This simple solution works only if you are not using iptables to translate ports of other applications or other Access Manager components. For a solution that works with multiple components, see Configuring iptables for Multiple Components.
Ensure that you have enabled port forwarding. See Port Forwarding.
Perform the following steps to configure a simple redirect script:
Click Devices > Identity Server.
Select the Identity Server name, click Edit, and configure the Base URL with the HTTPS protocol and port 443.
Click OK.
Update Identity Server.
At a terminal window, log in as the root user.
Create a unit configuration file (a shell script) to hold the iptables rules and place it in any directory, for example /usr/bin/redirect-idp.
Ensure that it has execute rights, for example by using chmod.
NOTE: Do not create the file in the /etc/init.d directory because doing so may cause issues. For information about the issues, see 13.3.3 System V Compatibility.
Copy the following example script and paste it in the file that you created in Step 6 (the unit configuration file, for example /usr/bin/redirect-idp).
The following is an example of a redirect startup file:
#!/bin/sh
# Copyright (c) 2010 Novell, Inc.
# All rights reserved.
#
### BEGIN INIT INFO
# Provides:       idp_8443_redirect
# Required-Start:
# Required-Stop:
# Default-Start:  2 3 5
# Default-Stop:   0 1 6
# Description:    Redirect 8443 to 443 for Novell IDP
### END INIT INFO
#
# Environment-specific variables: adjust the interface and the
# Identity Server address for your system.
IPT_BIN=/usr/sbin/iptables
INTF=eth0
ADDR=10.10.0.1

. /etc/rc.status

# First reset status of this service
rc_reset

case "$1" in
    start)
        echo -n "Starting IP Port redirection"
        # Flushes every rule in the nat table, not only the ones added here
        # (this is why the solution suits only a single-component host).
        $IPT_BIN -t nat --flush
        # Incoming traffic on the external interface: 80 -> 8080, 443 -> 8443
        $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 80  -j DNAT --to ${ADDR}:8080
        $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 -j DNAT --to ${ADDR}:8443
        # Locally generated traffic to the server's own address goes through OUTPUT
        $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 443 -j DNAT --to ${ADDR}:8443
        $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 80  -j DNAT --to ${ADDR}:8080
        rc_status -v
        ;;
    stop)
        echo -n "Flushing all IP Port redirection rules"
        $IPT_BIN -t nat --flush
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
rc_exit
For more information about init scripts for SLES 12, see “Managing Services in a Running System” in the SLES 12 Administration Guide.
Create a systemd service unit at /etc/systemd/system/<unit-name>.service. In this example, the unit name is redirect-idp, so the service unit is /etc/systemd/system/redirect-idp.service.
Copy the following code and paste it in the service unit:
[Unit]
Description=Novell AM-IDP-Redirection
After=local-fs.target network.target

[Service]
Type=oneshot
ExecStart=/usr/bin/redirect-idp start
ExecStop=/usr/bin/redirect-idp stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
Modify the service unit content as required, but ensure that ExecStart and ExecStop point to the script that you created in the unit configuration file.
In this example, both lines must reference /usr/bin/redirect-idp.
Execute the following commands:
systemctl daemon-reload
systemctl enable <unit-name>.service
For example, systemctl enable redirect-idp.service
Reboot the Identity Server machine.
Verify that port 443 is being routed to Identity Server by running the following command:
iptables -t nat -nvL
The following is a sample entry:
pkts bytes target prot opt in   out source    destination
  17   748 DNAT   tcp  --  eth0 *   0.0.0.0/0 0.0.0.0/0   tcp dpt:443 to:10.10.0.1:8443
This entry states that TCP port 443 arriving on eth0 is being redirected to port 8443 on IP address 10.10.0.1.
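The verification step above relies on reading the NAT listing by eye. The following script is an added example, not part of the Access Manager documentation: it parses text in the format of iptables -t nat -nvL and confirms that the four DNAT rules the redirect script installs are present for the expected interface and address. SAMPLE_NAT_LISTING is constructed sample output; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Access Manager documentation): check a NAT
# listing for the DNAT rules installed by the redirect script.
# SAMPLE_NAT_LISTING is constructed to mimic 'iptables -t nat -nvL' output.
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17   748 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.10.0.1:8080
   17   748 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.10.0.1:8443

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.0.1            tcp dpt:443 to:10.10.0.1:8443
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.0.1            tcp dpt:80 to:10.10.0.1:8080'

# redirect_present LISTING CHAIN INTERFACE DPORT TARGET
# Returns 0 when CHAIN in LISTING holds a DNAT rule for tcp dport DPORT on
# INTERFACE ("*" for any) that rewrites to TARGET (host:port); otherwise 1.
redirect_present() {
    printf '%s\n' "$1" | awk -v chain="$2" -v intf="$3" -v dport="$4" -v target="$5" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == "DNAT" && $4 == "tcp" && $6 == intf {
            port_ok = 0; target_ok = 0
            for (i = 10; i <= NF; i++) {          # match options after the destination column
                if ($i == ("dpt:" dport)) port_ok = 1
                if ($i == ("to:" target)) target_ok = 1
            }
            if (port_ok && target_ok) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# check_idp_redirect LISTING INTERFACE ADDR
# Verifies all four rules the redirect script installs (80 and 443, both chains).
check_idp_redirect() {
    redirect_present "$1" PREROUTING "$2" 443 "$3:8443" &&
    redirect_present "$1" PREROUTING "$2" 80  "$3:8080" &&
    redirect_present "$1" OUTPUT "*" 443 "$3:8443" &&
    redirect_present "$1" OUTPUT "*" 80  "$3:8080"
}

# Demonstration against the constructed listing; on a live Identity Server,
# run as root and pass "$(iptables -t nat -nvL)" instead of "$SAMPLE_NAT_LISTING".
if check_idp_redirect "$SAMPLE_NAT_LISTING" eth0 10.10.0.1; then
    echo "all IDP redirect rules are in place"
else
    echo "one or more IDP redirect rules are missing" >&2
fi
```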
(Conditional) If your Identity Server cluster configuration contains more than one Identity Server, repeat these steps on each server in the cluster.