Incorrect WSDL URL; caim-srv-01 is in the wsdl

Document ID : KB000124343
Last Modified Date : 10/01/2019
Issue:
When our wsdl is published, we see this:

<soap:address location="http://caim-srv-01:8080/iam/im/TEWS6/identityEnv"/>

This seems to be the standalone server for the UserStore, but our directory.xml has our LDAP server as userstore and we have been authenticating off of that.
Cause:
If you are using the hostname without specifying 8080/8443 as a port, you are going through the Apache proxy rather than reaching the IM WildFly directly, and the proxy knows the IM server by this internal name.

Please refer to the scenarios below.

Scenario 1:
VApp proxy configured in app.config and with https url ( https://hostname.widget.com/iam/im/TEWS6/widgetEnv?wsdl)
This works fine.

The request reaches the VApp proxy in SSL mode, which redirects it internally to the IDM service (caim-srv) in non-SSL mode.
caim-srv is internal to the VApp and not exposed outside. So although the hop from the VApp proxy to caim-srv is non-SSL, it is not vulnerable.

Scenario 2:
The IDM server is reached directly. Configure SSL for the IM Server and use port 8443 (https://hostname.widget.com:8443/iam/im/TEWS6/widgetEnv?wsdl)

No proxy configuration required in app.config.
This is available in VApp 14.1 CP2 (https://docops.ca.com/ca-identity-suite/14-1/EN/release-notes/ca-identity-suite-virtual-appliance-release-notes/virtual-appliance-service-packs-and-cumulative-patches-14-1/ca-identity-suite-virtual-appliance-cumulative-patches/cp-va-140100-0002-release-notes)

Scenario 3:
Without proxy using https with port 443
This should not work unless the request is redirected directly from the hostname to the IDM service (caim-srv).
As no proxy is present, the hostname cannot determine which service (IDM, IP, IG) the request should be redirected to.

If it is working, that means the request is reaching the IDM server directly, and it can only be accessed on port 443.
You have to modify the URL to use port 443.

Scenario 4:
Alternatively, use a Layer 3 load balancer if you don't want to access IDM directly using IP and port.
Resolution:
By default, you access the vApp via its proxy server using a URL like https://100.13.69.195/iam/im/TEWS6/identityEnv?wsdl, and the generated WSDL looks like the following:

<service name="Tews6">
  <port name="Tews6Port" binding="tns:Tews6SoapBinding">
    <soap:address location="https://caim-srv-01:8443/iam/im/TEWS6/identityEnv"/>
  </port>
  <port name="Tews6PublicPort" binding="tns:Tews6PublicSoapBinding">
    <soap:address location="https://caim-srv-01:8443/iam/im/TEWS6/pubidentityEnv"/>
  </port>
</service>

But you can bypass the proxy server and access the IdM server directly using port 8080. Nothing needs to be changed on the vApp side, but I added "100.13.69.195 myvapp142.broadcom.com" to my desktop machine's hosts file. My URL to retrieve the WSDL is http://myvapp142.broadcom.com:8080/iam/im/TEWS6/identityEnv?wsdl, and the SOAP address is successfully updated like the following:

<service name="Tews6">
  <port name="Tews6Port" binding="tns:Tews6SoapBinding">
    <soap:address location="http://myvapp142.broadcom.com:8080/iam/im/TEWS6/identityEnv"/>
  </port>
  <port name="Tews6PublicPort" binding="tns:Tews6PublicSoapBinding">
    <soap:address location="http://myvapp142.broadcom.com:8080/iam/im/TEWS6/pubidentityEnv"/>
  </port>
</service>
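The quickest way to confirm which of the two situations above you are in is to compare the scheme, host and port of every soap:address in the returned WSDL with the URL you fetched it from. The following script is an added example and is not part of this KB or of the product; it wraps the two <service> fragments shown above in a constructed minimal <definitions> root (the real WSDL has many more elements, and the namespace prefixes are assumed to be the standard WSDL/SOAP ones), then reports any port whose address points somewhere other than the origin the request went to. A non-empty result for the proxied request reproduces the symptom in the Issue section: the WSDL advertises the VApp-internal caim-srv-01 name, which a client outside the VApp cannot resolve.

```python
"""Check whether the soap:address entries in a TEWS6 WSDL match the origin
the WSDL was requested from.  Added example; not CA/Broadcom code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Constructed sample: the <service> fragment from the KB wrapped in a minimal
# <definitions> root so it parses as a document.  Namespace declarations are
# assumed (the KB fragment omits them).
WSDL_VIA_PROXY = f"""<?xml version="1.0"?>
<definitions xmlns="{WSDL_NS}" xmlns:soap="{SOAP_NS}" xmlns:tns="urn:example">
  <service name="Tews6">
    <port name="Tews6Port" binding="tns:Tews6SoapBinding">
      <soap:address location="https://caim-srv-01:8443/iam/im/TEWS6/identityEnv"/>
    </port>
    <port name="Tews6PublicPort" binding="tns:Tews6PublicSoapBinding">
      <soap:address location="https://caim-srv-01:8443/iam/im/TEWS6/pubidentityEnv"/>
    </port>
  </service>
</definitions>
"""

# Constructed sample for the direct-access case (second WSDL in the KB).
WSDL_DIRECT = WSDL_VIA_PROXY.replace(
    "https://caim-srv-01:8443", "http://myvapp142.broadcom.com:8080"
)


def soap_addresses(wsdl_xml):
    """Return {port name: location} for every soap:address in the WSDL."""
    root = ET.fromstring(wsdl_xml)
    found = {}
    for port in root.iter(f"{{{WSDL_NS}}}port"):
        addr = port.find(f"{{{SOAP_NS}}}address")
        if addr is not None:
            found[port.get("name")] = addr.get("location")
    return found


def origin(url):
    """(scheme, host, port) of a URL, filling in the default port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def check_wsdl(wsdl_xml, requested_url):
    """List (port name, location, detail) for every soap:address whose
    origin differs from the URL the WSDL was fetched from.  An empty list
    means clients following the WSDL will talk to the same endpoint you
    reached; a non-empty list is the internal-hostname symptom from the KB.
    """
    expected = origin(requested_url)
    problems = []
    for name, location in soap_addresses(wsdl_xml).items():
        got = origin(location)
        if got != expected:
            problems.append((name, location, f"requested {expected}, WSDL advertises {got}"))
    return problems


if __name__ == "__main__":
    # Proxied request: both ports advertise the internal caim-srv-01 name.
    for p in check_wsdl(WSDL_VIA_PROXY, "https://100.13.69.195/iam/im/TEWS6/identityEnv?wsdl"):
        print("MISMATCH", p)
    # Direct request on 8080: addresses match, nothing is printed.
    for p in check_wsdl(WSDL_DIRECT, "http://myvapp142.broadcom.com:8080/iam/im/TEWS6/identityEnv?wsdl"):
        print("MISMATCH", p)
```

To run it against a live vApp, fetch the WSDL with any HTTP client and pass the response body and the URL you used to check_wsdl(); the comparison is on origin only, so a path difference between identityEnv and pubidentityEnv is not reported.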