Forbidden – You don't have permission to access / on this server.

This topic has 7 replies, 7 voices, and was last updated 4 years, 3 months ago by marrax.

  • #7996
     mshaw1
    Participant

    Hi,

    My setup:

    OpenAM 13.0
    tomcat 1.7
    httpd 2.4
    OS: redhat 7

    I have followed the steps here to setup policy agent: http://openam.forgerock.org/doc/bootstrap/getting-started/index.html

    I keep getting “Forbidden – You don’t have permission to access / on this server.”

    If I uninstall the agent, it works fine and I get the message “It Works”.

    I have also enabled SSO Only, so it only does authentication but I enabled debug in WebAgent and noticed the following error.

    Still have the same issue. I then noticed the following error in the Agent/debug file:

    2016-02-21 09:06:32.183 -0500 ERROR [0x7f654bfff700:2841] am_get_config_file(): can’t open file /path/to/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf (error: 13)
    2016-02-21 09:06:32.183 -0500 ERROR [0x7f654bfff700:2841] am_get_agent_config(): failed to load instance bootstrap 3987119432 data
    2016-02-21 09:06:32.183 -0500 ERROR [0x7f654bfff700:2841] amagent_auth_handler(): failed to get agent configuration instance, error: file parser error

    This is the file permission:
    [[email protected] ~]# ls -la /path/to/web_agents/apache24_agent/instances/agent_1/config/agent.conf
    -rw-r-----. 1 root root 7790 Feb 21 08:27 /path/to/web_agents/apache24_agent/instances/agent_1/config/agent.conf

    There is no issue with this file permission, but I changed the file permission of this file and I am still getting the same error:

    [[email protected] ~]# ls -la /path/to/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf
    -rwxrwxrwx. 1 root root 7790 Feb 21 08:27 /path/to/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf

    Any ideas on how to resolve it?

    Thanks

    • This topic was modified 5 years, 11 months ago by mshaw1.
    #8076
     srenkens
    Participant

    Hi mshaw1,

    I just ran into this problem and got it fixed by adding the “--changeOwner” parameter to the “agentadmin” install command.

    Full command was:
    /opt/apache24_agent/bin/agentadmin --s /usr/local/apache2/conf/httpd.conf $AM_SERVER_URL $AGENT_URL / WebAgent /opt/pwd --acceptLicence --changeOwner

    Hope this hint will get it working for you.

    Regards,
    Sebastiaan

    • This reply was modified 5 years, 11 months ago by srenkens. Reason: typo
    #8085
     Rogerio Rondini
    Participant

    Also, you can check if “SELINUX” is blocking Policy Agent.
    https://www.centos.org/docs/5/html/5.1/Deployment_Guide/sec-sel-enable-disable.html

    You can try disabling SELINUX for a test, and if Policy Agent works you can configure SELINUX correctly to enable Policy Agent.

    Abs.
    Rogerio.

    #9967
     patrickli
    Participant

    Hi,

    I got the same problem on the openAM apache22_agent

    2016-04-19 17:20:40.770 -0700 ERROR [0x7fe4be9c77e0:58827] am_get_config_file(): can’t open file /root/apache22_agent/bin/../instances/agent_1/config/agent.conf (error: 13)
    2016-04-19 17:20:40.770 -0700 ERROR [0x7fe4be9c77e0:58827] am_get_agent_config(): failed to load instance bootstrap 3668831586 data
    2016-04-19 17:20:40.770 -0700 ERROR [0x7fe4be9c77e0:58827] amagent_auth_handler(): failed to get agent configuration instance, error: file parser error

    [[email protected] debug]# ll /root/apache22_agent/bin/../instances/agent_1/config/agent.conf
    -rwxrwxrwx 1 apache apache 7775 Apr 19 17:04 /root/apache22_agent/bin/../instances/agent_1/config/agent.conf

    I tried the --changeOwner option but it didn’t help. SELinux is disabled.

    [[email protected] debug]# sestatus
    SELinux status: disabled

    Any suggestion? Thanks.

    #9973
     miankashifali
    Participant

    Hi,

    I have the same issue. I followed the steps described in getting started.

    I get the following error.
    [Wed Apr 20 17:17:40.524606 2016] [core:notice] [pid 7545:tid 140619221346048] AH00094: Command line: ‘/usr/local/apache2/bin/httpd’
    [Wed Apr 20 17:19:08.751798 2016] [amagent:error] [pid 7550:tid 140619101619968] [client 127.0.0.1:53711] OpenAM Web Agent is not configured to handle the request to / (unable to get agent configuration instance, configuration: /home/oracle/apps/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf, error: file parser error)
    [Wed Apr 20 17:19:08.861843 2016] [amagent:error] [pid 7550:tid 140619093227264] [client 127.0.0.1:53711] OpenAM Web Agent is not configured to handle the request to /favicon.ico (unable to get agent configuration instance, configuration: /home/oracle/apps/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf, error: file parser error)
    [Wed Apr 20 17:19:08.862971 2016] [amagent:error] [pid 7550:tid 140619084834560] [client 127.0.0.1:53711] OpenAM Web Agent is not configured to handle the request to /favicon.ico (unable to get agent configuration instance, configuration: /home/oracle/apps/web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf, error: file parser error)

    Given that:
    1- SELinux status: disabled
    2- installed policy agent using --changeOwner
    3- Apache HTTP server is running as administrator

    Please help.

    #9976
     miankashifali
    Participant

    I fixed the issue running following steps before installing the web agents:

    1- instead of policy agent 4.0 I used 3.3.
    2- sudo chmod -R 777 /usr/local/apache2
    3- sudo chmod -R 777 /downloads/web_agents

    I am sure there should be some proper way to set the permissions for both the apache2 and web_agents directory.

    Now the URL request is intercepted by OpenAM Credential Collector, but after successful authentication user demo still can’t access the “it works” page.
    It looks like the authorization policy is not triggered correctly.

    Following is the tail from tomcat:

    127.0.0.1 – – [20/Apr/2016:19:06:38 -0400] “GET /openam/XUI/ HTTP/1.1” 304 –
    127.0.0.1 – – [20/Apr/2016:19:06:38 -0400] “GET /openam/XUI/libs/requirejs-2.1.14-min.js HTTP/1.1” 304 –
    127.0.0.1 – – [20/Apr/2016:19:06:38 -0400] “GET /openam/json/serverinfo/* HTTP/1.1” 304 –
    127.0.0.1 – – [20/Apr/2016:19:06:38 -0400] “POST /openam/json/users?_action=idFromSession HTTP/1.1” 401 73
    127.0.0.1 – – [20/Apr/2016:19:06:38 -0400] “GET /openam/XUI/locales/en-US/translation.json?v=13.0.0 HTTP/1.1” 404 1033
    127.0.0.1 – – [20/Apr/2016:19:06:38 -0400] “POST /openam/json/authenticate?goto=http%3A%2F%2Fwww.idmpirate.eu%3A8000 HTTP/1.1” 200 684
    127.0.0.1 – – [20/Apr/2016:19:06:38 -0400] “GET /openam/XUI/images/login-logo.png?v=13.0.0 HTTP/1.1” 304 –
    127.0.0.1 – – [20/Apr/2016:19:08:58 -0400] “POST /openam/json/authenticate HTTP/1.1” 408 74
    127.0.0.1 – – [20/Apr/2016:19:08:58 -0400] “POST /openam/json/authenticate?goto=http%3A%2F%2Fwww.idmpirate.eu%3A8000 HTTP/1.1” 200 679
    127.0.0.1 – – [20/Apr/2016:19:08:58 -0400] “POST /openam/json/authenticate HTTP/1.1” 200 147
    127.0.0.1 – – [20/Apr/2016:19:08:58 -0400] “POST /openam/json/users?_action=idFromSession HTTP/1.1” 200 206
    127.0.0.1 – – [20/Apr/2016:19:08:58 -0400] “GET /openam/json/users/demo HTTP/1.1” 200 843
    127.0.0.1 – – [20/Apr/2016:19:08:58 -0400] “POST /openam/json/users?_action=validateGoto HTTP/1.1” 200 56
    127.0.0.1 – – [20/Apr/2016:19:08:58 -0400] “POST /openam/namingservice HTTP/1.0” 200 3478
    127.0.0.1 – – [20/Apr/2016:19:08:58 -0400] “POST /openam/sessionservice HTTP/1.0” 200 2138
    127.0.0.1 – – [20/Apr/2016:19:08:58 -0400] “POST /openam/policyservice HTTP/1.0” 200 407

    I hope someone will show up with correct answer.
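
A world-readable agent.conf can still fail to open with a permission error when any directory on the way to it denies search (x) permission to the user httpd runs as, and the agent's own path goes through `bin/../`, so `bin` counts too. The script below is an added example, not code from any post in this thread or from the agent's tooling: it lists the path components a given numeric uid/gid cannot pass, using mode bits only. The uid/gid 54321, the temporary directory layout and the function names `path_blockers` and `demo_tree` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classic mode bits only: ACLs, SELinux and supplementary
# groups are not evaluated. Needs a stat that supports -c (GNU, BusyBox).

# path_blockers UID GID PATH
# Prints "<component> <mode> <owner uid>:<gid>" for every path component the
# numeric UID/GID cannot pass: directories need x, the final file needs r.
path_blockers() {
    uid=$1; gid=$2; p=$3
    if [ "$uid" -eq 0 ]; then return 0; fi      # root bypasses mode bits
    need=4                                       # leaf file: read bit
    if [ -d "$p" ]; then need=1; fi              # leaf directory: search bit
    while :; do
        info=$(stat -L -c '%a %u %g' "$p") || return 2
        set -- $info                             # $1=mode $2=owner uid $3=gid
        if [ "$uid" -eq "$2" ]; then shift_by=6      # owner bits apply
        elif [ "$gid" -eq "$3" ]; then shift_by=3    # group bits apply
        else shift_by=0; fi                           # other bits apply
        if [ $(( (0$1 >> $shift_by) & $need )) -eq 0 ]; then
            echo "$p $1 $2:$3"
        fi
        case $p in /|.) break ;; esac
        p=$(dirname "$p"); need=1                # every ancestor needs x
    done
    return 0
}

# Constructed layout mirroring the thread: a 0777 agent.conf reached through
# bin/../instances, below a directory that only its owner may enter.
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/agent/bin" "$root/agent/instances/agent_1/config"
    : > "$root/agent/instances/agent_1/config/agent.conf"
    chmod 755 "$root" "$root/agent/bin" "$root/agent/instances" \
        "$root/agent/instances/agent_1" "$root/agent/instances/agent_1/config"
    chmod 777 "$root/agent/instances/agent_1/config/agent.conf"
    chmod 700 "$root/agent"
    echo "$root"
}

WEB_UID=54321; WEB_GID=54321   # placeholder ids; take real ones from `id` for the httpd user
tree=$(demo_tree)
path_blockers "$WEB_UID" "$WEB_GID" \
    "$tree/agent/bin/../instances/agent_1/config/agent.conf"
rm -rf "$tree"
```

Granting search permission on only the directories it reports (for example `chmod o+x` on each) is a narrower change than `chmod -R 777` on the whole tree.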

    #18515
     eshraiman
    Participant

    I had this same problem with authorization using Web Agent 3.3.0

    I installed Agent 3.3.1 and was able to authenticate and was redirected to the apache It works! page. There were many bugs fixed in Agent 3.3.1

    To make it work with Agent 3.3.0 you have to disable authorization: in WebAgent General section set SSO Only Mode to Enabled. This will enforce authentication but no authorization for policies. Then you can be redirected when using Agent 3.3.0

    #19162
     marrax
    Participant

    I installed an older version and it worked – yeah !
