Environment
Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Support Pack 2 applied
Multiple Linux Access Gateway servers in a cluster
Situation
Access Manager is set up and working: users can access protected resources on the Linux Access Gateway (LAG) after authenticating to the Identity (IDP) server. After a purge cache is run in the LAG UI, users start reporting 403 Forbidden errors both when accessing protected resources on the LAG and when logging out of the LAG using the /AGLogout or /nesp/app/plogout links.
Resolution
Go to Admin Console Auditing --> Troubleshooting and re-push the current configuration. A permanent solution is to apply Access Manager 3.1 Support Pack 3. It appears that this issue started happening after an upgrade to 3.1.2 IR3a, but this is not confirmed and is not something that is readily duplicated.
Additional Information
What happens is that some operation in the UI causes the SOAP backchannel (soapbc) service configuration to move to the end of the config.xml. Re-pushing the configuration puts the soapbc service back in its correct position near the top of the configuration. This soapbc service handles the /nesp path.
To confirm this, look at the contents of config.xml (in the /var/novell/cfgdb/.current/ directory) and compare it with a working config.xml (the current one, or the one produced after the configuration is re-pushed).
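The comparison described above can be scripted so that the position of the soapbc service is checked rather than eyeballed. The following is an added example and is not part of the TID or of Novell's own tooling: the real config.xml schema is not shown in the TID, so the `<service name="..." path="..."/>` layout of the two embedded sample documents is constructed for illustration; only the /var/novell/cfgdb/.current/config.xml path comes from the TID.

```python
"""Check where the soapbc service sits in a LAG config.xml.

Constructed samples: the element and attribute names are assumptions for
illustration, not the actual Novell Access Manager schema.
"""
import xml.etree.ElementTree as ET

# Sample of a working configuration: soapbc (the /nesp service) near the top.
WORKING_CONFIG = """<configuration>
  <service name="soapbc" path="/nesp"/>
  <service name="esp" path="/nesp/app"/>
  <service name="proxy-service-1" path="/"/>
  <service name="proxy-service-2" path="/intranet"/>
</configuration>"""

# Sample of the broken state described in the TID: soapbc pushed to the end.
BROKEN_CONFIG = """<configuration>
  <service name="esp" path="/nesp/app"/>
  <service name="proxy-service-1" path="/"/>
  <service name="proxy-service-2" path="/intranet"/>
  <service name="soapbc" path="/nesp"/>
</configuration>"""

DEFAULT_CONFIG_PATH = "/var/novell/cfgdb/.current/config.xml"  # from the TID


def service_order(config_xml):
    """Return the service names in document order."""
    root = ET.fromstring(config_xml)
    return [svc.get("name") for svc in root.iter("service")]


def soapbc_position(config_xml, name="soapbc"):
    """Return (index, total) for the soapbc service, or (None, total) if absent."""
    names = service_order(config_xml)
    idx = names.index(name) if name in names else None
    return idx, len(names)


def soapbc_misplaced(config_xml):
    """True when soapbc is the last service, i.e. the symptom the TID describes."""
    idx, total = soapbc_position(config_xml)
    return idx is not None and idx == total - 1


def compare_service_order(working_xml, current_xml):
    """List (name, working_index, current_index) for every service whose
    position differs between a known-good and the current config.xml."""
    working = service_order(working_xml)
    current = service_order(current_xml)
    diffs = []
    for name in working:
        w_idx = working.index(name)
        c_idx = current.index(name) if name in current else None
        if c_idx != w_idx:
            diffs.append((name, w_idx, c_idx))
    return diffs


def load_config(path=DEFAULT_CONFIG_PATH):
    """Read a config.xml from disk (not used by the sample run below)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    # Run the check against the constructed samples instead of the live file.
    for label, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        idx, total = soapbc_position(cfg)
        print(f"{label}: soapbc at position {idx + 1} of {total}, "
              f"misplaced={soapbc_misplaced(cfg)}")
    for name, w_idx, c_idx in compare_service_order(WORKING_CONFIG, BROKEN_CONFIG):
        print(f"  {name}: index {w_idx} in working, {c_idx} in current")
```

On a real gateway, replace the sample strings with `load_config()` for the current file and a saved copy of a known-good config.xml; a report that soapbc is last while other services have shifted up by one matches the condition the TID says a re-push corrects.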