Access Manager "Error obtaining SOAP response. Reason: White spaces are required between publicId and systemId" error

  • 3612060
  • 03-Mar-2008
  • 26-Apr-2012

Environment

Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Netware Access Gateway
Novell Access Management 3 Support Pack 2 applied

Situation

Access Manager was set up so that users had to authenticate to a Novell Identity (NIDP) server before accessing a resource protected by a Linux Access Gateway (LAG). The IDP and LAG services each ran as a cluster of two servers. After Access Manager was configured this way, users would get the following error message after entering their credentials on the IDP server login page:

"Error obtaining SOAP response.
Reason: White spaces are required between publicId and systemId"

All users would experience this error.

Resolution

Make sure that the /nidp/idff/soap service on each IDP server is reachable. The baseURL of the IDP servers was set up with TCP port 443, and an iptables rule translated TCP 443 to port 8443, which the application was actually listening on. When one of the IDP servers needed to proxy the SOAP request to the other IDP server in the cluster (based on the cluster cookie), it could not connect to the TCP port running the SOAP service. The following excerpt from the catalina.log file shows the error:

"Forwarding HTTP request to cluster member at URL:
https://171.215.74.240:443/nidp/idff/soap"

<amLogEntry> 2008-02-12T19:26:19Z NIDS Trace: Method: NIDPProxyableServlet.A()
Thread: http-8443-Processor2
Proxy: Request: added header: Name: soapaction, Value: urn:liberty:soap-action
Proxy: Request: added header: Name: content-type, Value: text/xml; charset="utf-8"
Proxy: Request: added header: Name: connection, Value: close
Proxy: Request: added header: Name: user-agent, Value: Java/1.4.2_12
Proxy: Request: added header: Name: host, Value: login.novell.com
Proxy: Request: added header: Name: accept, Value: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy: Request: added header: Name: content-length, Value: 584
Proxy: Request: added new Via header: HTTP/1.1 171.215.36.9
Proxy: Request: added new custom NIDPProxiedRequest http header: 171.215.36.9;fckuhjec4tv2xx;fckuhjelqf52xy
Proxy: Response: The Cluster Proxy Request List has 0 members!

</amLogEntry>
2008-02-12T19:26:19Z NIDS Trace: NIDP TRACE EXCEPTION LOG
(Thread: http-8443-Processor2):
Exception message: "Connection refused"
PlainSocketImpl.java, Line: -2, Method: socketConnect
PlainSocketImpl.java, Line: 305, Method: doConnect
PlainSocketImpl.java, L
:
:

The connection failure to this IP address stemmed from an invalid iptables rule that performed the port translation on eth0 only, when in fact the requests were arriving on eth1. Adding the following to the iptables script fixed the issue.

iptables -t nat --flush
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 171.215.74.239:8443
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to 171.215.74.240:8443
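The root cause above is a DNAT rule bound to the wrong ingress interface, which only shows up when one cluster member proxies to the other. The script below is an added example, not part of the original TID or of the Access Manager product: it audits an `iptables -t nat -S PREROUTING` dump for a 443 DNAT rule on every interface that carries traffic, and probes the /nidp/idff/soap endpoint on each cluster member through the advertised baseURL port. The interface names, the cluster member addresses, the RUN_LIVE switch and the sample rule dump are all constructed assumptions; the sample dump reproduces the broken state described above (a rule for eth0 only).

```shell
#!/bin/sh
# Added example (not from the original TID): verify that TCP 443 is DNATed
# to the 8443 listener on every ingress interface, and that each IDP cluster
# member's /nidp/idff/soap endpoint accepts connections on the baseURL port.
# Interface names, addresses and SAMPLE_RULES below are constructed.

# Constructed 'iptables -t nat -S PREROUTING' output reproducing the fault:
# only eth0 has the 443 -> 8443 DNAT rule, so traffic arriving on eth1
# reaches a port nobody listens on ("Connection refused" in catalina.log).
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 171.215.74.239:8443'

# missing_dnat_ifaces IFACES RULES [DPORT]
# Prints the interfaces from IFACES (space separated) that have no
# PREROUTING DNAT rule for tcp --dport DPORT (default 443) in RULES.
missing_dnat_ifaces() {
    ifaces=$1
    rules=$2
    dport=${3:-443}
    missing=""
    for i in $ifaces; do
        # '--' keeps grep from reading the leading "-A" of the pattern as an option.
        if ! printf '%s\n' "$rules" |
           grep -E -- "-A PREROUTING .*-i $i .*--dport $dport .*-j DNAT" >/dev/null; then
            missing="$missing $i"
        fi
    done
    printf '%s' "${missing# }"
}

# probe_soap HOST [PORT]
# Succeeds when a TLS connection to HOST:PORT/nidp/idff/soap can be opened.
# Only connectivity matters here (the HTTP status is ignored), which is
# exactly what the cluster proxy in the trace above needed. -k is used
# because cluster members are usually addressed by internal IP.
probe_soap() {
    host=$1
    port=${2:-443}
    if curl -sk --max-time 5 -o /dev/null "https://$host:$port/nidp/idff/soap"; then
        echo "$host:$port ok"
        return 0
    fi
    echo "$host:$port FAIL (connection refused or timed out)"
    return 1
}

# RUN_LIVE=1 reads the real NAT table and interface list; otherwise the
# constructed sample is used so the script can be run anywhere.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    rules=$(iptables -t nat -S PREROUTING)
    ifaces=$(ip -o link show up | awk -F': ' '$2 != "lo" { print $2 }')
    # Cluster member addresses from the TID; replace with your own baseURL hosts.
    for member in 171.215.74.239 171.215.74.240; do
        probe_soap "$member" 443 || true
    done
else
    rules=$SAMPLE_RULES
    ifaces="eth0 eth1"
fi

missing=$(missing_dnat_ifaces "$ifaces" "$rules" 443)
if [ -n "$missing" ]; then
    echo "No DNAT rule for tcp/443 on interface(s): $missing"
    echo "Add one PREROUTING rule per ingress interface (see the iptables lines above)."
else
    echo "All checked interfaces have a tcp/443 DNAT rule."
fi
```

With the constructed sample the audit reports eth1 as missing, matching the diagnosis above; after the eth1 rule is added nothing is reported. Running with RUN_LIVE=1 on an IDP server also exercises the probe, which fails with the same refused connection the NIDS trace logged when the translation is absent on the interface the cluster peer actually uses.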