IBM Security Verify

  • 1.  Reverse proxy / Policy server mismatch

    Posted Thu November 18, 2021 09:20 AM
    We found a peculiar issue on our production environment yesterday.

    Situation:
    We have 2 ISVA servers with Reverse proxy and 2 additional ISVA servers which handle the AAC/policy/federation.
    On one of the instances on the Reverse Proxies, within the management root --> junction-root, we have some local screens which are located in the /test folder.
    On the policy server we had an ACL attached to the /test folder.

    After deploying new screens yesterday using a zip file import, the situation changed. The reverse proxy layout of the junction-root looks the same. However, in the object space of the policy server an additional /test directory is shown. So all files are showing up in /test/test now.
    We can still attach an ACL to the first /test directory but aren't able to remove it (0x14c01263).

    The zip file used didn't contain the extra /test directory.
    Also, the files accessed from the internet need to be accessed in the /test/test format.

    We did some extra testing with creating extra directories within the junction-root. If an extra /ibm directory was added, then it showed up twice in the object space of the policy server: once as /ibm and once as /test/ibm.

    Any help is needed to return to the correct situation.

    ------------------------------
    Henk Molema
    ------------------------------


  • 2.  RE: Reverse proxy / Policy server mismatch

    Posted Thu November 18, 2021 05:28 PM
    Henk,
     
    I just tried to replicate this issue in my environment but everything worked fine.
     
    To recover, you should be able to delete the additional HTML files from the 'management root' panel of the LMI. Generally, objects in the object space are 'live' and represent the current pages being served by WebSEAL - however, it is also possible to manually create the objects using pdadmin or the 'Policy Administration' page in the LMI, in which case you would also need to manually delete these objects.
     
    I can't say how your environment got into this state, but would suggest that you open a support ticket with IBM so that it can be investigated further.
     
    I hope that this helps.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access
    IBM Master Inventor

  • 3.  RE: Reverse proxy / Policy server mismatch

    Posted Fri November 19, 2021 07:59 AM
    Thanks for your reply Scott.

    We thought that the situation started on the previously mentioned date, but it now seems that it occurred way earlier. This also means that we have no idea what triggered this.
    We also had everything deleted within the junction-root, but the policy server kept seeing a /tam directory.
    It seems more to be an issue regarding the reverse proxy and how it shows its files in the GUI.

    ------------------------------
    Henk Molema
    ------------------------------



  • 4.  RE: Reverse proxy / Policy server mismatch

    Posted Wed December 15, 2021 03:55 AM
    Hi,

    Is there a way to fix an issue like this, a mismatch between the junction-root and what you see in the security domain (Policy-server)?

    I have tried to remove the /tam from the object space by GUI and CLI but I did not succeed; it looks like I don't have the permission to do this with sec_master.

    Can it be that the /tam in the object-space that we can not remove has been created with a different user…

    Or is there a way that the /tam is still in the junction-root but that we can not see it in the GUI…

    Jasper.



    ------------------------------
    Jasper
    ------------------------------



  • 5.  RE: Reverse proxy / Policy server mismatch

    Posted Wed December 15, 2021 04:59 AM
    Jasper,

    Just a quick suggestion - is the ..../tam object actually an "objectspace" rather than an "object"? I have seen that before.
    Do an "objectspace list" to check the .../tam object doesn't show up there. If it does, you'd have to use "objectspace delete" to remove it.

    Bit of a long shot but thought I'd ask.
    If it really is an object that you can't remove, what is the ACL, POP, AuthzRule attached - any reason why this prevents d (delete) permission?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
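The two checks Jon suggests above (is .../tam registered as an object space rather than an object, and does the admin's ACL entry actually carry the d bit) scripted as an added example. This is not code from the thread or from IBM; it assumes pdadmin is on the PATH for the live commands in the comments, the instance name rp1-default and the ACL name default-webseal are placeholders, and the sample pdadmin output is constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread. Each function reads pdadmin output on
# stdin, so it can be fed either a live "pdadmin ..." command or the
# constructed samples below.

# Constructed sample of "pdadmin objectspace list" output.
SAMPLE_OBJECTSPACES='/WebSEAL
/Management
/tam'

# Constructed sample of "pdadmin acl show default-webseal" output, in the
# real layout: one "User|Group <name> <permission string>" entry per line.
SAMPLE_ACL='ACL Name: default-webseal
Description: Default WebSEAL ACL
Entries:
    User sec_master TcmdbsvaBRrxl
    Group iv-admin TcmdbsvaBRrxl
    Group ops-team Trx
    Any-other Trx
    Unauthenticated T'

# objectspace_contains NAME
# Exit 0 if NAME appears as its own line in "objectspace list" output,
# i.e. it is an object space and must go via "objectspace delete NAME".
# Live: pdadmin -a sec_master -p "$PW" objectspace list | objectspace_contains /tam
objectspace_contains() {
  sed 's/^[[:space:]]*//' | grep -qx -- "$1"
}

# acl_entry_has_delete PRINCIPAL
# Exit 0 if the User or Group entry for PRINCIPAL in "acl show" output
# includes the lowercase 'd' (delete) permission, exit 1 otherwise.
# Live: pdadmin -a sec_master -p "$PW" acl show default-webseal | acl_entry_has_delete sec_master
acl_entry_has_delete() {
  awk -v p="$1" '
    ($1 == "User" || $1 == "Group") && $2 == p {
      if (index($3, "d") > 0) found = 1
    }
    END { if (found) exit 0; exit 1 }
  '
}

# Offline demonstration against the constructed samples.
if printf '%s\n' "$SAMPLE_OBJECTSPACES" | objectspace_contains /tam; then
  echo "/tam is an object space: remove it with 'objectspace delete /tam'"
fi
if printf '%s\n' "$SAMPLE_ACL" | acl_entry_has_delete sec_master; then
  echo "sec_master's entry in default-webseal grants d (delete)"
fi
```

If the object is not an object space and the effective ACL does grant d, the remaining explanations from the thread are an ACL inherited from a parent object, or a POP or AuthzRule on the object, which is what "object show /WebSEAL/rp1-default/tam" (with your own instance name) displays.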



  • 6.  RE: Reverse proxy / Policy server mismatch

    Posted Thu May 04, 2023 10:08 AM

    Hi all,

    We still have the "issue"; because everything is working correctly, it has no priority for us.
    We had a good look at the objectspace, POP, ACL and AuthzRule; we did not see anything remarkable there.

    Somehow the item popped up again so we had a "fresh" look at it.
    We found that the 2 RP nodes are in a RP cluster (Stanza [cluster]).

    Is it likely the clustering has something to do with this?

    Jasper.



    ------------------------------
    Jasper Teuben
    ------------------------------