Environment
Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Situation
A working setup exists on 3.1.1 where protected Web resources are available after authentication and work fine. After upgrading all components to 3.1.2, the Linux Access Gateway (LAG) health check reported errors reading policies. When users try to access any protected web site via the LAG, they get the following error:
"403 - Host name received is not for this web site"
Restarting the LAG did not clear the policy read warnings reported in the LAG health check.
The catalina.out file on the LAG (ESP) shows that we cannot retrieve the policy info from the policy store:
Jul 16 12:02:31 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:AMAUTHID#0: AMEVENTID#3628: backchannel reply from esp - status code = 500
AMAUTHID#0: AMEVENTID#0: config_soapReq 5176 - II PR:everything (94c3e644)
esp_online
Jul 16 12:02:31 awhqdevag1 : AM#504512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#124: processSoapRequests - size 149 processed 1, deleted
0 (0, conFail 0 conTimeout 0) 0 (0)
Jul 16 12:02:31 awhqdevag1 : AM#504512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#5176: sent soapRequest 5176 app 94c61d24 II
:
:
Jul 16 12:02:33 awhqdevag1 : AM#204512000: AMDEVICEID#ag-41A84AF432B94-0:
Jul 16 12:02:33 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: checkPolicies.. arg(0)
Jul 16 12:02:33 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: checkPolicies-0 (324, 0)(ok sent skip noApp) ACL(0 0
103 0) II(0 0 207 0) FF(0 0 14 0)
Jul 16 12:02:33 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: CheckPolicyWTD.. called ( )
Jul 16 12:02:33 awhqdevag1 : AM#204512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#4869: backchannel reply from esp - status code = 500
Jul 16 12:02:33 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: checkPolicies.. arg(0)
Jul 16 12:02:33 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#0: checkPolicies-0 (324, 0)(ok sent skip noApp) ACL(0 0
103 0) II(0 0 207 0) FF(0 0 14 0)
Resolution
Change the global time and contract time on the IDP server (on the General tab or in the contract settings), then apply the changes to both the Identity Server and the LAG.
With SP2 implementing timeouts per protected resource, some of the timeouts are not being passed down to the LAG ESP correctly.
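
To confirm that a gateway shows the symptom in the log excerpt above, and to verify after applying the change that it has stopped, the log can be scanned for failed backchannel replies. The following Python script is an added example, not Novell tooling; the record layout is inferred from the excerpt, and treating any status code of 400 or higher as a failure is an assumption.

```python
import re

# Record header as it appears in the excerpt: "<date> <host> : AM#<code>: AMDEVICEID#<id>:"
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) : "
    r"AM#(?P<am>\d+): AMDEVICEID#(?P<device>[^:]+):\s*(?P<rest>.*)$"
)
REPLY = re.compile(
    r"AMEVENTID#(?P<event>\d+): backchannel reply from esp - status code = (?P<status>\d+)"
)

# Sample lines copied from the excerpt above, including wrapped and truncated records.
SAMPLE = """\
Jul 16 12:02:31 awhqdevag1 : AM#504502000: AMDEVICEID#ag-41A84AF432B94-0:AMAUTHID#0: AMEVENTID#3628: backchannel reply from esp - status code = 500
AMAUTHID#0: AMEVENTID#0: config_soapReq 5176 - II PR:everything (94c3e644)
Jul 16 12:02:31 awhqdevag1 : AM#504512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#124: processSoapRequests - size 149 processed 1, deleted
0 (0, conFail 0 conTimeout 0) 0 (0)
Jul 16 12:02:33 awhqdevag1 : AM#204512000: AMDEVICEID#ag-41A84AF432B94-0:
Jul 16 12:02:33 awhqdevag1 : AM#204512000: AMDEVICEID#ag-41A84AF432B94-0:
AMAUTHID#0: AMEVENTID#4869: backchannel reply from esp - status code = 500
"""

def records(lines):
    """Rejoin wrapped continuation lines so each record is one dict."""
    current = None
    for line in lines:
        m = HEADER.match(line.rstrip("\n"))
        if m:
            if current is not None:
                yield current
            current = m.groupdict()
        elif current is not None:
            current["rest"] = (current["rest"] + " " + line.strip()).strip()
    if current is not None:
        yield current

def failed_backchannel_replies(lines, threshold=400):
    """Return (timestamp, device, event id, status) for each failed ESP reply.
    Assumption: a status code at or above `threshold` counts as a failure."""
    failures = []
    for rec in records(lines):
        m = REPLY.search(rec["rest"])
        if m and int(m.group("status")) >= threshold:
            failures.append((rec["ts"], rec["device"], int(m.group("event")), int(m.group("status"))))
    return failures

if __name__ == "__main__":
    for ts, device, event, status in failed_backchannel_replies(SAMPLE.splitlines()):
        print(f"{ts} device={device} event={event} status={status}")
```

An empty result for the period after the changes were applied to the Identity Server and the LAG indicates the ESP is answering backchannel requests again.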