Environment
- Access Manager 4.4.3
- Access Manager 4.4.3 IDP server
Situation
- IDP server has been configured to run x509 mutual authentication using the Dual Connector setup with tomcat
- After running the NAM 4.4.3 update process, the user gets prompted for the certificate but is then presented with the login page again.
- catalina.out reports the Contract Execution succeeded but authentication fails
Resolution
- This issue has been raised with engineering for future releases.
- In case you have no backup of the existing context.xml file, review the configuration steps from the Admin Guide section "Configuring X.509 Authentication to Provide Access Manager Error Message":
7. Navigate to the /opt/novell/nids/lib/webapp/META-INF/ directory and open the context.xml file.
8. Change the Tomcat context.xml to set the same cookie for sub-domains.
Ensure that the path is set to "/" as follows:
    <?xml version="1.0" encoding="UTF-8"?>
    <Context sessionCookiePath="/" sessionCookieDomain=".nam.example.com">
        <!-- Disable session persistence across Tomcat restarts -->
        <Manager pathname="" saveOnRestart="false"/>
    </Context>
(Applicable for Access Manager 4.4 Service Pack 3 and later versions) Uncomment the following in the context.xml file:
    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
Cause
The "/opt/novell/nids/lib/webapp/META-INF/context.xml" IDP context configuration file is overwritten with the default configuration file during the NAM 4.4 SP3 upgrade process. The RPM installing the file is "novell-nidp-server-4.4.3.0-93.noarch". The RPM does not verify the context.xml file, nor does it create a backup.
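Because the upgrade replaces context.xml without a backup, it helps to copy the file before upgrading and to verify the three settings from the Resolution afterwards. The script below is an added example, not part of the product or the admin guide; the function names and the backup file suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): back up and verify the IDP context.xml
# around an upgrade. Function names and the .bak suffix are hypothetical.

# Print the file with XML comments removed, so a commented-out
# <CookieProcessor> element is not mistaken for an active one.
strip_comments() {
  awk '{ buf = buf $0 "\n" }
       END {
         while ((s = index(buf, "<!--")) > 0) {
           rest = substr(buf, s + 4)
           e = index(rest, "-->")
           if (e == 0) { buf = substr(buf, 1, s - 1); break }
           buf = substr(buf, 1, s - 1) substr(rest, e + 3)
         }
         printf "%s", buf
       }' "$1"
}

# Return 0 when all settings are active, 1 when one is missing,
# 2 when the file cannot be read.
check_context_xml() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  active=$(strip_comments "$1") || return 2
  rc=0
  for pattern in 'sessionCookiePath="/"' \
                 'sessionCookieDomain="[^"]+"' \
                 'className="org\.apache\.tomcat\.util\.http\.LegacyCookieProcessor"'; do
    if ! printf '%s\n' "$active" | grep -Eq "$pattern"; then
      echo "MISSING in $1: $pattern" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Keep a timestamped copy next to the original and print its path.
backup_context_xml() {
  backup="$1.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$1" "$backup" && echo "$backup"
}

# Run as: sh check_context.sh /opt/novell/nids/lib/webapp/META-INF/context.xml
if [ "$#" -gt 0 ]; then
  check_context_xml "$1" && echo "OK: $1"
fi
```

Run backup_context_xml before the upgrade and check_context_xml after it; a non-zero result means the file was reset and the saved copy should be compared against it.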