OpenAM 13.5 redirects to server URL instead of site URL in load balanced environment
The purpose of this article is to provide assistance if OpenAM incorrectly redirects you to the server URL instead of to the expected site URL in a load balanced environment. You will also see a 400 Bad Request response with a message: "FQDN \"lb.example.com\" is not valid."
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
OpenAM redirects you to the server URL instead of to the expected site URL in a load balanced environment.
You may see the following response if you use a REST call or examine network traffic using your browser's Developer Tools:
{"code": 400, "reason": "Bad Request", "message": "FQDN \"lb.example.com\" is not valid."}
where lb.example.com is the site URL (load balancer).
You will also see this message if you make changes to the default Advanced server properties, and then try to view or change realm details in the OpenAM console.
Other symptoms may include:
- End users get an error when they access the site URL if the server URL they are redirected to is not accessible externally.
- Restarting the server can restore expected behavior since this resets the FQDN map.
Recent Changes
Made changes to any of the server properties via the OpenAM console on the site URL (which points to the load balancer).
Causes
The site hostname is automatically added to the in-memory FQDN map at startup; however, saving subsequent changes to server properties causes getFqdnMap in FqdnValidator.java to reinitialize the FQDN map from the persisted server properties, which empties it of the site hostname. From that point, anyone accessing the site URL is redirected to the default server FQDN because the site URL is no longer in the FQDN map.
This issue is caused by changes made in OpenAM 13.5 that removed the need to restart the server after updating the FQDN map: OPENAM-7914 (Make the attribute com.sun.identity.server.fqdnMap hot-swappable).
Solution
This issue can be resolved by upgrading to OpenAM 13.5.1 or later; you can download this from BackStage.
Workaround
Alternatively, you can map the FQDN to the site URL. For example, where the site URL is lb.example.com:
- OpenAM console: navigate to Configure > Server Defaults > Advanced and add the com.sun.identity.server.fqdnMap[siteURL] property. For example:
  com.sun.identity.server.fqdnMap[lb.example.com] = lb.example.com
  Once you have entered the property and value, click + to add, followed by Save Changes.
- ssoadm: enter the following command, replacing [adminID], [passwordfile] and [siteURL] with appropriate values:
  $ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -a com.sun.identity.server.fqdnMap[siteURL]=[siteURL]
  For example:
  $ ./ssoadm update-server-cfg -s default -u amadmin -f pwd.txt -a com.sun.identity.server.fqdnMap[lb.example.com]=lb.example.com
Note
You do not need to restart the web application container in which OpenAM runs to apply this change in OpenAM 13.5.
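The following Python model walks through the failure sequence described under Causes and shows why the Workaround mapping survives a property save. It is an added example, not OpenAM code: FqdnValidatorModel is a hypothetical stand-in for the behaviour of FqdnValidator.java as the article describes it, the server host openam1.example.com and the property com.iplanet.am.session.maxSessionTime used to trigger a save are assumptions, and the 400 body is constructed to match the one shown under Symptoms.

```python
"""Model of the FQDN-map lifecycle this article describes (added example, not OpenAM code)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

FQDN_MAP_PROP = "com.sun.identity.server.fqdnMap"
_PROP_RE = re.compile(r"^com\.sun\.identity\.server\.fqdnMap\[(?P<host>[^\]]+)\]$")


@dataclass
class FqdnValidatorModel:
    """Hypothetical stand-in for OpenAM's FqdnValidator: owns the in-memory FQDN map."""
    default_fqdn: str                      # server URL host (assumed: openam1.example.com)
    site_hosts: set[str]                   # site URL hosts, e.g. {"lb.example.com"}
    server_props: dict[str, str] = field(default_factory=dict)  # persisted Advanced properties
    fqdn_map: dict[str, str] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        self.startup()

    def _map_from_props(self) -> dict[str, str]:
        # Persisted entries only: the default server FQDN plus any fqdnMap[...] properties.
        fqdn_map = {self.default_fqdn: self.default_fqdn}
        for key, value in self.server_props.items():
            match = _PROP_RE.match(key)
            if match:
                fqdn_map[match.group("host")] = value
        return fqdn_map

    def startup(self) -> None:
        """Server start: build the map from properties, then add site hostnames in memory."""
        self.fqdn_map = self._map_from_props()
        for host in self.site_hosts:
            self.fqdn_map.setdefault(host, host)

    def save_server_property(self, key: str, value: str) -> None:
        """Saving an Advanced property hot-swaps the map (the 13.5 behaviour the article
        describes): it is rebuilt from persisted properties, so in-memory site entries vanish."""
        self.server_props[key] = value
        self.fqdn_map = self._map_from_props()

    def is_valid(self, host: str) -> bool:
        return host in self.fqdn_map

    def handle(self, host: str, rest: bool = False) -> tuple[str, str]:
        """What a request for `host` gets: ('ok', host), ('redirect', server) or ('400', body)."""
        if self.is_valid(host):
            return ("ok", host)
        if rest:
            body = {"code": 400, "reason": "Bad Request",
                    "message": f'FQDN "{host}" is not valid.'}
            return ("400", json.dumps(body))
        return ("redirect", self.default_fqdn)


def fqdn_from_400(body: str) -> str | None:
    """Extract the rejected hostname from the 400 response shown under Symptoms, if present."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if doc.get("code") != 400:
        return None
    match = re.search(r'FQDN "([^"]+)" is not valid', doc.get("message", ""))
    return match.group(1) if match else None


def workaround_property(site_host: str) -> tuple[str, str]:
    """The property/value pair the Workaround section tells you to persist for a site host."""
    return (f"{FQDN_MAP_PROP}[{site_host}]", site_host)


def demo() -> dict[str, tuple[str, str]]:
    """Healthy start, a property save breaks the site URL, the workaround survives a save."""
    v = FqdnValidatorModel("openam1.example.com", {"lb.example.com"})
    before = v.handle("lb.example.com")
    # Any property save triggers the hot-swap (property name is an assumed example).
    v.save_server_property("com.iplanet.am.session.maxSessionTime", "120")
    after = v.handle("lb.example.com")
    rest = v.handle("lb.example.com", rest=True)
    # Apply the workaround: persist fqdnMap[lb.example.com]=lb.example.com, no restart.
    key, value = workaround_property("lb.example.com")
    v.save_server_property(key, value)
    v.save_server_property("com.iplanet.am.session.maxSessionTime", "60")
    fixed = v.handle("lb.example.com")
    return {"before": before, "after": after, "rest": rest, "fixed": fixed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model makes the mechanism concrete: the site hostname is present only in memory after startup, so the first property save drops it and requests for lb.example.com are redirected to the server FQDN (or rejected with the 400 body over REST). Once the mapping is persisted as a server property it is part of every rebuild of the map, which is why the workaround holds across later saves without a restart.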
See Also
How do I set up Realm DNS Aliases in OpenAM 13.x?
Related Training
N/A
Related Issue Tracker IDs
OPENAM-7914 (Make the attribute com.sun.identity.server.fqdnMap hot-swappable)
OPENAM-9628 (Strange 400 response after changing advanced default server properties from site URL)