Cannot access protected resources with policies after upgrading from Access Manager SP1 to SP2

  • 7007113
  • 27-Oct-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

A working setup exists on 3.1.1 where web protected resources are available after authentication and working fine. After upgrading all components to 3.1.2, the Linux Access Gateway (LAG) health check reported errors reading policies. When a user tries to access any protected web site via the LAG, they get the following error:

"403 - Host name received is not for this web site"

Restarting the LAG did not clear the policy read warnings reported in the LAG health check.

The catalina.out file on the LAG (ESP) shows that the policy information cannot be retrieved from the policy store:

Jul 16 12:02:31 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: config_soapReq 5176 - II PR:everything (94c3e644)
esp_online
Jul 16 12:02:31 awhqdevag1 : AM#504512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#124: processSoapRequests - size 149 processed 1, deleted
0 (0, conFail 0 conTimeout 0) 0 (0)
Jul 16 12:02:31 awhqdevag1 : AM#504512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#5176: sent soapRequest 5176 app 94c61d24 II
:
:
Jul 16 12:02:33 awhqdevag1 : AM#204512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#3628: backchannel reply from esp - status code = 500
Jul 16 12:02:33 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: checkPolicies.. arg(0)
Jul 16 12:02:33 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: checkPolicies-0 (324, 0)(ok sent skip noApp) ACL(0 0
103 0) II(0 0 207 0) FF(0 0 14 0)
Jul 16 12:02:33 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: CheckPolicyWTD.. called ( )
Jul 16 12:02:33 awhqdevag1 : AM#204512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#4869: backchannel reply from esp - status code = 500
Jul 16 12:02:33 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: checkPolicies.. arg(0)
Jul 16 12:02:33 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: checkPolicies-0 (324, 0)(ok sent skip noApp) ACL(0 0
103 0) II(0 0 207 0) FF(0 0 14 0)
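The following is an added example, not part of the original TID or any Novell tool: a small parser for the wrapped AM# log entries shown above that rejoins continuation lines and counts ESP backchannel replies by status code, so the "status code = 500" symptom can be confirmed from a log file rather than by eye. The sample log is constructed from the entries quoted above.

```python
import re
from collections import Counter

# Constructed sample modelled on the entries quoted above (not a real capture).
SAMPLE_LOG = """\
Jul 16 12:02:31 awhqdevag1 : AM#504512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#5176: sent soapRequest 5176 app 94c61d24 II
Jul 16 12:02:33 awhqdevag1 : AM#204512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#3628: backchannel reply from esp - status code = 500
Jul 16 12:02:33 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: checkPolicies-0 (324, 0)(ok sent skip noApp) ACL(0 0
103 0) II(0 0 207 0) FF(0 0 14 0)
Jul 16 12:02:33 awhqdevag1 : AM#204512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#4869: backchannel reply from esp - status code = 500
"""

# A new entry starts with a syslog-style timestamp and host name; wrapped
# continuation lines do not, so they are glued onto the previous entry.
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ : ")
FIELDS = re.compile(
    r"AM#(?P<code>\d+): AMDEVICEID#(?P<device>\S+): "
    r"AMAUTHID#(?P<auth>\S+): AMEVENTID#(?P<event>\d+): (?P<msg>.*)"
)
BACKCHANNEL = re.compile(r"backchannel reply from esp - status code = (?P<status>\d{3})")


def parse_entries(text):
    """Return one dict per log entry (code, device, auth, event, msg),
    with wrapped lines rejoined before the fields are extracted."""
    raw = []
    for line in text.splitlines():
        if ENTRY_START.match(line):
            raw.append(line)
        elif raw:
            raw[-1] += " " + line
    return [m.groupdict() for m in (FIELDS.search(e) for e in raw) if m]


def esp_backchannel_status(entries):
    """Count ESP backchannel replies by HTTP status code."""
    counts = Counter()
    for e in entries:
        m = BACKCHANNEL.search(e["msg"])
        if m:
            counts[int(m.group("status"))] += 1
    return counts


def policy_read_failing(text):
    """True when any ESP backchannel reply carried a 4xx/5xx status, which
    is the policy-read failure this article describes."""
    counts = esp_backchannel_status(parse_entries(text))
    return any(status >= 400 for status in counts), counts
```

Run it against a copy of the LAG log to see whether the ESP is still answering policy requests with 500 after applying the resolution.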

Resolution

Change the global timeout and the contract timeout on the Identity Server (General tab, or in the contract settings), and
then apply the changes to both the Identity Server and the LAG.

SP2 implements a timeout per protected resource, and some of these timeouts are not passed down
to the LAG ESP correctly.