Chapter 2 Working with Firewalls, Load Balancers, or Proxy Servers

This chapter describes how Identity Manager uses Uniform Resource Locators (URLs) and how to configure Identity Manager to obtain accurate URL data when firewalls, load balancers, or proxy servers are in place.

Servlet APIs

The Web-based Identity Manager user interface is highly dependent on Uniform Resource Locators (URLs) to specify the location of pages to be retrieved by the Web client.

Identity Manager depends on the Servlet APIs provided by an application server (such as Glassfish, Apache Tomcat, IBM WebSphere, or BEA WebLogic) to determine the fully qualified URL in the current HTTP request so that a valid URL can be placed in the generated HTML and HTTP response.

Some configurations prevent the application server from determining the URL the Web client uses for an HTTP request. Examples include:

• A port-forwarding or Network Address Translation (NAT) firewall placed between the Web client and Web server, or between the Web server and application server

• A proxy server (such as Tivoli Policy Director WebSEAL) placed between the Web client and Web server, or between the Web server and application server

For instances in which the Servlet APIs do not provide accurate URL data from an HTTP request, the correct data can be configured in the Waveset.properties file (located in your Identity Manager installation config directory).

The following attributes control Identity Manager’s Web-based documentation root and whether Identity Manager uses the HTML BASE HREF tag.

• ui.web.useBaseHref (Default value: true)— Set this attribute to one of the following values:

  • true— Identity Manager uses the HTML BASE HREF tag to indicate the root of all relative URL paths.

  • false— All URLs placed into HTML contain fully qualified paths; including scheme, host, and port.

• ui.web.baseHrefURL— Set this attribute to a non-empty value to define the BASE HREF used in generated HTML, which overrides the value that is calculated using servlet APIs.

Overriding this calculated value can be useful when those APIs do not return the whole truth, which occurs when:

• The application server is behind a firewall using port forwarding or NAT

• The connector between the application server and Web server does not provide accurate information

• The application server is front-ended by a proxy server

Configuring Logs to Work with Load Balancers

You can configure Identity Manager to automatically log the client IP address contained in the x-Forwarded-For HTTP request header, which is the standard header for identifying the originating IP address of a client connecting to a web server through a load balancer or HTTP proxy. If necessary, you can also configure Identity Manager to use a custom HTTP header.

To force Identity Manager to log IP addresses contained in a custom HTTP request header, use the following steps:

1. Open Waveset.properties in a text editor.

2. Search for client.headerIPVariable= and uncomment the line.

3. Type the name of the HTTP request header that you want Identity Manager to use instead.

   Alternatively, you can disable this feature by setting the property equal to zero.

4. Save Waveset.properties.

5. Restart Identity Manager.

You can apply this configuration to both audit logs and system logs.

If you do not want Identity Manager to automatically log the client IP address, you can disable this feature by uncommenting the client.headerIPVariable in the Waveset.properties file.