Linux Access Gateway not processing request after applying changes to policies

  • 7007129
  • 01-Nov-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway

Situation

The Access Manager environment was set up and working fine; all Linux Access Gateway (LAG) protected resources were accessible to all users without issue. An additional authorization policy was needed for an existing protected resource. Since the only difference between the newly required authorization policy and an existing one on the system was the URL that the policy redirected to, the existing policy was copied. After the copy, the new policy was renamed and the new redirect URL value added.

After applying the changes, the LAG status did not come up as green - the yellow warning status claimed that X policies failed to be read correctly, where X is the total number of policies on the system.

Looking at the catalina.out file on the LAG (where IDP logging has the 'Application' component set to DEBUG), we saw the following message, indicating that the policy configuration was likely corrupted:

com.novell.nxpe.NxpeException: com.novell.nxpe.NxpeException:
org.xml.sax.SAXException: Error: URI=null Line=5916: cvc-complex-type.2.4.b:
The content of element 'xpeml:Policy' is not complete. One of
'{"urn:novell:schema:xpeml:2.0:policy":Rule}' is expected.
at com.novell.nidp.policy.soap.BasicSoapPep.configure(y:1330)
at com.novell.nidp.policy.soap.PolicySoapHandler.A(y:403)

Resolution

Under the 'Auditing -> Troubleshooting -> Policies' tab, there is a section called "Policies Containing No Rule". Select the entry listed there and remove it. This cleans out the corrupt entry that caused the issue.

In rare cases the workaround above may not address the problem. If so, the policy database in the Admin Console eDirectory configuration store must be inspected directly. Using an LDAP browser (the internal iManager one or a 3rd-party tool), connect to the Admin Console SECURE LDAP server and browse to the following container:

"ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell"

Under this container will be the masterCDN container (the default policy container), although other containers may exist if the administrator has created custom containers for policies. Search for the 'romaContentCollectionXMLDoc' attribute under these containers; the value of this attribute contains all policies for the system. Copy and paste the value into an XML validation tool so that the corrupt entries are easier to locate.

Additional Information

The entry was corrupted when it was added to the policy database. The last entry visible when cutting and pasting the policy database was the following:
<xpeml:Policy Enable="true"
UserInterfaceID="PolicyID_xpemlPEP_AGAuthorization_12776438239270" Category=""
Name="Redirect_XPC_INTERNAL" LastModified="1277643919516"
PolicyID="PolicyID_xpemlPEP_AGAuthorization_12776438239270"
DateCreated="4294967295" Description="Redirect to
https:&amp;#047;&amp;#047;xpc.ancorp.com&amp;#047;anxpc90&amp;#047;"
DateArchived="4294967295" LastModifiedBy="cn=admin,o=novell">
<xpeml:PolicyEnforcementPointRef ElementRefType="ExternalWithIDRef"
ExternalDocRef="ou=cfb820sr9le7,ou=f2wfb820rp6yz3,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc"
ExternalElementRef="xpemlPEP_AGAuthorization" />
<xpeml:ConfigurationUsageList />
</xpeml:Policy>
Typically, a <xpeml:Rule> element also exists for every policy. In the corrupt entry above it was missing, which caused the policy evaluation to exit and fail when a user requested a protected resource that had a policy associated with it. For comparison, a complete policy containing its <xpeml:Rule> element looks like this:

<xpeml:Policy Enable="true" UserInterfaceID="PolicyID_xpemlPEP_AGAuthorization_1227179120325" Category="" Name="AuthorizationDenyAndRedirect" LastModified="1233683139626" PolicyID="PolicyID_xpemlPEP_AGAuthorization_1227179120325" DateCreated="4294967295" Description="" DateArchived="4294967295" LastModifiedBy="cn=admin,o=novell">
         <xpeml:PolicyEnforcementPointRef ElementRefType="ExternalWithIDRef" ExternalDocRef="ou=cfnraqp3djia,ou=7vcfnraqmt6ez4,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc" ExternalElementRef="xpemlPEP_AGAuthorization" />
         <xpeml:ConfigurationUsageList />
         <xpeml:Rule RuleID="RuleID_1227179120325" RuleOrder="1" Enable="1" UserInterfaceID="RuleID_1227179120325" ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
           <xpeml:ActionList>
             <xpeml:Action UserInterfaceID="1" Order="1">
               <xpeml:ActionRef ElementRefType="ExternalWithIDRef" ExternalDocRef="ou=cfnraqp3djia,ou=7vcfnraqmt6ez4,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc" ExternalElementRef="xpemlAction_Redirect" />
               <xpeml:InstanceParameterList>
                 <xpeml:ParameterGroup UserInterfaceID="RedirectParameters" EnumerativeValue="2621" GroupName="RedirectParameters" Order="1">
                   <xpeml:Choice UserInterfaceID="ChoiceID_30_1233683026965" EnumerativeValue="30" Enabled="true" ChoiceName="RedirectToLocation" Order="1">
                     <xpeml:Parameter Value="https%3A%2F%2Flag129.lab.novell.com%3Ffinal_route%3Dhttps%3A%2F%2Fmyaccount-atgeng.twcbc.com%2F" UserInterfaceID="ParameterID_1_1233683026965" EnumerativeValue="1" Name="Redirect" />
                   </xpeml:Choice>
                 </xpeml:ParameterGroup>
               </xpeml:InstanceParameterList>
             </xpeml:Action>
           </xpeml:ActionList>
           <xpeml:ConditionList>
             <xpeml:ConditionSet Enable="true" UserInterfaceID="1" NOT="0" SetOrder="1">
               <xpeml:Condition Enable="true" UserInterfaceID="1" NOT="0" Order="1" ResultOnError="false">
                 <xpeml:ConditionRef ElementRefType="ExternalWithIDRef" ExternalDocRef="ou=cfnraqp3djia,ou=7vcfnraqmt6ez4,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc" ExternalElementRef="xpemlCondition_url" />
                 <xpeml:OperatorRef ElementRefType="ExternalWithIDRef" ExternalDocRef="ou=cfnraqp3djia,ou=7vcfnraqmt6ez4,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc" ExternalElementRef="nxpeOperator_url-equals" />
                 <xpeml:LHSOperand Value="">
                   <xpeml:ContextDataElementRef ElementRefType="ExternalWithIDRef" ExternalDocRef="ou=cfnraqp3djia,ou=7vcfnraqmt6ez4,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc" ExternalElementRef="xpemlContextDataElement_Url" />
                 </xpeml:LHSOperand>
                 <xpeml:RHSOperand Value="https%3A%2F%2Flag129.lab.novell.com%2FAGLogout%3Ffinal_route%3Dhttps%3A%2F%2Fmyaccount-atgeng.twcbc.com%2F" />
                 <xpeml:InstanceParameterList>
                   <xpeml:Parameter Value="case-sensitive" UserInterfaceID="case-sensitive" EnumerativeValue="1" Name="url-flags" />
                 </xpeml:InstanceParameterList>
               </xpeml:Condition>
             </xpeml:ConditionSet>
           </xpeml:ConditionList>
         </xpeml:Rule>
       </xpeml:Policy>
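The script below is an added example for this TID and is not Novell code. It does offline what the "Policies Containing No Rule" troubleshooting entry and the XML-validation step in the Resolution do by hand: it parses a copy of the romaContentCollectionXMLDoc value and reports every xpeml:Policy that has no xpeml:Rule child, which is the condition behind the cvc-complex-type.2.4.b error quoted in the Situation. The namespace URN is taken from that log message. The root element name xpeml:PolicyCollection and the sample document are constructed for the example, because the TID shows individual policies but not the container they sit in; the first sample policy mirrors the corrupt entry above, the second carries a trimmed-down Rule. Run it with the exported attribute value saved to a file as the only argument, or with no argument to check the built-in sample.

```python
"""Find xpeml:Policy entries with no xpeml:Rule child in an exported policy document.

Added example for the TID above (not Novell code). It reproduces the condition
behind the 'cvc-complex-type.2.4.b ... Rule is expected' error so that a copy of
the romaContentCollectionXMLDoc attribute value can be checked offline.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace quoted in the SAXException in the TID.
XPEML_NS = "urn:novell:schema:xpeml:2.0:policy"
NS = {"xpeml": XPEML_NS}


def find_policies_without_rules(xml_text: str) -> List[Dict[str, object]]:
    """Return one record per xpeml:Policy that has no xpeml:Rule child.

    Each record carries the policy's 1-based position among all policies in
    the document plus its Name, PolicyID and Enable attributes, so the entry
    can be located in the LDAP attribute value or an XML editor.
    """
    root = ET.fromstring(xml_text)
    # root.iter() yields the root itself as well as its descendants, so a
    # document whose root is a single xpeml:Policy is handled too.
    policies = list(root.iter("{%s}Policy" % XPEML_NS))
    broken = []
    for position, policy in enumerate(policies, start=1):
        if policy.find("xpeml:Rule", NS) is None:
            broken.append({
                "position": position,
                "total": len(policies),
                "Name": policy.get("Name", ""),
                "PolicyID": policy.get("PolicyID", ""),
                "Enable": policy.get("Enable", ""),
            })
    return broken


# Constructed sample document. The root element name is an assumption made for
# this example; the TID shows individual policies but not their container.
# The first policy mirrors the corrupt entry from the TID (no xpeml:Rule), the
# second carries a trimmed-down Rule.
SAMPLE_DOC = """<xpeml:PolicyCollection xmlns:xpeml="urn:novell:schema:xpeml:2.0:policy">
  <xpeml:Policy Enable="true" Name="Redirect_XPC_INTERNAL"
      PolicyID="PolicyID_xpemlPEP_AGAuthorization_12776438239270"
      Description="Redirect to https:&amp;#047;&amp;#047;xpc.ancorp.com&amp;#047;anxpc90&amp;#047;">
    <xpeml:PolicyEnforcementPointRef ElementRefType="ExternalWithIDRef"
        ExternalElementRef="xpemlPEP_AGAuthorization" />
    <xpeml:ConfigurationUsageList />
  </xpeml:Policy>
  <xpeml:Policy Enable="true" Name="AuthorizationDenyAndRedirect"
      PolicyID="PolicyID_xpemlPEP_AGAuthorization_1227179120325">
    <xpeml:PolicyEnforcementPointRef ElementRefType="ExternalWithIDRef"
        ExternalElementRef="xpemlPEP_AGAuthorization" />
    <xpeml:ConfigurationUsageList />
    <xpeml:Rule RuleID="RuleID_1227179120325" RuleOrder="1" Enable="1"
        UserInterfaceID="RuleID_1227179120325" ConditionCombiningAlgorithm="DNF">
      <xpeml:ActionList />
      <xpeml:ConditionList />
    </xpeml:Rule>
  </xpeml:Policy>
</xpeml:PolicyCollection>
"""


def main(argv: List[str]) -> int:
    """Check the file named on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_DOC
    try:
        broken = find_policies_without_rules(xml_text)
    except ET.ParseError as exc:
        # Not even well-formed XML: report and stop, nothing else can be checked.
        print("document is not well-formed XML: %s" % exc)
        return 2
    for rec in broken:
        print("policy %d of %d has no xpeml:Rule: Name=%r PolicyID=%r Enable=%r"
              % (rec["position"], rec["total"], rec["Name"],
                 rec["PolicyID"], rec["Enable"]))
    return 1 if broken else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A full schema validation (what the Resolution calls an XML validation tool) would need the xpeml XSD, which the TID does not provide; this check targets only the one violation described, and it reports the ordinal position of each offending policy so that the entry can be found quickly in a long attribute value. A non-zero exit status makes it usable as a pre-check before applying policy changes to the LAG.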