How to configure more than two IP addresses for an RSA Authentication Manager 8.2 Web Tier Virtual Host
Originally Published: 2016-09-02
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.1, 8.2
Platform: VMware
RSA Product/Service Type: Authentication Manager Web Tier
O/S Version: Red Hat Enterprise Linux 5 (64-bit), 6 (64-bit), Microsoft Windows Server 2008 R2 (64-bit), Windows Server 2012 (64-bit) or Windows Server 2012 R2 (64-bit)
Issue
We noticed a success rate of less than 100% when logging into the SSC through the web tier from an F5 Internet connection. Failures all occur as soon as the user ID is entered. No time is given to enter the passcode. The browser reloads the /IMS-AA-IDP/InitialLogonDispatch.do page and prompts the user to log in again. Sometimes it logs the user in, but the screen does not render completely. Sometimes it renders completely, but clicking a link and backing up throws the user back to the logon screen, displaying the Self-Service Console logon with the following error:
Invalid Request
Your request cannot be processed at this time. It either has been processed or is a bad request. Return to home and try again.
The [wt_home]/server/logs/imsConsoleTrace.log on the web tier shows the following error:
com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR
Caused by: com.rsa.common.SystemException: Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.
Tasks
- Add the first two SNAT IP addresses to the Virtual Host through the Operations Console, using the steps in Resolution below.
- Add the third IP address to the ..\<WebTier>\utils\resource\ssofilter.properties file by copying and pasting the second address configuration and editing it.
Resolution
- Add the first two SNAT IP addresses for the F5, or the source IP addresses for packets from the F5 to the Web Tier in the Operations Console.
  - From the Operations Console, select Deployment Configuration > Virtual Host and Load Balancing.
  - Add the SNAT IP addresses to the Load Balancer Details list.
  - Click Save when done.
- Be sure to update the web tier status to push these changes to the web tiers.
  - From the Operations Console, select Deployment Configuration > Web Tier Deployments > Manage Existing.
  - Under Status, click Update.
- Next, access your web tier, and edit the ..\Webtier\utils\resources\ssofilter.properties file. Be sure to note the path. Do not edit the ..\Webtier\pkg\ssofilter.properties file by mistake. Note that the Operations Console will reflect this addition, but you will not be able to edit and save the virtual host configuration.
  - Find the following string:
    trustedProxies=\ 66.232.235.198/32\=X-Forwarded-For 66.232.235.199/32\=X-Forwarded-For
  - Add the third IP as in the example below to get the three IP addresses:
    trustedProxies=\ 66.232.235.198/32\=X-Forwarded-For 66.232.235.199/32\=X-Forwarded-For 66.232.235.200/32\=X-Forwarded-For
Note that you will be able to see the addition in the Operations Console but will not be able to edit it.
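A check for the edited file, as an added example (not RSA code): it parses the trustedProxies value and reports whether a given F5 source address is covered, plus any entry wider than a chosen size so that broad ranges get a second look. It assumes entries are whitespace-separated as displayed in this article and treats a backslash line continuation as whitespace; the 203.0.113.0/24 entry, the sample layout and the function names are constructed for illustration.

```python
import ipaddress
import re

# One entry looks like 66.232.235.198/32\=X-Forwarded-For ("\=" is an escaped "=").
ENTRY = re.compile(r"(\S+?)\\?=(\S+)")

# Constructed samples: the two- and three-address values shown in this article,
# laid out with line continuations (assumed), plus one constructed wide range.
TWO_PROXIES = (
    "trustedProxies=\\\n"
    " 66.232.235.198/32\\=X-Forwarded-For \\\n"
    " 66.232.235.199/32\\=X-Forwarded-For\n"
)
THREE_PROXIES = TWO_PROXIES.rstrip("\n") + " \\\n 66.232.235.200/32\\=X-Forwarded-For\n"
WITH_RANGE = THREE_PROXIES.rstrip("\n") + " \\\n 203.0.113.0/24\\=X-Forwarded-For\n"


def parse_trusted_proxies(text):
    """Return [(network, header)] read from the trustedProxies property."""
    flat = re.sub(r"\\\r?\n", " ", text)  # continuation treated as whitespace
    for line in flat.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "trustedProxies":
            return [(ipaddress.ip_network(cidr, strict=False), header)
                    for cidr, header in ENTRY.findall(value)]
    return []


def check_source(text, source_ip, max_addresses=16):
    """Say whether source_ip is a trusted proxy; list entries wider than the limit."""
    addr = ipaddress.ip_address(source_ip)
    entries = parse_trusted_proxies(text)
    matched = [str(net) for net, _ in entries if addr in net]
    wide = [str(net) for net, _ in entries if net.num_addresses > max_addresses]
    return {"trusted": bool(matched), "matched": matched, "wide": wide}


if __name__ == "__main__":
    for name, text in (("two", TWO_PROXIES), ("three", THREE_PROXIES)):
        print(name, check_source(text, "66.232.235.200"))
    print("wide entries:", check_source(WITH_RANGE, "66.232.235.200")["wide"])
```

With the two-address value the third SNAT address is reported as untrusted, which is the condition behind the "not recognized by the system" error above.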
Notes
trustedProxies=\ 103.21.xxx.1/32\=X-Forwarded-For 103.21.xxx.2/32\=X-Forwarded-For 103.21.xxx.3/32\=X-Forwarded-For 103.21.xxx.0/22\=X-Forwarded-For 103.22.xxx.0/22\=X-Forwarded-For 103.31.xxx.0/22\=X-Forwarded-For 104.xxx.0.0/12\=X-Forwarded-For 108.162.xxx.0/18\=X-Forwarded-For 131.0.xxx.0/22\=X-Forwarded-For
This will add those subnets:
103.21.xxx.0/22 103.22.xxx.0/22 103.31.xxx.0/22 104.xxx.0.0/12 108.162.xxx.0/18 131.0.xxx.0/22