Communication Forbidden Between MDM Servers in Different Networks
Problem
The servers used for Ataccama MDM (Runtime and Webapp) and the user's web browser were located in different networks. Communication between them goes through a proxy server, and the proxy technology does not hide the fact that the two sides are in different networks; many applications do not allow such communication by default.
For example, Keycloak forbids such outside-of-network communication and makes an exception only for HTTPS connections. This setting is called sslRequired=EXTERNAL.
This setting is also checked at the level of Keycloak clients. Ataccama applications are Keycloak clients, and their configuration contains the same setting: <attribute name="ssl-required" value="external"/>. Normally this setting does not need editing, because users run their browsers on Windows jump servers or their workstations are in the same network as the servers (or at least in a network that Keycloak considers the same).
For some reason, Keycloak does not notify the user that the client application (in our case MDM Runtime) rejects external HTTP connections. Such a notification may not be possible if the client (MDM Runtime) rejects the connection by changing the URL.
Solution
- In keycloak-admin-center.json, change the property sslRequired=EXTERNAL to sslRequired=NONE to be able to log into the Keycloak admin page via http.
- In the keycloak.json file, change <attribute name="ssl-required" value="external"/> to <attribute name="ssl-required" value="none"/>.
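A small audit check, added here as an example and not part of the original article or of any Ataccama or Keycloak tooling: it reads the ssl-required setting from the two files named above in any of the three spellings the article shows and reports the level that effectively applies (realm and client settings are both enforced, so the stricter one wins). The sample file contents are constructed; the meaning of the none/external/all levels is taken from the Keycloak documentation.

```python
"""Audit the Keycloak ssl-required setting across the edited config files."""
import re

# Keycloak levels, least to most restrictive (Keycloak documentation):
#   none     - HTTPS never required
#   external - HTTPS required only for clients outside private IP ranges
#   all      - HTTPS always required
LEVELS = ("none", "external", "all")

# Matches the spellings seen in the article's files:
#   sslRequired=EXTERNAL                                (properties-style)
#   "sslRequired": "external"                           (JSON key)
#   <attribute name="ssl-required" value="external"/>   (attribute form)
SSL_REQUIRED_RE = re.compile(
    r'ssl[-_]?required"?\s*(?:[=:]|"?\s*value=)\s*"?([A-Za-z]+)',
    re.IGNORECASE,
)


def ssl_required_values(text: str) -> list[str]:
    """Return every ssl-required value found in one file's text, lowercased."""
    values = [m.group(1).lower() for m in SSL_REQUIRED_RE.finditer(text)]
    unknown = [v for v in values if v not in LEVELS]
    if unknown:
        raise ValueError(f"unknown ssl-required value(s): {unknown}")
    return values


def effective_level(values: list[str]) -> str:
    """A request must satisfy both the realm and the client setting,
    so the most restrictive configured level is the one that applies."""
    if not values:
        raise ValueError("no ssl-required setting found")
    return max(values, key=LEVELS.index)


def audit(configs: dict[str, str]) -> dict[str, object]:
    """configs maps file name -> file text; returns per-file values, the
    effective level, and whether plain HTTP from another network is accepted."""
    per_file = {name: ssl_required_values(text) for name, text in configs.items()}
    effective = effective_level([v for vals in per_file.values() for v in vals])
    return {"per_file": per_file, "effective": effective,
            "http_from_other_network_allowed": effective == "none"}


# Constructed sample contents standing in for the two files the article edits.
SAMPLE_CONFIGS = {
    "keycloak-admin-center.json": '{"realm": "mdm", "sslRequired": "none"}',
    "keycloak.json": '<attribute name="ssl-required" value="external"/>',
}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIGS))
```

With the sample above, only the admin-center file has been relaxed, so the client-level "external" still blocks HTTP from another network; both files must read none for the article's scenario to work.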