Environment
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Linux Novell Identity Server
Access Manager 3 Interim release 2 applied
Situation
Linux Access Gateway (LAG) setup with multiple path-based multihomed reverse proxy services. A number of Formfill and Identity Injection policies are enabled for the various protected resources. When a user tried to access a protected resource with no policies enabled, the browser would display the above error immediately after the user entered credentials at the Identity Server.
The health check showed that everything was green and healthy. We enabled the advanced IDP logging under the log tab to get more policy details written to the catalina.out file (we set the Application component log to config level and also enabled the trace log switch).
When the problem occurred, the catalina.out file would log an error with the statement "the Policy ID is not set properly".
Resolution
Apply the SP1 RC1 build (b2nam3sp1.tar.gz)
It turns out that if a protected resource previously had a Formfill or Identity Injection policy enabled and the policy was subsequently disabled, or the policy no longer exists (such as when an IDP is re-installed and the LAG is re-imported with the "C"urrent configuration), the policies would remain 'linked' to the protected resource and the SOAP communication would still try to evaluate them.
The fix now "unlinks" these removed, non-existent policies.
The issue can also be worked around in existing builds by doing the following:
1. On the Protected Resources page, click the link of the protected resource which is enabled on the accelerator giving the error
2. Click the Identity Injection and/or FormFill tab, press OK on each
3. OK all the way back, press Update on AG panel