| Issue | Unable to login into the RSA Identity Governance and Lifecycle UI with secure HTTPS after completing the 7.0.1 installation on Red Hat, while RSA Identity Governance and Lifecycle is running. When you attempt to load a page, it takes too long to respond and times out with the following messages:
This site can't be reached
ERR_CONNECTION_TIMED_OUT
This article describes the procedure of how to apply the fix for the problem you encounter with running RSA Identity Governance and Lifecycle on WildFly due to a firewall issue, after initial deployment.
Note : There are some other scenarios/reasons that can prevent access to the Aveksa UI, which are discussed in the Notes section below.
|
| Resolution | Configure firewall to open and redirect the ports
Note: This section describes the firewall configuration procedure for Red Hat. The steps for firewall configuration for SUSE, are different.
- Log on to the appliance from the SSH console as the root user.
- Make sure iptables is enabled by executing the chkconfig command below. This command will let you see if the iptables service is set to be on or off, based on runlevels. In the example below, the iptables service is off on all runlevels.
[root@server ~]# chkconfig --list iptables
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
- If the iptables service is off, we need to turn it on using the chkconfig command below: In the example here, this will make the changes for runlevels 2, 3, 4 and 5.
[root@server ~]# chkconfig iptables on
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
- Backup the existing iptables file.
- Navigate to the directory below:
[root@server ~]# cd /etc/sysconfig/
- Take a backup of the iptables file, using the -p switch to preserve the specified attributes, such as default: mode, ownership, timestamps):
[root@server sysconfig]# cp -p iptables iptables_bk
- Open and edit the iptables file with a text editor, such as vi:
[root@server ~]# vi /etc/sysconfig/iptables
- Add the following lines, as in the example below, to the firewall section in iptables file to open the ports:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8444 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1555 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1158 -j ACCEPT
COMMIT
- Add a network address translation section, if you don’t have one, to perform port redirection from the standard https port. Note: The NAT section typically appears before the *filter section. If you already have a *nat section, add the two REDIRECT lines. In this case, the *nat section is not there so it was added this way with two REDIRECT lines, just above the *filter section.
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i bond0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i bond0 -p tcp -m tcp --dport 444 -j REDIRECT --to-ports 8444
COMMIT
Note: If there is no bonding, and if you are not using bonded interfaces, then bond0 needs to be replaced with the primary network interface,you are using.
- Save the file. To exit from vi and save changes, press Esc then type :wq! to save and quit vi.
- Restart iptables with the command below. Make sure iptables restarts without any error.
[root@server ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: nat [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
- Verify the rules were applied correctly by listing the iptables rules in the table view with the list command below:
[root@server ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pcsync-http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:livelan
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:dbcontrol-oms
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
- Verify that the /etc/sysconfig/iptables file looks similar to the following. Use a cat command to view the file.
[root@server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i bond0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -i bond0 -p tcp -m tcp --dport 444 -j REDIRECT --to-ports 8444
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8444 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1555 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1158 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
- Using the following URL: https://<installation_machine_IP_address>, log on to RSA Identity Governance and Lifecycle from any compatible web browser and verify it is now accessible. The RSA Identity Governance and Lifecycle login screen will appear.
- Enter the default credentials:
User: AveksaAdm
Password: aveksa123
- When prompted, change the password for the AveksaAdmin user.
- Enter your new password in the New Password box. Re-enter your new password in the Confirm Password box. Click OK. Valid passwords must consist of at least eight characters, one upper and one lower case character, and one number.
|
| Notes | Your server might have an existing file (that is, /etc/sysconfig/iptables) with some rules in it . Please take the backup of existing file, before editing new rules. For example, in this case we had an existing iptables file as in the example below (the number flag was set here to turn on line numbering):
[root@example.com ~]# cat /etc/sysconfig/iptables
1 # Firewall configuration written by system-config-firewall
2 # Manual customization of this file is not recommended.
3 *filter
4 :INPUT ACCEPT [0:0]
5 :FORWARD ACCEPT [0:0]
6 :OUTPUT ACCEPT [0:0]
7 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
8 -A INPUT -p icmp -j ACCEPT
9 -A INPUT -i lo -j ACCEPT
10 -A INPUT -j REJECT --reject-with icmp-host-prohibited
11 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
12 COMMIT
# We added the *nat section before the *filter section, and new rules to open and redirect required TCP ports were added after line 9 that is between line 9 to 10.
Important support note: There are other scenarios or reasons that can prevent Aveksa UI access. Please refer to the troubleshooting section below, based on the failure results:
Unable to login into RSA Identity Governance and Lifecycle with secure HTTPS
Errors
The server.log file cites:
07/13/2012 16:22:11.516 INFO (main)
[org.apache.coyote.http11.Http11Protocol] Starting Coyote HTTP/1.1 on http-
0.0.0.0-8080
07/13/2012 16:22:11.557 ERROR (main)
[org.apache.coyote.http11.Http11Protocol] Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
Reason
The aveksa-standalone-full.xml file connection configuration has the wrong keystore password.
Solution
Edit the server.xml and correct the keystore information.
Unable to login into RSA Identity Governance and Lifecycle with secure HTTPS
Errors
The server.log file cites:
2012-07-17 07:29:50,431 INFO [org.apache.coyote.http11.Http11Protocol]
Initializing Coyote HTTP/1.1 on http-0.0.0.0-8080
2012-07-17 07:29:50,560 ERROR [org.apache.coyote.http11.Http11Protocol]
Error initializing endpoint
java.io.IOException: Cannot recover key
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init
(JSSESocketFactory.java:394)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket
(JSSESocketFactory.java:135)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1073)
at org.apache.catalina.core.StandardService.initialize
(StandardService.java:668)
Reason
The keystore password and server certificate passwords do not match.
Solution
Generate the keystore file with a server certificate with the same password. |
on Jan 5, 2017