403 Forbidden error on Linux Access Gateway after making changes to the configuration

  • 7008659
  • 27-May-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Support Pack 2 applied
Multiple Linux Access Gateway servers in a cluster

Situation

Access Manager was set up and working fine: users could access protected resources on the Linux Access Gateway (LAG) after authenticating to the Identity Server (IDP). After running a purge cache from the LAG UI, users started reporting 403 Forbidden errors both when accessing protected resources on the LAG and when logging out of the LAG using the /AGLogout or /nesp/app/plogout links.

Resolution

Go to Admin Console --> Auditing --> Troubleshooting and re-push the current configuration. The permanent solution is to apply Access Manager 3.1 Support Pack 3. It appears that this issue started happening after an upgrade to 3.1.2 IR3a, but this is not confirmed and the problem is not readily reproduced.
Additional Information

What happens is that some operation in the UI causes the SOAP back-channel (soapbc) service configuration to be moved to the end of config.xml. Re-pushing the configuration puts the soapbc service back in its correct position near the top of the configuration. This soapbc service is the one that handles the /nesp path.

This can be confirmed by examining the contents of config.xml (in the /var/novell/cfgdb/.current/ directory) and comparing it with a working config.xml (one saved while the gateway was working, or the one written after the configuration is re-pushed).
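The check described above, as an added shell example that is not part of this TID and not Novell's own tooling: it reports where the first "soapbc" entry sits in a config.xml relative to the file length, flags it when it has drifted into the second half of the file, and shows a diff against a known-good copy. The TID does not document the element names inside config.xml, so the script only searches for the literal string "soapbc" and the two sample files it builds are constructed for illustration; the directory path is the one the TID names.

```shell
#!/bin/sh
# Added example (not from the TID): locate the soapbc service entry in a
# Linux Access Gateway config.xml and report whether it sits near the top
# (expected) or has drifted toward the end (the symptom this TID describes).
# Assumption: config.xml contains the literal string "soapbc" on the line
# that starts the SOAP back-channel service entry. Read-only; nothing is
# written to the gateway.

CFG_DIR=${CFG_DIR:-/var/novell/cfgdb/.current}   # directory named in the TID

# Print "<line-of-first-soapbc-match> <total-lines>" for a config file.
# A first-match value of 0 means no soapbc entry was found at all.
soapbc_position() {
    file=$1
    first=$(grep -n 'soapbc' "$file" | head -n 1 | cut -d: -f1)
    total=$(wc -l < "$file" | tr -d ' ')
    [ -n "$first" ] || first=0
    echo "$first $total"
}

# Exit status 0 when the soapbc entry is in the first half of the file,
# 1 when it is in the second half (drifted toward the end), 2 when absent.
soapbc_is_near_top() {
    set -- $(soapbc_position "$1")
    first=$1
    total=$2
    [ "$first" -gt 0 ] || return 2
    [ $((first * 2)) -le "$total" ]
}

# Unified diff of a known-good copy against the current file, so a moved
# soapbc block is visible at a glance. Always succeeds so it can be used
# under "set -e".
compare_configs() {
    diff -u "$1" "$2" || true
}

# Constructed sample files: a "good" layout with soapbc near the top and a
# "bad" layout with the same entry pushed to the end. Returns the directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.xml" <<'EOF'
<config>
  <service name="soapbc" path="/nesp"/>
  <service name="svc-a"/>
  <service name="svc-b"/>
  <service name="svc-c"/>
  <service name="svc-d"/>
</config>
EOF
    cat > "$dir/bad.xml" <<'EOF'
<config>
  <service name="svc-a"/>
  <service name="svc-b"/>
  <service name="svc-c"/>
  <service name="svc-d"/>
  <service name="soapbc" path="/nesp"/>
</config>
EOF
    echo "$dir"
}

# Usage on a gateway (paths other than CFG_DIR are assumed):
#   soapbc_position "$CFG_DIR/config.xml"
#   soapbc_is_near_top "$CFG_DIR/config.xml" && echo ok || echo "soapbc has drifted"
#   compare_configs /root/config.xml.known-good "$CFG_DIR/config.xml"
```

The "first half of the file" threshold is a heuristic chosen for this example, not a rule from the TID; the diff against a copy saved while the gateway was working is the authoritative comparison, and the script only gives a quick signal that the re-push is worth trying.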