In my last post, I talked about the “Redirect URL Host” option that is part of VIDM integration. In this post, I would like to discuss configurations that may result in unexpected redirections and what you can do about them. Read on to learn more!
As you may recall from my last post, with standalone Log Insight instances, the node’s IP address will always be used. It is unlikely that you will access the Log Insight UI via an IP; you will most likely use DNS instead. If you access the UI via a FQDN and authenticate via VIDM, then when VIDM redirects back to Log Insight it will send you to the Log Insight IP instead of the FQDN. The implications of this are two-fold:
- The URL changes in the address bar
- You will need to accept the SSL warning
This is clearly not the best customer experience and can also make changing the IP address of the instance (which should be very rare) harder. To overcome this behavior, you should configure the Integrated Load Balancer and ensure you set a FQDN. Then when you integrate with VIDM you will have the ability to use a FQDN instead of an IP.
For non-production environments, you could also try the following changes:
WARNING: This is NOT officially supported by VMware. Proceed at your own risk.
- Disable VIDM integration. Note that this will wipe all configuration inputs; they will all need to be manually entered again in a later step
- Go to /internal/config and find the standalone service-group:
    <distributed overwrite-children="true">
      <daemon port="16520" token="97c70439-ee10-4d9f-b447-600b837b3fbe">
        <service-group name="standalone" />
      </daemon>

and add a host option to the daemon XML with the FQDN from which you access the UI:

    <distributed overwrite-children="true">
      <daemon host="loginsight.example.com" port="16520" token="97c70439-ee10-4d9f-b447-600b837b3fbe">
        <service-group name="standalone" />
      </daemon>
- Hit save
- Go back to VIDM integration and configure it again
Note: The above configuration change may be lost during upgrades.
Now the “Redirect URL Host” option will match the URL you enter into your browser and redirection will work as expected.
Note: If you check /internal/config you may notice a vidm-oauth-client-redirect-url option. Changing this will break your VIDM configuration, so leave it alone.
Multiple ILB VIPs
If you have configured multiple ILB VIPs on your Log Insight instance, you may run into the same issue as in the standalone instance scenario above. In short, you may access the UI on VIP 1, but VIDM redirection might be set on VIP 2. This means the URL will change and an SSL warning may occur. The solution is to ensure that the FQDN used to access the UI is the same FQDN used to configure VIDM integration. In this scenario, you can make all necessary changes on supported UI pages, so there is no need to worry about supported configurations.
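Both the standalone case and the multiple-VIP case come down to one check: does the host VIDM redirects to match the host typed into the browser? The following is an added example, not code from this post or from VMware. The function names, the closing `</distributed>` tag, the token placeholder and the 192.0.2.10 node IP are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the fragment in the post; the closing
# </distributed> tag and the token value are placeholders added here.
SAMPLE_CONFIG = """
<distributed overwrite-children="true">
  <daemon host="loginsight.example.com" port="16520" token="CONSTRUCTED-TOKEN">
    <service-group name="standalone" />
  </daemon>
</distributed>
"""

def is_ip(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def standalone_redirect_host(config_xml, node_ip):
    """Host a standalone node would use for redirection, as the post describes:
    the daemon's host attribute if present, otherwise the node IP."""
    root = ET.fromstring(config_xml)
    for daemon in root.iter("daemon"):
        group = daemon.find("service-group")
        if group is not None and group.get("name") == "standalone":
            return (daemon.get("host") or "").strip() or node_ip
    raise ValueError("no standalone service-group found")

def check_redirect(access_url, redirect_host):
    """Return a list of problems; an empty list means the host does not change."""
    access_host = (urlsplit(access_url).hostname or "").rstrip(".").lower()
    redirect = redirect_host.rstrip(".").lower()
    problems = []
    if not access_host:
        problems.append("access URL has no host")
    if is_ip(redirect):
        problems.append("redirect host is an IP: expect an SSL warning")
    if access_host != redirect:
        problems.append(f"host changes after login: {access_host} -> {redirect}")
    return problems

if __name__ == "__main__":
    host = standalone_redirect_host(SAMPLE_CONFIG, node_ip="192.0.2.10")
    print(host, check_redirect("https://LogInsight.example.com/", host))
```

For the multiple-VIP case, pass the FQDN entered as “Redirect URL Host” directly to `check_redirect` together with the URL users actually browse to.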
© 2017, Steve Flanders. All rights reserved.