Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Clear all filters
Answers

OpenText EIM Redirect Issue

I am trying to setup a VIP for a OpenText EIM solution. I have a standard vip for port 443. However, the server keeps doing a redirect for another FDQN. So in this case, I am putting in https://content.companya.com and the browser is getting redirected to https://servera.host.local (the domain name for the server itself). If I go to the FQDN of the server itself (servera.host.local), it works fine. According to OpenText, this is an issue with the OpenText Directory Services (OTDS) as the this is the expected behaviour as during the installation of OTDS, it is required that we have to use the FQDN and use certificates that have been created against that hostname of the server. A reverse proxy must be used to translate requests between different top-level domains. So what type of iRule do I need to setup to make the translation work?

0
Rate this Question
Comments on this Question
Comment made 21-Mar-2016 by smiley_dba 382
How did you get the auth working in Open Text? We are deploying this in our environment and curious how you got the auth to work.
0

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If this is only an installation issue (one off)

  1. Create in a self signed cert with the correct CN in System->File Management->SSL Certificate List
  2. Create a new ssl client profile Local Traffic-> Profiles -> SSL -> Client using the new certificate and key you just created.
  3. Create a a new virtual with a single pool member containing the backend server and select SNAT automap.
  4. Apply a clientssl profile that you created and the default serverssl profile.
  5. Create a hosts file entry on the client machine that points servera.host.local to the new virtual server address.

Try now. Delete above configuration when finished.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Still not working. The packet trace shows that when the packet goes to the pool member, another connection is initiated to the OTDS server which is a separate server. The result is that the error "There was a problem with your request. Please contact your administrator if this persists. The DNS domains for the request and response differ or cannot be determined. As OTDS uses domain-level cookies, the request and response must originate within the same DNS domain. Please make sure that fully qualified DNS domains are specified in all configuration and browser entries. Do not use IP address or local names. The redirect URL was given as "https://contentcenter:443/OTCS/cs.exe", and the OTDS URL followed was "http://dfmspotparc.hostederp.local:8080/otdsws/login"."

The Opentext support says that the solution is a "reverse proxy", so I am taking it that when the request comes in from the client as "www.companya.com" the F5 needs to forward the request to the server as "servera.host.local". However, the OTDS server is not part of the pool as it is a separate box.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

There is not enough information here for me to help you.

You can do this with LTM as well but as you can see when you have multiple outgoing to requests to different destinations you need to create virtual's for them as well. The problem here is I do not have a clear picture of what is happening. Can you draw up a diagram to explain the application flows that are going on here and attach to this post.

As for correct naming, the BIGIP can rename anything in the traffic flow to make it look right to the application, that is one of its strengths. The challenge for the solution designer is to clearly understand what the server is expecting.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

So the issue is that the Content Server talks to another because that is where directory services in running. After the directory services application checks to make sure there is a valid user, it should return the client to the content server. According to OpenText is that the FDQN for content server is in a .local domain, it then talks to directory services which is also in the same .local domain. But the original URL is the company.com. So when the reply go back to the client, it is only referencing the .local domain.

From the sniffer trace, I can see the following:

  1. Client sends a request to the Content Server

  2. Whenever we call Content server, it communicates to directory services server for authentication.

  3. The directory services server sends a request to the Client for authentication

  4. Client response back to the directory service server with creditentials

  5. The directory services server checks the Active directory for the user existence and roles.

  6. The archive server send a 302 redirect to .local:443/OTCS/livelink.exe to client to continue back to the Content Server, instead of sending .company.com/OTCS/livelink.exe

The server team built a Apache reverse proxy to replace the F5 as a test. The results came back that the application works as expected. I am going to try to do a sniffer trace with that later today.

I tried to use the Proxy Pass irule to emulate the functions but it is still doing the behavior above.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
<P>Here are the key parts of the httpd.conf from the reverse proxy:</P> <P>LimitRequestFieldsize 131072 ProxyRequests Off</P> <P>ProxyPass /otdsws/ http://dfpspotqarc.hostederp.local:8080/otdsws/ ProxyPassReverse /otdsws/ http://dfpspotqarc.hostederp.local:8080/otdsws/</P> <P>ProxyPass /OTCS/ http://dfpspotqcon.hostederp.local/OTCS/ ProxyPassReverse /OTCS/ http://dfpspotqcon.hostederp.local/OTCS/</P> <P>ProxyHTMLEnable On ProxyHTMLExtended On</P> <P>ProxyHTMLURLMap http://dfpspotqcon.hostederp.local/OTCS/ /OTCS/ ProxyHTMLURLMap http://dfpspotqarc.hostederp.local:8080/otdsws/ /otdsws/ ProxyHTMLURLMap url(http://dfpspotqcon.hostederp.local([^)]*)) url(biq.dfamilk.com:99$1) Rihe</P> <P>ProxyPass /OTCS/favicon.ico http://dfpspotqcon.hostederp.local/OTCS/favicon.ico ProxyPassReverse /OTCS/favicon.ico http://dfpspotqcon.hostederp.local/OTCS/favicon.ico</P> <P>ProxyPass /OTCS/ http://dfpspotqcon.hostederp.local:80/OTCS/ ProxyPassReverse /OTCS/ http://dfpspotqcon.hostederp.local:80/OTCS/</P> <P>ProxyPass /img/ http://dfpspotqcon.hostederp.local/img/ ProxyPassReverse /img/ http://dfpspotqcon.hostederp.local/img/</P> <P>ProxyPass /img/ http://dfpspotqcon.hostederp.local:80/img/ ProxyPassReverse /img/ http://dfpspotqcon.hostederp.local:80/img/</P> <P>ProxyPass /otdsws/app_directory_services.ico http://dfpspotqarc.hostederp.local:8080/otdsws/app_directory_services.ico</P> <P>ProxyPassReverse /otdsws/app_directory_services.ico http://dfpspotqarc.hostederp.local:8080/otdsws/app_directory_services.ico</P> <P>ProxyPass /img/favicon.ico http://dfpspotqcon.hostederp.local:80/img/favicon.ico ProxyPassReverse /img/favicon.ico http://dfpspotqcon.hostederp.local:80/img/favicon.ico</P> <P>ProxyPass /img/favicon.ico http://dfpspotqcon.hostederp.local/img/favicon.ico ProxyPassReverse /img/favicon.ico http://dfpspotqcon.hostederp.local/img/favicon.ico</P> <P><Location /OTDS/> ProxyPassReverse / ProxyHTMLEnable On ProxyHTMLURLMap / /OTDS/ RequestHeader unset Accept-Encoding </LOCATION></P> <P><Location /otdsws/> ProxyPassReverse / ProxyHTMLEnable On ProxyHTMLURLMap / /otdsws/ RequestHeader unset Accept-Encoding </LOCATION></P> <P>ProxyPassReverseCookieDomain .hostederp.local .dfamilk.com </P>
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Was there ever a fix for this? We are trying to do OpenText Directory Services and we are running into the same issue. Thoughts?

RGW

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

2 cents:

You can use URL mapping withing same VIP and have routed to different nodes.

/OTCS URL - Content server nodes (1...N) /otdsws URL - OTDS server nodes (1...N)

This way we can have only one DNS for example http(s)://content.company.com and based on URL it can route to different nodes.

0