I came across an interesting problem recently with an IBM Security Access Manager (ISAM)/WebSEAL junction: whenever requests were sent to the back-end server (IIS) we received an ‘HTTP 400 – Bad Request – Invalid Hostname’ error.

Looking at the pdweb.debug log showed that the requests contained
host: myhost.xyz.com:80:80
in the header. In other words the port number for the virtual host was listed twice, which IIS objected to.

Why did the requests contain this? Looking at the ISAM web GUI, the Server details in the junction definition looked absolutely fine. I eventually established that when someone had added the definition of the back-end server in the Servers tab of the junction specification, they had specified the Virtual Host to be ‘myhost.xyz.com:80’ (instead of ‘myhost.xyz.com’) as well as specifying a Virtual Host Port of 80. Note that this didn’t show up in the web GUI (but after the event I created a support file and unzipped it, and the .xml file for the junction in question contained ‘myhost.xyz.com:80:80’).

Re-entering the Virtual Host without the ‘:80’ at the end didn’t fix the problem, so the solution was to delete the back-end server definition and then re-create it, specifying the Virtual Host to be just ‘myhost.xyz.com’.

Like most of these sorts of problems, the fix was easy – but it took a while to get there…

Tagged IBM Security Access Manager, ISAM, WebSEAL