Forum Discussion
OpenText EIM Redirect Issue
I am trying to setup a VIP for a OpenText EIM solution. I have a standard vip for port 443. However, the server keeps doing a redirect for another FDQN. So in this case, I am putting in https://content.companya.com and the browser is getting redirected to https://servera.host.local (the domain name for the server itself). If I go to the FQDN of the server itself (servera.host.local), it works fine. According to OpenText, this is an issue with the OpenText Directory Services (OTDS) as the this is the expected behaviour as during the installation of OTDS, it is required that we have to use the FQDN and use certificates that have been created against that hostname of the server. A reverse proxy must be used to translate requests between different top-level domains. So what type of iRule do I need to setup to make the translation work?
- Kevin_Davies_40Nacreous
If this is only an installation issue (one off)
- Create in a self signed cert with the correct CN in System->File Management->SSL Certificate List
- Create a new ssl client profile Local Traffic-> Profiles -> SSL -> Client using the new certificate and key you just created.
- Create a a new virtual with a single pool member containing the backend server and select SNAT automap.
- Apply a clientssl profile that you created and the default serverssl profile.
- Create a hosts file entry on the client machine that points servera.host.local to the new virtual server address.
Try now. Delete above configuration when finished.
- Brian_H__Jones_Nimbostratus
Still not working. The packet trace shows that when the packet goes to the pool member, another connection is initiated to the OTDS server which is a separate server. The result is that the error "There was a problem with your request. Please contact your administrator if this persists. The DNS domains for the request and response differ or cannot be determined. As OTDS uses domain-level cookies, the request and response must originate within the same DNS domain. Please make sure that fully qualified DNS domains are specified in all configuration and browser entries. Do not use IP address or local names. The redirect URL was given as "https://contentcenter:443/OTCS/cs.exe", and the OTDS URL followed was "http://dfmspotparc.hostederp.local:8080/otdsws/login"."
The Opentext support says that the solution is a "reverse proxy", so I am taking it that when the request comes in from the client as "www.companya.com" the F5 needs to forward the request to the server as "servera.host.local". However, the OTDS server is not part of the pool as it is a separate box.
- Kevin_Davies_40Nacreous
There is not enough information here for me to help you.
You can do this with LTM as well but as you can see when you have multiple outgoing to requests to different destinations you need to create virtual's for them as well. The problem here is I do not have a clear picture of what is happening. Can you draw up a diagram to explain the application flows that are going on here and attach to this post.
As for correct naming, the BIGIP can rename anything in the traffic flow to make it look right to the application, that is one of its strengths. The challenge for the solution designer is to clearly understand what the server is expecting.
- Brian_H__Jones_Nimbostratus
So the issue is that the Content Server talks to another because that is where directory services in running. After the directory services application checks to make sure there is a valid user, it should return the client to the content server. According to OpenText is that the FDQN for content server is in a .local domain, it then talks to directory services which is also in the same .local domain. But the original URL is the company.com. So when the reply go back to the client, it is only referencing the .local domain.
From the sniffer trace, I can see the following:
-
Client sends a request to the Content Server
-
Whenever we call Content server, it communicates to directory services server for authentication.
-
The directory services server sends a request to the Client for authentication
-
Client response back to the directory service server with creditentials
-
The directory services server checks the Active directory for the user existence and roles.
-
The archive server send a 302 redirect to .local:443/OTCS/livelink.exe to client to continue back to the Content Server, instead of sending .company.com/OTCS/livelink.exe
The server team built a Apache reverse proxy to replace the F5 as a test. The results came back that the application works as expected. I am going to try to do a sniffer trace with that later today.
I tried to use the Proxy Pass irule to emulate the functions but it is still doing the behavior above.
-
- Brian_H__Jones_Nimbostratus
Here are the key parts of the httpd.conf from the reverse proxy:
LimitRequestFieldsize 131072 ProxyRequests Off
ProxyPass /otdsws/ http://dfpspotqarc.hostederp.local:8080/otdsws/ ProxyPassReverse /otdsws/ http://dfpspotqarc.hostederp.local:8080/otdsws/
ProxyPass /OTCS/ http://dfpspotqcon.hostederp.local/OTCS/ ProxyPassReverse /OTCS/ http://dfpspotqcon.hostederp.local/OTCS/
ProxyHTMLEnable On ProxyHTMLExtended On
ProxyHTMLURLMap http://dfpspotqcon.hostederp.local/OTCS/ /OTCS/ ProxyHTMLURLMap http://dfpspotqarc.hostederp.local:8080/otdsws/ /otdsws/ ProxyHTMLURLMap url(http://dfpspotqcon.hostederp.local([^)]*)) url(biq.dfamilk.com:99$1) Rihe
ProxyPass /OTCS/favicon.ico http://dfpspotqcon.hostederp.local/OTCS/favicon.ico ProxyPassReverse /OTCS/favicon.ico http://dfpspotqcon.hostederp.local/OTCS/favicon.ico
ProxyPass /OTCS/ http://dfpspotqcon.hostederp.local:80/OTCS/ ProxyPassReverse /OTCS/ http://dfpspotqcon.hostederp.local:80/OTCS/
ProxyPass /img/ http://dfpspotqcon.hostederp.local/img/ ProxyPassReverse /img/ http://dfpspotqcon.hostederp.local/img/
ProxyPass /img/ http://dfpspotqcon.hostederp.local:80/img/ ProxyPassReverse /img/ http://dfpspotqcon.hostederp.local:80/img/
ProxyPass /otdsws/app_directory_services.ico http://dfpspotqarc.hostederp.local:8080/otdsws/app_directory_services.ico
ProxyPassReverse /otdsws/app_directory_services.ico http://dfpspotqarc.hostederp.local:8080/otdsws/app_directory_services.ico
ProxyPass /img/favicon.ico http://dfpspotqcon.hostederp.local:80/img/favicon.ico ProxyPassReverse /img/favicon.ico http://dfpspotqcon.hostederp.local:80/img/favicon.ico
ProxyPass /img/favicon.ico http://dfpspotqcon.hostederp.local/img/favicon.ico ProxyPassReverse /img/favicon.ico http://dfpspotqcon.hostederp.local/img/favicon.ico
ProxyPassReverse / ProxyHTMLEnable On ProxyHTMLURLMap / /OTDS/ RequestHeader unset Accept-Encoding
ProxyPassReverse / ProxyHTMLEnable On ProxyHTMLURLMap / /otdsws/ RequestHeader unset Accept-Encoding
ProxyPassReverseCookieDomain .hostederp.local .dfamilk.com
- smiley_dba_1116NimbostratusHow did you get the auth working in Open Text? We are deploying this in our environment and curious how you got the auth to work.
- smiley_dba_1116Nimbostratus
Was there ever a fix for this? We are trying to do OpenText Directory Services and we are running into the same issue. Thoughts?
RGW
- GowriTech_34270Nimbostratus
2 cents:
You can use URL mapping withing same VIP and have routed to different nodes.
/OTCS URL - Content server nodes (1...N) /otdsws URL - OTDS server nodes (1...N)
This way we can have only one DNS for example http(s)://content.company.com and based on URL it can route to different nodes.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com