Openam apache policy agent and goto normalized from https to http

Openam apache policy agent and goto normalized from https to http

Nirosan
Hi,
I'm having an issue enabling protection for https://app.abc.com/p/.
The application has both http and https enabled on Apache; the agent also resides in the same environment.
--------------------------------------------------------------------------
Sun OpenSSO Enterprise Policy Agent for:
Apache Web Server 2.2.x
--------------------------------------------------------------------------
Version: 3.0-04

Build date: Fri Jul 29 00:05:09 BST 2011

With the current setup, when I access http://app.abc.com/p/test the goto is
"goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=172089237&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:10:21Z"

When I access https://app.abc.com/p/test the goto is
"goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=2030366327&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:15:15Z"

PA logs when accessing the https url:

2017-02-20 08:49:00.102   Debug 12161:7f4fa40099e0 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Original url: https://app.abc.com:443/p/test
2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): PathInfo: /test
2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Using Full URI for policy evaluation.
2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Normalized url: http://app.abc.com:80/p/test
2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.

Why is the https url being normalized and processed? What has gone wrong in the configuration?

I have added both http://agent.cde.com.sg:80/ and https://agent.cde.com.sg:443/ in Agent Root URL for CDSSO in the OpenAM console.

Thanks.
niro


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Openam apache policy agent and goto normalized from https to http

Bernhard Thalmayr
The url is changed by the agent code, because you told the agent to do this.

You most likely used (one of) the settings

Override Request URL Protocol
Override Request URL Host
Override Request URL Port

as you might use SSL-offloading ..., hard to tell without details.

-Bernhard




--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr


Re: Openam apache policy agent and goto normalized from https to http

Nirosan
Hi Bernhard,

Yes, I'm using SSL-offloading.

This is my Load Balancer setting for the particular agent profile.

(pasted screenshot of the load balancer settings; image not included)


I tried two scenarios.
1. Listening to http only
Here, I configured the agent notification URI and agent deployment URI prefix all in http. This one works perfectly.
2. Listening to https only
Here, I configured the agent notification URI and agent deployment URI prefix all in https. This one also works.

The only problem arises when listening to both http and https.

I've been struggling with this for a long time; glad if you could help.
- Niro


Re: Openam apache policy agent and goto normalized from https to http

Bernhard Thalmayr
There is no solution with Agent version 3.x as it does not support
virtual server based agent profile.

As there is only one profile, when should the agent know that it should
override the incoming request and when not?

It has no clue at all that SSL-offloading is performed somewhere.

Say you are doing this

client (browser) --> https --> LB (FQDN)--> http --> HTTP server with Agent

Which HTTP request does the client send?

E.g.

GET / HTTP/1.0
Host: FQDN

Which request does the HTTP server provide to the Agent? (if there is no
HTTP request manipulation at the LB)

GET / HTTP/1.0
Host: FQDN

However, you want the client to end up at https://FQDN/ after successful
authentication.

--> you need to set "Override Request URL Protocol" as this will append
TARGET=https://FQDN/ to the cdcservlet url instead of TARGET=http://FQDN/


Now the other scenario

client (browser) --> http --> LB (FQDN)--> http --> HTTP server with Agent

Which HTTP request does the client send?

E.g.

GET / HTTP/1.0
Host: FQDN

Which request does the HTTP server provide to the Agent? (if there is no
HTTP request manipulation at the LB)

GET / HTTP/1.0
Host: FQDN

--> now you must not set "Override Request URL Protocol" as this will
append TARGET=https://FQDN/ to the cdcservlet url instead of
TARGET=http://FQDN/


Potentially I did not fully understand your scenario ....

The only solution with Agent 3.x:

LB (virtual server1: Port 443, SSL-endpoint) ---> http --> HTTP Server 1
with Agent

LB (virtual server2: Port 80, plain socket) --> http --> HTTP Server 2
with Agent

-Bernhard




Re: Openam apache policy agent and goto normalized from https to http

Nirosan
Hi Bernhard,

Thanks a lot for the explanations. Please correct me if I'm wrong.

1. SSL-offloaded on LB
This is the setup we have to use in the production environment.
Possible solution: have to use two agents.
  1. Use two http servers with agents 3.x
  2. Use one http server with WPA 4.x, which has support for an agent per vhost

2. Use SSL through the application server, no offloading
I tried this case in our development environment setup, but the result is the same.
I have tested with two agent profiles.
1. Agent profile configuration 1 [in this case, both http and https are being normalized as https]
com.sun.identity.agents.config.agenturi.prefix=https://app.abc.com:443/amagent
com.sun.identity.client.notification.url=https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false
agentRootURL=https://app.abc.com:443/
agentRootURL=http://app.abc.com:80/
PA Logs [accessing http://app.abc.com/p/test]
2017-02-21 15:39:40.139    Info 18002:7f6240000e00 all: dsame_check_access(): starting...
2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): hostname = app.abc.com
2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Port is 0. Set to default port 80.
2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): port = 80
2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): query =
2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test.
2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Method string is GET
2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Apache method number corresponds to GET method
2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: find_cookie(): cookie found: header [xtvrn=$566004$; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDirectoryPro=] name [dsiPlanetDirectoryPro=] val [NULL] val_len [0] next_cookie [NULL]
2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): Original url: http://app.abc.com:80/p/test
2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): PathInfo: /test
2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): Using Full URI for policy evaluation.
2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): Normalized url: https://app.abc.com:443/p/test
2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_access_allowed(): Processing url https://app.abc.com:443/p/test.
----------------
2017-02-21 15:39:40.140   Debug 18002:7f6240000e00 all: am_web_do_cookie_domain_set(): setting cookie  dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: am_web_get_url_to_redirect: goto URL is https://app.abc.com:443/p/test
2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
2017-02-21 15:39:40.141   Debug 18002:7f6240000e00 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]

PA Logs [accessing https://app.abc.com/p/test]
2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): hostname = app.abc.com
2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): port = 443
2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): query =
2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test.
2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Method string is GET
2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Apache method number corresponds to GET method
2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDirectoryPro=] name [dsiPlanetDirectoryPro=] val [NULL] val_len [0] next_cookie [NULL]
2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): Original url: https://app.abc.com:443/p/test
2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): PathInfo: /test
2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): Using Full URI for policy evaluation.
2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): Normalized url: https://app.abc.com:443/p/test
2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_access_allowed(): Processing url https://app.abc.com:443/p/test.
--------
2017-02-21 15:53:48.816   Debug 18003:7f6260009620 all: am_web_do_cookie_domain_set(): setting cookie  dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: am_web_get_url_to_redirect: goto URL is https://app.abc.com:443/p/test
2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
2017-02-21 15:53:48.817   Debug 18003:7f6260009620 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]

2. Agent profile configuration 2 [in this case, both http and https are being normalized as http]
com.sun.identity.agents.config.agenturi.prefix=http://app.abc.com:80/amagent
com.sun.identity.client.notification.url=http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false
agentRootURL=https://app.abc.com:443/
agentRootURL=http://app.abc.com:80/
PA Logs [accessing https://app.abc.com/p/test]
2017-02-21 17:55:46.613    Info 31385:bd2b80 all: dsame_check_access(): starting...
2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): hostname = app.abc.com
2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): port = 443
2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): query =
2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test.
2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Method string is GET
2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Apache method number corresponds to GET method
2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; _gat=1; dsiPlanetDirectoryPro=; _ga=GA1.2.28895626.1487239771; xtan=-; xtant=1] name [dsiPlanetDirectoryPro=; _ga=GA1.2.28895626.1487239771; xtan=-; xtant=1] val [NULL] val_len [0] next_cookie [NULL]
2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): Original url: https://app.abc.com:443/p/test
2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): PathInfo: /test
2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): Using Full URI for policy evaluation.
2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): Normalized url: http://app.abc.com:80/p/test
2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
--------
2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_get_url_to_redirect: goto URL is http://app.abc.com:80/p/test
2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
2017-02-21 17:55:46.615   Debug 31385:bd2b80 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest]
2017-02-21 17:55:46.615   Debug 31385:bd2b80 all: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest&RequestID=1084165037&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fapp.abc.com%3A80%2Famagent&IssueInstant=2017-02-21T17%3A55%3A46Z].

PA Logs [accessing http://app.abc.com/p/test]
2017-02-21 18:01:44.460    Info 31385:7f820c002cc0 all: dsame_check_access(): starting...
2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): hostname = app.abc.com
2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Port is 0. Set to default port 80.
2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): port = 80
2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): query =
2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test.
2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Method string is GET
2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Apache method number corresponds to GET method
2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; dsiPlanetDirectoryPro=; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771] name [dsiPlanetDirectoryPro=; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771] val [NULL] val_len [0] next_cookie [NULL]
2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): Original url: http://app.abc.com:80/p/test
2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): PathInfo: /test
2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): Using Full URI for policy evaluation.
2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): Normalized url: http://app.abc.com:80/p/test
2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
-----
2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: goto URL is http://app.abc.com:80/p/test
2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
2017-02-21 18:01:44.461   Debug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest]

Question: based on what is the policy agent doing the normalization? Is it based on the agent URI prefix?
Regards,
Niro
On Tue, Feb 21, 2017 at 5:33 AM Bernhard Thalmayr <[hidden email]> wrote:
There is no solution with Agent version 3.x as it does not support
virtual server based agent profile.

As there is only one profile, when should the agent know that it should
override the incoming request and when not?

It has no clue at all that SSL-offloading is performed somewhere.

Say you are doing this

client (browser) --> https --> LB (FQDN)--> http --> HTTP server with Agent

Which HTTP request does the client send?

E.g.

GET / HTTP/1.0
Host: FQDN

Which request does the HTTP server provide to the Agent? (if there is no
HTTP request manipulation at the LB)

GET / HTTP/1.0
Host: FQDN

However, you want the client to end up at https://FQDN/ after successful
authentication.

--> you need to set "Override Request URL Protocol" as this will append
TARGET=https://FQDN/ to the cdcservlet url instead of TARGET=http://FQDN/


Now the other scenario

client (browser) --> http --> LB (FQDN)--> http --> HTTP server with Agent

Which HTTP request does the client send?

E.g.

GET / HTTP/1.0
Host: FQDN

Which request does the HTTP server provide to the Agent? (if there is no
HTTP request manipulation at the LB)

GET / HTTP/1.0
Host: FQDN

--> now you must not set "Override Request URL Protocol" as this will
append TARGET=https://FQDN/ to the cdcservlet url instead of
TARGET=http://FQDN/


Potentially I did not fully understand your scenario ....

Only solution with Agent 3.x

LB (virtual server1: Port 443, SSL-endpoint) ---> http --> HTTP Server 1
with Agent

LB (virtual server2: Port 80, plain socket) --> http --> HTTP Server 2
with Agent

-Bernhard



On 20/02/17 at 11:26, Nirosan Paramanathan wrote:


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
Re: Openam apache policy agent and goto normalized from https to http

Bernhard Thalmayr
If you use 2 different 3.x agents (profiles) you don't need to mess
around with overriding.

Even the 'loadbalancer enable' is not needed ... I think I explained the
details in some JIRA.

Only the notification URL must point to the actual agent server.

                        Agent1
LB --> https -->
                        Agent2


                        Agent3
LB --> http -->
                        Agent4



2 agent groups

configure agent profiles to inherit properties from agent group (except
log level).


the agent will get the correct scheme (http vs. https) and HOST
header from the server env (e.g. Apache http server).

-Bernhard
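The scheme handling discussed in this thread, as an added example that is not part of the thread or of the agent's code: a small Python model of how the goto/TARGET URL ends up with one scheme or the other under a single profile versus the two-server layout above. It assumes, as a model only, that "Override Request URL Protocol" replaces the scheme and port the agent saw with the profile's; the hostnames, cdcservlet URL and Agent Root URLs are taken from the logs in this thread, and the roots check and downgrade flag are checks a defender would add, not agent behaviour.

```python
from urllib.parse import quote, urlsplit

# Added example, not agent code: a model of the goto/TARGET construction seen in
# the thread's logs. How the 3.x agent picks the scheme is assumed here (override
# set -> scheme/port of the profile; override off -> whatever Apache saw).

DEFAULT_PORT = {"http": 80, "https": 443}
CDCSERVLET = "https://amserver.cde.com:443/am/cdcservlet"  # as in the thread's logs
ROOTS = ["https://app.abc.com:443/", "http://app.abc.com:80/"]  # Agent Root URLs for CDSSO


def _origin(url):
    """(scheme, host, port) of a URL, defaulting the port by scheme."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORT[u.scheme])


class AgentProfile:
    """One agent profile. override_protocol models 'Override Request URL Protocol'
    set to that scheme; None means the override is off."""

    def __init__(self, name, agent_root_urls, override_protocol=None):
        self.name = name
        self.override_protocol = override_protocol
        self.roots = {_origin(u) for u in agent_root_urls}


def request_url_seen_by_agent(client_scheme, host, path, ssl_offloaded):
    """Model of get_request_url(): the agent only knows the scheme of the socket
    Apache accepted the request on; behind an SSL-offloading LB that is http."""
    scheme = "http" if ssl_offloaded else client_scheme
    return f"{scheme}://{host}:{DEFAULT_PORT[scheme]}{path}"


def normalized_url(profile, url):
    """Model of get_normalized_url(): with the override set, scheme and port come
    from the profile; otherwise the request URL is kept as seen."""
    u = urlsplit(url)
    scheme = profile.override_protocol or u.scheme
    port = DEFAULT_PORT[scheme] if profile.override_protocol else u.port
    return f"{scheme}://{u.hostname}:{port}{u.path}"


def cdsso_redirect(goto):
    """cdcservlet redirect with goto encoded the way the logs show it."""
    return f"{CDCSERVLET}?goto={quote(goto, safe='')}"


def goto_allowed_by_roots(profile, goto):
    """Server-side style check: goto must sit under a configured agent root URL."""
    return _origin(goto) in profile.roots


def evaluate(profile, client_scheme, host, path, ssl_offloaded):
    """Return (goto, allowed_by_roots, wrong_scheme, downgraded).
    wrong_scheme: goto scheme differs from what the client used (Bernhard's
    'must not set' case); downgraded: client used https but goto is http, so the
    post-login redirect, and the session cookie with it, would travel in clear."""
    seen = request_url_seen_by_agent(client_scheme, host, path, ssl_offloaded)
    goto = normalized_url(profile, seen)
    goto_scheme = urlsplit(goto).scheme
    wrong_scheme = goto_scheme != client_scheme
    downgraded = client_scheme == "https" and goto_scheme == "http"
    return goto, goto_allowed_by_roots(profile, goto), wrong_scheme, downgraded


def single_profile_results(override_protocol):
    """One profile behind an SSL-offloading LB that accepts both http and https."""
    p = AgentProfile("single", ROOTS, override_protocol)
    return {s: evaluate(p, s, "app.abc.com", "/p/test", ssl_offloaded=True)
            for s in ("http", "https")}


def two_server_results():
    """Bernhard's 3.x layout: LB vhost 443 (SSL endpoint) -> HTTP server 1 whose
    profile overrides to https; LB vhost 80 -> HTTP server 2 with a plain profile."""
    p443 = AgentProfile("server1", ROOTS, override_protocol="https")
    p80 = AgentProfile("server2", ROOTS, override_protocol=None)
    return {"https": evaluate(p443, "https", "app.abc.com", "/p/test", True),
            "http": evaluate(p80, "http", "app.abc.com", "/p/test", True)}


if __name__ == "__main__":
    for label, res in (("override off", single_profile_results(None)),
                       ("override https", single_profile_results("https")),
                       ("two servers", two_server_results())):
        for scheme, (goto, ok, wrong, down) in res.items():
            print(f"{label:14} client {scheme:5} -> {cdsso_redirect(goto)} "
                  f"roots_ok={ok} wrong_scheme={wrong} downgraded={down}")
```

With one profile, either the https visitor is sent back to http (override off) or the http visitor is sent to https (override on); only the per-vhost split gives both clients a goto in the scheme they arrived with.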

On 21/02/17 at 11:06, Nirosan Paramanathan wrote:

> Hi Bernard,
>
> Thanks a lot for the explanations. Please correct me, if I'm wrong.
>
> 1. SSL-offloaded on LB
> This is the setup, we have to use on the production environment.
> Possible solution - have to use two agents.
>   1. Use two http servers with agents 3.x
>   2. Use one http server with wpa 4.x which has the support for agent
> per vhost
>
> 2. Use ssl through application server - no offloading
> I tried this case in our development environment setup. But the result
> is same.
> I have tested with two agent profiles.
> 1. agent profile configuration 1 - [In this case, http and https is
> being normalized as https]
>
> com.sun.identity.agents.config.agenturi.prefix=https://app.abc.com:443/amagent
>
> com.sun.identity.client.notification.url=https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false
> <https://fast.stjobs.sg:443/UpdateAgentCacheServlet?shortcircuit=false>
>
> agentRootURL=https://app.abc.com:443/
>
> agentRootURL=http://app.abc.com:80/
>
> accessing http://app.abc.com/p/test <http://app.abc.com:80/p/test>
>
> *PA Logs* [accessing http://app.abc.com/p/test <https://app.abc.com/p/test>]
>
> 2017-02-21 15:39:40.139    Info 18002:7f6240000e00 all: dsame_check_access(): starting...
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): hostname = app.abc.com <http://app.abc.com>
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Port is 0. Set to default port 80.
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): port = 80
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): query =
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test. 2017-02-21
> <http://app.abc.com:80/p/test.%0A2017-02-21> 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Method string is GET
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Apache method number corresponds to GET method
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21
> <https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.%0A2017-02-21> 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21
> <https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.%0A2017-02-21> 15:39:40.139   Debug 18002:7f6240000e00 all: find_cookie(): cookie found: header [xtvrn=$566004$; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDire
> ctoryPro=] name [dsiPlanetDirectoryPro=] val [NULL] val_len [0] next_cookie [NULL]
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): *Original url: http://app.abc.com:80/p/test*
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): PathInfo: /test
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): Using Full URI for policy evaluation.
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): *Normalized url: https://app.abc.com:443/p/test*
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_access_allowed(): *Processing url https://app.abc.com:443/p/test.*
>
> ----------------
>
> 2017-02-21 15:39:40.140   Debug 18002:7f6240000e00 all: am_web_do_cookie_domain_set(): setting cookie  dsiPlanetDirectoryPro=;Domain=.stjobs.sg <http://stjobs.sg>;Path=/.
> 2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: am_web_get_url_to_redirect: *goto URL is https://app.abc.com:443/p/test*
> 2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet 2017-02-21
> <https://amserver.cde.com:443/am/cdcservlet%0A2017-02-21> 15:39:40.141   Debug 18002:7f6240000e00 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/te
> st] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]
>
> *PA Logs* [accessing https://app.abc.com/p/test]
>
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): hostname = app.abc.com <http://app.abc.com>
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): port = 443
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): query =
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test. 2017-02-21
> <https://app.abc.com:443/p/test.%0A2017-02-21> 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Method string is GET
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Apache method number corresponds to GET method
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21
> <https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.%0A2017-02-21> 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21
> <https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.%0A2017-02-21> 15:53:48.815   Debug 18003:7f6260009620 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDirectoryPro=] name [dsiPlanetDirectoryPro=] val [NU
> LL] val_len [0] next_cookie [NULL]
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): *Original url: https://app.abc.com:443/p/test*
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): PathInfo: /test
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): Using Full URI for policy evaluation.
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): *Normalized url: https://app.abc.com:443/p/test*
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_access_allowed(): *Processing url https://app.abc.com:443/p/test.*
>
> --------
>
> 2017-02-21 15:53:48.816   Debug 18003:7f6260009620 all: am_web_do_cookie_domain_set(): setting cookie  dsiPlanetDirectoryPro=;Domain=.stjobs.sg <http://stjobs.sg>;Path=/.
> 2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: am_web_get_url_to_redirect: *goto URL is https://app.abc.com:443/p/test*
> 2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet 2017-02-21
> <https://amserver.cde.com:443/am/cdcservlet%0A2017-02-21> 15:53:48.817   Debug 18003:7f6260009620 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]
>
> 2. agent profile configurations 2 - [In this case, http and https is being normalized as http]
>
> com.sun.identity.agents.config.agenturi.prefix=http://app.abc.com:80/amagent <https://app.abc.com/amagent>
>
> com.sun.identity.client.notification.url=http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false
> <https://fast.stjobs.sg/UpdateAgentCacheServlet?shortcircuit=false>
>
> agentRootURL=https://app.abc.com:443/ <https://app.abc.com/>
>
> agentRootURL=http://app.abc.com:80/ <http://app.abc.com/>
>
> *PA Logs* [accessing https://app.abc.com/p/test]
>
> 2017-02-21 17:55:46.613    Info 31385:bd2b80 all: dsame_check_access(): starting...
> 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): hostname = app.abc.com <http://app.abc.com>
> 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): port = 443
> 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): query =
> 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test. 2017-02-21
> <https://app.abc.com:443/p/test.%0A2017-02-21> 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Method string is GET
> 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Apache method number corresponds to GET method
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCa cheServlet?shortcircuit=false.
> 2017-02-21
> <http://app.abc.com:80/UpdateAgentCa%0AcheServlet?shortcircuit=false.%0A2017-02-21> 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCa cheServlet?shortcircuit=false.
> 2017-02-21
> <http://app.abc.com:80/UpdateAgentCa%0AcheServlet?shortcircuit=false.%0A2017-02-21> 17:55:46.614   Debug 31385:bd2b80 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473
> bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; _gat=1; dsiPlanetDirectoryPro=; _ga=GA1.2.28895626.1487239771; xtan=-; xtant=1] name [dsiPlanetDirectoryPro=; _ga=G
> A1.2.28895626.1487239771; xtan=-; xtant=1] val [NULL] val_len [0] next_cookie [NULL]
> 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): *Original url: https://app.abc.com:443/p/test*
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): PathInfo: /test
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): Using Full URI for policy evaluation.
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): *Normalized url: http://app.abc.com:80/p/test*
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_access_allowed(): *Processing url http://app.abc.com:80/p/test.*
>
> --------
>
> 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_do_cookie_domain_set(): setting cookie  dsiPlanetDirectoryPro=;Domain=.stjobs.sg <http://stjobs.sg>;Path=/.
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_get_url_to_redirect: *goto URL is http://app.abc.com:80/p/test*
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet 2017-02-21
> <https://amserver.cde.com:443/am/cdcservlet%0A2017-02-21> 17:55:46.615   Debug 31385:bd2b80 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test] [htt
> ps://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest
> <http://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest>]
> 2017-02-21 17:55:46.615   Debug 31385:bd2b80 all: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [https://amserver.cde.com:443/am/cdcservle
> t?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest&RequestID=1084165037&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fapp.abc.com%3A80%2Famagent&IssueInstant=2
> 017-02-21T17%3A55%3A46Z
> <https://amserver.cde.com:443/am/cdcservle%0At?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest&RequestID=1084165037&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fapp.abc.com%3A80%2Famagent&IssueInstant=2%0A017-02-21T17%3A55%3A46Z>].
>
>
> *PA Logs* [accessing http://app.abc.com/p/test <https://app.abc.com/p/test>]
>
> 2017-02-21 18:01:44.460    Info 31385:7f820c002cc0 all: dsame_check_access(): starting...
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): hostname = app.abc.com <http://app.abc.com>
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Port is 0. Set to default port 80.
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): port = 80
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): query =
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test. 2017-02-21
> <http://app.abc.com:80/p/test.%0A2017-02-21> 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Method string is GET
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Apache method number corresponds to GET method
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateA gentCacheServlet?shortcircuit=false.
> 2017-02-21
> <http://app.abc.com:80/UpdateA%0AgentCacheServlet?shortcircuit=false.%0A2017-02-21> 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateA gentCacheServlet?shortcircuit=false.
> 2017-02-21
> <http://app.abc.com:80/UpdateA%0AgentCacheServlet?shortcircuit=false.%0A2017-02-21> 18:01:44.460   Debug 31385:7f820c002cc0 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b
> 8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; dsiPlanetDirectoryPro=; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771] name [dsiPlanetDirectoryPro=; xtan=-;
>  xtant=1; _ga=GA1.2.28895626.1487239771] val [NULL] val_len [0] next_cookie [NULL]
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): *Original url: http://app.abc.com:80/p/test*
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): PathInfo: /test
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): Using Full URI for policy evaluation.
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): *Normalized url: http://app.abc.com:80/p/test*
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
>
> -----
>
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_do_cookie_domain_set(): setting cookie  dsiPlanetDirectoryPro=;Domain=.stjobs.sg <http://stjobs.sg>;Path=/.
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: *goto URL is http://app.abc.com:80/p/test*
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet 2017-02-21
> <https://amserver.cde.com:443/am/cdcservlet%0A2017-02-21> 18:01:44.461   Debug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test
> ] [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest]
>
>
> Question: Based on which policy agent is doing the normalization. Is it based on the agent prefix uri?
>
> Regards,
>
> Niro
>
> On Tue, Feb 21, 2017 at 5:33 AM Bernhard Thalmayr
> <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     There is no solution with Agent version 3.x as it does not support
>     virtual server based agent profile.
>
>     As there is only one profile, when should the agent know that it should
>     override the incoming request and when not?
>
>     It has no clue at all that SSL-offloading is perform somewhere.
>
>     Say you are doing this
>
>     client (browser) --> https --> LB (FQDN)--> http --> HTTP server
>     with Agent
>
>     Which HTTP request does the client send?
>
>     E.g.
>
>     GET / HTTP/1.0
>     Host: FQDN
>
>     Which request does the HTTP server provide to the Agent? (if there is no
>     HTTP request manipulation at the LB)
>
>     GET / HTTP/1.0
>     Host: FQDN
>
>     However, you want the client to end up at https://FQDN/ after sucessful
>     authentication.
>
>     --> you need to set "Override Request URL Protocol" as this will append
>     TARGET=https://FQDN/ to the cdcservlet url instead of
>     TARGET=http://FQDN/
>
>
>     Now the other scenario
>
>     client (browser) --> http --> LB (FQDN)--> http --> HTTP server with
>     Agent
>
>     Which HTTP request does the client send?
>
>     E.g.
>
>     GET / HTTP/1.0
>     Host: FQDN
>
>     Which request does the HTTP server provide to the Agent? (if there is no
>     HTTP request manipulation at the LB)
>
>     GET / HTTP/1.0
>     Host: FQDN
>
>     --> now you must not set "Override Request URL Protocol" as this will
>     append TARGET=https://FQDN/ to the cdcservlet url instead of
>     TARGET=http://FQDN/
>
>
>     Potentially I did not fully understand your scenario ....
>
>     Only solution with Agent 3.x
>
>     LB (virtual server1: Port 443, SSL-endpoint) ---> http --> HTTP Server 1
>     with Agent
>
>     LB (virtual server2: Port 80, plain socket) --> http --> HTTP Server 2
>     with Agent
>
>     -Bernhard
>
>
>
>     Am 20/02/17 um 11:26 schrieb Nirosan Paramanathan:
>     > Hi Bernard,
>     >
>     > Yes, I'm using SSL-off loading.
>     >
>     > This is my Load Balancer setting for the particular agent profile.
>     >
>     > pasted1
>     >
>     >
>     > I tried two scenarios.
>     > 1. Listening to http only
>     > Here, I configured agent notification uri & agent deployment uri
>     prefix
>     > all in http. This one works perfectly.
>     > 2. Listening to https only
>     > Here, I configured agent notification uri & agent deployment uri
>     prefix
>     > all in https. This one also works.
>     >
>     > Only problem arises, when listening to both http and https.
>     >
>     > Struggling in this for long time, glad if you could help.
>     > - Niro
>     >
>     > On Mon, Feb 20, 2017 at 6:07 PM Bernhard Thalmayr
>     > <[hidden email]
>     <mailto:[hidden email]>
>     > <mailto:[hidden email]
>     <mailto:[hidden email]>>> wrote:
>     >
>     >     The url is changed by the agent code, because you told the
>     agent to
>     >     do this.
>     >
>     >     You most likely used (one of) the settings
>     >
>     >     Override Request URL Protocol
>     >     Override Request URL Host
>     >     Override Request URL Port
>     >
>     >     as you might use SSL-offloading ..., hard to tell without details.
>     >
>     >     -Bernhard
>     >
>     >
>     >     Am 20/02/17 um 02:29 schrieb Nirosan Paramanathan:
>     >     > Hi,
>     >     > I'm having issue enabling protection for https://app.abc.com/p/.
>     >     > Application have both http and https enabled on apache,
>     agent also
>     >     > resides in the same environment.
>     >     >
>     >  
>      --------------------------------------------------------------------------
>     >     > Sun OpenSSO Enterprise Policy Agent for:
>     >     > Apache Web Server 2.2.x
>     >     >
>     >  
>      --------------------------------------------------------------------------
>     >     > Version: 3.0-04
>     >     >
>     >     > Build date: Fri Jul 29 00:05:09 BST 2011
>     >     > Build platform: constable.internal.forgerock.com
>     <http://constable.internal.forgerock.com>
>     >     <http://constable.internal.forgerock.com>
>     >     > <http://constable.internal.forgerock.com>
>     >     >
>     >     > With the current setup.
>     >     > When I access http://app.abc.com/p/test goto is
>     >     >
>     >  
>      "goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=172089237&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:10:21Z"
>     >     >
>     >     > When I access https://app.abc.com/p/test goto is
>     >     >
>     >  
>      "goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=2030366327&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:15:15Z"
>     >     >
>     >     > PA logs when accessing https url.
>     >     >
>     >     > 2017-02-20 08:49:00.102   Debug 12161:7f4fa40099e0 all:
>     >     > am_web_set_host_ip_in_env_map(): map_insert:
>     client_ip=172.19.212.6
>     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all:
>     >     > get_normalized_url(): Original url:
>     https://app.abc.com:443/p/test
>     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all:
>     >     > get_normalized_url(): PathInfo: /test
>     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all:
>     >     > get_normalized_url(): Using Full URI for policy evaluation.
>     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all:
>     >     > get_normalized_url(): Normalized url:
>     http://app.abc.com:80/p/test
>     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all:
>     >     > am_web_is_access_allowed(): Processing url
>     >     http://app.abc.com:80/p/test.
>     >     >
>     >     > why the https url is being normalized and processed ? What gone
>     >     wrong in
>     >     > the configurations?
>     >     >
>     >     > I have added both  http://agent.cde.com.sg:80/
>     >     > <http://agent.cde.com.sg/> and https://agent.cde.com.sg:443/
>     >     > <https://agent.cde.com.sg/>  in Agent Root URL for CDSSO in
>     openam
>     >     console.
>     >     >
>     >     > Thanks.
>     >     > niro
>     >     >
>     >     >
>     >     >


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Openam apache policy agent and goto normalized from https to http

Nirosan
Hi Bernard,

If you use 2 different 3.x agents (profiles) you don't need to mess
around with overriding.
>>> This means, I need to use 2 different Apache http server instances also, since 3.x doesn't support agent per vhost.

Only the notification URL must point to the actual agent server.
>>> Agent normalizes the Original URL, looking at the protocol (http or https) in the notification URL?

                        Agent1
LB --> https -->
                        Agent2


                        Agent3
LB --> http -->
                        Agent4

>>> I didn't quite get this diagram, need two agents for https & two agents for http?

2 agent groups
>>> I have never tried agent grouping. why do we need 2 agent groups?
configure agent profiles to inherit properties from agent group (except log level).


the agent will get the correct scheme (http vs. https) and HOST header from the server env (e.g. Apache http server).

-
Niro

On Tue, Feb 21, 2017 at 10:20 PM Bernhard Thalmayr <[hidden email]> wrote:
If you use 2 different 3.x agents (profiles) you don't need to mess
around with overriding.

Even the 'loadbalancer enable' is not needed ... I think I explained the
details in some JIRA.

Only the notification URL must point to the actual agent server.

                        Agent1
LB --> https -->
                        Agent2


                        Agent3
LB --> http -->
                        Agent4



2 agent groups

configure agent profiles to inherit properties from agent group (except log level).


the agent will get the correct scheme (http vs. https) and HOST header from the server env (e.g. Apache http server).

-Bernhard

On 21/02/17 at 11:06 Nirosan Paramanathan wrote:
> Hi Bernard,
>
> Thanks a lot for the explanations. Please correct me, if I'm wrong.
>
> 1. SSL-offloaded on LB
> This is the setup, we have to use on the production environment.
> Possible solution - have to use two agents.
>   1. Use two http servers with agents 3.x
>   2. Use one http server with wpa 4.x which has the support for agent
> per vhost
>
> 2. Use ssl through application server - no offloading
> I tried this case in our development environment setup. But the result
> is same.
> I have tested with two agent profiles.
> 1. agent profile configuration 1 - [In this case, http and https are being normalized as https]
>
> com.sun.identity.agents.config.agenturi.prefix=https://app.abc.com:443/amagent
>
> com.sun.identity.client.notification.url=https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false
>
> agentRootURL=https://app.abc.com:443/
>
> agentRootURL=http://app.abc.com:80/
>
> accessing http://app.abc.com/p/test
>
> *PA Logs* [accessing http://app.abc.com/p/test]
>
> 2017-02-21 15:39:40.139    Info 18002:7f6240000e00 all: dsame_check_access(): starting...
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): hostname = app.abc.com
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Port is 0. Set to default port 80.
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): port = 80
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): query =
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test.
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Method string is GET
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Apache method number corresponds to GET method
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: find_cookie(): cookie found: header [xtvrn=$566004$; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDirectoryPro=] name [dsiPlanetDirectoryPro=] val [NULL] val_len [0] next_cookie [NULL]
> 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): *Original url: http://app.abc.com:80/p/test*
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): PathInfo: /test
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): Using Full URI for policy evaluation.
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): *Normalized url: https://app.abc.com:443/p/test*
> 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_access_allowed(): *Processing url https://app.abc.com:443/p/test.*
>
> ----------------
>
> 2017-02-21 15:39:40.140   Debug 18002:7f6240000e00 all: am_web_do_cookie_domain_set(): setting cookie  dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
> 2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: am_web_get_url_to_redirect: *goto URL is https://app.abc.com:443/p/test*
> 2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
> 2017-02-21 15:39:40.141   Debug 18002:7f6240000e00 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]
>
> *PA Logs* [accessing https://app.abc.com/p/test]
>
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): hostname = app.abc.com
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): port = 443
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): query =
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test.
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Method string is GET
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Apache method number corresponds to GET method
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDirectoryPro=] name [dsiPlanetDirectoryPro=] val [NULL] val_len [0] next_cookie [NULL]
> 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): *Original url: https://app.abc.com:443/p/test*
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): PathInfo: /test
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): Using Full URI for policy evaluation.
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): *Normalized url: https://app.abc.com:443/p/test*
> 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_access_allowed(): *Processing url https://app.abc.com:443/p/test.*
>
> --------
>
> 2017-02-21 15:53:48.816   Debug 18003:7f6260009620 all: am_web_do_cookie_domain_set(): setting cookie  dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
> 2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: am_web_get_url_to_redirect: *goto URL is https://app.abc.com:443/p/test*
> 2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
> 2017-02-21 15:53:48.817   Debug 18003:7f6260009620 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]
>
> 2. agent profile configuration 2 - [In this case, http and https are being normalized as http]
>
> com.sun.identity.agents.config.agenturi.prefix=http://app.abc.com:80/amagent
>
> com.sun.identity.client.notification.url=http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false
>
> agentRootURL=https://app.abc.com:443/
>
> agentRootURL=http://app.abc.com:80/
>
> *PA Logs* [accessing https://app.abc.com/p/test]
>
> 2017-02-21 17:55:46.613    Info 31385:bd2b80 all: dsame_check_access(): starting...
> 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): hostname = app.abc.com
> 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): port = 443
> 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): query =
> 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test.
> 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Method string is GET
> 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Apache method number corresponds to GET method
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; _gat=1; dsiPlanetDirectoryPro=; _ga=GA1.2.28895626.1487239771; xtan=-; xtant=1] name [dsiPlanetDirectoryPro=; _ga=GA1.2.28895626.1487239771; xtan=-; xtant=1] val [NULL] val_len [0] next_cookie [NULL]
> 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): *Original url: https://app.abc.com:443/p/test*
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): PathInfo: /test
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): Using Full URI for policy evaluation.
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): *Normalized url: http://app.abc.com:80/p/test*
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_access_allowed(): *Processing url http://app.abc.com:80/p/test.*
>
> --------
>
> 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_do_cookie_domain_set(): setting cookie  dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_get_url_to_redirect: *goto URL is http://app.abc.com:80/p/test*
> 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
> 2017-02-21 17:55:46.615   Debug 31385:bd2b80 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest]
> 2017-02-21 17:55:46.615   Debug 31385:bd2b80 all: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest&RequestID=1084165037&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fapp.abc.com%3A80%2Famagent&IssueInstant=2017-02-21T17%3A55%3A46Z].
>
>
> *PA Logs* [accessing http://app.abc.com/p/test]
>
> 2017-02-21 18:01:44.460    Info 31385:7f820c002cc0 all: dsame_check_access(): starting...
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): hostname = app.abc.com
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Port is 0. Set to default port 80.
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): port = 80
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): query =
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test.
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Method string is GET
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Apache method number corresponds to GET method
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; dsiPlanetDirectoryPro=; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771] name [dsiPlanetDirectoryPro=; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771] val [NULL] val_len [0] next_cookie [NULL]
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): *Original url: http://app.abc.com:80/p/test*
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): PathInfo: /test
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): Using Full URI for policy evaluation.
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): *Normalized url: http://app.abc.com:80/p/test*
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
>
> -----
>
> 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_do_cookie_domain_set(): setting cookie  dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: *goto URL is http://app.abc.com:80/p/test*
> 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
> 2017-02-21 18:01:44.461   Debug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest]
>
>
> Question: Based on what is the policy agent doing the normalization? Is it based on the agent prefix URI?
>
> Regards,
>
> Niro
>
> On Tue, Feb 21, 2017 at 5:33 AM Bernhard Thalmayr <[hidden email]> wrote:
>
>     There is no solution with Agent version 3.x as it does not support
>     virtual server based agent profile.
>
>     As there is only one profile, when should the agent know that it should
>     override the incoming request and when not?
>
>     It has no clue at all that SSL-offloading is performed somewhere.
>
>     Say you are doing this
>
>     client (browser) --> https --> LB (FQDN)--> http --> HTTP server with Agent
>
>     Which HTTP request does the client send?
>
>     E.g.
>
>     GET / HTTP/1.0
>     Host: FQDN
>
>     Which request does the HTTP server provide to the Agent? (if there is no
>     HTTP request manipulation at the LB)
>
>     GET / HTTP/1.0
>     Host: FQDN
>
>     However, you want the client to end up at https://FQDN/ after successful
>     authentication.
>
>     --> you need to set "Override Request URL Protocol" as this will append
>     TARGET=https://FQDN/ to the cdcservlet url instead of
>     TARGET=http://FQDN/
>
>
>     Now the other scenario
>
>     client (browser) --> http --> LB (FQDN)--> http --> HTTP server with Agent
>
>     Which HTTP request does the client send?
>
>     E.g.
>
>     GET / HTTP/1.0
>     Host: FQDN
>
>     Which request does the HTTP server provide to the Agent? (if there is no
>     HTTP request manipulation at the LB)
>
>     GET / HTTP/1.0
>     Host: FQDN
>
>     --> now you must not set "Override Request URL Protocol" as this will
>     append TARGET=https://FQDN/ to the cdcservlet url instead of
>     TARGET=http://FQDN/
>
>
>     Potentially I did not fully understand your scenario ....
>
>     Only solution with Agent 3.x
>
>     LB (virtual server1: Port 443, SSL-endpoint) ---> http --> HTTP Server 1 with Agent
>
>     LB (virtual server2: Port 80, plain socket) --> http --> HTTP Server 2 with Agent
>
>     -Bernhard
>
>
>
>     On 20/02/17 at 11:26 Nirosan Paramanathan wrote:
>     > Hi Bernard,
>     >
>     > Yes, I'm using SSL-off loading.
>     >
>     > This is my Load Balancer setting for the particular agent profile.
>     >
>     > [pasted1: inline image of the load balancer setting, not included]
>     >
>     >
>     > I tried two scenarios.
>     > 1. Listening to http only
>     > Here, I configured agent notification uri & agent deployment uri
>     prefix
>     > all in http. This one works perfectly.
>     > 2. Listening to https only
>     > Here, I configured agent notification uri & agent deployment uri
>     prefix
>     > all in https. This one also works.
>     >
>     > Only problem arises, when listening to both http and https.
>     >
>     > Struggling in this for long time, glad if you could help.
>     > - Niro
>     >
>     > On Mon, Feb 20, 2017 at 6:07 PM Bernhard Thalmayr <[hidden email]> wrote:
>     >
>     >     The url is changed by the agent code, because you told the agent to do this.
>     >
>     >     You most likely used (one of) the settings
>     >
>     >     Override Request URL Protocol
>     >     Override Request URL Host
>     >     Override Request URL Port
>     >
>     >     as you might use SSL-offloading ..., hard to tell without details.
>     >
>     >     -Bernhard
>     >
>     >
>     >     On 20/02/17 at 02:29 Nirosan Paramanathan wrote:
>     >     > Hi,
>     >     > I'm having issue enabling protection for https://app.abc.com/p/.
>     >     > Application has both http and https enabled on apache, agent also resides in the same environment.
>     >     > --------------------------------------------------------------------------
>     >     > Sun OpenSSO Enterprise Policy Agent for:
>     >     > Apache Web Server 2.2.x
>     >     > --------------------------------------------------------------------------
>     >     > Version: 3.0-04
>     >     >
>     >     > Build date: Fri Jul 29 00:05:09 BST 2011
>     >     > Build platform: constable.internal.forgerock.com
>     >     >
>     >     > With the current setup.
>     >     > When I access http://app.abc.com/p/test goto is
>     >     > "goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=172089237&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:10:21Z"
>     >     >
>     >     > When I access https://app.abc.com/p/test goto is
>     >     > "goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=2030366327&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:15:15Z"
>     >     >
>     >     > PA logs when accessing https url.
>     >     >
>     >     > 2017-02-20 08:49:00.102   Debug 12161:7f4fa40099e0 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Original url: https://app.abc.com:443/p/test
>     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): PathInfo: /test
>     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Using Full URI for policy evaluation.
>     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Normalized url: http://app.abc.com:80/p/test
>     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
>     >     >
>     >     > Why is the https url being normalized and processed? What has gone wrong in the configurations?
>     >     >
>     >     > I have added both http://agent.cde.com.sg:80/ and https://agent.cde.com.sg:443/ in Agent Root URL for CDSSO in the OpenAM console.
>     >     >
>     >     > Thanks.
>     >     > niro
>     >     >
>     >     >
>     >     >



_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Openam apache policy agent and goto normalized from https to http

Bernhard Thalmayr
On 22/02/17 at 02:02, Nirosan Paramanathan wrote:
> Hi Bernard,
>
> If you use 2 different 3.x agents (profiles) you don't need to mess
> around with overriding.
>>>> This means, I need to use 2 different Apache http server instances
> also, since 3.x doesn't support agent per vhost.

BT> Yes, see the 'clumsy' diagram below

>
> Only the notification URL must point to the actual agent server.
>>>> Agent normalizes the Original URL, looking at the protocol (http or
> https) in the notification URL ?

BT> If agents are run in notification mode (that's the default) OpenAM
will send out a notification to the registered notification URL. This
URL must not point to the LB but to the actual server housing the agent,
otherwise only one Agent's caches are cleaned up (the LB does not
multiply the request, it just selects one 'realserver' to handle it).


>
>                         Agent1
> LB --> https -->
>                         Agent2
>
>
>                         Agent3
> LB --> http -->
>                         Agent4
>
>>>> I didn't quite get this diagram, need two agents for https & two
> agents for http?


BT> Yes, otherwise a loadbalancer would not make sense. I refused to
send out an image to an alias. You may contact me privately for further
details.

>
> 2 agent groups
>>>> I have never tried agent grouping. why do we need 2 agent groups?

BT> You could also use just one agent group. For additional flexibility
you may group the agents "serving" the same "virtual server" on the LB

> configure agent profiles to inherit properties from agent group (except
> log level).
>
>
> the agent will get the correct scheme (http vs. https) and HOST
> header from the server env (e.g. Apache http server).
>
> -
> Niro
>
> On Tue, Feb 21, 2017 at 10:20 PM Bernhard Thalmayr <[hidden email]> wrote:
>
>     If you use 2 different 3.x agents (profiles) you don't need to mess
>     around with overriding.
>
>     Even the 'loadbalancer enable' is not needed ... I think I explained the
>     details in some JIRA.
>
>     Only the notification URL must point to the actual agent server.
>
>                             Agent1
>     LB --> https -->
>                             Agent2
>
>
>                             Agent3
>     LB --> http -->
>                             Agent4
>
>
>
>     2 agent groups
>
>     configure agent profiles to inherit properties from agent group (except
>     log level).
>
>
>     the agent will get the correct scheme (http vs. https) and HOST
>     header from the server env (e.g. Apache http server).
>
>     -Bernhard
>
>     On 21/02/17 at 11:06, Nirosan Paramanathan wrote:
>     > Hi Bernard,
>     >
>     > Thanks a lot for the explanations. Please correct me, if I'm wrong.
>     >
>     > 1. SSL-offloaded on LB
>     > This is the setup, we have to use on the production environment.
>     > Possible solution - have to use two agents.
>     >   1. Use two http servers with agents 3.x
>     >   2. Use one http server with wpa 4.x which has the support for agent
>     > per vhost
>     >
>     > 2. Use ssl through application server - no offloading
>     > I tried this case in our development environment setup. But the result
>     > is same.
>     > I have tested with two agent profiles.
>     > 1. agent profile configuration 1 - [In this case, http and https is
>     > being normalized as https]
>     >
>     > com.sun.identity.agents.config.agenturi.prefix=https://app.abc.com:443/amagent
>     > com.sun.identity.client.notification.url=https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false
>     >
>     > agentRootURL=https://app.abc.com:443/
>     >
>     > agentRootURL=http://app.abc.com:80/
>     >
>     > accessing http://app.abc.com/p/test
>     >
>     > *PA Logs* [accessing http://app.abc.com/p/test]
>     >
>     > 2017-02-21 15:39:40.139    Info 18002:7f6240000e00 all: dsame_check_access(): starting...
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): hostname = app.abc.com
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Port is 0. Set to default port 80.
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): port = 80
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): query =
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test.
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Method string is GET
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Apache method number corresponds to GET method
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: find_cookie(): cookie found: header [xtvrn=$566004$; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDirectoryPro=] name [dsiPlanetDirectoryPro=] val [NULL] val_len [0] next_cookie [NULL]
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): *Original url: http://app.abc.com:80/p/test*
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): PathInfo: /test
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): Using Full URI for policy evaluation.
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): *Normalized url: https://app.abc.com:443/p/test*
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_access_allowed(): *Processing url https://app.abc.com:443/p/test.*
>     >
>     > ----------------
>     >
>     > 2017-02-21 15:39:40.140   Debug 18002:7f6240000e00 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     > 2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: am_web_get_url_to_redirect: *goto URL is https://app.abc.com:443/p/test*
>     > 2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     > 2017-02-21 15:39:40.141   Debug 18002:7f6240000e00 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]
>     >
>     > *PA Logs* [accessing https://app.abc.com/p/test]
>     >
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): hostname = app.abc.com
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): port = 443
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): query =
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test.
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Method string is GET
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Apache method number corresponds to GET method
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDirectoryPro=] name [dsiPlanetDirectoryPro=] val [NULL] val_len [0] next_cookie [NULL]
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): *Original url: https://app.abc.com:443/p/test*
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): PathInfo: /test
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): Using Full URI for policy evaluation.
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): *Normalized url: https://app.abc.com:443/p/test*
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_access_allowed(): *Processing url https://app.abc.com:443/p/test.*
>     >
>     > --------
>     >
>     > 2017-02-21 15:53:48.816   Debug 18003:7f6260009620 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     > 2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: am_web_get_url_to_redirect: *goto URL is https://app.abc.com:443/p/test*
>     > 2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     > 2017-02-21 15:53:48.817   Debug 18003:7f6260009620 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]
>     >
>     > 2. agent profile configurations 2 - [In this case, http and https is being normalized as http]
>     >
>     > com.sun.identity.agents.config.agenturi.prefix=http://app.abc.com:80/amagent
>     > com.sun.identity.client.notification.url=http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false
>     >
>     > agentRootURL=https://app.abc.com:443/
>     >
>     > agentRootURL=http://app.abc.com:80/
>     >
>     > *PA Logs* [accessing https://app.abc.com/p/test]
>     >
>     > 2017-02-21 17:55:46.613    Info 31385:bd2b80 all: dsame_check_access(): starting...
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): hostname = app.abc.com
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): port = 443
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): query =
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test.
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Method string is GET
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Apache method number corresponds to GET method
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; _gat=1; dsiPlanetDirectoryPro=; _ga=GA1.2.28895626.1487239771; xtan=-; xtant=1] name [dsiPlanetDirectoryPro=; _ga=GA1.2.28895626.1487239771; xtan=-; xtant=1] val [NULL] val_len [0] next_cookie [NULL]
>     > 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): *Original url: https://app.abc.com:443/p/test*
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): PathInfo: /test
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): Using Full URI for policy evaluation.
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): *Normalized url: http://app.abc.com:80/p/test*
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_access_allowed(): *Processing url http://app.abc.com:80/p/test.*
>     >
>     > --------
>     >
>     > 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_get_url_to_redirect: *goto URL is http://app.abc.com:80/p/test*
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     > 2017-02-21 17:55:46.615   Debug 31385:bd2b80 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest]
>     > 2017-02-21 17:55:46.615   Debug 31385:bd2b80 all: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest&RequestID=1084165037&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fapp.abc.com%3A80%2Famagent&IssueInstant=2017-02-21T17%3A55%3A46Z].
>     >
>     >
>     > *PA Logs* [accessing http://app.abc.com/p/test]
>     >
>     > 2017-02-21 18:01:44.460    Info 31385:7f820c002cc0 all: dsame_check_access(): starting...
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): hostname = app.abc.com
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Port is 0. Set to default port 80.
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): port = 80
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): query =
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test.
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Method string is GET
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Apache method number corresponds to GET method
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; dsiPlanetDirectoryPro=; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771] name [dsiPlanetDirectoryPro=; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771] val [NULL] val_len [0] next_cookie [NULL]
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): *Original url: http://app.abc.com:80/p/test*
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): PathInfo: /test
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): Using Full URI for policy evaluation.
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): *Normalized url: http://app.abc.com:80/p/test*
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
>     >
>     > -----
>     >
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: *goto URL is http://app.abc.com:80/p/test*
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     > 2017-02-21 18:01:44.461   Debug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest]
>     >
>     >
>     > Question: Based on what is the policy agent doing the normalization? Is it based on the agent prefix uri?
>     >
>     > Regards,
>     >
>     > Niro
>     >
>     > On Tue, Feb 21, 2017 at 5:33 AM Bernhard Thalmayr <[hidden email]> wrote:
>     >
>     >     There is no solution with Agent version 3.x as it does not support
>     >     virtual server based agent profile.
>     >
>     >     As there is only one profile, when should the agent know that it should
>     >     override the incoming request and when not?
>     >
>     >     It has no clue at all that SSL-offloading is performed somewhere.
>     >
>     >     Say you are doing this
>     >
>     >     client (browser) --> https --> LB (FQDN)--> http --> HTTP server
>     >     with Agent
>     >
>     >     Which HTTP request does the client send?
>     >
>     >     E.g.
>     >
>     >     GET / HTTP/1.0
>     >     Host: FQDN
>     >
>     >     Which request does the HTTP server provide to the Agent? (if there is no
>     >     HTTP request manipulation at the LB)
>     >
>     >     GET / HTTP/1.0
>     >     Host: FQDN
>     >
>     >     However, you want the client to end up at https://FQDN/ after successful
>     >     authentication.
>     >
>     >     --> you need to set "Override Request URL Protocol" as this will append
>     >     TARGET=https://FQDN/ to the cdcservlet url instead of
>     >     TARGET=http://FQDN/
>     >
>     >
>     >     Now the other scenario
>     >
>     >     client (browser) --> http --> LB (FQDN)--> http --> HTTP server with
>     >     Agent
>     >
>     >     Which HTTP request does the client send?
>     >
>     >     E.g.
>     >
>     >     GET / HTTP/1.0
>     >     Host: FQDN
>     >
>     >     Which request does the HTTP server provide to the Agent? (if there is no
>     >     HTTP request manipulation at the LB)
>     >
>     >     GET / HTTP/1.0
>     >     Host: FQDN
>     >
>     >     --> now you must not set "Override Request URL Protocol" as this will
>     >     append TARGET=https://FQDN/ to the cdcservlet url instead of
>     >     TARGET=http://FQDN/
>     >
>     >
>     >     Potentially I did not fully understand your scenario ....
>     >
>     >     Only solution with Agent 3.x
>     >
>     >     LB (virtual server1: Port 443, SSL-endpoint) ---> http --> HTTP Server 1
>     >     with Agent
>     >
>     >     LB (virtual server2: Port 80, plain socket) --> http --> HTTP Server 2
>     >     with Agent
>     >
>     >     -Bernhard
>     >
>     >
>     >
>     >     On 20/02/17 at 11:26, Nirosan Paramanathan wrote:
>     >     > Hi Bernard,
>     >     >
>     >     > Yes, I'm using SSL-off loading.
>     >     >
>     >     > This is my Load Balancer setting for the particular agent profile.
>     >     >
>     >     > [pasted image: Load Balancer settings for the agent profile]
>     >     >
>     >     >
>     >     > I tried two scenarios.
>     >     > 1. Listening to http only
>     >     > Here, I configured agent notification uri & agent deployment uri prefix
>     >     > all in http. This one works perfectly.
>     >     > 2. Listening to https only
>     >     > Here, I configured agent notification uri & agent deployment uri prefix
>     >     > all in https. This one also works.
>     >     >
>     >     > Only problem arises, when listening to both http and https.
>     >     >
>     >     > Struggling in this for long time, glad if you could help.
>     >     > - Niro
>     >     >
>     >     > On Mon, Feb 20, 2017 at 6:07 PM Bernhard Thalmayr <[hidden email]> wrote:
>     >     >
>     >     >     The url is changed by the agent code, because you told the agent to
>     >     >     do this.
>     >     >
>     >     >     You most likely used (one of) the settings
>     >     >
>     >     >     Override Request URL Protocol
>     >     >     Override Request URL Host
>     >     >     Override Request URL Port
>     >     >
>     >     >     as you might use SSL-offloading ..., hard to tell without details.
>     >     >
>     >     >     -Bernhard
>     >     >
>     >     >
>     >     >     On 20/02/17 at 02:29, Nirosan Paramanathan wrote:
>     >     >     > Hi,
>     >     >     > I'm having issue enabling protection for https://app.abc.com/p/.
>     >     >     > Application has both http and https enabled on apache, agent also
>     >     >     > resides in the same environment.
>     >     >     >
>     >     >     > --------------------------------------------------------------------------
>     >     >     > Sun OpenSSO Enterprise Policy Agent for:
>     >     >     > Apache Web Server 2.2.x
>     >     >     > --------------------------------------------------------------------------
>     >     >     > Version: 3.0-04
>     >     >     >
>     >     >     > Build date: Fri Jul 29 00:05:09 BST 2011
>     >     >     > Build platform: constable.internal.forgerock.com
>     >     >     >
>     >     >     > With the current setup.
>     >     >     > When I access http://app.abc.com/p/test goto is
>     >     >     >
>     >     >     > "goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=172089237&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:10:21Z"
>     >     >     >
>     >     >     > When I access https://app.abc.com/p/test goto is
>     >     >     >
>     >     >     > "goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=2030366327&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:15:15Z"
>     >     >     >
>     >     >     > PA logs when accessing https url.
>     >     >     >
>     >     >     > 2017-02-20 08:49:00.102   Debug 12161:7f4fa40099e0 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Original url: https://app.abc.com:443/p/test
>     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): PathInfo: /test
>     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Using Full URI for policy evaluation.
>     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Normalized url: http://app.abc.com:80/p/test
>     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
>     >     >     >
>     >     >     > Why is the https url being normalized and processed? What went wrong in the configurations?
>     >     >     >
>     >     >     > I have added both http://agent.cde.com.sg:80/ and https://agent.cde.com.sg:443/ in Agent Root URL for CDSSO in openam console.
>     >     >     >
>     >     >     > Thanks.
>     >     >     > niro
>     >     >     >
>     --
>     Painstaking Minds
>     IT-Consulting Bernhard Thalmayr
>     Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
>     Tel: +49 (0)8062 7769174 <tel:+49%208062%207769174>
>     Mobile: +49 (0)176 55060699 <tel:+49%20176%2055060699>
>
>     [hidden email]
>     <mailto:[hidden email]> - Solution Architect
>     http://www.xing.com/profile/Bernhard_Thalmayr
>     http://de.linkedin.com/in/bernhardthalmayr
>
>     This e-mail may contain confidential and/or privileged information.If
>     you are not the intended recipient (or have received this email in
>     error) please notify the sender immediately and delete this e-mail. Any
>     unauthorized copying, disclosure or distribution of the material in this
>     e-mail is strictly forbidden.
>     _______________________________________________
>     Visit the OpenAM forum at
>     https://forgerock.org/forum/fr-projects/openam/
>     OpenAM mailing list
>     [hidden email] <mailto:[hidden email]>
>     https://lists.forgerock.org/mailman/listinfo/openam
>
>
>
> _______________________________________________
> Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
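The scheme-selection problem this thread turns on (SSL offloading at the LB, the agent's "Override Request URL Protocol" setting, and whether X-Forwarded-Proto could settle it) worked through as an added example; this is not OpenAM agent code, and the addresses, the trusted-proxy subnet and the header handling are assumptions.

```python
"""Added example (not OpenAM agent code): how the scheme the agent believes the
client used ends up in the goto URL it hands to cdcservlet, under the three
variants discussed in this thread.  Hostnames, addresses and header values are
constructed for the example; the trusted-proxy subnet is an assumption."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import quote

DEFAULT_PORTS = {"http": 80, "https": 443}
CDCSERVLET = "https://amserver.cde.com:443/am/cdcservlet"  # as seen in the thread's logs


@dataclass
class Request:
    host: str            # Host header, i.e. the LB's FQDN (app.abc.com in the thread)
    path: str
    socket_scheme: str   # scheme of the connection the HTTP server actually accepted
    peer_ip: str         # address of the peer that opened that connection
    headers: dict = field(default_factory=dict)


def normalized_url(scheme: str, host: str, path: str) -> str:
    """Agent-style normalization: scheme, host and an explicit port, matching
    'https://app.abc.com:443/p/test' in the thread's agent logs."""
    return f"{scheme}://{host}:{DEFAULT_PORTS[scheme]}{path}"


def effective_scheme(req: Request, override_protocol: str | None = None,
                     trusted_proxies: tuple[str, ...] = ()) -> str:
    """Pick the scheme that represents the client's real connection.

    override_protocol mimics 'Override Request URL Protocol': a fixed value that
    wins for every request, whatever the socket says.
    trusted_proxies lists the CIDRs of load balancers whose X-Forwarded-Proto we
    are willing to believe; the header from any other peer is ignored, so a client
    reaching the HTTP server directly cannot choose the scheme of its own redirect.
    """
    if override_protocol:
        return override_protocol
    xfp = req.headers.get("X-Forwarded-Proto")
    if xfp and any(ip_address(req.peer_ip) in ip_network(cidr) for cidr in trusted_proxies):
        first_hop = xfp.split(",")[0].strip().lower()  # leftmost value: the client's side
        if first_hop in DEFAULT_PORTS:
            return first_hop
    return req.socket_scheme


def cdcservlet_redirect(req: Request, **opts) -> str:
    """Build the redirect an unauthenticated client receives, e.g.
    .../cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest"""
    goto = normalized_url(effective_scheme(req, **opts), req.host, req.path)
    return f"{CDCSERVLET}?goto={quote(goto, safe='')}"


LB = "10.0.0.5"             # constructed: the load balancer's address
CLIENT = "203.0.113.7"      # constructed: a client that reached the HTTP server directly
TRUSTED = ("10.0.0.0/24",)  # assumption: the LB subnet


def scenarios() -> dict[str, str]:
    """The goto URL for each situation described in the thread. Every request
    reaches the HTTP server over plain http; only the client-facing side differs."""
    via_https = Request("app.abc.com", "/p/test", "http", LB, {"X-Forwarded-Proto": "https"})
    via_http = Request("app.abc.com", "/p/test", "http", LB, {"X-Forwarded-Proto": "http"})
    direct = Request("app.abc.com", "/p/test", "http", CLIENT, {"X-Forwarded-Proto": "https"})
    return {
        # 1. no override: the https client's goto comes out as http://app.abc.com:80/p/test,
        #    the symptom the thread opens with
        "offloaded https, no override": cdcservlet_redirect(via_https),
        # 2. the override fixes https, but now the plain-http virtual server is wrong too
        "offloaded https, override": cdcservlet_redirect(via_https, override_protocol="https"),
        "plain http, override": cdcservlet_redirect(via_http, override_protocol="https"),
        # 3. X-Forwarded-Proto from the trusted LB: both virtual servers get the right scheme
        "offloaded https, trusted XFP": cdcservlet_redirect(via_https, trusted_proxies=TRUSTED),
        "plain http, trusted XFP": cdcservlet_redirect(via_http, trusted_proxies=TRUSTED),
        # the same header from an untrusted peer is ignored and the socket scheme wins
        "direct client spoofing XFP": cdcservlet_redirect(direct, trusted_proxies=TRUSTED),
    }


if __name__ == "__main__":
    for name, url in scenarios().items():
        print(f"{name:30} -> {url}")
```

Running it prints one goto URL per scenario; the last one shows why the header is only honoured when the connecting peer is one of the load balancer's own addresses.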

Re: Openam apache policy agent and goto normalized from https to http

Nirosan
Hi Bernard,

Thank you. 

The load balancer can send X-Forwarded-Proto to identify the protocol (HTTP or HTTPS) that a client used to connect. Can't the OpenAM agent make use of that?

Regards,
Niro

On Wed, Feb 22, 2017 at 7:14 PM Bernhard Thalmayr <[hidden email]> wrote:
Am 22/02/17 um 02:02 schrieb Nirosan Paramanathan:
> Hi Bernard,
>
> If you use 2 different 3.x agents (profiles) you don't need to mess
> around with overriding.
>>>> This means, I need to use 2 different Apache http server instances
> also, since 3.x doesn't support agent per vhost.

BT> Yes, see the 'clumsy' diagram below.

>
> Only the notification URL must point to the actual agent server.
>>>> Agent normalizes the Original URL, looking at the protocol (http or
> https) in the notification URL?

BT> If agents are run in notification mode (that's the default) OpenAM
will send out a notification to the registered notification URL. This
URL must not point to the LB but to the actual server housing the agent
otherwise only one Agent's caches are cleaned up (the LB does not
multiply the request, it just selects one 'realserver' to handle it).


>
>                         Agent1
> LB --> https -->
>                         Agent2
>
>
>                         Agent3
> LB --> http -->
>                         Agent4
>
>>>> I didn't quite get this diagram, need two agents for https & two
> agents for http?


BT> Yes, otherwise a loadbalancer would not make sense. I refused to
send out an image to an alias. You may contact me privately for further
details.

>
> 2 agent groups
>>>> I have never tried agent grouping. why do we need 2 agent groups?

BT> You could also use just one agent group. For additional flexibility
you may group the agents "serving" the same "virtual server" on the LB.

> configure agent profiles to inherit properties from agent group (except
> log level).
>
>
> the agent will get the correct scheme (http vs. https) and HOST
> header from the server env (e.g. Apache http server).
>
> -
> Niro
>
> On Tue, Feb 21, 2017 at 10:20 PM Bernhard Thalmayr
> <[hidden email]> wrote:
>
>     If you use 2 different 3.x agents (profiles) you don't need to mess
>     around with overriding.
>
>     Even the 'loadbalancer enable' is not needed ... I think I explained the
>     details in some JIRA.
>
>     Only the notification URL must point to the actual agent server.
>
>                             Agent1
>     LB --> https -->
>                             Agent2
>
>
>                             Agent3
>     LB --> http -->
>                             Agent4
>
>
>
>     2 agent groups
>
>     configure agent profiles to inherit properties from agent group (except
>     log level).
>
>
>     the agent will get the correct scheme (http vs. https) and HOST
>     header from the server env (e.g. Apache http server).
>
>     -Bernhard
>
>     Am 21/02/17 um 11:06 schrieb Nirosan Paramanathan:
>     > Hi Bernard,
>     >
>     > Thanks a lot for the explanations. Please correct me, if I'm wrong.
>     >
>     > 1. SSL-offloaded on LB
>     > This is the setup, we have to use on the production environment.
>     > Possible solution - have to use two agents.
>     >   1. Use two http servers with agents 3.x
>     >   2. Use one http server with wpa 4.x which has the support for agent
>     > per vhost
>     >
>     > 2. Use ssl through application server - no offloading
>     > I tried this case in our development environment setup. But the result
>     > is same.
>     > I have tested with two agent profiles.
>     > 1. agent profile configuration 1 - [In this case, http and https are
>     > being normalized as https]
>     >
>     > com.sun.identity.agents.config.agenturi.prefix=https://app.abc.com:443/amagent
>     > com.sun.identity.client.notification.url=https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false
>     > agentRootURL=https://app.abc.com:443/
>     > agentRootURL=http://app.abc.com:80/
>     >
>     > accessing http://app.abc.com/p/test
>     >
>     > *PA Logs* [accessing http://app.abc.com/p/test]
>     >
>     > 2017-02-21 15:39:40.139    Info 18002:7f6240000e00 all: dsame_check_access(): starting...
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): hostname = app.abc.com
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Port is 0. Set to default port 80.
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): port = 80
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): query =
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test.
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Method string is GET
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Apache method number corresponds to GET method
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: find_cookie(): cookie found: header [xtvrn=$566004$; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDirectoryPro=] name [dsiPlanetDirectoryPro=] val [NULL] val_len [0] next_cookie [NULL]
>     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): *Original url: http://app.abc.com:80/p/test*
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): PathInfo: /test
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): Using Full URI for policy evaluation.
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): *Normalized url: https://app.abc.com:443/p/test*
>     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_access_allowed(): *Processing url https://app.abc.com:443/p/test.*
>     >
>     > ----------------
>     >
>     > 2017-02-21 15:39:40.140   Debug 18002:7f6240000e00 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     > 2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: am_web_get_url_to_redirect: *goto URL is https://app.abc.com:443/p/test*
>     > 2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     > 2017-02-21 15:39:40.141   Debug 18002:7f6240000e00 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]
>     >
>     > *PA Logs* [accessing https://app.abc.com/p/test]
>     >
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): hostname = app.abc.com
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): port = 443
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): query =
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test.
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Method string is GET
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Apache method number corresponds to GET method
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDirectoryPro=] name [dsiPlanetDirectoryPro=] val [NULL] val_len [0] next_cookie [NULL]
>     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): *Original url: https://app.abc.com:443/p/test*
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): PathInfo: /test
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): Using Full URI for policy evaluation.
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): *Normalized url: https://app.abc.com:443/p/test*
>     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_access_allowed(): *Processing url https://app.abc.com:443/p/test.*
>     >
>     > --------
>     >
>     > 2017-02-21 15:53:48.816   Debug 18003:7f6260009620 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     > 2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: am_web_get_url_to_redirect: *goto URL is https://app.abc.com:443/p/test*
>     > 2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     > 2017-02-21 15:53:48.817   Debug 18003:7f6260009620 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]
>     >
>     > 2. agent profile configuration 2 - [In this case, http and https are
>     > being normalized as http]
>     >
>     > com.sun.identity.agents.config.agenturi.prefix=http://app.abc.com:80/amagent
>     > com.sun.identity.client.notification.url=http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false
>     > agentRootURL=https://app.abc.com:443/
>     > agentRootURL=http://app.abc.com:80/
>     >
>     > *PA Logs* [accessing https://app.abc.com/p/test]
>     >
>     > 2017-02-21 17:55:46.613    Info 31385:bd2b80 all: dsame_check_access(): starting...
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): hostname = app.abc.com
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): port = 443
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): query =
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test.
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Method string is GET
>     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Apache method number corresponds to GET method
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; _gat=1; dsiPlanetDirectoryPro=; _ga=GA1.2.28895626.1487239771; xtan=-; xtant=1] name [dsiPlanetDirectoryPro=; _ga=GA1.2.28895626.1487239771; xtan=-; xtant=1] val [NULL] val_len [0] next_cookie [NULL]
>     > 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): *Original url: https://app.abc.com:443/p/test*
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): PathInfo: /test
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): Using Full URI for policy evaluation.
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): *Normalized url: http://app.abc.com:80/p/test*
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_access_allowed(): *Processing url http://app.abc.com:80/p/test.*
>     >
>     > --------
>     >
>     > 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_get_url_to_redirect: *goto URL is http://app.abc.com:80/p/test*
>     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     > 2017-02-21 17:55:46.615   Debug 31385:bd2b80 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest]
>     > 2017-02-21 17:55:46.615   Debug 31385:bd2b80 all: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest&RequestID=1084165037&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fapp.abc.com%3A80%2Famagent&IssueInstant=2017-02-21T17%3A55%3A46Z].
>     >
>     >
>     > *PA Logs* [accessing http://app.abc.com/p/test]
>     >
>     > 2017-02-21 18:01:44.460    Info 31385:7f820c002cc0 all: dsame_check_access(): starting...
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): hostname = app.abc.com
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Port is 0. Set to default port 80.
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): port = 80
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): query =
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test.
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Method string is GET
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Apache method number corresponds to GET method
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; dsiPlanetDirectoryPro=; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771] name [dsiPlanetDirectoryPro=; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771] val [NULL] val_len [0] next_cookie [NULL]
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): *Original url: http://app.abc.com:80/p/test*
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): PathInfo: /test
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): Using Full URI for policy evaluation.
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): *Normalized url: http://app.abc.com:80/p/test*
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
>     >
>     > -----
>     >
>     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: *goto URL is http://app.abc.com:80/p/test*
>     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     > 2017-02-21 18:01:44.461   Debug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest]
>     >
>     >
>     > Question: Based on what is the policy agent doing the normalization?
>     > Is it based on the agent prefix URI?
>     >
>     > Regards,
>     >
>     > Niro
>     >
>     > On Tue, Feb 21, 2017 at 5:33 AM Bernhard Thalmayr
>     > <[hidden email]> wrote:
>     >
>     >     There is no solution with Agent version 3.x as it does not support
>     >     virtual server based agent profile.
>     >
>     >     As there is only one profile, how should the agent know when it
>     >     should override the incoming request and when not?
>     >
>     >     It has no clue at all that SSL-offloading is performed somewhere.
>     >
>     >     Say you are doing this
>     >
>     >     client (browser) --> https --> LB (FQDN)--> http --> HTTP server
>     >     with Agent
>     >
>     >     Which HTTP request does the client send?
>     >
>     >     E.g.
>     >
>     >     GET / HTTP/1.0
>     >     Host: FQDN
>     >
>     >     Which request does the HTTP server provide to the Agent? (if
>     there is no
>     >     HTTP request manipulation at the LB)
>     >
>     >     GET / HTTP/1.0
>     >     Host: FQDN
>     >
>     >     However, you want the client to end up at https://FQDN/ after
>     >     successful
>     >     authentication.
>     >
>     >     --> you need to set "Override Request URL Protocol" as this
>     will append
>     >     TARGET=https://FQDN/ to the cdcservlet url instead of
>     >     TARGET=http://FQDN/
>     >
>     >
>     >     Now the other scenario
>     >
>     >     client (browser) --> http --> LB (FQDN)--> http --> HTTP
>     server with
>     >     Agent
>     >
>     >     Which HTTP request does the client send?
>     >
>     >     E.g.
>     >
>     >     GET / HTTP/1.0
>     >     Host: FQDN
>     >
>     >     Which request does the HTTP server provide to the Agent? (if
>     there is no
>     >     HTTP request manipulation at the LB)
>     >
>     >     GET / HTTP/1.0
>     >     Host: FQDN
>     >
>     >     --> now you must not set "Override Request URL Protocol" as
>     this will
>     >     append TARGET=https://FQDN/ to the cdcservlet url instead of
>     >     TARGET=http://FQDN/
>     >
>     >
>     >     Potentially I did not fully understand your scenario ....
>     >
>     >     Only solution with Agent 3.x
>     >
>     >     LB (virtual server1: Port 443, SSL-endpoint) ---> http -->
>     HTTP Server 1
>     >     with Agent
>     >
>     >     LB (virtual server2: Port 80, plain socket) --> http --> HTTP
>     Server 2
>     >     with Agent
>     >
>     >     -Bernhard
>     >
>     >
>     >
>     >     Am 20/02/17 um 11:26 schrieb Nirosan Paramanathan:
>     >     > Hi Bernard,
>     >     >
>     >     > Yes, I'm using SSL-offloading.
>     >     >
>     >     > This is my Load Balancer setting for the particular agent
>     profile.
>     >     >
>     >     > pasted1
>     >     >
>     >     >
>     >     > I tried two scenarios.
>     >     > 1. Listening to http only
>     >     > Here, I configured agent notification uri & agent deployment uri
>     >     prefix
>     >     > all in http. This one works perfectly.
>     >     > 2. Listening to https only
>     >     > Here, I configured agent notification uri & agent deployment uri
>     >     prefix
>     >     > all in https. This one also works.
>     >     >
>     >     > Only problem arises, when listening to both http and https.
>     >     >
>     >     > Struggling in this for long time, glad if you could help.
>     >     > - Niro
>     >     >
>     >     > On Mon, Feb 20, 2017 at 6:07 PM Bernhard Thalmayr
>     >     > <[hidden email]> wrote:
>     >     >
>     >     >     The url is changed by the agent code, because you told the
>     >     agent to
>     >     >     do this.
>     >     >
>     >     >     You most likely used (one of) the settings
>     >     >
>     >     >     Override Request URL Protocol
>     >     >     Override Request URL Host
>     >     >     Override Request URL Port
>     >     >
>     >     >     as you might use SSL-offloading ..., hard to tell
>     without details.
>     >     >
>     >     >     -Bernhard
>     >     >
>     >     >
>     >     >     Am 20/02/17 um 02:29 schrieb Nirosan Paramanathan:
>     >     >     > Hi,
>     >     >     > I'm having an issue enabling protection for https://app.abc.com/p/.
>     >     >     > The application has both http and https enabled on Apache; the
>     >     >     > agent also resides in the same environment.
>     >     >     >
>     >     >     > --------------------------------------------------------------------------
>     >     >     > Sun OpenSSO Enterprise Policy Agent for:
>     >     >     > Apache Web Server 2.2.x
>     >     >     > --------------------------------------------------------------------------
>     >     >     > Version: 3.0-04
>     >     >     >
>     >     >     > Build date: Fri Jul 29 00:05:09 BST 2011
>     >     >     > Build platform: constable.internal.forgerock.com
>     >     >     >
>     >     >     > With the current setup.
>     >     >     > When I access http://app.abc.com/p/test goto is
>     >     >     >
>     >     >     > "goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=172089237&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:10:21Z"
>     >     >     >
>     >     >     > When I access https://app.abc.com/p/test goto is
>     >     >     >
>     >     >     > "goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=2030366327&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:15:15Z"
>     >     >     >
>     >     >     > PA logs when accessing https url.
>     >     >     >
>     >     >     > 2017-02-20 08:49:00.102   Debug 12161:7f4fa40099e0 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Original url: https://app.abc.com:443/p/test
>     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): PathInfo: /test
>     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Using Full URI for policy evaluation.
>     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Normalized url: http://app.abc.com:80/p/test
>     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
>     >     >     >
>     >     >     > Why is the https url being normalized and processed? What has gone
>     >     >     > wrong in the configuration?
>     >     >     >
>     >     >     > I have added both http://agent.cde.com.sg:80/ and https://agent.cde.com.sg:443/
>     >     >     > in Agent Root URL for CDSSO in the OpenAM console.
>     >     >     >
>     >     >     > Thanks.
>     >     >     > niro
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     > _______________________________________________
>     >     >     > Visit the OpenAM forum at
>     >     >     https://forgerock.org/forum/fr-projects/openam/
>     >     >     > OpenAM mailing list
>     >     >     > [hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>
>     >     <mailto:[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>>
>     >     >     > https://lists.forgerock.org/mailman/listinfo/openam


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
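The debug excerpts quoted above show the agent taking an https request, evaluating policy on an http "Normalized url" and then building the cdcservlet redirect around an http goto. The following Python checker is an added example for this thread (not code from the thread, the agent or the OpenAM project): it reads agent debug output, pairs each request's "Original url" with its "Normalized url", its "goto URL" and the goto parameter inside the final cdcservlet redirect, and reports every request whose scheme changed along the way. The embedded log lines are constructed from the quoted excerpts (the RequestID and the 2017-02-20 redirect line are made up to complete one request); the regular expressions are assumptions about the 3.0 web agent's debug format derived only from those excerpts, so adjust them if your agent build logs differently.

```python
"""Spot scheme changes in OpenSSO/OpenAM 3.x web agent debug output.

Added example for this thread (not code from the thread, the agent, or the
OpenAM project). The regular expressions are assumptions about the agent's
debug format, derived only from the excerpts quoted in the thread.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the excerpts quoted in the thread. The
# RequestID and the 2017-02-20 redirect line are made up to complete a
# request; everything else mirrors the quoted lines.
SAMPLE_LOG = """\
2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Original url: https://app.abc.com:443/p/test
2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): PathInfo: /test
2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Normalized url: http://app.abc.com:80/p/test
2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
2017-02-20 08:49:00.103MaxDebug 12161:7f4fa40099e0 all: am_web_get_url_to_redirect: goto URL is http://app.abc.com:80/p/test
2017-02-20 08:49:00.103   Debug 12161:7f4fa40099e0 all: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest&RequestID=1&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fagent.cde.com.sg%3A80%2Famagent&IssueInstant=2017-02-20T08%3A49%3A00Z].
2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): Original url: https://app.abc.com:443/p/test
2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): Normalized url: https://app.abc.com:443/p/test
2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: am_web_get_url_to_redirect: goto URL is https://app.abc.com:443/p/test
"""

# One agent debug line: timestamp, level (the agent writes "MaxDebug" with no
# space after the timestamp), "pid:thread" id, the "all:" marker, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s*"
    r"(?P<level>MaxDebug|Debug|Info|Warning|Error)\s+"
    r"(?P<thread>\S+)\s+all:\s*(?P<msg>.*)$"
)
ORIG_RE = re.compile(r"get_normalized_url\(\): Original url: (\S+)")
NORM_RE = re.compile(r"get_normalized_url\(\): Normalized url: (\S+)")
GOTO_RE = re.compile(r"am_web_get_url_to_redirect: goto URL is (\S+)")
REDIR_RE = re.compile(r"redirect url \[([^\]]+)\]")


def parse_agent_log(text):
    """Group lines into requests keyed by the pid:thread id.

    A new request starts at each "Original url" line for that thread; the
    later "Normalized url", "goto URL" and final redirect lines of the same
    thread are attached to it.
    """
    records, open_by_thread = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        o = ORIG_RE.search(msg)
        if o:
            rec = {"ts": m["ts"], "thread": thread, "original": o[1],
                   "normalized": None, "goto": None, "redirect_goto": None}
            records.append(rec)
            open_by_thread[thread] = rec
            continue
        rec = open_by_thread.get(thread)
        if rec is None:
            continue
        n, g, r = NORM_RE.search(msg), GOTO_RE.search(msg), REDIR_RE.search(msg)
        if n:
            rec["normalized"] = n[1]
        elif g:
            rec["goto"] = g[1]
        elif r:
            # parse_qs percent-decodes, so the goto the browser will be sent
            # to after login comes back as a plain URL.
            rec["redirect_goto"] = parse_qs(urlsplit(r[1]).query).get("goto", [None])[0]
    return records


def scheme_of(url):
    return urlsplit(url).scheme.lower()


def find_scheme_changes(records):
    """Return one finding per field whose scheme differs from the original.

    kind == "downgrade" is the case the thread hits: an https request whose
    policy URL and post-login goto become http.
    """
    findings = []
    for rec in records:
        orig = scheme_of(rec["original"])
        for field in ("normalized", "goto", "redirect_goto"):
            url = rec[field]
            if url is None or scheme_of(url) == orig:
                continue
            kind = "downgrade" if orig == "https" else "upgrade"
            findings.append({"ts": rec["ts"], "thread": rec["thread"], "field": field,
                             "kind": kind, "original": rec["original"], "value": url})
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in find_scheme_changes(parse_agent_log(text)):
        print(f"{f['ts']} {f['thread']} {f['kind']:9} {f['field']:13} {f['original']} -> {f['value']}")
```

Run it with the path of the agent's debug file as the only argument (with no argument it uses the embedded sample). A "downgrade" finding on the redirect_goto field is the one to act on: it means the goto OpenAM will send the browser back to after login is a cleartext URL, which is exactly what the first message in the thread observed for https://app.abc.com/p/test.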

Re: Openam apache policy agent and goto normalized from https to http

Bernhard Thalmayr
On 24/02/17 at 02:30, Nirosan Paramanathan wrote:
> Hi Bernard,
>
> Thank you.
>
> Loadbalancer can send X-Forwarded-Proto to identify the protocol (HTTP
> or HTTPS) that a client used to connect. Can't openam agent make use of
> that?

no (or not yet)

-Bernhard

>
> Regards,
> Niro
>
> On Wed, Feb 22, 2017 at 7:14 PM Bernhard Thalmayr <[hidden email]> wrote:
>
>     On 22/02/17 at 02:02, Nirosan Paramanathan wrote:
>     > Hi Bernard,
>     >
>     > If you use 2 different 3.x agents (profiles) you don't need to mess
>     > around with overriding.
>     >>>> This means, I need to use 2 different Apache http server instances
>     > also, since 3.x doesn't support agent per vhost.
>
>     BT> yes, see the 'clumsy' diagram below
>
>     >
>     > Only the notification URL must point to the actual agent server.
>     >>>> Agent normalizes the Original URL, looking at the protocol (http or
>     > https) in the notification URL ?
>
>     BT> If agents are run in notification mode (that's the default) OpenAM
>     will send out a notification to the registered notification URL. This
>     URL must not point to the LB but to the actual server housing the agent
>     otherwise only one Agent's caches are cleaned up (the LB does not
>     multiply the request, it just selects one 'realserver' to handle it).
>
>
>     >
>     >                         Agent1
>     > LB --> https -->
>     >                         Agent2
>     >
>     >
>     >                         Agent3
>     > LB --> http -->
>     >                         Agent4
>     >
>     >>>> I didn't quite get this diagram, need two agents for https & two
>     > agents for http?
>
>
>     BT> Yes, otherwise a loadbalancer would not make sense. I refused to
>     send out an image to an alias. You may contact me privately for further
>     details.
>
>     >
>     > 2 agent groups
>     >>>> I have never tried agent grouping. why do we need 2 agent groups?
>
>     BT> You could also use just one agent group. For additional flexibility
>     you may group the agents "serving" the same "virtual server" on the LB
>
>     > configure agent profiles to inherit properties from agent group (except
>     > log level).
>     >
>     >
>     > the agent will get the correct scheme (http vs. https) and HOST
>     > header from the server env (e.g. Apache http server).
>     >
>     > -
>     > Niro
>     >
>     > On Tue, Feb 21, 2017 at 10:20 PM Bernhard Thalmayr <[hidden email]> wrote:
>     >
>     >     If you use 2 different 3.x agents (profiles) you don't need to
>     mess
>     >     around with overriding.
>     >
>     >     Even the 'loadbalancer enable' is not needed ... I think I
>     explained the
>     >     details in some JIRA.
>     >
>     >     Only the notification URL must point to the actual agent server.
>     >
>     >                             Agent1
>     >     LB --> https -->
>     >                             Agent2
>     >
>     >
>     >                             Agent3
>     >     LB --> http -->
>     >                             Agent4
>     >
>     >
>     >
>     >     2 agent groups
>     >
>     >     configure agent profiles to inherit properties from agent group (except
>     >     log level).
>     >
>     >
>     >     the agent will get the correct scheme (http vs. https) and HOST
>     >     header from the server env (e.g. Apache http server).
>     >
>     >     -Bernhard
>     >
>     >     On 21/02/17 at 11:06, Nirosan Paramanathan wrote:
>     >     > Hi Bernard,
>     >     >
>     >     > Thanks a lot for the explanations. Please correct me, if I'm
>     wrong.
>     >     >
>     >     > 1. SSL-offloaded on LB
>     >     > This is the setup, we have to use on the production environment.
>     >     > Possible solution - have to use two agents.
>     >     >   1. Use two http servers with agents 3.x
>     >     >   2. Use one http server with wpa 4.x which has the support
>     for agent
>     >     > per vhost
>     >     >
>     >     > 2. Use ssl through application server - no offloading
>     >     > I tried this case in our development environment setup. But the result
>     >     > is the same.
>     >     > I have tested with two agent profiles.
>     >     > 1. agent profile configuration 1 - [In this case, http and https is
>     >     > being normalized as https]
>     >     >
>     >     > com.sun.identity.agents.config.agenturi.prefix=https://app.abc.com:443/amagent
>     >     >
>     >     > com.sun.identity.client.notification.url=https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false
>     >     >
>     >     > agentRootURL=https://app.abc.com:443/
>     >     >
>     >     > agentRootURL=http://app.abc.com:80/
>     >     >
>     >     > accessing http://app.abc.com/p/test
>     >     >
>     >     > *PA Logs* [accessing http://app.abc.com/p/test]
>     >     >
>     >     > 2017-02-21 15:39:40.139    Info 18002:7f6240000e00 all: dsame_check_access(): starting...
>     >     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): hostname = app.abc.com
>     >     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Port is 0. Set to default port 80.
>     >     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): port = 80
>     >     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): query =
>     >     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test.
>     >     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Method string is GET
>     >     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: get_method_num(): Apache method number corresponds to GET method
>     >     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     >     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     >     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: find_cookie(): cookie found: header [xtvrn=$566004$; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDirectoryPro=] name [dsiPlanetDirectoryPro=] val [NULL] val_len [0] next_cookie [NULL]
>     >     > 2017-02-21 15:39:40.139   Debug 18002:7f6240000e00 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     >     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): *Original url: http://app.abc.com:80/p/test*
>     >     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): PathInfo: /test
>     >     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): Using Full URI for policy evaluation.
>     >     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: get_normalized_url(): *Normalized url: https://app.abc.com:443/p/test*
>     >     > 2017-02-21 15:39:40.139MaxDebug 18002:7f6240000e00 all: am_web_is_access_allowed(): *Processing url https://app.abc.com:443/p/test.*
>     >     >
>     >     > ----------------
>     >     >
>     >     > 2017-02-21 15:39:40.140   Debug 18002:7f6240000e00 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     >     > 2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: am_web_get_url_to_redirect: *goto URL is https://app.abc.com:443/p/test*
>     >     > 2017-02-21 15:39:40.140MaxDebug 18002:7f6240000e00 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     >     > 2017-02-21 15:39:40.141   Debug 18002:7f6240000e00 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]
>     >     >
>     >     > *PA Logs* [accessing https://app.abc.com/p/test]
>     >     >
>     >     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): hostname = app.abc.com
>     >     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): port = 443
>     >     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): query =
>     >     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test.
>     >     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Method string is GET
>     >     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: get_method_num(): Apache method number corresponds to GET method
>     >     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     >     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_notification(): https://app.abc.com:443/p/test is not notification url https://app.abc.com:443/UpdateAgentCacheServlet?shortcircuit=false.
>     >     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771; dsiPlanetDirectoryPro=] name [dsiPlanetDirectoryPro=] val [NULL] val_len [0] next_cookie [NULL]
>     >     > 2017-02-21 15:53:48.815   Debug 18003:7f6260009620 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     >     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): *Original url: https://app.abc.com:443/p/test*
>     >     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): PathInfo: /test
>     >     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): Using Full URI for policy evaluation.
>     >     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: get_normalized_url(): *Normalized url: https://app.abc.com:443/p/test*
>     >     > 2017-02-21 15:53:48.815MaxDebug 18003:7f6260009620 all: am_web_is_access_allowed(): *Processing url https://app.abc.com:443/p/test.*
>     >     >
>     >     > --------
>     >     >
>     >     > 2017-02-21 15:53:48.816   Debug 18003:7f6260009620 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     >     > 2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: am_web_get_url_to_redirect: *goto URL is https://app.abc.com:443/p/test*
>     >     > 2017-02-21 15:53:48.816MaxDebug 18003:7f6260009620 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     >     > 2017-02-21 15:53:48.817   Debug 18003:7f6260009620 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [https://app.abc.com:443/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=https%3A%2F%2Fapp.abc.com%3A443%2Fp%2Ftest]
>     >     >
>     >     > 2. agent profile configurations 2 - [In this case, http and https
>     >     > is being normalized as http]
>     >     >
>     >     > com.sun.identity.agents.config.agenturi.prefix=http://app.abc.com:80/amagent
>     >     >
>     >     > com.sun.identity.client.notification.url=http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false
>     >     >
>     >     > agentRootURL=https://app.abc.com:443/
>     >     >
>     >     > agentRootURL=http://app.abc.com:80/
>     >     >
>     >     > *PA Logs* [accessing https://app.abc.com/p/test]
>     >     >
>     >     > 2017-02-21 17:55:46.613    Info 31385:bd2b80 all: dsame_check_access(): starting...
>     >     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): hostname = app.abc.com
>     >     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): port = 443
>     >     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): query =
>     >     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_request_url(): Returning request URL = https://app.abc.com:443/p/test.
>     >     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Method string is GET
>     >     > 2017-02-21 17:55:46.613   Debug 31385:bd2b80 all: get_method_num(): Apache method number corresponds to GET method
>     >     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     >     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     >     > 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; _gat=1; dsiPlanetDirectoryPro=; _ga=GA1.2.28895626.1487239771; xtan=-; xtant=1] name [dsiPlanetDirectoryPro=; _ga=GA1.2.28895626.1487239771; xtan=-; xtant=1] val [NULL] val_len [0] next_cookie [NULL]
>     >     > 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     >     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): *Original url: https://app.abc.com:443/p/test*
>     >     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): PathInfo: /test
>     >     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): Using Full URI for policy evaluation.
>     >     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: get_normalized_url(): *Normalized url: http://app.abc.com:80/p/test*
>     >     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_is_access_allowed(): *Processing url http://app.abc.com:80/p/test.*
>     >     >
>     >     > --------
>     >     >
>     >     > 2017-02-21 17:55:46.614   Debug 31385:bd2b80 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     >     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: am_web_get_url_to_redirect: *goto URL is http://app.abc.com:80/p/test*
>     >     > 2017-02-21 17:55:46.614MaxDebug 31385:bd2b80 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     >     > 2017-02-21 17:55:46.615   Debug 31385:bd2b80 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest]
>     >     > 2017-02-21 17:55:46.615   Debug 31385:bd2b80 all: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest&RequestID=1084165037&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fapp.abc.com%3A80%2Famagent&IssueInstant=2017-02-21T17%3A55%3A46Z].
>     >     >
>     >     >
>     >     > *PA Logs* [accessing http://app.abc.com/p/test]
>     >     >
>     >     > 2017-02-21 18:01:44.460    Info 31385:7f820c002cc0 all: dsame_check_access(): starting...
>     >     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): hostname = app.abc.com
>     >     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Port is 0. Set to default port 80.
>     >     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): port = 80
>     >     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): query =
>     >     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_request_url(): Returning request URL = http://app.abc.com:80/p/test.
>     >     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Method string is GET
>     >     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: get_method_num(): Apache method number corresponds to GET method
>     >     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     >     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_notification(): http://app.abc.com:80/p/test is not notification url http://app.abc.com:80/UpdateAgentCacheServlet?shortcircuit=false.
>     >     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: find_cookie(): cookie found: header [xtvrn=$566004$; _csrf=5d27725030d7979652c1acd2d151c9eab5d900d78e0b8f58bb5fa9b8da473bb5s%3A32%3A%22E0YnbI_moUBCqfFt7N_2R4ESdA5YdU5s%22%3B; dsiPlanetDirectoryPro=; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771] name [dsiPlanetDirectoryPro=; xtan=-; xtant=1; _ga=GA1.2.28895626.1487239771] val [NULL] val_len [0] next_cookie [NULL]
>     >     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     >     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): *Original url: http://app.abc.com:80/p/test*
>     >     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): PathInfo: /test
>     >     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): Using Full URI for policy evaluation.
>     >     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: get_normalized_url(): *Normalized url: http://app.abc.com:80/p/test*
>     >     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
>     >     >
>     >     > -----
>     >     >
>     >     > 2017-02-21 18:01:44.460   Debug 31385:7f820c002cc0 all: am_web_do_cookie_domain_set(): setting cookie dsiPlanetDirectoryPro=;Domain=.stjobs.sg;Path=/.
>     >     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: *goto URL is http://app.abc.com:80/p/test*
>     >     > 2017-02-21 18:01:44.460MaxDebug 31385:7f820c002cc0 all: find_active_login_server(): Trying server: https://amserver.cde.com:443/am/cdcservlet
>     >     > 2017-02-21 18:01:44.461   Debug 31385:7f820c002cc0 all: am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://app.abc.com:80/p/test] [https://amserver.cde.com:443/am/cdcservlet?goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest]
>     >     >
>     >     >
>     >     > Question: based on what is the policy agent doing the normalization?
>     >     > Is it based on the agent prefix URI?
>     >     >
>     >     > Regards,
>     >     >
>     >     > Niro
>     >     >
>     >     > On Tue, Feb 21, 2017 at 5:33 AM Bernhard Thalmayr <[hidden email]> wrote:
>     >     >
>     >     >     There is no solution with Agent version 3.x as it does not support
>     >     >     virtual server based agent profile.
>     >     >
>     >     >     As there is only one profile, when should the agent know that it should
>     >     >     override the incoming request and when not?
>     >     >
>     >     >     It has no clue at all that SSL-offloading is performed somewhere.
>     >     >
>     >     >     Say you are doing this
>     >     >
>     >     >     client (browser) --> https --> LB (FQDN)--> http --> HTTP server with Agent
>     >     >
>     >     >     Which HTTP request does the client send?
>     >     >
>     >     >     E.g.
>     >     >
>     >     >     GET / HTTP/1.0
>     >     >     Host: FQDN
>     >     >
>     >     >     Which request does the HTTP server provide to the Agent? (if there is no
>     >     >     HTTP request manipulation at the LB)
>     >     >
>     >     >     GET / HTTP/1.0
>     >     >     Host: FQDN
>     >     >
>     >     >     However, you want the client to end up at https://FQDN/ after successful
>     >     >     authentication.
>     >     >
>     >     >     --> you need to set "Override Request URL Protocol" as this will append
>     >     >     TARGET=https://FQDN/ to the cdcservlet url instead of TARGET=http://FQDN/
>     >     >
>     >     >
>     >     >     Now the other scenario
>     >     >
>     >     >     client (browser) --> http --> LB (FQDN)--> http --> HTTP server with Agent
>     >     >
>     >     >     Which HTTP request does the client send?
>     >     >
>     >     >     E.g.
>     >     >
>     >     >     GET / HTTP/1.0
>     >     >     Host: FQDN
>     >     >
>     >     >     Which request does the HTTP server provide to the Agent? (if there is no
>     >     >     HTTP request manipulation at the LB)
>     >     >
>     >     >     GET / HTTP/1.0
>     >     >     Host: FQDN
>     >     >
>     >     >     --> now you must not set "Override Request URL Protocol" as this will
>     >     >     append TARGET=https://FQDN/ to the cdcservlet url instead of TARGET=http://FQDN/
>     >     >
>     >     >
>     >     >     Potentially I did not fully understand your scenario ....
>     >     >
>     >     >     Only solution with Agent 3.x
>     >     >
>     >     >     LB (virtual server1: Port 443, SSL-endpoint) ---> http --> HTTP Server 1 with Agent
>     >     >
>     >     >     LB (virtual server2: Port 80, plain socket) --> http --> HTTP Server 2 with Agent
>     >     >
>     >     >     -Bernhard
>     >     >
>     >     >
>     >     >
>     >     >     On 20/02/17 at 11:26, Nirosan Paramanathan wrote:
>     >     >     > Hi Bernard,
>     >     >     >
>     >     >     > Yes, I'm using SSL-offloading.
>     >     >     >
>     >     >     > This is my Load Balancer setting for the particular agent profile.
>     >     >     >
>     >     >     > [pasted image: pasted1]
>     >     >     >
>     >     >     >
>     >     >     > I tried two scenarios.
>     >     >     > 1. Listening to http only
>     >     >     > Here, I configured agent notification uri & agent deployment uri prefix
>     >     >     > all in http. This one works perfectly.
>     >     >     > 2. Listening to https only
>     >     >     > Here, I configured agent notification uri & agent deployment uri prefix
>     >     >     > all in https. This one also works.
>     >     >     >
>     >     >     > Only problem arises, when listening to both http and https.
>     >     >     >
>     >     >     > Struggling with this for a long time, glad if you could help.
>     >     >     > - Niro
>     >     >     >
>     >     >     > On Mon, Feb 20, 2017 at 6:07 PM Bernhard Thalmayr <[hidden email]> wrote:
>     >     >     >
>     >     >     >     The url is changed by the agent code, because you told the agent to
>     >     >     >     do this.
>     >     >     >
>     >     >     >     You most likely used (one of) the settings
>     >     >     >
>     >     >     >     Override Request URL Protocol
>     >     >     >     Override Request URL Host
>     >     >     >     Override Request URL Port
>     >     >     >
>     >     >     >     as you might use SSL-offloading ..., hard to tell without details.
>     >     >     >
>     >     >     >     -Bernhard
>     >     >     >
>     >     >     >
>     >     >     >     On 20/02/17 at 02:29, Nirosan Paramanathan wrote:
>     >     >     >     > Hi,
>     >     >     >     > I'm having an issue enabling protection for https://app.abc.com/p/.
>     >     >     >     > The application has both http and https enabled on apache; the agent also
>     >     >     >     > resides in the same environment.
>     >     >     >     >
>     >     >     >     > --------------------------------------------------------------------------
>     >     >     >     > Sun OpenSSO Enterprise Policy Agent for:
>     >     >     >     > Apache Web Server 2.2.x
>     >     >     >     >
>     >     >     >     > --------------------------------------------------------------------------
>     >     >     >     > Version: 3.0-04
>     >     >     >     >
>     >     >     >     > Build date: Fri Jul 29 00:05:09 BST 2011
>     >     >     >     > Build platform: constable.internal.forgerock.com
>     >     >     >     >
>     >     >     >     > With the current setup.
>     >     >     >     > When I access http://app.abc.com/p/test goto is
>     >     >     >     >
>     >     >     >     > "goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=172089237&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:10:21Z"
>     >     >     >     >
>     >     >     >     > When I access https://app.abc.com/p/test goto is
>     >     >     >     >
>     >     >     >     > "goto=/am/cdcservlet?TARGET=http://app.abc.com:80/p/test&RequestID=2030366327&MajorVersion=1&MinorVersion=0&ProviderID=http://agent.cde.com.sg:80/amagent&IssueInstant=2017-02-20T09:15:15Z"
>     >     >     >     >
>     >     >     >     > PA logs when accessing https url.
>     >     >     >     >
>     >     >     >     > 2017-02-20 08:49:00.102   Debug 12161:7f4fa40099e0 all: am_web_set_host_ip_in_env_map(): map_insert: client_ip=172.19.212.6
>     >     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Original url: https://app.abc.com:443/p/test
>     >     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): PathInfo: /test
>     >     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Using Full URI for policy evaluation.
>     >     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: get_normalized_url(): Normalized url: http://app.abc.com:80/p/test
>     >     >     >     > 2017-02-20 08:49:00.102MaxDebug 12161:7f4fa40099e0 all: am_web_is_access_allowed(): Processing url http://app.abc.com:80/p/test.
>     >     >     >     >
>     >     >     >     > Why is the https URL being normalized and processed? What has gone wrong
>     >     >     >     > in the configuration?
>     >     >     >     >
>     >     >     >     > I have added both http://agent.cde.com.sg:80/ and https://agent.cde.com.sg:443/
>     >     >     >     > in Agent Root URL for CDSSO in the openam console.
>     >     >     >     >
>     >     >     >     > Thanks.
>     >     >     >     > niro
>     >     >     >     >
>     >     >     >     >
>     >     >     >     >


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
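The two deployments Bernhard lays out in the quoted reply above (TLS terminated at the load balancer, and plain http end to end) arrive at the web server as byte-identical requests, which is why a single agent profile with one "Override Request URL Protocol" setting cannot serve both. The following Python model is an added example, not the OpenSSO/OpenAM agent's own code: the Request and AgentConfig types, the function names, and the single-host override values are assumptions made for the illustration. It derives the normalized URL the agent evaluates and the cdcservlet goto redirect it issues, reproducing the values seen in the logs above, and shows how the same profile sends a plain-http client to https once the override is on.

```python
"""
Model of what a single-profile web policy agent, as described in the reply
quoted above, derives from the request it receives: the URL it evaluates
policy against and the cdcservlet redirect it issues. This is an added
illustration, not the OpenSSO/OpenAM agent's own code; the Request and
AgentConfig types, the function names and the single-host override values
are assumptions made for the example.
"""
from dataclasses import dataclass
from urllib.parse import quote, urlsplit


@dataclass(frozen=True)
class Request:
    """What the HTTP server hands the agent (after any TLS offloading)."""
    scheme: str   # scheme of the listener the HTTP server accepted on
    host: str     # Host header value
    port: int     # listener port on the HTTP server
    path: str     # request path


@dataclass(frozen=True)
class AgentConfig:
    """Subset of an agent profile. The three override flags are the
    'Override Request URL Protocol/Host/Port' settings named in the thread;
    the agent_* values stand in for the FQDN values they substitute
    (assumption: modelled as a single host)."""
    override_protocol: bool = False
    override_host: bool = False
    override_port: bool = False
    agent_protocol: str = "https"
    agent_host: str = "app.abc.com"
    agent_port: int = 443
    cdcservlet: str = "https://amserver.cde.com:443/am/cdcservlet"


def as_seen_by_agent(client_url: str, lb_offloads_tls: bool) -> Request:
    """Request that reaches the HTTP server behind the load balancer when the
    LB does no header rewriting: with TLS offloading the backend always gets
    plain http on port 80, whatever scheme the browser used."""
    parts = urlsplit(client_url)
    if lb_offloads_tls or parts.scheme == "http":
        return Request("http", parts.hostname, 80, parts.path)
    return Request("https", parts.hostname, 443, parts.path)


def normalized_url(req: Request, cfg: AgentConfig) -> str:
    """Rebuild the request URL, substituting scheme/host/port wherever the
    matching override flag is on. The port is always rendered explicitly,
    as in 'Normalized url: http://app.abc.com:80/p/test' in the logs."""
    scheme = cfg.agent_protocol if cfg.override_protocol else req.scheme
    host = cfg.agent_host if cfg.override_host else req.host
    port = cfg.agent_port if cfg.override_port else req.port
    return f"{scheme}://{host}:{port}{req.path}"


def cdsso_redirect(req: Request, cfg: AgentConfig) -> str:
    """Redirect sent to an unauthenticated client: the cdcservlet URL with the
    normalized request URL percent-encoded as the goto value, matching
    'goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest' in the logs."""
    return f"{cfg.cdcservlet}?goto={quote(normalized_url(req, cfg), safe='')}"


def scenarios() -> dict:
    """Bernhard's two deployments evaluated with one agent profile."""
    # Both a browser-https request (TLS ended at the LB) and a browser-http
    # request arrive at the agent as the same plain-http request ...
    via_https = as_seen_by_agent("https://app.abc.com/p/test", lb_offloads_tls=True)
    via_http = as_seen_by_agent("http://app.abc.com/p/test", lb_offloads_tls=True)
    assert via_https == via_http  # ... so the agent cannot tell them apart.

    no_override = AgentConfig()
    with_override = AgentConfig(override_protocol=True, override_port=True)
    return {
        # override off: the https client is sent back to http after login
        "https_client_no_override": cdsso_redirect(via_https, no_override),
        # override on: the https client lands on https, as wanted
        "https_client_with_override": cdsso_redirect(via_https, with_override),
        # override on: the plain-http client is also sent to https
        "http_client_with_override": cdsso_redirect(via_http, with_override),
    }


if __name__ == "__main__":
    for name, url in scenarios().items():
        print(f"{name}: {url}")
```

Running it prints one redirect per case; the first matches the `goto=http%3A%2F%2Fapp.abc.com%3A80%2Fp%2Ftest` value in the logs above, and the last two are identical, which is the practical reason behind Bernhard's recommendation to give each listener (443 with TLS ended at the LB, 80 plain) its own web server and agent profile, so that the override setting of each profile matches the only kind of traffic it ever sees.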