Connecting to Maximo with a Proxy, are users being signed out immediately?
Shane Howard
I was recently working an issue where a reverse proxy was configured with Maximo using IBM Edge. After the proxy was configured all users logging into Maximo via the proxy were being automatically redirected to the sign-out page (exit.jsp). I ran several tests, including logging in with the same users via the IHS and the Web Container port directly. The users could log in fine this way, so the problem appeared to be directly related to the proxy.
Maximo has a table called LOGINBLOCK, which contains the IP addresses that have been blocked from accessing the system. In it we found the IP address of the proxy server that users access Maximo through, which explains our problem: if the proxy IP is blocked, no users accessing Maximo via the proxy will be able to log in. It also explains why direct connections through the IHS and the Web Container work fine, as the user is recognized by their assigned IP address instead of the proxy's.
To fix the issue we logged in to the Maximo application bypassing the proxy, then used the 'Go to' menu to open the 'Users' application. From here you can open the 'Select Actions' menu and choose 'Manage Blocked IP Addresses'. If the proxy address exists here, you can delete the row; you should now be able to log in to the application via the proxy.
Now that the problem is resolved, how did the IP get in the table in the first place? Maximo 7.5 has a security property called mxe.sec.IPblock. When enabled, this property performs security checks based on a set of security properties.
When using these properties, if all users are connecting through the same address, the properties still apply based on that single IP. If mxe.sec.IPblock.num is set to block an IP after 20 bad login attempts, the failed attempts of all users accessing via the proxy count against the proxy address, so it gets blocked, which results in blocking all users.
So, other than removing the proxy address from the LOGINBLOCK table each time it's blocked, what other options do you have to prevent this from happening in the future?
1. You can disable the security feature mxe.sec.IPblock by changing the system property from 1 to 0.
2. There is a property called mxe.sec.allowedIP. This property is a list of all IPs that will not be blocked based on the above conditions. You can add the proxy address here if you also have users accessing Maximo outside the proxy for whom you want to keep mxe.sec.IPblock enabled.
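
The failure mode and the two options above, as a small Python model. This is an added example, not Maximo code or the author's: the class, the function names and both addresses are constructed, and the counting logic is a simplification (for instance, it never resets a counter on a successful login).

```python
from collections import defaultdict

PROXY = "10.0.0.5"     # constructed address of the reverse proxy
DIRECT = "192.0.2.44"  # constructed address of a user bypassing the proxy

class IPBlockModel:
    """Simplified per-IP login blocking; a model, not Maximo's implementation."""

    def __init__(self, enabled=True, max_failures=20, allowed_ips=()):
        self.enabled = enabled                # stands in for mxe.sec.IPblock (1/0)
        self.max_failures = max_failures      # stands in for mxe.sec.IPblock.num
        self.allowed_ips = set(allowed_ips)   # stands in for mxe.sec.allowedIP
        self.failures = defaultdict(int)      # failed attempts per source IP
        self.blocked = set()                  # stands in for the LOGINBLOCK table

    def login(self, source_ip, user, password_ok):
        """Return 'blocked', 'ok' or 'failed'. The user name plays no part in
        the blocking decision: the only key is the address the server sees."""
        if source_ip in self.blocked:
            return "blocked"
        if password_ok:
            return "ok"
        if self.enabled and source_ip not in self.allowed_ips:
            self.failures[source_ip] += 1
            if self.failures[source_ip] >= self.max_failures:
                self.blocked.add(source_ip)
        return "failed"

    def unblock(self, source_ip):
        """Models deleting the row under 'Manage Blocked IP Addresses'."""
        self.blocked.discard(source_ip)
        self.failures.pop(source_ip, None)

def run_scenario(**settings):
    """20 users each mistype a password once via the proxy; one does so directly."""
    model = IPBlockModel(**settings)
    for n in range(20):
        model.login(PROXY, f"user{n}", password_ok=False)
    model.login(DIRECT, "user_direct", password_ok=False)
    return {
        "via_proxy": model.login(PROXY, "alice", password_ok=True),
        "direct": model.login(DIRECT, "alice", password_ok=True),
        "blocked": sorted(model.blocked),
    }

if __name__ == "__main__":
    print("defaults:       ", run_scenario())
    print("proxy allowed:  ", run_scenario(allowed_ips=[PROXY]))
    print("IPblock off:    ", run_scenario(enabled=False))
```

With the proxy on the allowed list, failed logins arriving through it are no longer counted in this model, so the blocking check still covers only the direct connections.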