Environment
- Access Manager 4.4.x
- Access Manager 4.5.x
Situation
- After IDP authentication methods and contracts have been modified, the Secure Token Service (STS) responds with an "Authentication of Username Password Token Failed" SOAP fault enclosed in an HTTP 500 Internal Server Error response
- From within iManager only one Authentication Method has been assigned to the STS Service
- The method has been configured to identify the user and a userstore has been assigned
- The IDP server log "/var/opt/novell/nam/logs/idp/tomcat/catalina.out" lists the following messages:
Dec 12, 2019 9:37:38 AM com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader validate
SEVERE: WSS1408: UsernameToken Authentication Failed
Dec 12, 2019 9:37:38 AM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: Authentication of Username Password Token Failed
at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:175)
at com.sun.xml.ws.security.opt.impl.incoming.UsernameTokenHeader.validate(UsernameTokenHeader.java:164)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(SecurityRecipient.java:368)
Resolution
- Create a full backup of your Access Manager configuration by running the "ambkup.sh" tool
- Remove all configured Authentication Methods from the STS configuration
- Use iManager or an LDAP browser to search for the object of class "nidsWSTrustContainer" (the STS configuration object)
- Remove the "nidsAuthMethodSetDNList" attribute from that STS configuration object
- From within iManager add the authentication method of your choice, then verify with the LDAP browser that the attribute has been re-created and lists only the method you just assigned
Cause
- A method that was assigned to the STS configuration has been deleted. The STS configuration only stores a list of the configured method object names, not a reference that is cleaned up when the method object is removed, so the stale entry stays in the list and the STS fails when it tries to authenticate a user for a WS-Trust RST
- Note: The same error is returned if the LDAP query defined on the method assigned to the STS fails
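As an added example (not part of the original article and not Access Manager code), the following Python script applies the check from the Resolution steps offline: it reads an LDIF export of the configstore, as produced with an LDAP browser, finds every object of class nidsWSTrustContainer and reports which values of nidsAuthMethodSetDNList no longer name an existing object. The DNs, the container layout and the nidsAuthMethod object class in the embedded sample export are constructed for illustration; only the nidsWSTrustContainer class and the nidsAuthMethodSetDNList attribute come from the article.

```python
"""Find stale authentication-method references on an Access Manager STS
configuration object by scanning an LDIF export of the configstore.

Added example for this article, not code shipped with Access Manager.
Only nidsWSTrustContainer and nidsAuthMethodSetDNList are taken from the
article; the DNs, containers and the nidsAuthMethod object class in
SAMPLE_LDIF are hypothetical.
"""
import base64
import re
from typing import Dict, List

# Constructed export: the STS object still lists a method object that was
# deleted ("cn=Old LDAP Method") next to one that still exists.
SAMPLE_LDIF = """\
# export of a hypothetical IDP cluster configuration
dn: cn=Secure Name/Password-Form,ou=AuthMethods,ou=idp,o=example
objectClass: nidsAuthMethod
cn: Secure Name/Password-Form

dn: cn=STS,ou=idp,o=example
objectClass: nidsWSTrustContainer
cn: STS
nidsAuthMethodSetDNList: cn=Secure Name/Password-Form,ou=AuthMethods,ou=idp,
 o=example
nidsAuthMethodSetDNList: cn=Old LDAP Method,ou=AuthMethods,ou=idp,o=example
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased
    (LDAP attribute names are case-insensitive), each mapped to its values.
    Folded lines (continuation starts with one space), '#' comments and
    base64 values ('attr:: ...') are handled; changetype records are not."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """Case-fold and drop whitespace around RDN separators so that the
    values stored on the STS object can be matched against entry DNs."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def find_stale_method_refs(entries: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Return {sts_dn: [stale method DNs]} for every nidsWSTrustContainer.

    A value of nidsAuthMethodSetDNList is stale when no entry in the export
    has that DN: the STS keeps the name after the method object is deleted."""
    existing = {normalize_dn(e["dn"][0]) for e in entries if "dn" in e}
    report: Dict[str, List[str]] = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "nidswstrustcontainer" not in classes:
            continue
        refs = e.get("nidsauthmethodsetdnlist", [])
        report[e["dn"][0]] = [dn for dn in refs if normalize_dn(dn) not in existing]
    return report


if __name__ == "__main__":
    for sts_dn, stale in find_stale_method_refs(parse_ldif(SAMPLE_LDIF)).items():
        state = "OK" if not stale else "STALE: " + "; ".join(stale)
        print(f"{sts_dn}: {state}")
```

Export the complete IDP configuration container, including the authentication method objects; a partial export that omits the method objects would report every method as stale.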
Additional Information
Troubleshooting
- Logging Options:
- Add the following Java options to your "/opt/novell/nam/idp/conf/tomcat.conf" and restart your IDP server:
-------------------------------------------------------------------------------------------------------------------------------------
# WS Security configuration settings
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.xml.wss.provider.wsit.SecurityTubeFactory.dump=false"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true"
-------------------------------------------------------------------------------------------------------------------------------------
- From within iManager configure
- Run "> /var/opt/novell/nam/logs/idp/tomcat/catalina.out" to truncate the logfile before reproducing the error, so that only the relevant messages are captured
- Tools used for troubleshooting:
- Free version of Postman from "https://www.getpostman.com/downloads/" to generate WS-Trust RST requests against the IDP server
- Telerik Fiddler header trace tool from: "https://www.telerik.com/download/fiddler"
- Apache Directory Studio LDAP browser from: "http://directory.apache.org/studio" to review configuration in the Admin Console configstore (eDirectory)
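The Postman step above can also be scripted. The following Python script is an added example for this article, not Access Manager code: it builds a WS-Trust 1.3 RST carrying a WS-Security UsernameToken, posts it to the STS and classifies the reply, recognising the "Authentication of Username Password Token Failed" fault the article describes. The SOAP 1.2 namespaces, the endpoint URL, the AppliesTo address and the sample fault body are assumptions or constructed samples; check the STS WSDL of your IDP for the real endpoint and SOAP version.

```python
"""Generate a WS-Trust RST with a WS-Security UsernameToken and classify the
STS reply, including the HTTP 500 SOAP fault from the article.

Added example for this article, not Access Manager code. Assumptions:
SOAP 1.2 with WS-Trust 1.3 namespaces; endpoint and AppliesTo URLs are
placeholders; SAMPLE_FAULT is constructed around the article's faultstring.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
}
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PWD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
ARTICLE_FAULT = "Authentication of Username Password Token Failed"

RST_TEMPLATE = """<s:Envelope xmlns:s="{s}" xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <wsa:Action s:mustUnderstand="1">{wst}/RST/Issue</wsa:Action>
    <wsa:To s:mustUnderstand="1">{to}</wsa:To>
    <wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" s:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{pwdtype}">{pwd}</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken xmlns:wst="{wst}">
      <wst:RequestType>{wst}/Issue</wst:RequestType>
      <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference><wsa:Address>{applies}</wsa:Address></wsa:EndpointReference>
      </wsp:AppliesTo>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""


def build_rst(endpoint: str, username: str, password: str, applies_to: str) -> bytes:
    """Return the RST envelope. Values are XML-escaped so a password like
    'a<b' cannot break the document. PasswordText is used because the STS
    needs the clear password for the method's LDAP check: send over TLS only."""
    return RST_TEMPLATE.format(
        s=NS["s"], wst=NS["wst"], wsse=WSSE, wsu=WSU, pwdtype=PWD_TEXT,
        to=escape(endpoint), user=escape(username), pwd=escape(password),
        applies=escape(applies_to),
    ).encode("utf-8")


def send_rst(endpoint: str, envelope: bytes, timeout: float = 10.0):
    """POST the envelope; an HTTP error such as the article's 500 is returned
    as (status, body) instead of raised so the SOAP fault can be inspected."""
    req = urllib.request.Request(endpoint, data=envelope,
                                 headers={"Content-Type": "application/soap+xml; charset=utf-8"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify_reply(status: int, body: bytes) -> str:
    """'issued' for a 200 carrying a RequestSecurityTokenResponse, 'auth' for
    the UsernameToken fault from the article (stale method DN on the STS or a
    failing method LDAP query), 'fault' for any other SOAP fault, else 'other'.
    SOAP 1.2 carries the reason in Reason/Text, SOAP 1.1 in faultstring."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "other"
    if status == 200 and root.find(".//wst:RequestSecurityTokenResponse", NS) is not None:
        return "issued"
    texts = root.findall(".//s:Reason/s:Text", NS) + root.findall(".//faultstring")
    if not texts:
        return "other"
    if any(ARTICLE_FAULT in (t.text or "") for t in texts):
        return "auth"
    return "fault"


# Constructed reply body modelled on the article's HTTP 500 error.
SAMPLE_FAULT = b"""<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope">
  <S:Body><S:Fault>
    <S:Code><S:Value>S:Sender</S:Value></S:Code>
    <S:Reason><S:Text xml:lang="en">Authentication of Username Password Token Failed</S:Text></S:Reason>
  </S:Fault></S:Body>
</S:Envelope>"""

if __name__ == "__main__":
    sts = "https://idp.example.com/nidp/wstrust/sts"  # placeholder, take it from the STS WSDL
    env = build_rst(sts, "alice", "s3cret", "https://sp.example.com/")
    print(classify_reply(500, SAMPLE_FAULT))  # offline run: "auth"
    # Against a live IDP: print(classify_reply(*send_rst(sts, env)))
```

A verdict of "auth" alone does not tell a stale method DN apart from a method whose LDAP query fails, which is why the article sends you to the LDAP browser and to the IDP log with the dump options enabled.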
The STS configuration is stored in an object of the "nidsWSTrustContainer" class.
Note: The STS configuration stores the configured Authentication Methods as a list of values on the "nidsAuthMethodSetDNList" attribute. The attribute is a plain list of names, not a reference to the objects storing the Authentication Methods, so deleting a method object does not remove its entry from the list.