3.4 Translating Identity Server Configuration Port

To enable Identity Server to communicate through a firewall, you can perform one of the following actions:

  • Open TCP ports 8080 and 8443. These are the default ports used for non-secure and secure communication with Identity Server, respectively.

  • Configure the Identity Server service to use the TCP port 80 or 443.

The Identity Server service (hosted on Tomcat) runs as a non-privileged user and therefore cannot bind to ports below 1024. To accept requests on port 80/443 while Tomcat is listening on 8080/8443, the preferred approach is to use iptables to perform a port translation. Port translation allows the base URL of Identity Server to be configured for port 443, so clients connect on that port, and iptables translates the traffic to port 8443 before it reaches Tomcat.

The following are two solutions out of many possibilities:

  • If you have disabled the SLES firewall and do not have any other Access Manager components installed on the same server along with Identity Server, use a simple iptables script to translate the ports. See Configuring a Simple Redirect Script.

  • If you have configured the SLES firewall or have installed other Access Manager components on the same server along with Identity Server, use a custom rule script that allows for multiple port translations. See Configuring iptables for Multiple Components.

For information about iptables, see “Iptable Tutorial 1.2.2” and “NAM Filters for iptables Commands”.

Port Forwarding

For both of these configurations (Configuring a Simple Redirect Script and Configuring iptables for Multiple Components) to work, you must enable port forwarding. To verify whether port forwarding is enabled, run the following command:

    cat /proc/sys/net/ipv4/ip_forward

If the value is 0, then port forwarding is not enabled.

To enable port forwarding, perform the following steps:

  1. Run the following command:

    echo 1 > /proc/sys/net/ipv4/ip_forward

  2. Verify the status by running the cat command above again; the value should now be 1.

For more information, see How To Forward Ports through a Linux Gateway with Iptables.
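The following script is an added example that illustrates the port translation described in this section and the port-forwarding check above; it is not the Access Manager documentation's own "Simple Redirect Script" and does not replace the scripts referenced there. It assumes iptables is installed, Tomcat listens on the default ports 8080/8443, and the script is run as root when APPLY=1 (by default it only prints the commands it would run). The IP_FORWARD_FILE variable is a hypothetical override so the check can be exercised against a test file.

```shell
#!/bin/sh
# Added example: translate the public ports 80/443 to Tomcat's 8080/8443
# with iptables, after checking that port forwarding is enabled.
# Assumptions: iptables present, Tomcat on 8080/8443, root when APPLY=1.

IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"  # override for testing
APPLY="${APPLY:-0}"   # 0 = print the commands only, 1 = execute them (needs root)

# Return 0 if port forwarding is enabled (the file contains 1), 1 otherwise.
ip_forward_enabled() {
    [ "$(cat "$IP_FORWARD_FILE" 2>/dev/null)" = "1" ]
}

# Print the iptables commands that map a public port to a Tomcat port.
# $1 = public port (e.g. 443), $2 = Tomcat port (e.g. 8443).
redirect_rules() {
    public="$1"; tomcat="$2"
    # Traffic arriving from other hosts is rewritten in the nat PREROUTING chain ...
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$public" "$tomcat"
    # ... but locally generated traffic (e.g. a health check on the same host)
    # never passes PREROUTING, so the loopback OUTPUT chain needs the same rule.
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$public" "$tomcat"
}

# Execute a command when APPLY=1, otherwise just show it.
run_cmd() {
    if [ "$APPLY" = "1" ]; then
        eval "$1"
    else
        printf '%s\n' "$1"
    fi
}

main() {
    if ip_forward_enabled; then
        echo "# port forwarding already enabled"
    else
        run_cmd "echo 1 > $IP_FORWARD_FILE"
    fi
    redirect_rules 80 8080  | while IFS= read -r cmd; do run_cmd "$cmd"; done
    redirect_rules 443 8443 | while IFS= read -r cmd; do run_cmd "$cmd"; done
}

main
```

Run it once without APPLY to review the exact rules it would add, then with APPLY=1 as root to apply them. Because the change to ip_forward and the nat rules are not persistent, add the equivalent to the distribution's firewall or sysctl configuration so they survive a reboot; when other Access Manager components share the server, use the multiple-component rule script referenced above instead so the rules do not collide.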