When Gateway Hub is configured to provide SSO authentication via LDAP and AD/Kerberos, some users may encounter an error page when connecting to the web UI.
The two specific errors seen in this case are 400 Bad Request and 431 Request Header Fields Too Large. Both point to an oversized request header, and the affected accounts are invariably members of a large number of AD groups: with Kerberos SSO the browser sends the user's service ticket in the Authorization: Negotiate header, and that ticket carries the SID of every group the user belongs to, so the header grows with group membership until it exceeds the default limit of the web services.
Normally, when a user is a member of many AD groups, the LDAP Token Filter setting can be used to select which groups are relevant to role-based access management in Gateway Hub. The Token Filter, however, is only applied to the LDAP lookup that follows the initial Kerberos SSO exchange with the web UI, so it cannot shrink the header that is rejected before that lookup ever happens, and this error cannot be fixed in the LDAP configuration.
For Gateway Hub installations before 2.4.2, the administrator has to raise the maximum request header size by changing the start-up settings of the apid and webconsole services on every node in the cluster. This can be done as follows:
1. Locate and change to the webconsole directory in the Gateway Hub installation:
cd /opt/hub/hub-current/services/webconsole-X.Y.Z
(Replace X.Y.Z with the version number on your system, e.g. 2.4.0, and adjust the first part of the path if your installation is not in the default location.)
2. Edit start.sh and add the -Dserver.max-http-header-size line shown below. It must appear before the "-jar" line:
-Dlogging.config=${WEBCONSOLE_LOGBACK_PATH} \
-Dloglevel=${WEBCONSOLE_LOG_LEVEL} \
-Dserver.max-http-header-size=64KB \
-jar ${WEBCONSOLE_HOME}/lib/web-console-2.4.0.jar \
Note: The trailing backslash ("\") is important. It must not be omitted and must not be followed by any characters (not even spaces) before the newline.
3. Now, similarly, go to the apid directory:
cd /opt/hub/hub-current/services/apid-X.Y.Z
(Again, adjust the path to match your local layout and version.)
4. Edit the start.sh script and add the -Dakka.http.server.parsing.max-header-value-length line shown below, before the final "2>&1" line:
-Djava.io.tmpdir=${APID_TMP_DIR} \
-Dhub.rocksdb.log.level=${APID_ROCKSDB_LOG_LEVEL} \
-Dakka.http.server.parsing.max-header-value-length=64k \
2>&1
Note: Once again the trailing backslash is important. Also note that the two services use a different syntax for the size (64k here versus 64KB for the webconsole); each must be written as shown or the service will fail to start.
5. Repeat these steps on each node in your cluster, or copy the two edited start.sh files to the other servers, whichever you are more comfortable with. Remember that the version number in the directory name and in the "-jar" line must match the target node.
6. The two services must then be restarted. This can be done manually, one service at a time, or, if you have a maintenance window, by restarting the whole cluster.
To restart each service locate the hub-admin script on each node and run it like this:
./hub-admin service restart -n=apid
./hub-admin service restart -n=webconsole
Remember that these commands need to be run on each node in the cluster.
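Because the same two edits have to be made on every node, and a missing or trailing-space-polluted backslash will stop the service from starting, it is worth scripting the change. The following is an added example, not part of the original article and not an ITRS tool: a small POSIX shell script that inserts a JVM option before a chosen anchor line in a start.sh, refuses to add it twice, and verifies that the inserted line sits before the anchor and ends with a clean "\" continuation. The start.sh fragment it operates on is constructed here to mirror the snippets above; paths, the option strings and the anchor patterns are the ones from this article, but check them against your own start.sh before running this against a real node.

```shell
#!/bin/sh
# Added example (not from the original article or from ITRS): idempotently add a
# JVM option to a Gateway Hub start.sh and verify the edit.
set -eu

# add_jvm_opt FILE OPTION ANCHOR
#   Insert "    OPTION \" immediately before the first line matching the regex
#   ANCHOR (the "-jar" line for webconsole, the "2>&1" line for apid), unless
#   OPTION is already present. Returns 2 if the anchor cannot be found.
add_jvm_opt() {
  file=$1 opt=$2 anchor=$3
  if grep -qF -- "$opt" "$file"; then
    echo "unchanged: $opt already in $file" >&2
    return 0
  fi
  if ! grep -qE -- "$anchor" "$file"; then
    echo "error: anchor /$anchor/ not found in $file" >&2
    return 2
  fi
  tmp="$file.tmp.$$"
  awk -v opt="$opt" -v anchor="$anchor" '
    !done && $0 ~ anchor { print "    " opt " \\"; done = 1 }
    { print }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # overwrite in place so mode and ownership are kept
  rm -f "$tmp"
  echo "patched: $file" >&2
}

# verify_jvm_opt FILE OPTION ANCHOR
#   Succeed only if OPTION occurs exactly once, that line ends with a bare "\"
#   (no trailing spaces, as the article warns), and it sits before the ANCHOR line.
verify_jvm_opt() {
  awk -v opt="$2" -v anchor="$3" '
    index($0, opt)        { n++; optline = NR; if ($0 !~ /\\$/) badcont = 1 }
    !aline && $0 ~ anchor { aline = NR }
    END { exit !(n == 1 && !badcont && aline && optline < aline) }
  ' "$1"
}

# --- Demonstration on a constructed webconsole start.sh fragment (not a real Hub file) ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/start.sh" <<'EOF'
java \
    -Dlogging.config=${WEBCONSOLE_LOGBACK_PATH} \
    -Dloglevel=${WEBCONSOLE_LOG_LEVEL} \
    -jar ${WEBCONSOLE_HOME}/lib/web-console-2.4.0.jar \
    2>&1
EOF

WC_OPT="-Dserver.max-http-header-size=64KB"
WC_ANCHOR='^[[:space:]]*-jar '
add_jvm_opt "$work/start.sh" "$WC_OPT" "$WC_ANCHOR"
add_jvm_opt "$work/start.sh" "$WC_OPT" "$WC_ANCHOR"   # second run is a no-op
if verify_jvm_opt "$work/start.sh" "$WC_OPT" "$WC_ANCHOR"; then
  echo "verified: option present once, before -jar, with a clean continuation"
else
  echo "verification FAILED, do not restart the service" >&2
fi
cat "$work/start.sh"
```

For the apid service call the same two functions with the option "-Dakka.http.server.parsing.max-header-value-length=64k" and the anchor '^[[:space:]]*2>&1'. Run the script on each node (or over ssh from one host), and only restart a service once verify_jvm_opt has succeeded on its start.sh.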