This topic contains 11 replies, has 3 voices, and was last updated by  Andy Cory 4 months, 1 week ago.

  • #22236
     Dhairyasheel 
    Participant

    Hi All,
    I am trying to install web agent 4 along with OpenAM 13 version…
    After doing all the configuration, when I try to access my protected resource, it doesn’t redirect to
    the OpenAM login page. Also, no audit and debug logs are created in the web agent instance.

    Thank you,
    Regards.

    #22238
     Bill Nelson 
    Participant

    Did you restart the web container after installing the web agent?

    If you are not seeing any logs on the web agent, then I suspect that may be your problem.

    If you did restart the web container and are still not seeing anything, then check your web container’s configuration file. Assuming this is Apache, check your httpd.conf file for the presence of the web agent’s shared object reference.

    If you don’t see such a reference, then you didn’t install the agent properly.

    #22241
     Dhairyasheel 
    Participant

    @bill-nelsonidentityfusion-com
    Yes, I did restart my Apache HTTP server after the web agent installation and I’m still not seeing anything.
    Also, I can see the web agent object reference in the httpd.conf file at the end.
    The installation is right, that is what I feel, as I have followed the documentation of OpenAM ForgeRock.
    I might be doing something wrong in the properties of the web agent (agent.conf) file.
    Is there any property we need to change in the agent.conf file after the installation of the web agent?

    #22242
     Bill Nelson 
    Participant

    The web agent installation only requires a minimal number of parameters to complete and no, you don’t need to update the agent config. The startup of the web container and the agent bootstrapping process follow very well-defined steps.

    – Start the Web Container (you should see the .so file loaded in the web container logs)
    – Web Agent retrieves agent profile from OpenAM (you should see this interaction in the web agent logs)
    – Web Agent uses profile settings for further interaction (you should see this occur in the web agent logs)

    If you are not seeing anything in the web agent log files then quite possibly a) you have turned off the web agent local logging in your profile, b) enabled remote logging (i.e. all logs are sent to and stored on OpenAM), or c) you are looking in the wrong place for the logs.

    #22243
     Dhairyasheel 
    Participant

    For the web agent log, I can see that there are two directories, namely DEBUG & AUDIT, in the logs directory.
    But there is nothing inside these directories.
    I have also enabled local logging for the web agent. The value of sun.identity.agent.remote.log.file is amagent…..log file.
    I searched for this file on the OpenAM server using the find command, but didn’t find any.
    And about the .so file which you said should be loaded once I start my HTTP server, I will check that and get back to you.

    #22245
     Dhairyasheel 
    Participant

    @bill-nelsonidentityfusion-com
    The error.log present in the /var/log/apache directory is not showing anything about the mod.so.openam module being loaded by the HTTP server.
    The access.log is empty.
    Also, I am not getting any remote log file on the OpenAM server.

    #22249
     Dhairyasheel 
    Participant

    @bill-nelsonidentityfusion-com
    Hi,
    OK, now the debug files are showing up… I have a debug.log file in the logs directory of my agent instance.
    But when I try to access my protected resource, it gives a Forbidden error – cannot access / on this server.
    After looking into my debug.log file, the error is “not able to open the agent.conf file”.
    I thought this might be because the permissions are wrong for the “agent.conf” file, but it didn’t work and I had the same error.
    One more thing, I have installed the web agent using the root user. As mentioned in the documentation, they say avoid installing the web agent using the root user.
    Would this create a problem?

    #22259
     Andy Cory 
    Participant

    One more thing, I have installed the web agent using the root user. As mentioned in the documentation, they say avoid installing the web agent using the root user.
    Would this create a problem?

    It probably would cause a problem, that’s why the docs say avoid doing that :-)

    It’s possible your web server doesn’t have permissions to read/write what it needs to read/write. Rather than continuing to debug a scenario the vendor advises you to avoid, you will probably have more success redeploying your web agent according to the docs.

    -Andy
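
As an added illustration (not part of any post in this thread, and not ForgeRock code): a check for the situation discussed above, where an agent installed as root can leave agent.conf, or a directory above it, unreadable to the account the web server runs as. The `config/agent.conf` layout and the uid/gid values inside `demo()` are constructed stand-ins.

```python
import os
import stat
import tempfile

X_BITS = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)  # search a directory
R_BITS = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)  # read a file

def _allowed(st, uid, gids, bits):
    # The kernel picks exactly one class: owner, else group, else other.
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def first_blocker(path, uid, gids, base="/"):
    """First component from `base` down that uid/gids cannot pass, or None."""
    # Only classic mode bits are checked; ACLs and SELinux/AppArmor are not.
    if uid == 0:  # root is not restricted by mode bits
        return None
    path, base = os.path.realpath(path), os.path.realpath(base)
    chain = [base]
    for part in os.path.relpath(path, base).split(os.sep):
        chain.append(os.path.join(chain[-1], part))
    for entry in chain:
        st = os.stat(entry)
        bits = X_BITS if stat.S_ISDIR(st.st_mode) else R_BITS
        if not _allowed(st, uid, gids, bits):
            return entry
    return None

def demo():
    """Constructed layout: installer owns the files, httpd runs as another uid."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        conf_dir = os.path.join(root, "config")
        conf = os.path.join(conf_dir, "agent.conf")
        os.mkdir(conf_dir)
        open(conf, "w").close()
        st = os.stat(conf)
        web_uid, web_gids = st.st_uid + 1000, {st.st_gid + 1000}  # stand-in account
        def probe(dir_mode, file_mode):
            os.chmod(conf_dir, dir_mode)
            os.chmod(conf, file_mode)
            hit = first_blocker(conf, web_uid, web_gids, base=root)
            return os.path.basename(hit) if hit else None
        return [probe(0o700, 0o600), probe(0o755, 0o600), probe(0o755, 0o644)]

if __name__ == "__main__":
    print(demo())
```

On a real host, call `first_blocker()` with the actual agent.conf path and the uid and group ids of the web server account; a directory that is not searchable blocks access before the file's own mode is ever consulted.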

    #22272
     Dhairyasheel 
    Participant

    @bill-nelsonidentityfusion-com
    @acorysmart421-com
    My OpenAM login redirection is working fine now.
    I am using the turnkey ELGG application as my protected resource.
    If I try to access this resource, the following things take place:
    1.) It is redirecting to the login page of OpenAM for authentication purposes.
    2.) After successfully providing the username and password, OpenAM is redirecting to the ELGG application page.
    The problem here is OpenAM is redirecting me to the ELGG LOGIN page… It should directly show me the user profile in ELGG, shouldn’t it?

    Any help would be appreciated :)
    Thank you.

    #22273
     Bill Nelson 
    Participant

    It seems to me that OpenAM is working just fine. The problem is that your ELGG application may not be recognizing that the user has a valid session.

    Here are the flows that it appears that you have performed.

    1. You access the ELGG application that is protected by OpenAM.
    2. The OpenAM policy agent detects that you do not have an active/valid session so it redirects you to OpenAM to authenticate.
    3. You successfully authenticate.
    4. You are redirected back to the ELGG application where you are NOT sent back to OpenAM again. That means that the Policy Agent detected the session cookie and queried OpenAM to see if it was valid or not. Since you were not redirected back to OpenAM, the session is both active and valid.

    OpenAM can only redirect you back to the original place that you attempted to access in the first place. This is defined in the “goto” URL parameter. In your case, it appears that the goto parameter is the login page. Now you just need to figure out how to configure the ELGG application to recognize whatever it is that is passed by OpenAM as proof of an active session. This can be an HTTP header, cookie, or snippet of information passed as part of the response.

    But from all appearances, OpenAM and the Policy Agent seem to be working just fine.

    #22318
     Dhairyasheel 
    Participant

    @bill-nelsonidentityfusion-com
    @acorysmart421-com
    Hi,
    Apologies for the delay in response and thanks for your reply.
    So my OpenAM and web Policy agent are working fine. It’s just that I can see the iPlanetDirectoryPro cookie in the Elgg web page, which actually is the OpenAM cookie (SSO token).
    I need to know how to set properties in the SSO token at the server side (OpenAM), which has OpenDJ as its backend.
    And I also want to retrieve values from the SSO token on the client side, in my case the ELGG application, so that I can modify the PHP code in ELGG and open up the user profile in ELGG.
    I tried to see the header content in the ELGG web page, which had uid:”username” (the username with which I logged in on the OpenAM login page), but as per my knowledge this is not enough to open up the session in ELGG.
    How do I set the properties like ‘Password’ and ‘mail’ in the SSO token on the server side and retrieve them on the client side?

    I need to complete this setup till next week.
    Any help would be appreciated :)
    Thank you

    #22319
     Andy Cory 
    Participant

    While you can’t change the content of the SSO token, you can add profile attributes as either additional cookies or as HTTP headers.

    See the docs at https://backstage.forgerock.com/docs/openam-web-policy-agents/4.1/web-pa-guide/#web-agent-profile-attributes-processing-properties

    -Andy
