How to run PINsafe on non-default ports


Overview

It is possible either to run PINsafe on different ports or to access PINsafe on a different port. For software installations where the required port is above 1024, the port on which Tomcat runs can be changed. For a PINsafe appliance or Linux install where the required port is less than 1024, the section on Port Address Translation should be followed.


Changing the Port on which PINsafe Runs

There may be times where you wish to change the ports on which PINsafe listens, for example if this clashes with another application or if particular ports are blocked by firewall policies.

Note: This approach should not be used to run PINsafe on ports lower than 1024, e.g. port 443, as this has security implications: Tomcat would have to be run as root on a Linux system. The next section, detailing Port Address Translation and firewall rewriting, provides a way of achieving the same result in a different way. For ports above 1024 the method below can be used.


To change the ports used by PINsafe you need to edit the apache-tomcat/conf/server.xml file.

In this file there will be definitions of connectors which specify the port to be used:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> 

Therefore, to change PINsafe to run on port 8181, this would be changed to:

<Connector port="8181" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> 

Tomcat would then need to be restarted.

A PINsafe appliance will have three connectors defined:

   <Connector address="localhost" port="8181" />
   <Connector address="0.0.0.0" port="8080" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/home/swivel/.keystore" keystorePass="lockbox" />
   <Engine name="Catalina" defaultHost="localhost">
     <Host name="localhost" appBase="webapps" />
   </Engine>
 </Service>
 <Service name="Catalina-proxy">
   <Connector address="0.0.0.0" port="8443" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/home/swivel/.keystore" keystorePass="lockbox" />

There is no need to change port 8181 as this is only used internally. Port 8080 serves the admin console and port 8443 is used for the external interface, e.g. to supply the TURing image.


Port Address Translation: Running PINsafe on port 443

There may be times when PINsafe is required to respond on port 443, the default port for HTTPS. It is not recommended to do this by editing the server.xml file as this has other implications. An alternative approach is to use the appliance firewall to re-route inbound traffic on port 443 to port 8443. Once the port is changed, all PINsafe references using 8443 must be updated.

The options for this are:

  • Use Port Address Translation (PAT) on the firewall device
  • Use Port Address Translation (PAT) on the PINsafe Appliance, as detailed below. For access to Webmin see the Webmin How To Guide.


These are the steps required to achieve this.

Log onto the PINsafe Webmin interface at https://<IPADDRESS>:10000


Select the Network -> Firewall option.


Selecting NAT option


Then select the NAT option (as shown) and click Showing IPTable.

Under the PREROUTING (top) section select Add Rule.

Firewall Rule required to reroute from 443 to 8443

The rule has the following elements:

  • A comment or name, e.g. "443 to reroute to 8443"
  • The action required, which is a redirect
  • Target port: the port TO which traffic is to be directed, in this case 8443
  • Network protocol for which the rule applies, in this case TCP
  • Destination port, which equals 443 in this case


Once this is in place select Create Rule, then Apply Configuration.

This rule means that any traffic inbound on port 443 will be redirected to port 8443 before being forwarded to PINsafe.

You can test this by first retrieving a TURing image from https://<ip address>:8443/proxy/SCImage?username=test and then trying https://<ip address>/proxy/SCImage?username=test, without the 8443. Both URLs should produce the same result.

Remember to update authentication devices that reference the image port.
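The decision this page describes (Tomcat connector change for ports above 1024, PAT redirect to the 8443 proxy connector for privileged ports such as 443) as an added worked example. This is not Swivel's own code; the server.xml sample is constructed from the appliance connector layout shown above, and the iptables command is the command-line equivalent of the Webmin PREROUTING rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the appliance server.xml fragment above.
SAMPLE_SERVER_XML = """<Server>
 <Service name="Catalina">
   <Connector address="localhost" port="8181" />
   <Connector address="0.0.0.0" port="8080" scheme="https" secure="true" />
 </Service>
 <Service name="Catalina-proxy">
   <Connector address="0.0.0.0" port="8443" scheme="https" secure="true" />
 </Service>
</Server>"""

PROXY_PORT = 8443  # external/proxy connector that the PAT rule redirects to


def connector_ports(xml_text):
    """Return the listening port of every <Connector> in server.xml."""
    root = ET.fromstring(xml_text)
    return [int(c.get("port")) for c in root.iter("Connector")]


def retarget_connector(xml_text, old_port, new_port):
    """Rewrite the connector on old_port to new_port; refuses privileged ports
    (Tomcat would have to run as root) and ports another connector already uses."""
    if new_port < 1024:
        raise ValueError("port %d is privileged; use PAT instead" % new_port)
    if new_port in connector_ports(xml_text):
        raise ValueError("port %d already used by a connector" % new_port)
    root = ET.fromstring(xml_text)
    hits = [c for c in root.iter("Connector") if c.get("port") == str(old_port)]
    if not hits:
        raise ValueError("no connector listening on port %d" % old_port)
    hits[0].set("port", str(new_port))
    return ET.tostring(root, encoding="unicode")


def pat_redirect_rule(public_port, target_port=PROXY_PORT):
    """Command-line form of the Webmin PREROUTING redirect rule on this page."""
    return ("iptables -t nat -A PREROUTING -p tcp --dport %d "
            "-j REDIRECT --to-ports %d" % (public_port, target_port))


def plan_port_change(xml_text, requested_port, current_port=8080):
    """Choose the method this page prescribes for the requested port."""
    if requested_port >= 1024:
        return "tomcat", retarget_connector(xml_text, current_port, requested_port)
    return "pat", pat_redirect_rule(requested_port)
```

Whichever branch is taken, authentication devices and integrations that reference the old port still have to be updated by hand, as noted above.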


Troubleshooting

Known Issues

Some versions of the appliance up to 2.0.13 failed to save the firewall changes, so changes would disappear after a reboot. To see if an appliance is affected, reboot the appliance after making configuration changes.

To overcome this issue, ensure this fix is added, then make changes to the firewall:

Edit the file /etc/webmin/firewall/config

Add the following line, as in the image below. For information on how to edit files see the WinSCP How To Guide or the PuTTY How To Guide.

save_file=/etc/sysconfig/iptables


[Image: Appliance iptables fix.png]


When changes are made in Webmin and applied, they will be written to the file /etc/sysconfig/iptables. Once the changes are made, Webmin will recognise the new path, so no services require a restart.