Admin Console iManager returns a blank page while trying to edit an Access Gateway Proxy Service

  • 7024133
  • 23-Sep-2019
  • 23-Sep-2019

Environment

  • NetIQ Access Manager 4.5

Situation

  • dedicated primary and secondary Access Manager Admin Console (AC) installed on Linux
  • system had been upgraded from NAM 4.4.1
  • a backup (taken with NAM 4.4.1) had been restored on the primary AC running NAM 4.5


  • Problem:

    • iManager on the primary AC returns a blank page while trying to edit a given proxy service
    • iManager on the secondary AC works as expected
    • an eDirectory health check had been run, and all objects, including the cluster configuration object, are the same / in sync

Resolution

  • Check the Tomcat connector settings for iManager in "/opt/novell/nam/adminconsole/conf/server.xml" and make sure the parameters relaxedPathChars="'[]|'" relaxedQueryChars="'[]|{}^\`"<>'" are set.

  • Newer versions such as Tomcat 8.5 are stricter about URL encoding and discard requests that include unencoded data.

Cause

  • The Tomcat connector for iManager is missing the relaxedPathChars="'[]|'" relaxedQueryChars="'[]|{}^\`"<>'" parameters

  • Example of a correct Tomcat connector:

    <Connector NIDP_Name="connector" port="8443" maxHttpHeaderSize="8192"
               maxThreads="200" minSpareThreads="5" enableLookups="false"
               disableUploadTimeout="true" acceptCount="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1.2" URIEncoding="UTF-8"
               allowUnsafeLegacyRenegotiation="false" keystorePass="changeit"
               SSLEnabled="true" address="10.2.92.100"
               ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
               sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2"
               relaxedPathChars="'[]|'"
               relaxedQueryChars="'[]|{}^&#x5c;&#x60;&quot;&lt;&gt;'" />

  • Note: restoring a backup taken with another version of NAM is not supported. The root cause of this issue is that older versions of NAM did not require this parameter. The restore process has overwritten the original NAM 4.5 server.xml with the one stored in the backup.
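
The check from the Resolution, as an added example in Python (not part of the original article or of NetIQ's tooling): it parses server.xml text, reports any Connector that lacks either attribute or any of the relaxed characters, and also catches a value whose entities were escaped twice. The names check_connectors, sample, RESTORED, EXPECTED and DOUBLE_ENCODED and the sample documents are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Characters the article's connector relaxes. The single quotes shown around
# the values on the page are left out of the check (assumption).
REQUIRED = {
    "relaxedPathChars": set("[]|"),
    "relaxedQueryChars": set('[]|{}^\\`"<>'),
}

def check_connectors(server_xml):
    """Return one finding per Connector attribute that is missing or incomplete."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        label = f"Connector port={conn.get('port', '?')}"
        for attr, needed in REQUIRED.items():
            value = conn.get(attr)  # the parser has already decoded entities
            if value is None:
                findings.append(f"{label}: {attr} is not set")
            elif needed - set(value):
                lacking = "".join(sorted(needed - set(value)))
                findings.append(f"{label}: {attr} lacks {lacking}")
    return findings

# Constructed samples, trimmed to the relevant attributes.
def sample(extra_attrs):
    return ('<Server><Service name="Catalina"><Connector port="8443" '
            f'scheme="https" SSLEnabled="true" {extra_attrs} /></Service></Server>')

RESTORED = sample("")  # connector as restored from the older backup
EXPECTED = sample("relaxedPathChars=\"'[]|'\" relaxedQueryChars="
                  "\"'[]|{}^&#x5c;&#x60;&quot;&lt;&gt;'\"")
# Value pasted with its ampersands escaped a second time: it parses, but
# decodes to literal "&#x5c;..." text instead of the characters themselves.
DOUBLE_ENCODED = sample("relaxedPathChars=\"'[]|'\" relaxedQueryChars="
                        "\"'[]|{}^&amp;#x5c;&amp;#x60;&amp;quot;&amp;lt;&amp;gt;'\"")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real file, e.g. a copy of server.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            print("\n".join(check_connectors(fh.read())) or "OK")
    else:
        for name in ("RESTORED", "EXPECTED", "DOUBLE_ENCODED"):
            print(name, check_connectors(globals()[name]))
```

Run it with the path to a copy of server.xml as the only argument to check that file; without an argument it evaluates the three constructed samples.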

Additional Information

The AG Cluster configuration is stored at: "ou=AppliancesContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell" and its object name starts with "~tmp".

The configuration is stored in the "romaAGConfigurationXML" attribute of the working / current container object below the cluster object.

The HTTP request initiated to edit the proxy service includes an "appname" parameter, which is the name of the cluster object, and a "basexpath" parameter, which references the proxy service within the "romaAGConfigurationXML" document. Fiddler can be used to track and debug any requests initiated by iManager.