Access Manager WS-Trust responds with Authentication of Username Password Token Failed on RST requests

  • 7024337
  • 12-Dec-2019
  • 12-Dec-2019

Environment

  • Access Manager 4.4.x
  • Access Manager 4.5.x

Situation

  • After IDP authentication methods and contracts have been modified, the Secure Token Service (STS) responds with "Authentication of Username Password Token Failed" inside an HTTP 500 Internal Server Error response

  • From within iManager only one Authentication Method has been assigned to the STS Service


  • The method has been configured to identify the user and a userstore has been assigned


  • The IDP server log "/var/opt/novell/nam/logs/idp/tomcat/catalina.out" lists the following messages:

    Dec 12, 2019 9:37:38 AM com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader validate
    SEVERE: WSS1408: UsernameToken Authentication Failed
    Dec 12, 2019 9:37:38 AM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
    SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
    com.sun.xml.wss.impl.WssSoapFaultException: Authentication of Username Password Token Failed
      at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:175)
      at com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader.validate(UsernameTokenHeader.java:164)
      at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:368)
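The catalina.out excerpt above is in java.util.logging's two-line format (a header line with timestamp, logger and method, then a "LEVEL: message" line, optionally followed by a stack trace). The following Python snippet is an added example, not part of the original TID: it groups those lines back into records, pulls out the WSS message codes and counts the SEVERE ones, which makes it easy to tell whether a wave of HTTP 500s on the STS endpoint is this particular failure. The embedded log sample is constructed from the lines quoted in this article plus one unrelated INFO line; there is no dependency beyond the standard library.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the SEVERE lines quoted in the article plus an unrelated
# INFO record, so the filter has something to ignore.
SAMPLE_LOG = """\
Dec 12, 2019 9:37:38 AM com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader validate
SEVERE: WSS1408: UsernameToken Authentication Failed
Dec 12, 2019 9:37:38 AM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: Authentication of Username Password Token Failed
  at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:175)
  at com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader.validate(UsernameTokenHeader.java:164)
Dec 12, 2019 9:37:40 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1234 ms
"""

# JUL header: "Mon DD, YYYY H:MM:SS AM logger method"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<logger>\S+) (?P<method>\S+)$"
)
# Second line: "LEVEL: [CODE: ]message"; the WSS/WSSTUBE code is optional.
LEVEL_RE = re.compile(r"^(?P<level>[A-Z]+): (?:(?P<code>WSS[A-Z]*\d+): )?(?P<msg>.*)$")

FAULT_TEXT = "Authentication of Username Password Token Failed"


@dataclass
class JulRecord:
    timestamp: str
    logger: str
    method: str
    level: str = ""
    code: str = ""
    message: str = ""
    detail: List[str] = field(default_factory=list)  # exception / stack lines


def parse_jul(text: str) -> List[JulRecord]:
    """Group raw catalina.out lines into JUL records."""
    records: List[JulRecord] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append(JulRecord(m["ts"], m["logger"], m["method"]))
            continue
        if not records:
            continue  # stray line before the first header
        rec = records[-1]
        m = LEVEL_RE.match(line)
        if m and not rec.level:
            rec.level, rec.code, rec.message = m["level"], m["code"] or "", m["msg"]
        else:
            rec.detail.append(line)
    return records


def severe_summary(text: str) -> Dict[str, int]:
    """Count SEVERE records by WSS code (or by message when there is no code)."""
    counts: Dict[str, int] = {}
    for rec in parse_jul(text):
        if rec.level == "SEVERE":
            key = rec.code or rec.message
            counts[key] = counts.get(key, 0) + 1
    return counts


def sts_token_failures(text: str) -> List[JulRecord]:
    """Records that point at the UsernameToken failure from this article:
    either the WSS1408 code or the WssSoapFaultException text in the trace."""
    return [
        rec for rec in parse_jul(text)
        if rec.code == "WSS1408" or any(FAULT_TEXT in d for d in rec.detail)
    ]


if __name__ == "__main__":
    for code, n in sorted(severe_summary(SAMPLE_LOG).items()):
        print(f"{code}: {n}")
    for rec in sts_token_failures(SAMPLE_LOG):
        print(rec.timestamp, rec.logger, rec.code or rec.message)
```

Run it against a copied catalina.out by replacing SAMPLE_LOG with the file contents; a non-zero WSS1408 count after a contract or method change is the signature described in this TID, while WSSTUBE0025 alone can come from other inbound security-header problems.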

Resolution

  1. Create a full backup of your Access Manager configuration using the "ambkup.sh" tool
  2. Remove all configured Authentication Methods from the STS configuration
  3. Use iManager or an LDAP browser to search for the "nidsWSTrustContainer" class object
  4. Remove the nidsAuthMethodSetDNList attribute from the STS configuration object
  5. From within iManager, add the authentication method of your choice and verify with the LDAP browser that the attribute has been re-created

Cause

  • A method that was assigned to the STS configuration has been deleted. Because the STS only stores a list of object names for the configured methods, it keeps using the stale entry, and every attempt to authenticate a user through a WS-Trust RST fails

  • Note: The same error is returned if the LDAP query defined on the method assigned to the STS fails

Additional Information

Troubleshooting
  1. Logging Options:

    1. Add the following Java options to your "/opt/novell/nam/idp/conf/tomcat.conf" and restart your IDP server:
      -------------------------------------------------------------------------------------------------------------------------------------
      # WS Security configuration settings
      JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.xml.wss.provider.wsit.SecurityTubeFactory.dump=false"
      JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true"
      JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true"
      -------------------------------------------------------------------------------------------------------------------------------------

    2. From within iManager configure


    3. Run: "> /var/opt/novell/nam/logs/idp/tomcat/catalina.out" to start with an empty log file

  2. Tools used for troubleshooting:

    1. Free version of Postman from: "https://www.getpostman.com/downloads/" to generate WS-Trust RST requests against the IDP server


    2. Telerik Fiddler header trace tool from: "https://www.telerik.com/download/fiddler"


    3. Apache Directory Studio LDAP browser from: "http://directory.apache.org/studio" to review configuration in the Admin Console configstore (eDirectory)
      The STS configuration is stored in the "nidsWSTrustContainer" class:


      Note: The STS configuration stores the configured Authentication Methods as a list of names on the "nidsAuthMethodSetDNList" attribute. The attribute is just a list of DN strings, not a reference to the objects storing the Authentication Methods, so deleting a method object does not remove its entry from the list.
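The Resolution steps and the note above both come down to one check: does every DN listed in nidsAuthMethodSetDNList still resolve to an existing method object? As an added example that is not part of this TID or of Access Manager itself, the following Python script reads an LDIF export of the config store (from Apache Directory Studio or ldapsearch) and reports the stale entries on each nidsWSTrustContainer object, so you can confirm the cause before removing the attribute. It assumes the export covers both the STS container and the subtree holding the authentication method objects; a DN outside the exported scope is reported as stale even if it exists. The DNs in the embedded sample are constructed for illustration; the attribute and class names are the ones used in this article.

```python
import base64
from typing import Dict, List

# Class and attribute named in the article.
STS_CLASS = "nidsWSTrustContainer"
METHOD_LIST_ATTR = "nidsAuthMethodSetDNList"

# Constructed sample LDIF (DNs are made up): one STS container that lists two
# methods, of which only the first still exists in the export. The folded
# line (leading space) mirrors what ldapsearch/Directory Studio emit for long
# values.
SAMPLE_LDIF = """\
dn: cn=WSTrustSTS,ou=config,o=example
objectClass: nidsWSTrustContainer
nidsAuthMethodSetDNList: cn=NameAndPassword,ou=meth
 ods,o=example
nidsAuthMethodSetDNList: cn=DeletedMethod,ou=methods,o=example

dn: cn=NameAndPassword,ou=methods,o=example
cn: NameAndPassword
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: {dn: {attribute: [values]}}.
    Unfolds continuation lines, keeps multi-valued attributes in order and
    decodes base64 ("attr:: ...") values; comments are skipped."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # unfold
        else:
            logical.append(raw)

    entries: Dict[str, Dict[str, List[str]]] = {}
    dn = None
    attrs: Dict[str, List[str]] = {}
    for line in logical + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN comparison key."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _values(attrs: Dict[str, List[str]], name: str) -> List[str]:
    """Attribute lookup that ignores the case of the attribute name."""
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), [])


def find_stale_method_refs(ldif_text: str) -> Dict[str, List[str]]:
    """For every STS container in the export, list the DNs in
    nidsAuthMethodSetDNList that do not match any exported entry."""
    entries = parse_ldif(ldif_text)
    known = {normalize_dn(dn) for dn in entries}
    result: Dict[str, List[str]] = {}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in _values(attrs, "objectClass")}
        if STS_CLASS.lower() not in classes:
            continue
        refs = _values(attrs, METHOD_LIST_ATTR)
        result[dn] = [r for r in refs if normalize_dn(r) not in known]
    return result


if __name__ == "__main__":
    for container, stale in find_stale_method_refs(SAMPLE_LDIF).items():
        status = "OK" if not stale else f"{len(stale)} stale reference(s)"
        print(f"{container}: {status}")
        for ref in stale:
            print(f"  missing: {ref}")
```

Feed it a real export by reading the .ldif file into the ldif_text argument; an empty list for the container means the attribute is consistent and the failure is more likely the second cause in this article (the method's own LDAP query failing).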