Apache Tomcat Configuration

The Apache Tomcat server is embedded with the IdentityIQ Cloud Gateway. To configure the Apache Tomcat server, perform the procedures described in this section.

Mitigating log4j Vulnerability

See CVE-2021-44228

Note
This step is applicable only for IdentityIQ Cloud Gateway version 8.0 and later.

To prevent this vulnerability from being exploited, introduce a JVM system property to the Apache Tomcat server environment that is hosting IdentityIQ Cloud Gateway. Set the following property in catalina.bat (Windows) or catalina.sh (UNIX) on the Cloud Gateway instance. Log4j honors this property only from version 2.10 onward, and the Log4j project later found it insufficient on its own in certain non-default configurations, so upgrading Log4j remains the complete fix.

In catalina.bat:

set CATALINA_OPTS=%CATALINA_OPTS% -Dlog4j2.formatMsgNoLookups=true

In catalina.sh:

export CATALINA_OPTS="$CATALINA_OPTS -Dlog4j2.formatMsgNoLookups=true"

Setting up HTTPS Communication

The communication between the IdentityIQ Cloud Gateway and IdentityIQ is over HTTPS. A self-signed certificate is created in the keystore that is shipped along with the IdentityIQ Cloud Gateway, and this self-signed certificate is used for setting up HTTPS communication.

Note
Users are advised to replace the self-signed certificate shipped with IdentityIQ Cloud Gateway with either a CA-signed certificate or a self-signed certificate that is created specifically for their environment.

  • Creating a new Self-Signed Certificate

    This section describes how to replace the self-signed certificate shipped with IdentityIQ Cloud Gateway with a self-signed certificate created specifically for the customer environment. The following command will create a new keystore and a self-signed certificate:

    keytool -keystore keystoreName -storetype jks -genkey -alias aliasName -keyalg RSA -keysize 2048

    In the above command line, the variables are as follows:

    • keystoreName is the name of the keystore the user wants to use.

    • aliasName is the name of the certificate that is created while creating a new keystore.

    Enter the appropriate values when prompted for setting the keystore password and other details required for creating the keystore certificate.

    Note
    If the JRE's bin folder is not on the PATH environment variable, you must prefix keytool with the full path to that bin folder.

  • Configuring Apache Tomcat to use the new Self-Signed Certificate

    Perform the following:

    1. Open the server.xml file present in the cloudGatewayInstallationDir/apache-tomcat-7.0.32/conf directory and locate the keystoreFile and keystorePass attributes of the HTTPS Connector.

    2. Replace the values of keystoreFile with the complete path of the newly created keystore and keystorePass with the password provided while creating the new keystore as described above (Creating a new Self Signed Certificate).

      For instance, if you created a new keystore by the name cibkeystore.keystore and used the password 123456 then the server.xml configuration would be as follows:

      keystoreFile="/keystore/cibkeystore.keystore" keystorePass="123456"

      Because keystorePass is stored in server.xml in clear text, restrict read access to server.xml to the account that runs Apache Tomcat.

      Note
      If you have not created a keystore and are using the default keystore provided with the packaged Apache Tomcat, you must provide the full path of the keystore file on Linux platforms.

Changing the HTTPS Communication Port

Note
Stop the Apache Tomcat server before changing the HTTPS communication port and start it again after the change.

By default, the HTTPS communication port used is 8443. To change this port, perform the following:

  1. Open the server.xml file present in cloudGatewayInstallationDir/apache-tomcat-7.0.32/conf folder.

  2. Locate the HTTPS configuration by searching for 8443.

  3. Replace all 8443 ports with the port that should be used for HTTPS communication.

Note
Ensure that the port configured is free and is not used by any other application.

To identify if a port is currently being used, run the following command:

  • (For Windows): netstat -an | find "portNumber"

  • (For UNIX): netstat -an | grep "portNumber"

The port is free if no value is returned.
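The log4j property, the server.xml keystore settings and the port check from the sections above, combined into one added verification script. It is not part of the SailPoint documentation or product; the server.xml fragment, netstat output and catalina.sh excerpt it runs against are constructed samples, and the file locations named in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the SailPoint documentation or product: sanity
# checks for the Tomcat settings above. All sample inputs are constructed.

# Constructed server.xml fragment (HTTPS connector as edited in the steps above).
SAMPLE_SERVER_XML='<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" redirectPort="8443"
           keystoreFile="/keystore/cibkeystore.keystore" keystorePass="123456"
           clientAuth="false" sslProtocol="TLS" />'

# Constructed "netstat -an" output (Linux format; Windows prints LISTENING).
SAMPLE_NETSTAT='tcp   0  0 0.0.0.0:8443    0.0.0.0:*   LISTEN
tcp   0  0 0.0.0.0:18443   0.0.0.0:*   LISTEN
tcp   0  0 127.0.0.1:8005  0.0.0.0:*   LISTEN'

# Constructed catalina.sh excerpt carrying the log4j mitigation.
SAMPLE_CATALINA='CATALINA_OPTS="$CATALINA_OPTS -Dlog4j2.formatMsgNoLookups=true"
export CATALINA_OPTS'

# Print the value of one connector attribute ($1) from server.xml text on stdin.
# The attribute name must be preceded by a non-letter, so "port" does not
# pick up "redirectPort".
connector_attr() {
    sed -n "s/.*[^A-Za-z]$1=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Succeed if a socket is listening on port $1 in netstat output on stdin.
# Anchoring on ":PORT" or ".PORT" followed by whitespace avoids the substring
# false positives of a plain find/grep for the number (18443 matching 8443).
port_listening() {
    grep -E "[.:]$1[[:space:]]+.*LISTEN" >/dev/null
}

# Succeed if the startup script on stdin sets the log4j lookup mitigation.
has_nolookups() {
    grep -E 'CATALINA_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true' >/dev/null
}

# Driver: point these at the real conf/server.xml, catalina.sh and live netstat output.
port=$(printf '%s\n' "$SAMPLE_SERVER_XML" | connector_attr port)
ks=$(printf '%s\n' "$SAMPLE_SERVER_XML" | connector_attr keystoreFile)
echo "HTTPS connector: port=$port keystore=$ks"
[ -r "$ks" ] || echo "WARNING: keystore not readable at $ks"
if printf '%s\n' "$SAMPLE_NETSTAT" | port_listening "$port"; then
    echo "port $port is already in use"
else
    echo "port $port is free"
fi
printf '%s\n' "$SAMPLE_CATALINA" | has_nolookups && echo "log4j mitigation present"
```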

Provisioning Request for an Attribute Having Backslash

To provision a distinguished name with a backslash to an application (like Active Directory) through the Cloud Gateway, set the following properties in catalina.bat (Windows) or catalina.sh (UNIX) on the Cloud Gateway instance. These properties relax Tomcat's URI normalization (encoded slashes and backslashes become accepted path delimiters), so set them only on the Cloud Gateway instance that needs them and ensure that any reverse proxy in front of it normalizes paths the same way.

In catalina.bat:

  • set CATALINA_OPTS=%CATALINA_OPTS% -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

  • set CATALINA_OPTS=%CATALINA_OPTS% -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

In catalina.sh:

  • export CATALINA_OPTS="$CATALINA_OPTS -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"

  • export CATALINA_OPTS="$CATALINA_OPTS -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"

Note
If Apache Tomcat is installed as a service, the above parameters must be set on the Apache Tomcat service using the Tomcat service editor.