Communication Forbidden Between MDM Servers in Different Networks

Problem

The servers that host Ataccama MDM (Runtime and Webapp) and the web browser of the user were placed in different networks. Traffic between them passes through a proxy server, and the proxy does not hide the fact that the request originates in a different network (the application still sees the original client address rather than the proxy's). Many applications refuse such cross-network connections by default.

Keycloak, for example, refuses plain HTTP from outside its own network: by default it requires HTTPS for every request whose source address is not a loopback or private (site-local) address. This realm setting is called sslRequired=EXTERNAL (the other possible values are NONE and ALL).

The same check also exists at the level of Keycloak clients. The Ataccama applications are Keycloak clients, and their configuration contains the equivalent setting <attribute name="ssl-required" value="external"/>. Normally this setting does not need editing, because users either work from Windows jump servers or from workstations inside the same network as the servers (or at least in a network that Keycloak considers the same, i.e. a private address range).

Keycloak does not produce any visible notification that the client application (in our case MDM Runtime) refused the external HTTP connection, so the failure is silent for the user. Such a notification may not be possible at all when the client (MDM Runtime) rejects the connection by changing the URL, because the rejection then happens outside Keycloak.

Solution

  1. In keycloak-admin-center.json, change the property sslRequired=EXTERNAL to sslRequired=NONE so that the Keycloak admin page can be opened via http.
  2. In the keycloak .json file, change <attribute name="ssl-required" value="external"/> to <attribute name="ssl-required" value="none"/>.

Note that the value none switches the HTTPS requirement off for every request, including the ones that carry credentials and tokens, so apply it only where the path between browser, proxy and servers is trusted. If TLS can be terminated at the proxy instead, keeping external and letting the proxy forward the original scheme (X-Forwarded-Proto, with Keycloak configured to trust proxy headers) avoids weakening the check.
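To make the Problem description and the effect of the Solution concrete, the following Python model of Keycloak's sslRequired check is an added example written for this page; it is not Keycloak or Ataccama code. It assumes the documented rule for sslRequired=external (HTTPS is required unless the request comes from a loopback or private address), assumes the proxy forwards the original browser address in X-Forwarded-For and that Keycloak is configured to trust that header, and uses made-up addresses for the proxy, the jump server and the workstation. It shows why a browser on a jump server in the server network worked over http while a workstation in another network did not, and what changing the value to none does.

```python
"""Model of Keycloak's sslRequired check (EXTERNAL / NONE / ALL).

Added example, not Keycloak or Ataccama code. The "local" address ranges
below are an assumption taken from the documented behaviour of
sslRequired=external: loopback, unspecified and site-local (private)
addresses count as local, everything else as external.
"""
import ipaddress
from typing import Dict, Optional

# Ranges treated as "local" (assumption, see module docstring).
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",      # IPv4 loopback
    "0.0.0.0/8",        # IPv4 unspecified
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "::1/128",          # IPv6 loopback
    "::/128",           # IPv6 unspecified
    "fec0::/10",        # IPv6 site-local
)]


def is_local(remote_addr: str) -> bool:
    """True if Keycloak would treat the address as inside its own network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparsable address: treated as external (safe default)
    return any(addr in net for net in _LOCAL_NETS)


def ssl_required(mode: str, remote_addr: str) -> bool:
    """Does the given sslRequired mode demand HTTPS for this client address?"""
    mode = mode.lower()
    if mode == "all":
        return True
    if mode == "none":
        return False
    if mode == "external":
        return not is_local(remote_addr)
    raise ValueError(f"unknown sslRequired value: {mode}")


def effective_client_addr(peer_addr: str, x_forwarded_for: Optional[str],
                          proxy_forwarding: bool) -> str:
    """Address Keycloak evaluates.

    With proxy address forwarding enabled, the first hop in X-Forwarded-For
    (the original browser) is used; otherwise Keycloak only sees the proxy's
    own address (assumption about the proxy setup).
    """
    if proxy_forwarding and x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return peer_addr


def request_allowed(mode: str, scheme: str, peer_addr: str,
                    x_forwarded_for: Optional[str] = None,
                    proxy_forwarding: bool = True) -> bool:
    """Would a request with this scheme and origin pass the sslRequired check?"""
    if scheme.lower() == "https":
        return True  # HTTPS always satisfies the check, whatever the origin
    client = effective_client_addr(peer_addr, x_forwarded_for, proxy_forwarding)
    return not ssl_required(mode, client)


# Constructed scenario: both browsers reach the MDM/Keycloak servers through
# the same proxy. All addresses are made up for this example.
PROXY = "10.0.0.5"
JUMP_SERVER = "10.20.30.40"       # Windows jump server in the server network
WORKSTATION = "203.0.113.25"      # user's workstation in another network


def scenario_table(mode: str, proxy_forwarding: bool = True) -> Dict[str, bool]:
    """Plain-HTTP outcome per client for the given sslRequired mode."""
    return {
        name: request_allowed(mode, "http", PROXY, addr, proxy_forwarding)
        for name, addr in (("jump_server", JUMP_SERVER),
                           ("workstation", WORKSTATION))
    }


if __name__ == "__main__":
    for mode in ("external", "none", "all"):
        print(f"sslRequired={mode:<8} http allowed: {scenario_table(mode)}")
    # If the proxy hid the browser address, Keycloak would only see the
    # private proxy IP and would accept plain http from everybody.
    print("external, proxy hides client:", scenario_table("external", False))
```

With external, the jump server passes over http and the workstation is refused; with none both pass; and if the proxy did not forward the original address, the workstation would pass as well, which is the situation the Problem section describes as "hidden" by the proxy.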