RSA AM Consoles URL aliases & redirections
Dear all,
First of all, I'd like to point out that I already have a case open for this (opened 3 weeks ago), but, unfortunately for me, RSA support does not help me much. That's why I decided to post the thing here.
I know some people here who are used to testing, reproducing, finding and finally answering in a very good manner & time 🙂
@JayGuillette @EdwardDavis @TedBarbour @_EricaChalfin
This thread is regarding the web access to the various RSA AM Consoles.
We recently upgraded our appliances to the 8.5 version.
When on old version (8.1, then 8.3), admins used to access the portals using a URL alias "admin-rsa.alias.stuff".
Consoles were thus accessible through:
- https://admin-rsa.alias.stuff/oc
- https://admin-rsa.alias.stuff/sc or https://admin-rsa.alias.stuff/
- https://admin-rsa.alias.stuff/ssc
After the upgrade, I was told that those URLs were not accessible anymore.
For proxy reasons, the "https://host.corp.intra/" URL style is filtered and not accessible for those admin teams.
I then tried to access the consoles via the alias, and here is what happens:
- OC : https://admin-rsa.alias.stuff/oc rewrites to https://host.corp.intra:7072/operations-console/Index.jsp
- SC : https://admin-rsa.alias.stuff/sc (or https://admin-rsa.alias.stuff/) rewrites to https://host.corp.intra:7004/IMS-AA-IDP/InitialLogonDispatch.do
Digging a bit, I found that you may have to add the URL alias to a "trusted hosts whitelist" to be able to access your consoles through an aliased URL.
As per KB https://community.rsa.com/t5/rsa-securid-access-knowledge/alias-host-name-redirect-to-consoles-is-not-working-after/ta-p/6367, I issued the following command and restarted services:
./rsautil store -a add_config ims.trustedhost.whitelist.custom "admin-rsa.alias.stuff" GLOBAL STRING
Moreover, I added the "admin-rsa.alias.stuff" entry in the hosts file, on the Primary appliance's own line.
At that point, the redirections still occurred...
The RSA support team was absolutely silent on this point, and still is.
So, I decided to dig more, and here is what I found.
URLs are being rewritten by a pseudo-HTTP router, configured through the file: /opt/rsa/am/utils/etc/redirector.properties
Below is its default content:
#Servlet URL redirector mappings
#Wed Feb 03 20:29:21 CET 2021
/sc=https\://host.corp.intra\:7004/console-ims/
/oc=https\://host.corp.intra\:7072/operations-console/
/ss=https\://host.corp.intra\:7004/console-selfservice/
/=https\://host.corp.intra\:7004/console-ims/
Taking wget traces, I clearly understood that these were the "rewrite rules".
So I decided to change them to:
#Servlet URL redirector mappings
#Wed Feb 03 20:29:21 CET 2021
/sc=https\://admin-rsa.alias.stuff\:7004/console-ims/
/oc=https\://admin-rsa.alias.stuff\:7072/operations-console/
/ss=https\://admin-rsa.alias.stuff\:7004/console-selfservice/
/=https\://admin-rsa.alias.stuff\:7004/console-ims/
And now, here is what happens when trying to access the consoles:
1) Operations Console
wget --no-check-certificate https://admin-rsa.alias.stuff/oc
--2021-03-16 14:55:48-- https://admin-rsa.alias.stuff/oc
Resolving admin-rsa.alias.stuff (admin-rsa.alias.stuff)...
Connecting to admin-rsa.alias.stuff (admin-rsa.alias.stuff)||:443... connected.
...
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://admin-rsa.alias.stuff:7072/operations-console/ [following]
--2021-03-16 14:55:48-- https://admin-rsa.alias.stuff:7072/operations-console/
Connecting to admin-rsa.alias.stuff (admin-rsa.alias.stuff)||:7072... connected.
...
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://admin-rsa.alias.stuff:7072/operations-console/Index.jsp [following]
--2021-03-16 14:55:48-- https://admin-rsa.alias.stuff:7072/operations-console/Index.jsp
Reusing existing connection to admin-rsa.alias.stuff:7072.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘oc’
2) Self-Service Console
wget --no-check-certificate https://admin-rsa.alias.stuff/ssc
--2021-03-16 14:58:10-- https://admin-rsa.alias.stuff/ssc
Resolving admin-rsa.alias.stuff (admin-rsa.alias.stuff)...
Connecting to admin-rsa.alias.stuff (admin-rsa.alias.stuff)||:443... connected.
...
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://admin-rsa.alias.stuff:7004/console-selfservice/ [following]
--2021-03-16 14:58:10-- https://admin-rsa.alias.stuff:7004/console-selfservice/
Connecting to admin-rsa.alias.stuff (admin-rsa.alias.stuff)||:7004... connected.
...
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://admin-rsa.alias.stuff:7004/console-selfservice/SelfService.do [following]
--2021-03-16 14:58:10-- https://admin-rsa.alias.stuff:7004/console-selfservice/SelfService.do
Reusing existing connection to admin-rsa.alias.stuff:7004.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘ssc’
3) Security Console
wget --no-check-certificate https://admin-rsa.alias.stuff/sc
--2021-03-16 14:59:17-- https://admin-rsa.alias.stuff/sc
Resolving admin-rsa.alias.stuff (admin-rsa.alias.stuff)...
Connecting to admin-rsa.alias.stuff (admin-rsa.alias.stuff)||:443... connected.
...
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://admin-rsa.alias.stuff:7004/console-ims/ [following]
--2021-03-16 14:59:17-- https://admin-rsa.alias.stuff:7004/console-ims/
Connecting to admin-rsa.alias.stuff (admin-rsa.alias.stuff)||:7004... connected.
...
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://admin-rsa.alias.stuff:7004/console-ims/Index.jsp [following]
--2021-03-16 14:59:17-- https://admin-rsa.alias.stuff:7004/console-ims/Index.jsp
Reusing existing connection to admin-rsa.alias.stuff:7004.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://host.corp.intra:7004/IMS-AA-IDP/sso/logon?RequestID=86aa548f... [following]
--2021-03-16 14:59:17-- https://host.corp.intra:7004/IMS-AA-IDP/sso/logon?RequestID=86aa548f...
Resolving host.corp.intra (host.corp.intra)...
Connecting to host.corp.intra (host.corp.intra)||:7004... connected.
...
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://host.corp.intra:7004/IMS-AA-IDP/InitialLogonDispatch.do [following]
--2021-03-16 14:59:17-- https://host.corp.intra:7004/IMS-AA-IDP/InitialLogonDispatch.do
Reusing existing connection to host.corp.intra:7004.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘sc’
So, basically, Self-Service and Operations Consoles are showing the expected behavior, but not the Security Console.
I'm not getting why the URL redirection when accessing the Security Console goes through the following scheme:
1) https://admin-rsa.alias.stuff/sc
2) https://admin-rsa.alias.stuff:7004/console-ims/
3) https://host.corp.intra:7004/IMS-AA-IDP/sso/logon?RequestID=86aa548f ... <<< here comes something SSO-related (???)
4) https://host.corp.intra:7004/IMS-AA-IDP/InitialLogonDispatch.do <<< this is where you finally lose the URL alias
I also found an interesting post, and especially the remark of @JayGuillette (2017-02-21 09:34 AM)
https://community.rsa.com/t5/rsa-securid-access-discussions/security-console-and-reverse-proxy/td-p/456455
As far as I know, the access to all Consoles was working prior to the upgrade.
Thanks for your help!
Kind Regards,
David
- Tags:
- AM upgrade
- Authentication Manager Consoles
- HTTP 302 Redirection
- Security Console Alias URL
- Security Console Redirection
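As an added example (not code from the post or from RSA), here is a small Python audit that follows a redirect chain one hop at a time and flags the hop where the hostname changes, which is the symptom shown above for the Security Console. The default fetcher replays a chain constructed from the wget trace for /sc so it runs offline; `live_fetch` is a hypothetical helper for running the same check against a real appliance.

```python
"""Follow a redirect chain one hop at a time and report where the hostname changes.
Added example, not RSA's code; default fetcher replays the post's constructed /sc chain offline."""
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Fetcher = Callable[[str], Tuple[int, Optional[str]]]  # url -> (status, Location header)
ALIAS = "admin-rsa.alias.stuff"  # URL alias the admins use
FQHN = "host.corp.intra"         # appliance FQHN that the SSO hop falls back to

# Constructed from the wget trace for /sc in the post: url -> (status, Location).
_CONSTRUCTED_SC_CHAIN = {
    f"https://{ALIAS}/sc": (302, f"https://{ALIAS}:7004/console-ims/"),
    f"https://{ALIAS}:7004/console-ims/": (302, f"https://{ALIAS}:7004/console-ims/Index.jsp"),
    f"https://{ALIAS}:7004/console-ims/Index.jsp":
        (302, f"https://{FQHN}:7004/IMS-AA-IDP/sso/logon?RequestID=86aa548f"),
    f"https://{FQHN}:7004/IMS-AA-IDP/sso/logon?RequestID=86aa548f":
        (302, f"https://{FQHN}:7004/IMS-AA-IDP/InitialLogonDispatch.do"),
    f"https://{FQHN}:7004/IMS-AA-IDP/InitialLogonDispatch.do": (200, None),
}

def constructed_fetch(url: str) -> Tuple[int, Optional[str]]:
    return _CONSTRUCTED_SC_CHAIN.get(url, (404, None))

def live_fetch(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """Hypothetical real fetcher: one request, redirect NOT followed (TLS is verified)."""
    import urllib.error, urllib.request
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # urllib then raises HTTPError for 3xx instead of following it
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def follow_redirects(start: str, fetch: Fetcher = constructed_fetch, max_hops: int = 10) -> List[str]:
    """URLs visited from `start` until a non-3xx answer; relative Locations are resolved."""
    chain, url = [start], start
    for _ in range(max_hops):
        status, location = fetch(url)
        if not 300 <= status < 400 or location is None:
            return chain
        url = urljoin(url, location)
        chain.append(url)
    raise RuntimeError(f"more than {max_hops} redirects from {start}")

def host_changes(chain: List[str]) -> List[Tuple[int, str, str]]:
    """(hop, old host, new host) for every hop whose hostname differs from the previous one."""
    hosts = [urlsplit(u).hostname for u in chain]
    return [(i, hosts[i - 1], hosts[i]) for i in range(1, len(hosts)) if hosts[i] != hosts[i - 1]]
```

`host_changes(follow_redirects("https://admin-rsa.alias.stuff/sc"))` returns the single hop at which the alias is swapped for the FQHN; for a live run pass `fetch=live_fetch`, and an empty result means the alias survived the whole chain.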
I would start by making sure two things are well-defined:
- The Fully Qualified Host Name (FQHN) of the server.
- Clean resolution of the FQHN IP address.
The URLs are re-directed because there's an internal SAML IdP used for the Consoles. Effectively you have the SP as "admin-rsa.alias.stuff" and the IdP is "host.corp.intra".
If you really need the consoles to appear at "host.corp.intra" you probably need to "play" with the DNS and console certificates.
Make sure that host.corp.intra and admin-rsa.alias.stuff both resolve to the same address. Create new console certificates with Subject-Alternate-Name (SAN) for the "host.corp.intra" FQHN (or whatever would be considered the "alternate".)
I would also undo the manual changes made to the redirector configuration file. The problem is that when you manually alter files that are part of the appliance, you can end up breaking functionality. For example, the changes you made to the re-direction file could cause a process performing a "Change FQHN" to not replace the prior name with the new name.
I would highly recommend opening a case and working with Customer Support to get this straightened out.
Hi @PiersB,
Thanks for your answer and details.
For the naming-related stuff:
1. FQDN is OK on the Primary, and each of the 5 Replicas resolves properly
2. The alias is declared in the Corp DNS server, as a CNAME for the A record of the Primary appliance
I suppose you meant "admin-rsa.alias.stuff" for what I really need 😉
For the console certificates, they all (Primary and Replicas) have "admin-rsa.alias.stuff" as a SAN.
If I remove the tuning of the redirector file, I immediately lose the possibility of accessing the Self-Service and Operations Consoles using the aliased URL.
The only remaining point is that IDR redirection when accessing the Security Console portal.
To tell you all, I found a "dirty" solution to achieve what we need.
This is by getting the final redirection page you have: "https://host.corp.intra:7004/IMS-AA-IDP/sso/logon?RequestID=86aa548f ..." with many parameters.
Then, you copy/paste exactly that string and fill the redirector.properties file with:
"/sc=https\://admin-rsa.alias.stuff\:7004/IMS-AA-IDP/sso/logon?RequestID=86aa548f ..."
By doing this, the redirection is trying to "replay" all these parameters, then failing, and then redirecting you to
https://admin-rsa.alias.stuff:7004/IMS-AA-IDP/InitialLogonDispatch.do, without any "Session expired" message shown. 🙂
Maybe "dummy" parameters could do the trick, but I don't know them. Every time I change a single letter here, I get the "Session expired" error message after the redirection occurs.
So definitely, I need, and would like, to understand how to avoid the rewrite by the IDR.
Moreover, I don't see where to disable that kind-of-SSO mechanism I'm not using.
Case number is: 01742062 (opened 3 weeks ago)
Kind Regards,
David
