Environment
Access Manager 4.4
Clustered IDP setup.
Clustered AG setup.
Situation
The IDP public certificate was due to expire and had been replaced.
Authentication from /nidp was successful, but if a protected resource was accessed via an Access Gateway, the login page would be presented and, after credentials were entered, the browser would receive an HTTP 500 internal server error.
Resolution
Careful examination and comparison of all the IDP keystores showed that the signing and encryption keystores still had the old certificate.
The following steps were performed.
1. Added the new cert to the encryption and signing keystores.
2. Removed the old cert from the encryption and signing keystores.
3. Updated the IDP configuration.
4. Restarted the IDP (/etc/init.d/novell-idp restart).
After this the openssl command to the IDP returned the new certificate and the problem was resolved.
Cause
As the error appeared after the Access Gateway redirected to the IDP, the AG ESP catalina.out was examined.
This showed the artifact being returned from the IDP:
<amLogEntry>
2019-05-24T02:11:05Z INFO NIDS Application: AM#500105021:
AMDEVICEID#esp-B557FFBC1E82C454:
AMAUTHID#b73a52e55d405f2b72b8caec35b9c0f2c0cd78aef97809c69736f73b3ec8d5e7:
Sending artifact
AAM7cjFX55KzYS0FXScw39b0yzpGG8usD7MmtMqWaueG5NJqTJP/qHZL to URL
https://idpurl.com/nidp/idff/soap at IDP
</amLogEntry>
The AG response to this was:
<amLogEntry> 2019-05-24T02:11:05Z WARNING NIDS Application: AM#100105004: AMDEVICEID#esp-B557FFBC1E82C454: Error in SOAP response format. Reason: Element [script: null] missing required child element Body. </amLogEntry>
followed by a null pointer exception:
May 24, 2019 12:11:05 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [NIDPServlet] in context with path [/nesp] threw exception
java.lang.NullPointerException
at com.novell.nidp.common.xml.w3c.XMLUtil.documentToPrettyString(y:613)
at com.novell.nidp.common.util.SOAPIO.doSOAPRequest(y:2040)
at com.novell.nidp.common.profile.Profile.soapSend(y:1564)
at com.novell.nidp.liberty.idff.profile.LibertyProfile.A(y:3435)
at com.novell.nidp.liberty.idff.profile.LibertyProfile.handledInBoundResponse(y:3105)
at com.novell.nidp.liberty.idff.profile.LibertySSOProfile.processResponse(y:2675)
at com.novell.nidp.liberty.IDFFHandler.E(y:2289)
at com.novell.nidp.liberty.IDFFHandler.handleRequest(y:3087)
at com.novell.nidp.liberty.LibertyMeDescriptor.handleRequest(y:11)
at com.novell.nidp.servlets.NIDPServlet.myDoGet(y:2505)
at com.novell.nidp.servlets.NIDPBaseServlet.doGet(y:21)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
This pointed to a certificate error.
Running the command
openssl s_client -connect idpurl.com:443 | openssl x509 -text
showed that a certificate was being returned, but carefully checking the serial number proved that it was the old IDP certificate, not the new one.
If a browser went directly to the idpurl, the new certificate was returned.
If the hosts file on the AG and browser was modified to point to a single IDP, then the HTTP 500 internal server error was not returned and the backend web site was accessed. The problem only occurred when the AG and browser accessed the cluster via the L5 switch.
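The article compares serial numbers by hand with openssl against whatever node the L5 switch happens to pick. The script below is an added example, not part of the original article and not NetIQ/Micro Focus code: it connects to each IDP cluster member by IP while presenting the public IDP hostname via SNI (as the Access Gateway does), pulls the leaf certificate, reads the serial number straight out of the DER header, and reports any node whose serial differs from the new certificate's. The hostname idpurl.com comes from the article; the node addresses (192.0.2.x) and the expected serial in the main block are placeholders to be replaced with the real cluster member IPs and the serial of the newly issued certificate. The DER reader only parses the leading fields of tbsCertificate (version and serialNumber), which is all this check needs.

```python
"""Per-node check of which TLS certificate an IDP cluster member serves.

Added example, not from the article or the product: automates the manual
'openssl s_client | openssl x509' serial comparison, but per cluster node,
so a member still serving the old certificate behind the load balancer
shows up directly instead of depending on which node the switch selects.
"""
import hashlib
import socket
import ssl

# Hostname from the article; node IPs are placeholders (assumed values).
IDP_HOSTNAME = "idpurl.com"
IDP_NODES = ["192.0.2.11", "192.0.2.12"]


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value triple at pos.

    Returns (tag, value, position_after_value). Handles the short and
    long length forms, which is all an X.509 certificate header uses.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def serial_from_der(der: bytes) -> str:
    """Return the serialNumber of a DER X.509 certificate as colon-hex.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        [0] EXPLICIT version OPTIONAL, serialNumber INTEGER, ... }, ... }
    Only these leading fields are parsed; the output matches the
    'Serial Number:' line printed by 'openssl x509 -text' (e.g. "12:34").
    """
    tag, cert_body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = read_tlv(tbs, 0)
    if tag == 0xA0:  # [0] version present: skip it to reach serialNumber
        tag, value, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return ":".join(f"{b:02x}" for b in value)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate in openssl's colon form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(node_ip: str, server_name: str, port: int = 443,
                   timeout: float = 5.0) -> bytes:
    """Connect to one node by IP, send the public hostname as SNI, and
    return the leaf certificate the node actually serves (DER bytes).

    Verification is disabled on purpose: the question is which certificate
    this node presents, not whether the client trusts it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((node_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def nodes_not_serving(expected_serial: str, node_serials: dict) -> list:
    """Return the node addresses whose serial differs from expected_serial."""
    return sorted(ip for ip, serial in node_serials.items()
                  if serial.lower() != expected_serial.lower())


def audit_cluster(expected_serial: str, nodes=IDP_NODES,
                  server_name=IDP_HOSTNAME) -> list:
    """Fetch every node's leaf certificate and list the nodes that still
    serve something other than the expected (new) certificate."""
    node_serials = {}
    for ip in nodes:
        der = fetch_leaf_der(ip, server_name)
        node_serials[ip] = serial_from_der(der)
        print(f"{ip}: serial {node_serials[ip]} sha256 {sha256_fingerprint(der)}")
    return nodes_not_serving(expected_serial, node_serials)


if __name__ == "__main__":
    # Placeholder serial: take the real value from the new certificate
    # with 'openssl x509 -in new.pem -noout -serial'.
    stale = audit_cluster("00:aa:bb")
    print("nodes still serving a different certificate:", stale or "none")
```

In the situation the article describes, running this against both IDP cluster members would have listed the node that still presented the old serial, which is the same conclusion the article reached by editing the hosts file and testing one node at a time.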