Policy Agent Authentication Failed!!!

Hi All,
I configured the Policy Agent based on Apache 2.055 and browsed to the server; it displays a 500 error code: Internal Server Error. The following is the debug log:
Error 900:7f2028 AuthService: AuthService::processLoginStatus() Exception message=[Authentication Failed!!] errorCode='107' templateName=login_failed_template.jsp.
2005-11-15 14:04:38.093 Error 900:7f2028 PolicyEngine: am_policy_evaluate: InternalException in AuthService::processLoginStatus() with error message:Exception message=[Authentication Failed!!] errorCode='107' templateName=login_failed_template.jsp and code:3
2005-11-15 14:04:38.093 Warning 900:7f2028 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/, GET) denying access: status = Identity Server authentication service failure
2005-11-15 14:04:38.093 Debug 900:7f2028 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://exchange.hzliqun.com:8080/.
2005-11-15 14:04:38.093 Info 900:7f2028 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/, GET) returning status: Identity Server authentication service failure.
2005-11-15 14:04:38.093 Info 900:7f2028 PolicyAgent: process_request(): Access check for URL http://exchange.hzliqun.com:8080/ returned Identity Server authentication service failure.
2005-11-15 14:04:38.093 Debug 900:7f2028 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_ERROR, data []
2005-11-15 14:04:38.093 Debug 900:7f2028 PolicyAgent: am_web_process_request(): Rendering web result AM_WEB_RESULT_ERROR
2005-11-15 14:04:38.093 Debug 900:7f2028 PolicyAgent: am_web_process_request(): render result function returned AM_SUCCESS.
Please help to solve it.
Any help will be appreciated.
Thanks,
Peter

Looks like the agent can't authenticate. Check the AM URL and the amldapuser password. Check the amserver amAuthApplication and amComm debug files to see if there are any agent authentication related exceptions. If you have ethereal installed you can do a network trace to see the XML passed between the agent and the server.
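A triage helper for the web agent debug log format quoted in this thread, added here as an example (it is not from any poster or from the agent distribution). It groups lines by `pid:thread`, ties each denial to the first `Error` logged on that thread within one second, and labels the cause; the sample lines are copied from this thread and from the "Custom Authentication Issue" post further down, and the cause labels and the one-second window are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the agent debug logs quoted on this page.
SAMPLE_LOG = """\
2005-11-15 14:04:38.093 Error 900:7f2028 PolicyEngine: am_policy_evaluate: InternalException in AuthService::processLoginStatus() with error message:Exception message=[Authentication Failed!!] errorCode='107' templateName=login_failed_template.jsp and code:3
2005-11-15 14:04:38.093 Warning 900:7f2028 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/, GET) denying access: status = Identity Server authentication service failure
2005-11-15 14:04:38.093 Debug 900:7f2028 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_ERROR, data []
2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
"""

# timestamp, level (a word or a number), pid:thread, module, message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<level>\S+)\s+"
    r"(?P<pid>\d+):(?P<tid>[0-9a-f]+)\s+(?P<module>\w+):\s*(?P<msg>.*)$")
DENIAL_RE = re.compile(r"denying access|denied access|access denied", re.I)
WINDOW = timedelta(seconds=1)  # assumption: one request's lines fall within 1 s

# Substrings from the Error lines quoted on this page; labels are this example's.
CAUSES = [
    ("AuthService::processLoginStatus", "agent could not authenticate to the server"),
    ("Application authentication failed", "agent could not authenticate to the server"),
    ("NSS_Initialize", "SSL library initialisation failed"),
]
NO_ERROR = "denial without a preceding agent Error"


def parse(text):
    """Return one dict per line that matches the debug log layout."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify(msg):
    for needle, label in CAUSES:
        if needle in msg:
            return label
    return "unclassified agent error"


def triage(text):
    """Group each thread's denials under the first Error that preceded them."""
    open_incident = {}  # "pid:tid" -> incident still collecting lines
    incidents = []
    for e in parse(text):
        thread = e["pid"] + ":" + e["tid"]
        when = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S.%f")
        cur = open_incident.get(thread)
        if cur is not None and when - cur["start"] > WINDOW:
            cur = None  # the earlier incident on this thread is over
        is_denial = bool(DENIAL_RE.search(e["msg"]))
        if cur is None and (e["level"] == "Error" or is_denial):
            root = None if is_denial else e["msg"]
            cur = {"thread": thread, "start": when, "root": root, "denials": 0,
                   "cause": NO_ERROR if is_denial else classify(e["msg"])}
            open_incident[thread] = cur
            incidents.append(cur)
        if is_denial:
            cur["denials"] += 1
    return incidents


if __name__ == "__main__":
    for inc in triage(SAMPLE_LOG):
        print(inc["start"], inc["thread"], inc["cause"], "denials:", inc["denials"])
```

Denials that follow an agent authentication error affect every user of the protected site and show up against "unknown user", so they should be counted as an infrastructure fault rather than as user access attempts.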

Similar Messages

  • Policy agent 2.2 amfilter local authentication with session binding failed

    Hi All,
    I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
    Here is the error I got:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    Here is the error I found from agent log file, amFilter:
    AmFilter: now processing: SSO Task Handler
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: now processing: J2EE Local Logout Task Handler
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: local logout skipped SSO User => amAdmin, principal =>null
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: now processing: J2EE Local Auth Task Handler
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: doing local authentication with session binding
    05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: Local authentication failed, invalidating session.
    05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
    05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: result =>
    FilterResult:
         Status      : FORBIDDEN
         RedirectURL     : null
         RequestHelper:
              null
         Data:
              null
    -----------------------------------------------------------

    Hi,
    I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
    ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
    java.lang.IllegalStateException: invalidate: Session already invalidated
    at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
    at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
    at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
    at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
    FilterResult:
    Status : FORBIDDEN
    RedirectURL : null
    RequestHelper:
    null
    Data:
    null
    Also, when I debug I see:
    LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
    Did you receive any solution for this?
    Many, many thanks,
    Philip

  • Urgent :Authentication fails for Policy Agent on weblogic 8 SP3

    Hi
    I am using policy agent for perimeter authentication for an application deployed on weblogic. When I try and access the application using any user which exists on Identity server, I get the following exception in the amRealm log.
    09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
    09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
    09/20/2005 06:17:07:379 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.abort()
    09/20/2005 06:17:12:505 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.authenticate() Initialized callback handler for Subject:
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.login()
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.login() : User name from Callback amAdmin
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: SSOTokenValidator failed with exception
    [AgentException Stack]
    com.sun.identity.agents.arch.AgentException: Invalid transport string version
    at com.sun.identity.agents.util.TransportToken.initializeFromString(Unknown Source)
    at com.sun.identity.agents.util.TransportToken.<init>(Unknown Source)
    at com.sun.identity.agents.common.SSOTokenValidator.validate(Unknown Source)
    at com.sun.identity.agents.realm.AmMappingRealm.authenticateAndFetchAllRoles(Unknown Source)
    at com.sun.identity.agents.weblogic.AmLoginModule.login(Unknown Source)
    at weblogic.security.service.DelegateLoginModuleImpl.login(DelegateLoginModuleImpl.java:71)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at weblogic.security.service.PrincipalAuthenticator.authInternal(PrincipalAuthenticator.java:326)
    at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:279)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:389)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:296)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkUserPerm(BasicSecurityModule.java:125)
    at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSecurityModule.java:47)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3568)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2630)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.abort()

    Hi,
    I have not set it up as a Windows service but can try to help. For one thing, this step is not permanent, and if it does not work then you can undo this step by re-editing the script to remove the line you added. This step has you change the bea startup script for that domain to call the agent script setAgentEnv_AdminServer (it was copied into the bea domain directory during installation of the agent), which just sets some agent resources in the classpath. If you start bea and those things are not in the classpath etc. then the agent won't work. So no permanent damage; you can change it if it doesn't work.
    I suggest you try it out and start the bea server as a service and see if it works - if not, try again.
    I am not sure what the Windows service would use to start the app server, but somehow it must specify some environment properties and things in its classpath, so if this script doesn't work then you can just do the things in the setAgentEnv_AdminServer script, like setting those things in the classpath.
    Please let us know if it works and if any extra steps are required. It would be helpful to others to know how to configure it as a Windows service.
    hth,
    Sean

  • Custom Authentication Issue with Policy Agent

    Hi,
    I have a custom authentication module which is hosted on the BEA application server and I am trying to access through the policy agent on apache.
    I have set the following property in AMAgent.properties file
    com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
    So when the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication succeeds, the user session is created, and I get the following error message in the agent log file.
    2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
    2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
    2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
    2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
    2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
    The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
    Thanks
    Neeraj

    Hi Neeraj,
    I still have not been able to resolve that issue. Let me know if you find a solution for the same.
    Thanks,
    Srinivas

  • Policy web agent configuration failed: NSPR error Configuration Failed!!!!

    I am having trouble installing the Apache 2.2 agent!
    The libamapc22.so uses libstdc++.so.5,
    so I have this error:
    root@ped-02 bin# service httpd start
    Starting httpd: httpd: Syntax error on line 995 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /opt/web_agents/apache22_agent/Agent_006/config/dsame.conf: Cannot load n/opt/web_agents/apache22_agent/lib/libamapc22.so into server: libstdc++.so.5: cannot open shared object file: No such file or directory
    My OS has libstdc++.so.6 installed.
    If I install libstdc++.so.5,
    I have this error:
    [Wed Aug 20 15:50:35 2008] [notice] Digest: generating secret for digest authentication ...
    [Wed Aug 20 15:50:35 2008] [notice] Digest: done
    [Wed Aug 20 15:50:35 2008] [alert] Policy web agent configuration failed: NSPR error Configuration Failed
    So I have installed NSPR and NSS but this error persists.
    In log /opt/web_agents/apache22_agent/Agent_006/logs/debug/amAgent
    ===========
    2008-08-20 16:16:36.152 Error 18271:b949c3d0 all: Connection::initialize() unable to initialize SSL libraries: NSS_Initialize returned -8128
    2008-08-20 16:16:36.156 Error 18271:b949c3d0 all: initialization error: am_properties_load(com.sun.am.policy.agents.config.stopInInit) failed, error = NSPR error (12): exiting...
    2008-08-20 16:16:36.156 Error 18271:b949c3d0 all: Process initialization failure:NSPR error
    My configuration: ---- AMAgent.properties
    com.sun.am.cookie.name = iPlanetDirectoryPro
    com.sun.am.cookie.secure = false
    com.sun.am.naming.url = http://accessmanager.coreo.network.ctbc:8080/opensso/namingservice
    com.sun.am.policy.am.login.url = http://accessmanager.coreo.network.ctbc:8080/opensso/UI/Login
    com.sun.am.policy.agents.config.local.log.file =/opt/web_agents/apache22_agent/Agent_006/logs/debug/amAgent
    com.sun.am.policy.agents.config.local.log.rotate = false
    com.sun.am.policy.agents.config.remote.log = amAuthLog.accessmanager.coreo.network.ctbc.80
    com.sun.am.log.level =
    com.sun.am.policy.am.username = amadmin
    com.sun.am.policy.am.password = fhfeUCQselvAndSuo17Pww==
    com.sun.am.sslcert.dir =
    com.sun.am.certdb.prefix =
    com.sun.am.trust_server_certs = true
    com.sun.am.notification.enable = false
    com.sun.am.notification.url=http://accessmaager.coreo.network.ctbc:80/UpdateAgentCacheServlet?shortcircuit=false
    com.sun.am.policy.am.url_comparison.case_ignore = true
    com.sun.am.policy.am.polling.interval=3
    com.sun.am.sso.polling.period=3
    com.sun.am.policy.am.userid.param=UserToken
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    com.sun.am.policy.agents.config.session.attribute.map=
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    com.sun.am.policy.agents.config.response.attribute.map=
    com.sun.am.load_balancer.enable = false
    com.sun.am.policy.agents.config.version=2.2
    com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
    com.sun.am.policy.agents.config.agenturi.prefix = http://accessmanager.coreo.network.ctbc:80/amagent
    com.sun.am.policy.agents.config.locale = en_US
    com.sun.am.policy.agents.config.instance.name = unused
    com.sun.am.policy.agents.config.do_sso_only = false
    com.sun.am.policy.agents.config.accessdenied.url =
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    com.sun.am.policy.agents.config.fqdn.default = accessmanager.coreo.network.ctbc
    com.sun.am.policy.agents.config.fqdn.map =
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    com.sun.am.policy.agents.config.cookie.reset.list=
    com.sun.am.policy.agents.config.cookie.domain.list=
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    com.sun.am.policy.agents.config.logout.url=
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    com.sun.am.policy.am.fetch_from_root_resource = true
    com.sun.am.policy.agents.config.get_client_host_name = true
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    com.sun.am.policy.agents.config.ignore_path_info = false
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port =
    com.sun.am.policy.agents.config.override_notification.url =
    com.sun.am.policy.agents.config.connection_timeout =
    com.sun.am.receive_timeout = 0
    com.sun.am.connect_timeout = 0
    com.sun.am.poll_primary_server = 5
    com.sun.am.tcp_nodelay.enable = false
    com.sun.am.policy.agents.config.encode_url_special_chars.enable = false
    com.sun.am.policy.agents.config.iis.filter_priority = HIGH
    com.sun.am.policy.agents.config.cdsso.enable=false
    com.sun.am.policy.agents.config.cdcservlet.url = http://accessmanager.coreo.network.ctbc:8080/opensso/cdcservlet
    Jonathan Costa Muniz.

    Hi joncmuniz,
    Did you manage to resolve this problem? I have the same.
    In the logs I have the following information:
    2008-10-08 16:48:02.471   Debug 23153:84d5368 all: Connection::initialize() calling NSS_Initialize() with directory = "" and prefix = ""
    2008-10-08 16:48:02.471   Debug 23153:84d5368 all: Connection::initialize() Connection timeout wen receiving data = 0 milliseconds
    2008-10-08 16:48:02.472   Error 23153:84d5368 all: Connection::initialize() unable to initialize SSL libraries: NSS_Initialize returned -8128
    2008-10-08 16:48:02.475   Error 23153:84d5368 all: initialization error: am_properties_load(com.sun.am.policy.agents.config.stopInInit) failed, error = NSPRerror (12): exiting...
    2008-10-08 16:48:02.475   Error 23153:84d5368 all: Process initialization failure:NSPR error
    I think the problem is with certificates, but I can't point to where.
    Can you help?
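A configuration audit for the `AMAgent.properties` posted in this thread, added here as an example (it is not from either poster or from the agent distribution). It reads the properties and reports the settings that weaken the agent-to-server channel or that line up with the `NSS_Initialize()` call logged with `directory = ""` in the reply; the finding codes, the similarity threshold and the function names are this example's own.

```python
from difflib import SequenceMatcher
from itertools import combinations
from urllib.parse import urlsplit

# Constructed sample: a subset of the AMAgent.properties posted in this thread.
SAMPLE = """\
com.sun.am.cookie.secure = false
com.sun.am.naming.url = http://accessmanager.coreo.network.ctbc:8080/opensso/namingservice
com.sun.am.policy.am.login.url = http://accessmanager.coreo.network.ctbc:8080/opensso/UI/Login
com.sun.am.policy.am.username = amadmin
com.sun.am.sslcert.dir =
com.sun.am.certdb.prefix =
com.sun.am.trust_server_certs = true
com.sun.am.notification.url=http://accessmaager.coreo.network.ctbc:80/UpdateAgentCacheServlet?shortcircuit=false
com.sun.am.policy.agents.config.cdcservlet.url = http://accessmanager.coreo.network.ctbc:8080/opensso/cdcservlet
"""


def parse_properties(text):
    """Parse key = value lines; only the first '=' separates key from value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return a list of (code, property, detail) findings."""
    findings = []
    hosts = {}  # hostname -> properties whose URL uses it
    for key, value in props.items():
        if not value.lower().startswith(("http://", "https://")):
            continue
        url = urlsplit(value)
        if url.hostname:
            hosts.setdefault(url.hostname, []).append(key)
        if url.scheme.lower() == "http":
            findings.append(("CLEARTEXT_URL", key,
                             "no TLS on the connection to " + url.netloc))

    # Two hostnames that are almost identical usually mean one is mistyped.
    # Heuristic only: it also fires on deliberate siblings such as app1/app2.
    for a, b in combinations(sorted(hosts), 2):
        if SequenceMatcher(None, a, b).ratio() >= 0.9:
            rare = min((a, b), key=lambda h: len(hosts[h]))
            findings.append(("HOST_NEAR_MISS", hosts[rare][0], a + " vs " + b))

    def flag(key, bad, code, detail):
        if props.get(key, "").lower() == bad:
            findings.append((code, key, detail))

    flag("com.sun.am.trust_server_certs", "true", "TRUST_ALL_CERTS",
         "server certificates are accepted without validation")
    flag("com.sun.am.cookie.secure", "false", "COOKIE_NOT_SECURE",
         "cookies set by the agent are not marked Secure")
    flag("com.sun.am.policy.am.username", "amadmin", "ADMIN_AS_AGENT",
         "agent logs in with the top-level administrator account")
    flag("com.sun.am.sslcert.dir", "", "EMPTY_CERTDB_DIR",
         "no certificate database directory is configured")
    return findings


if __name__ == "__main__":
    for code, key, detail in audit(parse_properties(SAMPLE)):
        print("%-18s %s: %s" % (code, key, detail))
```

`HOST_NEAR_MISS` picks out `com.sun.am.notification.url`, whose hostname differs by one letter from the host used by every other URL in the file.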

  • Policy Agent 2.2, IIS 6.0, CDSSO and redirects after authentication

    Hi
    I've got a problem where a HTTP/1.1 200 and 302 are returned by the Policy Agent / Application, after the Javascripted POST by the CDCServlet content is performed.
    The expected functionality is that the user is authenticated with the AM, the CDC Servlet serves the JavaScript page that will do a POST to the Policy Agent. The Policy Agent should then do what it needs to do with the POST, and forward request to the Application. The Application then does what it needs to do, and in this case, serves a HTTP/1.1 302 for redirection back to the browser.
    However, it seems that the Policy Agent might be returning a HTTP/1.1 200, and setting the iPlanetDirectoryPro cookie, quickly followed by the HTTP/1.1 302 and the setting of whatever cookies it wants to set.
    The Policy Agent should be respecting the return code of the Application. This problem does not appear when run against the Policy Agent for the Sun ONE Web Server.
    Wondering if anyone has seen this before?
    Here is sanitized output from a trace on the POST and resulting response.
    POST /oslp/?sunwMethod=GET HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-au
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: sco88342744.corp.qed.qld.gov.au
    Content-Length: 3496
    Connection: Keep-Alive
    Cache-Control: no-cache
    X-ProcessAndThread: IEXPLORE.EXE [904; 2908]
    LARES=<snip>
    HTTP/1.1 200 OK
    Date: Wed, 16 May 2007 22:25:42 GMT
    Server: Microsoft-IIS/6.0
    Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcz8tCfJ96AXxjIgRzuZJDgE7gMeTO0iIS4%3D%40AAJTSQACMDQ%3D%23;Path=/
    HTTP/1.1 302 Found
    Date: Wed, 16 May 2007 22:25:42 GMT
    Server: Microsoft-IIS/6.0
    X-AspNet-Version: 1.1.4322
    Location: /oslp/user/signon.aspx
    Set-Cookie: ASP.NET_SessionId=lh4sus55y1iy2r5514onnjuj; path=/
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Content-Type: text/html; charset=utf-8
    Content-Length: 139
    <html><head><title>Object moved</title></head><body>
    <h2>Object moved to <a href='/oslp/user/signon.aspx'>here</a>.</h2>
    </body></html>

    Hi,
    we had the same problem, but we got support
    from readme.txt
    Bug#: 6789020
    Agent type: All Agents
    Description: In CDSSO mode non enforced POST requests cannot be accessed
    Bug#: 6736820
    Agent type: IIS 6 Agent
    Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
    Both bugs should be fixed in this version:
    Sun Java System Web Agents 2.2-02 hotpatch2

  • Policy agent using https redirect to AM for authentication

    We are using Access Manager 6 2005Q1.
    Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
    Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP) for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
    All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
    Our load balancer is currently setup as active/failover because it does not support ssl with cookies.
    In our AMAgent.properties file if I set 'com.sun.am.policy.am.loginURL = http://<lb-vip>:80/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>.
    However, if I set 'com.sun.am.policy.am.loginURL = https://<lb-vip>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am NOT redirected to AM and receive 'Forbidden You don't have permission to access /<url> on this server.' Also in the agent log file I see:
         2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: in_not_enforced_list():enforcing access control for https://<webserver>:443/<url>
         2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: am_web_is_access_allowed https://<webserver>:443/<url>S, GET) no sso token, setting status to invalid session.
         2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: Policy Agent: am_web_is_access_allowed returned status=invalid session
         2006-01-30 12:42:32.800 Warning 28126:203470 PolicyAgent: am_web_get_redirect_url() unable to find active Identity Server Auth server.
         2006-01-30 12:42:32.800 Info 28126:203470 PolicyAgent: do_redirect(): Status Code= invalid session.
    Interestingly if I set 'com.sun.am.policy.am.loginURL = https://<am-server>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>. In this scenario the only difference is I am bypassing the load balancer.
    Our networking people have monitored the load balancer in front of our AM boxes A/B and see the traffic going to AM in all cases.
    From my standpoint it appears the agent is not able to successfully connect to AM via https when going through the load balancer.
    Any help with this configuration issue is appreciated.

    Bernhard,
    From our AMAgent.properties... com.sun.am.policy.agents.version=2.1. Is there a way for me to tell if this is truly only 2.1 or 2.1-xx?
    Because our LB does not support SSL with cookies we are currently configured as active/failover so all requests are going to the same AM server until it goes down, at which time I know users have to re-authenticate. Also we have set "com.sun.am.loadBalancer_enable = true" in AMAgent.properties.
    We understand your point about loginURL. In fact there are two properties dealing with loginURL, com.sun.am.policy.am.loginURL and com.sun.am.policy.am.library.loginURL. Based on the comments in AMAgent.properties my understanding is that com.sun.am.policy.am.loginURL is where the user is redirected for login when no valid SSO token is found and com.sun.am.policy.am.library.loginURL is what the agent uses to authenticate itself "If the previously specified login URL must be exclusively used for redirecting users..." The interesting part is that if we set com.sun.am.policy.am.loginURL to use http everything works just fine, however if we set it to use https the user never gets redirected. It's almost like the agent is trying to connect there first before doing the redirect and cannot.
    Craig

  • Weblogic fails to start after Configuring Agent Authenticator Provider

    Hi
    I have installed the Sun One Policy Agent for Weblogic. After making changes to the Security Realm, the weblogic server does not start. Following is the stack trace seen on the console.
    The WebLogic Server did not start up properly.
    java.lang.ExceptionInInitializerError
    at com.sun.identity.agents.weblogic.AmAuthProvider.getRealmInstance(Unknown Source)
    at com.sun.identity.agents.weblogic.AmAuthProvider.initialize(Unknown Source)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.createSecurityProvider(SecurityServiceManagerDelegateImpl.java:242)
    at weblogic.security.service.SecurityServiceManager.createSecurityProvider(SecurityServiceManager.java:939)
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:151)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:257)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java:581)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:420)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm(SecurityServiceManagerDelegateImpl.java:698)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:731)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize(SecurityServiceManagerDelegateImpl.java:874)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:717)
    at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:822)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:670)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:344)
    at weblogic.Server.main(Server.java:32)
    Caused by: java.lang.RuntimeException: Exception caught in AmRealmManager initializer: AmRealm: Unable to create store connection
    at com.sun.identity.agents.realm.AmRealmManager.<clinit>(Unknown Source)
    Can anyone help regarding this? It's urgent.

    Hi all
    I am also getting the same error
    CLASSPATH=C:\bea\JDK141~1\lib\tools.jar;C:\bea\WEBLOG~1\server\lib\weblogic_sp.jar;C:\bea\WEBLOG~1\server\lib\weblogic.jar;C:\bea\WEBLOG~1\server\lib\ojdbc14.jar;C:\bea\WEBLOG~1\common\eval\pointbase\lib\pbserver44.jar;C:\bea\WEBLOG~1\common\eval\pointbase\lib\pbclient44.jar;C:\bea\JDK141~1\jre\lib\rt.jar;C:\bea\WEBLOG~1\server\lib\webservices.jar;C:\Agent\IdentityServer\j2ee_agents\lib\agent_tools_2_1.jar;C:\Agent\IdentityServer\j2ee_agents\config\C__bea_user_projects_domains_NewFuelPricingDomain;C:\Agent\IdentityServer\j2ee_agents\locale;C:\Agent\IdentityServer\j2ee_agents\lib\am_agent_sdk_2_1.jar;C:\Agent\IdentityServer\j2ee_agents\lib\am_agent_filter_2_1.jar;C:\Agent\IdentityServer\j2ee_agents\lib\am_sdk.jar;C:\Agent\IdentityServer\j2ee_agents\lib\am_services.jar;C:\Agent\IdentityServer\j2ee_agents\lib\am_sso_provider.jar;C:\Agent\IdentityServer\j2ee_agents\lib\amlogging.jar;C:\Agent\IdentityServer\j2eeagents\lib\am_wl70_agent_2_1.jar;extlib\log4j-1.2.8.jar;C:\bea\appsettings;C:\projects\resources\terajdbc4.jar;C:\projects\resources\tdgssjava.jar;.\log4j.xml
    PATH=C:\bea\WEBLOG~1\server\bin;C:\bea\JDK141~1\jre\bin;C:\bea\JDK141~1\bin;C:\Program Files\NCR\Teradata Client\Bin;C:\Program Files\CA\Dcs\DMScripting\;C:\Program Files\CA\DCS\CAWIN\;c:\reskit;c:\winnt;c:\winnt\system32;c:\winnt\system32\wbem;C:\Program Files\Common Files\OpSession\Shared;C:\Program Files\Common Files\OpSession\Viewer Shared;N:\;c:\orant\bin;C:\Program Files\CA\Unicenter Software Delivery\BIN;C:\orant\bin;C:\Program Files\Hewlett-Packard\OpenView\service desk 4.5\client\bin;C:\ant\bin;.;C:\j2sdk1.4.2_16\bin;C:\Documents and Settings\dpsdazk;C:\java\javasoft\java1.42\bin;C:\java\apache\jakarta-ant-1.5.1\bin;C:\Program Files\NCR\TeraJDBC\bin;;C:\bea\WEBLOG~1\server\bin\oci920_8
    * To start WebLogic Server, use a username and *
    * password assigned to an admin-level user. For *
    * server administration, use the WebLogic Server *
    * console at http:\\[hostname]:[port]\console *
    Bad level value for property: com.iplanet.services.debug.level
    Bad level value for property: com.sun.identity.agents.logging.level
    Bad level value for property: com.sun.am.policy.amFilter.audit.level
    <Feb 13, 2008 1:34:09 PM EST> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 1.4.1_05-b01 from Sun Microsystems Inc.>
    <Feb 13, 2008 1:34:09 PM EST> <Info> <Configuration Management> <BEA-150016> <This server is being started as the administration server.>
    <Feb 13, 2008 1:34:09 PM EST> <Info> <Management> <BEA-141107> <Version: WebLogic Server 8.1 SP2 Fri Dec 5 15:01:51 PST 2003 316284
    WebLogic XMLX Module 8.1 SP2 Fri Dec 5 15:01:51 PST 2003 316284 >
    <Feb 13, 2008 1:34:09 PM EST> <Notice> <Management> <BEA-140005> <Loading domain configuration from configuration repository at C:\bea\user_projects\domains\NewFuelPricingDomain\.\config.xml.>
    <Feb 13, 2008 1:34:12 PM EST> <Notice> <Log Management> <BEA-170019> <The server log file C:\bea\user_projects\domains\NewFuelPricingDomain\myserver\myserver.log is opened. All server side log events will be written to this file.>
    The WebLogic Server did not start up properly.
    java.lang.ExceptionInInitializerError
    at com.sun.identity.agents.weblogic.AmAuthProvider.getRealmInstance(Unknown Source)
    at com.sun.identity.agents.weblogic.AmAuthProvider.initialize(Unknown Source)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.createSecurityProvider(SecurityServiceManagerDelegateImpl.java:241)
    at weblogic.security.service.SecurityServiceManager.createSecurityProvider(SecurityServiceManager.java:929)
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:151)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:257)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java:580)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:419)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm(SecurityServiceManagerDelegateImpl.java:697)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:730)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize(SecurityServiceManagerDelegateImpl.java:873)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:719)
    at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:820)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:664)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:342)
    at weblogic.Server.main(Server.java:32)
    Caused by: java.lang.RuntimeException: Exception caught in AmRealmManager initializer: AmRealm: Unable to create store connection
    at com.sun.identity.agents.realm.AmRealmManager.<clinit>(Unknown Source)
    ... 16 more
    Please help me to resolve this problem.
    Any help will be highly appreciated.

  • Authentication to agent workstation failed when trying to run a test in Oracle Test Manager

    I have the complete version of OATS installed on my local machine. I have the OracleATSHelper, OracleATSServer and OracleATSAgent services running.
    In OTM when I go to run an openscript test I select the system, type the version number and hit run and get a "Authentication to agent workstation failed" error in the summary field.
    It worked before but I can't figure out why it isn't working anymore.
    Can anyone help?

    ATS Version: 12.3.0.1.0 build 376
    I am getting the same error when trying to execute a script from OTM - "Authentication to agent workstation failed".
    I have the OTM server on a remote (server) machine and the Oracle Agent is running on my laptop / workstation. I've tried all I have seen on this thread, but no progress. The manager is now in manual mode and the console only provides the following output:
    D:\OracleATS\agentmanager\bin>d:\OracleATS\agentmanager\bin\AgentManagerService.exe -c  AgentManagerService.conf
    wrapper  | --> Wrapper Started as Console
    wrapper  | Launching a JVM...
    jvm 1    | Wrapper (Version 3.0.3)
    jvm 1    |
    One different thing, maybe, I see is that the agentmanager_auth.log is empty always.
    Also, on the server, I've added this SYSTEM successfully, i.e. the Testing of the SYSTEM added in OTM always gives the success message "The system specified can be successfully accessed by the Oracle Test Manager server." In fact it does this even when I provide an incorrect password!

  • Policy agent error code 21 after authenticating

    Hi,
    I get the following error in my amAgent logs after successfully authenticating to Sun Policy Manager 7.1:
    PolicyEngine: am_policy_evaluate: InternalException in AuthService::submitRequirements() with error message:Error sending client submitted requirements to server. and code:21
    A 500 Internal Server Error page is returned with the message: This server has encountered an internal error which prevents it from fulfilling your request. The most likely cause is a misconfiguration. Please ask the administrator to look for messages in the server's error log.
    The Policy Manager auth access log shows: "Login Success" for the login attempt.
    My configuration:
    Solaris 10
    Apache 2.0.54
    Sun Java System Access Manager Policy Agent 2.2
    Has anyone seen or experienced this error before?
    Thanks
    Edited by: tutro on Aug 7, 2008 7:31 AM

    A control character was being read from the password (even though both the encrypted and unencrypted password did not contain any control characters). A password reset resolved the issue.
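A byte-level check for the condition described in the answer above, as an added example that is not part of the original posts: it reports where control bytes or a UTF-8 BOM sit in a password file without ever printing the secret. The file layout (one password stored in a plain file, as the agent installer's passwordFile suggests) and all function names are assumptions.

```python
import os
import tempfile

# Names for the control bytes most often introduced by editors and copy/paste.
NAMES = {0x00: "NUL", 0x09: "TAB", 0x0A: "LF", 0x0D: "CR", 0x1B: "ESC", 0x7F: "DEL"}
UTF8_BOM = b"\xef\xbb\xbf"


def control_bytes(data):
    """Return (offset, name) for each ASCII control byte; no secret bytes are returned."""
    return [(i, NAMES.get(b, "0x%02x" % b))
            for i, b in enumerate(data) if b < 0x20 or b == 0x7F]


def audit_password_file(path):
    """Inspect a password file (hypothetical path supplied by the caller)."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = control_bytes(data)
    # Assumption: a single final LF is the ordinary end-of-line an editor writes.
    # It is reported separately so the operator can decide whether it matters.
    trailing_lf_only = hits == [(len(data) - 1, "LF")]
    has_bom = data.startswith(UTF8_BOM)
    return {
        "length": len(data),
        "utf8_bom": has_bom,
        "control_bytes": hits,
        "trailing_lf_only": trailing_lf_only,
        "needs_review": has_bom or (bool(hits) and not trailing_lf_only),
    }


def demo():
    # Constructed sample: a password saved with Windows line endings (CR LF).
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"constructed-secret\r\n")
        return audit_password_file(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```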

  • Reverse Proxy + Policy Agent generates unwanted Basic Authentication

    We have a policy agent installed on the SJWS 7.0u1. It's configured as a reverse proxy to a server running on another port on the same machine as the web server. The policy agent catches the request and redirects to the access manager, which authenticates fine. The access manager then redirects back to the web server, which then presents the basic authentication dialog. (We did not configure it for basic authentication).
    In a previous post I was directed to check my DNS entries. Both servers can resolve each other without problem. I can type nslookup server.practicegreenhealth.org, nslookup server (these are the web server addresses) and they both resolve to the correct ip. I can type nslookup access.practicegreenhealth.org and nslookup access and they both resolve to the correct IP.
    I had the application deployed as a JRuby application within the SJWS's servlet container and the setup worked fine. I switched back to using SJWS as a reverse proxy to application running as its own instance and am now presented with the basic auth dialog. I can hit the application fine both from the box it's running on and if I disable the policy agent. It's just the combination of the reverse proxy configuration + the policy agent that doesn't seem to work.
    Edited by: phoehne on Jun 23, 2008 12:40 PM

    What does the server error log say? You might want to increase the log level to finest (config/server.xml change info to finest) and restart and look at the server error logs. This could provide us some insight on what is happening. Most likely some config parameters in obj.conf need to be fine tuned.

  • Policy Agent + Distributed Authentication UI?

    Can I deploy the distAuth application inside a policy agent protected container, or does it have to be deployed in a non-protected container?
    Thanks,
    Michael.

    Thanks, that's exactly the answer I was looking for. I was trying to deploy on a J2EE container, and while I'm interested in the workarounds, it's probably simpler for me to just deploy another container instance.

  • Audio test service, bandwidth policy server (authentication), Bandwidth policy server (core) Failed to start

    Event ID 32014, source:LS Application Server
    The application threw an exception while starting.
    The application urn:application:testbot threw the following exception when starting: Exception: Microsoft.Rtc.Collaboration.ProvisioningFailureException
    > FailureReason: ApplicationNotFound
    > DetectionStackTrace:    at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
       at System.Environment.get_StackTrace()
       at Microsoft.Rtc.Collaboration.ProvisioningFailureException..ctor(String message, Exception innerException, ProvisioningFailureReason failureReason)
       at Microsoft.Rtc.Collaboration.PlatformDataImpl.CreateInstance(String requiredCertificateUsage, UCSettings ucSettings, String applicationId, Boolean enableCMSLoadBalancing, Boolean useLocalRegistrar)
       at Microsoft.Rtc.Collaboration.ProvisioningSourceImpl.GetInitialPlatformData()
       at Microsoft.Rtc.Collaboration.ProvisioningSourceGetInitialPlatformDataAsyncResult.ProcessCoreHelper()
       at Microsoft.Rtc.Collaboration.SipCollaborationAsyncResult.ProcessCore()
       at Microsoft.Rtc.Signaling.AsyncWorkitemQueue.ProcessItems()
       at Microsoft.Rtc.Signaling.SerializationQueue`1.ResumeProcessing()
       at Microsoft.Rtc.Signaling.SerializationQueue`1.ResumeProcessingCallback(Object state)
       at Microsoft.Rtc.Signaling.QueueWorkItemState.ExecuteWrappedMethod(WaitCallback method, Object state)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
       at System.Threading.ThreadPoolWorkQueue.Dispatch()
    > Message: Application with id(urn:application:testbot) not found or a default port has not been configured for it.
    > TargetSite: Exception: Exception has been thrown by the target of an invocation.
    > StackTrace:    at Microsoft.Rtc.Internal.ServerSharedComponents.MachApplication.StartUp()
       at Microsoft.Rtc.Internal.ServerSharedComponents.ServiceManager.Startup()
       at Microsoft.Rtc.Internal.ServerSharedComponents.UCAS.MachUcasService.StartAsync()
       at Microsoft.Rtc.ApplicationServerCore.ApplicationLoader.CallStartAsync()
    > Source: Microsoft.Rtc.Collaboration
    > HResult: -2146233088
    Cause: Startup errors.
    Resolution:
    Check the events prior to this to resolve the service startup issue.

    Event ID: 29004   Source: LS Bandwidth Policy Service (Authentication)
    Error while trying to access local Settings. The LS Bandwidth Policy Service (Authentication) will stop.
    Exception: System.Exception: MRAS port is not configured!
       at Microsoft.Rtc.MRAS.Configuration..ctor(ConfigChangedHandler ConfigChangedEventHandler, RoleName roleName)
    Cause: The current account may not have the necessary permissions to access these settings, or the LS Bandwidth Policy Service may not be installed correctly, or the settings are wrong.
    Resolution:
    Rerun LS Bandwidth Policy Service (Authentication) installation and activation.
    Event ID: 29005   Source: LS Bandwidth Policy Service (Authentication)
    LS Bandwidth Policy Service (Authentication) could not be started.
    Exception: System.Exception: MRAS port is not configured!
       at Microsoft.Rtc.MRAS.Configuration..ctor(ConfigChangedHandler ConfigChangedEventHandler, RoleName roleName)
       at Microsoft.Rtc.MRAS.Core..ctor(ServiceStopHandler serviceStop, RoleName roleName)
       at Microsoft.Rtc.MRAS.Server.OnStart(RoleName roleName)
    Cause: Internal error.
    Resolution:
    Examine the details in the associated event log entry to determine the potential cause and report to Product Support Services.

  • Problem Installing Policy Agent 2.2 on Apache 2.2.3

    Hi all,
    I'm trying to configure policy agent 2.2 on apache 2.2.3 on linux platform CentOS (red hat 5.1).
    The configuration and the installation seem to work properly, in effect in the log file install.log you can find :
    [06/10/2008 16:38:49:865 CEST] Creating directory layout and configuring Agent file for Agent_001 instance ...SUCCESSFUL.
    [06/10/2008 16:38:49:936 CEST] Reading data from file /opt/web_agents/apache22_agent/passwordFile and encrypting it ...SUCCESSFUL.
    [06/10/2008 16:38:49:937 CEST] Generating audit log file name ...SUCCESSFUL.
    [06/10/2008 16:38:50:022 CEST] Creating tag swapped AMAgent.properties file for instance Agent_001 ...SUCCESSFUL.
    [06/10/2008 16:38:50:026 CEST] Creating a backup for file /etc/httpd/conf/httpd.conf ...SUCCESSFUL.
    [06/10/2008 16:38:50:031 CEST] Adding Agent parameters to /opt/web_agents/apache22_agent/Agent_001/config/dsame.conf file ...SUCCESSFUL.
    [06/10/2008 16:38:50:032 CEST] Adding Agent parameters to /etc/httpd/conf/httpd.conf file ...SUCCESSFUL.
    But, when I try to restart Apache it gives me an error and in the error.log file in Apache you can read:
    [Tue Jun 10 16:57:33 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Tue Jun 10 16:57:34 2008] [notice] Digest: generating secret for digest authentication ...
    [Tue Jun 10 16:57:34 2008] [notice] Digest: done
    [Tue Jun 10 16:57:34 2008] [alert] Policy web agent configuration failed: NSPR error
    Configuration Failed
    Well, I found in the Sun documentation a well known bug about the NSPR and NSS library :
    Error message issued during installation of Policy Agent 2.2 on Linux systems
    When the Linux operating system is installed, specific components can be selected. Occasionally the specific components of the operating system selected lack the libraries necessary for Policy Agent 2.2 to function. When the complete Linux operating system is installed, all the required libraries are available. The libraries that are required for the agent to function are as follows: NSPR, NSS, and libxml2.
    Workaround: If the Linux operating system you are using is not complete, install the latest versions of these libraries as described in the steps that follow:
    At the time this note was added, the latest version of the NSPR library packages was NSPR 4.6.x , while the latest version of the NSS library package was NSS 3.11.x.
    To Install Missing Libraries for Policy Agent 2.2 on Linux Systems
    Install the NSS, and libxml2 libraries. These libraries are usually available as part of Linux installation media. NSPR and NSS are available as part of Mozilla binaries/development packages. You can also check the following sites:
    o NSPR: http://www.mozilla.org/projects/nspr/
    o NSS: http://www.mozilla.org/projects/security/pki/nss/
    So, I checked my libraries but they are upgraded to the latest version.
    If I comment the line that includes the libamapc22.so in the apache configuration file
    LoadModule dsame_module /opt/web_agents/apache22_agent/lib/libamapc22.so
    Apache can restart but the agent is misconfigured!
    Any Idea?

    thank you Subhodeep for your reply,
    I didn't try to change the library file and I didn't find in the literature any information about changing the library file in the Policy Agent installation. Please, could you suggest something more about which library to use instead of libamapc22.so?
    ps. I am using red hat 5.1, and from the release note of the policy agent seems that the latest platform version supported is red hat enterprise linux 4.0 versions.....
    this one could definitely be the reason of the misconfiguration.

  • Policy Agent Error

    Version:
    Solaris: 8
    IS 6.0
    Policy Agent 2.0
    Webserver: iWS 6.0
    I installed the agent, configured a policy protecting the resources on the webserver. When I access any resource, it throws me a login page (as it should). Once I submit the credentials, I get a 403 error on the page. The agent logs show the following:
    2003-01-30 13:38:23.168 Error 4355:42b508 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
    2003-01-30 13:38:23.168 Warning 4355:42b508 PolicyAgent: am_web_is_access_allowed(http://server.sub.com:8081/index.html, GET) denying access: status = access denied (20)
    2003-01-30 13:38:23.169 -1 4355:42b508 PolicyAgent: validate_session_policy() access denied to unknown user
    At the same time I can see the user session active under the IS console.
    Can somebody help me here?
    Thanks

    Ahhh, what shared secret did you use to install? You should have used the amldapuser account password rather than amadmin.
    Use the cryptutil to hash that password and stick it in the AMAgent file. Restart and all will be well.
    Steve
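A triage sketch for the agent log lines quoted in this thread, as an added example that is not part of the original posts: it pairs each "denying access" line with the InternalException logged just before it on the same process:thread, which separates agent-side authentication failures (such as code:20 here) from ordinary policy denials. The sample lines are copied from the post; the regexes and field names are assumptions derived from those visible lines only.

```python
import re
from collections import namedtuple

# Sample amAgent lines copied from the post above (all on thread 4355:42b508).
SAMPLE = """\
2003-01-30 13:38:23.168 Error 4355:42b508 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
2003-01-30 13:38:23.168 Warning 4355:42b508 PolicyAgent: am_web_is_access_allowed(http://server.sub.com:8081/index.html, GET) denying access: status = access denied (20)
2003-01-30 13:38:23.169 -1 4355:42b508 PolicyAgent: validate_session_policy() access denied to unknown user
"""

# timestamp, level (may be "-1"), pid:thread, module, free-form message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<level>\S+)\s+"
    r"(?P<pid>\d+):(?P<thread>[0-9a-f]+)\s+(?P<module>\w+):\s+(?P<msg>.*)$")
EXC_RE = re.compile(
    r"InternalException in (?P<where>\S+?)(?:\(\))? with error message:"
    r"(?P<text>.*?) and code:(?P<code>\d+)")
DENY_RE = re.compile(
    r"am_web_is_access_allowed(?:\(\))?\((?P<url>[^,]+), (?P<method>\w+)\)"
    r" denying access: status = (?P<status>.+)$")

Entry = namedtuple("Entry", "ts level pid thread module msg")


def parse_line(line):
    """Split one log line into fields; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return Entry(**m.groupdict()) if m else None


def triage(text):
    """Return one finding per denied request, with the exception that preceded it."""
    last_exc = {}   # "pid:thread" -> most recent InternalException on that thread
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        tid = "%s:%s" % (entry.pid, entry.thread)
        exc = EXC_RE.search(entry.msg)
        if exc:
            last_exc[tid] = exc.groupdict()
            continue
        deny = DENY_RE.search(entry.msg)
        if deny:
            cause = last_exc.pop(tid, None)
            findings.append({
                "ts": entry.ts, "thread": tid,
                "url": deny.group("url"), "method": deny.group("method"),
                "status": deny.group("status"),
                "exception_in": cause["where"] if cause else None,
                "exception_text": cause["text"] if cause else None,
                "code": cause["code"] if cause else None,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding whose `exception_in` is set points at the agent's own connection or credentials to the server; one where it is None is a denial with no preceding agent exception on that thread.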
