
Hub - SSO & Kerberos Token size limits

When Gateway Hub is configured to provide SSO authentication via LDAP and AD/Kerberos, some users may encounter an error page when connecting to the web UI.

The two specific errors seen in this case are either a 400 Bad Request or a 431 Request Header Fields Too Large. Both indicate that the request header carrying the Kerberos SSO token has exceeded the server's size limit, which happens for user accounts that are members of a large number of AD groups.

Normally, when a user is a member of many AD groups, the LDAP Token Filter setting can be used to select which groups are relevant to role-based access management in Gateway Hub.

This Token Filter setting, however, is only applied to the LDAP lookup that follows the initial Kerberos SSO exchange with the web UI. The error occurs during that initial exchange, so it cannot be prevented by the LDAP configuration.

For Gateway Hub installations before 2.4.2, the administrator has to raise the maximum request header size by changing the start-up settings of the apid and webconsole services on every node in the Gateway Hub cluster. This is done as follows:

  1. Locate and change to the webconsole directory of the Gateway Hub installation:
cd /opt/hub/hub-current/services/webconsole-X.Y.Z

Replace X.Y.Z with the version number on your system, and adjust the first part of the path if your installation is not in the default location.

  2. Edit start.sh and add the highlighted line as shown below. It must appear before the -jar line:
-Dlogging.config=${WEBCONSOLE_LOGBACK_PATH} \
-Dloglevel=${WEBCONSOLE_LOG_LEVEL} \
**-Dserver.max-http-header-size=64KB \**
-jar ${WEBCONSOLE_HOME}/lib/web-console-2.4.0.jar \

Note

The trailing backslash (\) is important: it must not be omitted and must not be followed by any characters other than the newline.

  3. Go to the apid directory:
cd /opt/hub/hub-current/services/apid-X.Y.Z

Again, adjust the path to match your local layout and version.

  4. Edit the start.sh script and add the highlighted line. It must appear before the 2>&1 line:
-Djava.io.tmpdir=${APID_TMP_DIR} \
-Dhub.rocksdb.log.level=${APID_ROCKSDB_LOG_LEVEL} \
**-Dakka.http.server.parsing.max-header-value-length=64k \**
2>&1

Note

The trailing backslash (\) is important and must not be omitted. Note the different syntax for the size (64k here versus 64KB for webconsole).

  5. Repeat these steps on each node in your cluster, or copy the two edited start.sh files to the other servers, whichever you prefer.

  6. Restart the two services. This can be done manually, one service at a time, or, if you have a maintenance window scheduled, by restarting the whole cluster.

To restart each service, locate the hub-admin script on each node and run:

./hub-admin service restart -n=apid
./hub-admin service restart -n=webconsole

Remember that these commands must be run on each node in the cluster.
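As an added example (not part of this FAQ or of the Gateway Hub product), the following POSIX shell script performs the start.sh edits from steps 2 and 4 idempotently: each flag is inserted with its trailing backslash directly before the -jar or 2>&1 line, and only if it is not already present, so the script can be re-run safely on every node. It demonstrates on constructed start.sh fragments; the real file paths and the X.Y.Z version placeholder are assumed from the steps above.

```shell
#!/bin/sh
# Added example, not ITRS's own tooling: insert the two JVM header-size
# flags into a start.sh file idempotently. It demonstrates on constructed
# start.sh fragments; point it at the real files from the FAQ to use it.
set -eu

# add_flag FILE FLAG ANCHOR_REGEX
# Inserts "FLAG \" directly before the first line matching ANCHOR_REGEX
# (the -jar line for webconsole, the 2>&1 line for apid), unless FLAG is
# already there. A .bak copy of the original file is kept.
add_flag() {
    file=$1; flag=$2; anchor=$3
    if grep -qF -- "$flag" "$file"; then
        echo "already present in $file: $flag"
        return 0
    fi
    grep -qE -- "$anchor" "$file" || { echo "anchor '$anchor' not found in $file" >&2; return 1; }
    cp "$file" "$file.bak"
    # The trailing backslash is mandatory, so awk emits it rather than relying on hand edits.
    awk -v flag="$flag" -v anchor="$anchor" '
        !done && $0 ~ anchor { print flag " \\"; done = 1 }
        { print }
    ' "$file.bak" > "$file"
}

# has_flag FILE FLAG: succeeds if FLAG appears in FILE (post-change check)
has_flag() { grep -qF -- "$2" "$1"; }

WEBCONSOLE_FLAG='-Dserver.max-http-header-size=64KB'
APID_FLAG='-Dakka.http.server.parsing.max-header-value-length=64k'

# Constructed start.sh fragments standing in for the real files.
demo=$(mktemp -d)
cat > "$demo/webconsole-start.sh" <<'EOF'
-Dloglevel=${WEBCONSOLE_LOG_LEVEL} \
-jar ${WEBCONSOLE_HOME}/lib/web-console-2.4.0.jar \
EOF
cat > "$demo/apid-start.sh" <<'EOF'
-Dhub.rocksdb.log.level=${APID_ROCKSDB_LOG_LEVEL} \
2>&1
EOF

add_flag "$demo/webconsole-start.sh" "$WEBCONSOLE_FLAG" '^-jar '
add_flag "$demo/apid-start.sh" "$APID_FLAG" '^2>&1'
add_flag "$demo/apid-start.sh" "$APID_FLAG" '^2>&1'   # second run is a no-op
cat "$demo/webconsole-start.sh" "$demo/apid-start.sh"
```

After the edit, has_flag can be used as a quick check across nodes before the services are restarted.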
