
OpenAM 13.5 redirects to server URL instead of site URL in load balanced environment

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if OpenAM incorrectly redirects you to the server URL instead of to the expected site URL in a load balanced environment. You will also see a 400 Bad Request response with a message: "FQDN \"lb.example.com\" is not valid."


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

OpenAM redirects you to the server URL instead of to the expected site URL in a load balanced environment.

You may see the following response if you use a REST call or examine network traffic using your browser's Developer Tools:

{"code": 400,"reason": "Bad Request", "message":"FQDN \"lb.example.com\" is not valid."}

where lb.example.com is the site URL (load balancer).

You will also see this message if you make changes to the default Advanced server properties, and then try to view or change realm details in the OpenAM console.

Other symptoms may include:

  • End users who access the site URL get an error if the server URL is not accessible externally.
  • Restarting the server can restore expected behavior since this resets the FQDN map.

Recent Changes

Changes were made to any of the server properties via the OpenAM console while it was accessed on the site URL (which points to the load balancer).

Causes

The site hostname is automatically added to the in-memory FQDN map at runtime; however, saving subsequent changes to server properties causes getFqdnMap in FqdnValidator.java to reinitialize the FQDN map to 0 entries, rebuilding it from the persisted properties only. At this point, anyone accessing the site URL is redirected to the default server FQDN, since the site URL is no longer in the FQDN map.

This issue is caused by changes made in OpenAM 13.5 that removed the need to restart the server after updating the FQDN map: OPENAM-7914 (Make the attribute com.sun.identity.server.fqdnMap hot-swappable).

Solution

This issue can be resolved by upgrading to OpenAM 13.5.1 or later; you can download this from BackStage.

Workaround

Alternatively, you can map the site URL to itself in the FQDN map explicitly. Because this entry is stored as a server property, it is retained when the map is rebuilt. For example, where the site URL is lb.example.com:

  • OpenAM console: navigate to Configure > Server Defaults > Advanced and add the com.sun.identity.server.fqdnMap[siteURL] property. For example:

    com.sun.identity.server.fqdnMap[lb.example.com] = lb.example.com

    Once you have entered the property and value, click + to add it, followed by Save Changes.
  • ssoadm: enter the following command, replacing [adminID], [passwordfile] and [siteURL] with appropriate values:

    $ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -a com.sun.identity.server.fqdnMap[siteURL]=[siteURL]

    For example:

    $ ./ssoadm update-server-cfg -s default -u amadmin -f pwd.txt -a com.sun.identity.server.fqdnMap[lb.example.com]=lb.example.com
Note

You do not need to restart the web application container in which OpenAM runs to apply this change in OpenAM 13.5.
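To see why the explicit fqdnMap property survives while the automatically added site hostname does not, here is an added Python model of the FQDN map behaviour described in Causes and Workaround above. It is illustrative code written for this article, not OpenAM's FqdnValidator; the server hostname openam1.example.com and the property key used for the unrelated save are assumed.

```python
import re

# Key format of the OpenAM property, e.g.
#   com.sun.identity.server.fqdnMap[lb.example.com]=lb.example.com
FQDN_MAP_KEY = re.compile(r"^com\.sun\.identity\.server\.fqdnMap\[(?P<host>[^\]]+)\]$")


class FqdnMapModel:
    """Simplified model of the in-memory FQDN map (not OpenAM's own code)."""

    def __init__(self, server_fqdn, properties):
        self.server_fqdn = server_fqdn
        self.properties = dict(properties)  # persisted server properties
        self.fqdn_map = {}
        self.reinitialize()

    def reinitialize(self):
        """Rebuild the map from the server FQDN and persisted properties only.
        Any hostname added at runtime (the site URL) is dropped here, which is
        the behaviour reported in OPENAM-9628."""
        self.fqdn_map = {self.server_fqdn.lower(): self.server_fqdn}
        for key, value in self.properties.items():
            m = FQDN_MAP_KEY.match(key)
            if m:
                self.fqdn_map[m.group("host").lower()] = value

    def add_site_hostname(self, site_host):
        """Runtime-only addition, as happens for the site URL at startup."""
        self.fqdn_map[site_host.lower()] = site_host

    def save_property(self, key, value):
        """Saving any server property triggers a rebuild of the map."""
        self.properties[key] = value
        self.reinitialize()

    def resolve(self, request_host):
        """Return (True, host) when the request host is a valid FQDN, or
        (False, server_fqdn) when the request would be rejected/redirected."""
        host = request_host.lower()
        if host in self.fqdn_map:
            return True, self.fqdn_map[host]
        return False, self.server_fqdn


def demo(with_workaround):
    am = FqdnMapModel("openam1.example.com", {})       # assumed server FQDN
    am.add_site_hostname("lb.example.com")             # site hostname auto-added
    if with_workaround:
        am.save_property("com.sun.identity.server.fqdnMap[lb.example.com]", "lb.example.com")
    am.save_property("com.example.unrelated.setting", "x")  # assumed unrelated property save
    return am.resolve("lb.example.com")
```

Without the workaround, demo(False) ends with the site URL missing from the map and the request falling back to the server FQDN; with it, demo(True) keeps lb.example.com valid across the rebuild.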

See Also

How do I set up Realm DNS Aliases in OpenAM 13.x?

Related Training

N/A

Related Issue Tracker IDs

OPENAM-7914 (Make the attribute com.sun.identity.server.fqdnMap hot-swappable)

OPENAM-9628 (Strange 400 response after changing advanced default server properties from site URL)


Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.