000025827 - RSA ClearTrust Web Agents unable to contact Auth Server over NAT

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025827
Applies To: RSA ClearTrust 5.0.1 Authorization Server (AServer); Sun Solaris 2.8
Issue: RSA ClearTrust Web Agents unable to contact Auth Server over NAT
Cause: The back-end servers running the ClearTrust components (eserver, aserver and dispatcher) sit in a private network. The Web servers sit on another network with public addresses and pass through two firewalls to reach the back-end servers; the firewalls NAT both the source and destination IP addresses. The problem is that the dispatcher sends the true (internal) IP addresses of the Authorization Servers back to the Web Agents, and the Web Agents have no route to those 10.x.x.x addresses. The plugin first goes to the dispatcher for the Authorization Server list and then falls back to the hard-coded Authorization Server addresses in its own webagent.conf file, which takes 3 to 5 minutes.
Resolution: There are two ways to fix this problem:

1. In the webagent.conf file, find the parameter cleartrust.agent.dispatcher_list= and leave its value blank. This tells the plugin not to query the dispatcher for the Authorization Server list and to use the Authorization Server list in its own webagent.conf file instead.

2. The complete solution for a NAT configuration with ClearTrust is described in the RSA ClearTrust 5.0.1 Servers Installation and Configuration Guide, p. 90.

To configure RSA ClearTrust for NAT, follow these steps:

1. Create an entry in the hosts file (or the internal DNS) of your Entitlements Server machine so that the Authorization Server hostname resolves to the internal IP address of the Authorization Server.
 - On Windows, the hosts file is C:\WINNT\system32\drivers\etc\hosts
 - On UNIX, the file is /etc/hosts

2. Create an entry in the hosts file (or the external DNS) of your Web server machine so that the Authorization Server hostname resolves to the external IP address of the Authorization Server.

3. Open the aserver.conf file for the Authorization Server and enter the hostname that should be published to the Web Agents and the other RSA ClearTrust Servers (cleartrust.aserver.export_address). If this parameter is left blank, the Authorization Server is known by its internal IP address only.

4. Open the dispatcher.conf file and set the dispatcher to publish the Authorization Server by hostname (cleartrust.dispatcher.plugin_auth_format=hostname). This allows the Agents and Runtime API clients to contact the Authorization Server by its hostname instead of by its IP address.

5. Restart your Dispatcher and Authorization Servers for the new settings to take effect.

The parameters set in steps 3 and 4 are:

cleartrust.aserver.export_address=<authserver.domain.com>
cleartrust.dispatcher.plugin_auth_format=hostname
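As an added example (not part of the RSA article or the ClearTrust product), the following POSIX shell check reads the three configuration files named above plus the Web server machine's hosts file and reports whether either fix is in place. The key=value syntax, the argument order and the hosts-file layout are assumptions; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the RSA article or the ClearTrust product:
# report which of the two NAT fixes described above is in place.
# Assumes the key=value syntax the article shows for webagent.conf,
# aserver.conf and dispatcher.conf, and a standard hosts-file layout.

# conf_get FILE KEY: print KEY's value (empty when unset or absent).
conf_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the key are literal
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# hosts_lookup HOSTS_FILE NAME: print the address NAME maps to (empty if none).
hosts_lookup() {
    awk -v name="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$1"
}

# check_nat_config WEBAGENT_CONF ASERVER_CONF DISPATCHER_CONF WEB_HOSTS_FILE
# Returns 0 when the Web Agent can reach the AServer per the article, 1 otherwise.
check_nat_config() {
    dispatcher_list=$(conf_get "$1" cleartrust.agent.dispatcher_list)
    export_address=$(conf_get "$2" cleartrust.aserver.export_address)
    auth_format=$(conf_get "$3" cleartrust.dispatcher.plugin_auth_format)

    # Fix 1: blank dispatcher_list, the agent uses its own hard-coded list.
    if [ -z "$dispatcher_list" ]; then
        echo "ok: dispatcher_list is blank; agent uses its webagent.conf auth server list"
        return 0
    fi
    # Fix 2: the dispatcher must publish a hostname, and that name must resolve
    # on the Web server machine to an address the agent can actually reach.
    if [ -z "$export_address" ] || [ "$auth_format" != "hostname" ]; then
        echo "gap: dispatcher publishes the AServer's internal IP (export_address='$export_address', plugin_auth_format='$auth_format')"
        return 1
    fi
    addr=$(hosts_lookup "$4" "$export_address")
    case "$addr" in
        "")    echo "gap: $export_address does not resolve on the Web server machine"; return 1 ;;
        10.*)  echo "gap: $export_address resolves to private address $addr, unreachable across the NAT"; return 1 ;;
        *)     echo "ok: dispatcher publishes $export_address, resolving to $addr"; return 0 ;;
    esac
}

# Usage: check_nat_config.sh webagent.conf aserver.conf dispatcher.conf /etc/hosts
if [ "$#" -eq 4 ]; then
    check_nat_config "$@"
fi
```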
Legacy Article ID: a17700
