Environment
Novell Access Manager 3.1 Linux Access Gateway
Situation
Access Manager 3.1.2 IR2 applied. Configuration appears to be fine - users can access the protected resources after authenticating to the Identity server. After applying an update or purging the cache, all users sometimes start experiencing 403 errors with the message "You do not have permission to access the resource." The URL displayed in the browser at the time of the error is always the /nesp/app/plogin or /nesp/app/plogout link on the LAG embedded service provider.
When the issue occurs, the system can be put back into the working state by re-pushing the LAG configuration. However, the problem often reappears after applying a new change.
Resolution
Apply Access Manager 3.1 Support Pack 3.
The problem is that the soapbc service configuration entry appeared at the end of the config.xml file, and not at the beginning. When this happens, another protected resource is executed instead of the soapbc /nesp protected resource, and the 403 forbidden message is displayed. The issue appears to have been introduced with the SP2 IR2 build.