  1. Restore the original backup file,
  2. Remove the lines which were added in the examples above, or
  3. Include a # comment indicator at the beginning of each line, such as this:
#-A PREROUTING -i bond0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT -m comment --comment "jboss http"

Whichever option is used, the iptables service must be restarted after the change:
# service iptables restart

For SuSE OS

  • Enable HTTP

To enable non-SSL access to the ACM UI using HTTP on SuSE OS, change these settings in the SuSEfirewall2 file and restart the firewall services. These edits and command executions must be done by the root user.

  1. Log in as the root user.
  2. Navigate to the /etc/sysconfig directory:
# cd /etc/sysconfig

  3. Copy the existing file as a backup:
# cp SuSEfirewall2 org_SuSEfirewall2

  4. Edit SuSEfirewall2 and make the changes shown below to these two lines:
    1. Change the FW_SERVICES_EXT_TCP line by adding references for ports 80 and 8080.
    2. Change the FW_REDIRECT line by adding a tcp redirect from port 80 to port 8080.
For example, change this:

FW_SERVICES_EXT_TCP="1158 1555 21 22 5802 5902 8081 8082 8161 8443 8444 8585"

to:

FW_SERVICES_EXT_TCP="1158 1555 21 22 5802 5902 80 8080 8081 8082 8161 8443 8444 8585"

and change this:

FW_REDIRECT="0/0,0/0,tcp,443,8443 0/0,0/0,tcp,444,8444"

to:

FW_REDIRECT="0/0,0/0,tcp,80,8080 0/0,0/0,tcp,443,8443 0/0,0/0,tcp,444,8444"

  5. Restart the SuSE firewall services by executing these two commands:
# /etc/init.d/SuSEfirewall2_init restart
# /etc/init.d/SuSEfirewall2_setup restart

  6. The ACM UI should now be accessible via HTTP as well as HTTPS.

  • Disable HTTP

To disable HTTP on a SuSE system where it had been enabled, there are two options:

  1. Restore the original backup file, or
  2. Remove the references to ports 80 and 8080 which were added in the examples above.
The services must be restarted after any changes, by executing these commands:

# /etc/init.d/SuSEfirewall2_init restart
# /etc/init.d/SuSEfirewall2_setup restart
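After either procedure above (Red Hat iptables or SuSE SuSEfirewall2), it is worth confirming which state the firewall file is actually in, especially on a system that should be HTTPS-only. The following shell script is an added example, not part of the RSA article: it looks for the exact rule shapes the steps above add and reports whether HTTP is enabled, partially configured, or disabled. The sample file contents and paths are constructed for the example.

```shell
# Added example (not from the RSA article): report whether the non-SSL HTTP
# path is active in a Red Hat iptables or SuSEfirewall2 file, using the rule
# shapes the steps above add. A "#"-commented rule does not count (reads as off).

# Count how many of the given patterns have an uncommented match in file $1.
count_rules() {
    f=$1; shift; n=0
    for pat in "$@"; do
        if grep -Eq "$pat" "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
}
# $1 = matches found, $2 = matches required for HTTP to work end to end.
state() { case $1 in "$2") echo enabled ;; 0) echo disabled ;; *) echo partial ;; esac; }

# Red Hat: the PREROUTING redirect (80 -> 8080) and the RH-Firewall-1-INPUT
# ACCEPT for 8080 are both required.
iptables_http_state() {
    n=$(count_rules "$1" \
        '^[[:space:]]*-A PREROUTING .*--dport 80 .*--to-ports 8080' \
        '^[[:space:]]*-A RH-Firewall-1-INPUT .*--dport 8080 .*-j ACCEPT')
    state "$n" 2
}

# SuSE: ports 80 and 8080 in FW_SERVICES_EXT_TCP plus the tcp,80,8080 entry in
# FW_REDIRECT. "80" is matched as a whole token, so 8080 or 8081 never count.
susefw_http_state() {
    n=$(count_rules "$1" \
        '^FW_SERVICES_EXT_TCP="([^"]* )?80( [^"]*)?"' \
        '^FW_SERVICES_EXT_TCP="([^"]* )?8080( [^"]*)?"' \
        '^FW_REDIRECT=".*0/0,0/0,tcp,80,8080.*"')
    state "$n" 3
}

# Constructed sample files (not real appliance configs) to exercise the checks.
write_samples() {
    printf '%s\n' \
        '-A PREROUTING -i bond0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080' \
        '-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8081 -j ACCEPT' \
        > "$1/iptables_partial"   # redirect added, ACCEPT rule for 8080 forgotten
    printf '%s\n' \
        'FW_SERVICES_EXT_TCP="21 22 5902 8081 8082 8443 8444"' \
        > "$1/susefw_off"         # stock HTTPS-only service list, no redirect
    printf '%s\n' \
        'FW_SERVICES_EXT_TCP="21 22 5902 80 8080 8081 8082 8443 8444"' \
        'FW_REDIRECT="0/0,0/0,tcp,80,8080 0/0,0/0,tcp,443,8443"' \
        > "$1/susefw_on"          # both SuSE edits applied
}

samples=$(mktemp -d); write_samples "$samples"
echo "iptables_partial: $(iptables_http_state "$samples/iptables_partial")"
echo "susefw_off: $(susefw_http_state "$samples/susefw_off")"
echo "susefw_on: $(susefw_http_state "$samples/susefw_on")"
```

Run it as root against the real files (/etc/sysconfig/iptables or /etc/sysconfig/SuSEfirewall2) to audit a system; a "partial" result means one of the two edits was made without the other.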
Notes

Before using the steps in this KB, the information below is needed to validate that the hostname and IP address are correct, and that the network configuration for DNS, gateway and subnet mask is correct. Open an SSH session to the server and, as root, run the commands below to get this information. The steps listed in the Resolution section of this article will not work if these items are not configured correctly.
more /etc/hosts
more /etc/resolv.conf
more /etc/sysconfig/network
more /etc/sysconfig/network-scripts/ifcfg-bond0

 
