Linux Access Gateway looping error "An invalid XML character (Unicode: 0x1a) was found in the element content of the document." when logging in with a username containing double-byte characters

  • 7008938
  • 04-Jul-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Support Pack 3 applied
Users logging in with double byte characters in username
Multiple Identity and Linux Access Gateway servers in clusters

Situation

When a user successfully authenticates to the Identity (IDP) server and the assertion is sent to the Linux Access Gateway (LAG) embedded service provider (ESP), the ESP must then update the proxy component of the LAG with the user-specific details. The ESP adds the entry through the LAG proxy cookie broker service over TCP port 8181 on the LAG loopback interface. During this operation the following exception appears in the catalina.out log file of the LAG:

"An invalid XML character (Unicode: 0x1a) was found in the element content of
the document."

At this point the user loops indefinitely, or until the browser detects the redirect loop, because the request keeps bouncing between the ESP and the LAG proxy (ESP -> LAG proxy -> ESP -> LAG proxy, and so on).

Analysing the catalina.out logs on the LAG shows that once the user has successfully authenticated at the IDP, the IDP sends the assertion to the LAG ESP. The LAG ESP consumes the assertion and then tries to update the authentication table of the LAG proxy component. This is where the failure occurs, i.e. the user session is never successfully pushed to the proxy.

Request:

<amLogEntry> 2011-03-13T03:21:53Z VERBOSE NIDS Application: Posting data to
http://127.0.0.1:8181/
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><NIDPSetSession
XLibid="00002a00c0a8c85ca67ea601040a0b65f06f178e" hardExpire="581"
id="D119DA98CC94D92F152F705332546A8E" pid="+@S,vw4+3$5(LMP*;3X{f@N=*"
refreshCache="false" softExpire="378"><store
type="ldap"><dn>CN=Xkyoin,OU=CP&VS,OU=TEST,ou=USER,ou=azabu,dc=azabu-u,dc=ac,dc=jp</dn></store><authentications><contracts><contract
set="true">name/password/uri</contract></contracts></authentications><roles><role>authenticated</role></roles></NIDPSetSession></SOAP-ENV:Body></SOAP-ENV:Envelope>
</amLogEntry>

Response:

<amLogEntry> 2011-03-13T03:21:53Z DEBUG NIDS Application:
Method: URLUtil.getDocumentFromInputStream
Thread: http-127.0.0.1-8080-Processor19
XML Error on the following document:
b834245
Exception message: "An invalid XML character (Unicode: 0x1a) was found in the
element content of the document."
     y, Line: 2713, Method: A
     y, Line: 1984, Method: parse
     y, Line: 414, Method: getDocumentFromInputStream
     y, Line: 2727, Method: doSOAPRequest
     y, Line: 3440, Method: sendSOAPRequestWithCookieBrokerResponse
     y, Line: 3455, Method: sendSessionData
Note: if the username does not include any double-byte characters, the session update goes through without error.

Resolution

Apply Support Pack 3 Interim Release 2 and create the touch file

/var/novell/.doURLEncodewithSB

After creating the touch file, the administrator needs to do one of the following for the change to take effect:
a) /etc/init.d/novell-vmc restart, or
b) perform a Configuration Update from the Administration Console.

Note: enable this only after all LAG members of the cluster have been upgraded to 313-IR2 or later builds. This is needed because cluster members on older builds do not understand the changed encoding of the username.
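As an added example (not Novell's code and not part of the original TID), the following Python script reproduces the failure mode shown in the Situation section and the effect of an encoding fix in isolation: it scans a NIDPSetSession-style dn value for characters XML 1.0 forbids, shows that a standard XML parser rejects a dn element containing U+001A in the same way the LAG ESP logged, and shows that URL-encoding the DN before it is placed in the element yields a document that parses and still round-trips to the original value. The envelope shape, the constructed sample DN (a Japanese CN with an embedded U+001A), and the quote()-based encoding are assumptions for illustration; how the product itself encodes the username once .doURLEncodewithSB is present is not described on this page.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote
from xml.sax.saxutils import escape

# Characters XML 1.0 permits in element content: tab, LF, CR and the
# ranges below. Anything else (for example U+001A, SUB) makes the document
# not well-formed, which is the error the LAG ESP logged.
_INVALID_XML_CHARS = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def find_invalid_xml_chars(text):
    """Return [(offset, 'U+XXXX'), ...] for every character XML 1.0 forbids."""
    return [(m.start(), "U+%04X" % ord(m.group()))
            for m in _INVALID_XML_CHARS.finditer(text)]


def build_set_session(dn):
    """Constructed NIDPSetSession envelope in the shape of the logged request
    (most attributes dropped). Assumption for illustration, not the ESP's code.
    escape() handles '&' and '<' in the DN; it does NOT remove control chars."""
    return (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        '<SOAP-ENV:Body><NIDPSetSession refreshCache="false">'
        '<store type="ldap"><dn>%s</dn></store>'
        "</NIDPSetSession></SOAP-ENV:Body></SOAP-ENV:Envelope>" % escape(dn)
    )


def parses(doc):
    """True if the document is well-formed XML, False if the parser rejects it."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def encode_dn(dn):
    """URL-encode every byte of the DN (as UTF-8) so the element contains only
    ASCII. Assumed encoding for the example; the scheme the product applies
    behind .doURLEncodewithSB is not documented on this page."""
    return quote(dn, safe="")


def decode_dn(encoded):
    """Reverse encode_dn on the receiving side."""
    return unquote(encoded)


def check_dn(dn):
    """Summarise what happens to a DN with and without URL-encoding."""
    raw_doc = build_set_session(dn)
    encoded_doc = build_set_session(encode_dn(dn))
    roundtrip_ok = False
    if parses(encoded_doc):
        # dn carries no namespace prefix, so a plain path finds it.
        received = ET.fromstring(encoded_doc).find(".//dn").text
        roundtrip_ok = decode_dn(received) == dn
    return {
        "invalid_chars": find_invalid_xml_chars(dn),
        "raw_parses": parses(raw_doc),
        "encoded_parses": parses(encoded_doc),
        "roundtrip_ok": roundtrip_ok,
    }


if __name__ == "__main__":
    # Constructed samples: an ASCII DN mirroring the logged one, and a DN with
    # a double-byte CN plus the U+001A character the LAG's parser rejected.
    samples = [
        "CN=Xkyoin,OU=CP&VS,OU=TEST,dc=example,dc=jp",
        "CN=学生\x1a,OU=CP&VS,OU=TEST,dc=example,dc=jp",
    ]
    for sample in samples:
        print(repr(sample), check_dn(sample))
```

Running the script shows the ASCII DN parsing in both forms, while the DN with U+001A fails unencoded (invalid_chars reports the offset of the control character) and succeeds once URL-encoded, with decode_dn recovering the original value on the receiving side. The same find_invalid_xml_chars() check can be pointed at any value taken from a catalina.out "Posting data to" entry to confirm which character the parser is objecting to.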