Openam Web Agent configuration issue #403x

This topic has 0 replies, 1 voice, and was last updated 9 months, 1 week ago by shrewdTurtle.

Post #28708 by shrewdTurtle (Participant):

    Hi,
    I am using OpenAM as the authentication solution for my web app. I have configured OpenAM behind a reverse proxy. I have made all the changes regarding headers and it's working fine. I have also created a site for the server. I can log in as admin and configure realms and policies. I have configured a web agent to be used with my app. I am facing an issue with the web agent. When I log in to my app, the request goes to OpenAM and it authenticates the user, but it cannot redirect to the designated page. It just shows
    #403x
    in the browser. In the authenticator logs I see the following:

    amCDC:09/30/2021 01:54:19:020 PM UTC: Thread[http-apr-8080-exec-8,5,main]: TransactionId[786cdea2-e670-488d-955d-f6679002c3c0-1140]
    ERROR: Invalid Agent: Could not get agent for the realm
    java.lang.Exception: Goto URL not valid for the agent Provider ID
            at com.iplanet.services.cdc.LdapSPValidator.validateAndGetRestriction(LdapSPValidator.java:208)
            at com.iplanet.services.cdc.CDCServlet.redirectWithAuthNResponse(CDCServlet.java:375)
            at com.iplanet.services.cdc.CDCServlet.doGetPost(CDCServlet.java:343)
            at com.iplanet.services.cdc.CDCServlet.doGet(CDCServlet.java:234)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
            at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
            at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
            at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:106)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
            at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
            at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
            at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2445)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:745)
    
    amCDC:09/30/2021 01:54:19:020 PM UTC: Thread[http-apr-8080-exec-8,5,main]: TransactionId[786cdea2-e670-488d-955d-f6679002c3c0-1140]
    ERROR: CDCServlet.doGetPost
    java.lang.Exception: Invalid Agent: Could not get agent for the realm
            at com.iplanet.services.cdc.LdapSPValidator.validateAndGetRestriction(LdapSPValidator.java:227)
            at com.iplanet.services.cdc.CDCServlet.redirectWithAuthNResponse(CDCServlet.java:375)
            at com.iplanet.services.cdc.CDCServlet.doGetPost(CDCServlet.java:343)
            at com.iplanet.services.cdc.CDCServlet.doGet(CDCServlet.java:234)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
            at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
            at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
            at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:106)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
            at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
            at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
            at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2445)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:745)

    I have done all the relevant configuration for the agent as well. I have disabled the server lookup and set the following properties as recommended in the documentation:

    com.sun.identity.agents.config.agenturi.prefix
    com.sun.identity.agents.config.override.protocol=true
    com.sun.identity.agents.config.override.host=true
    com.sun.identity.agents.config.override.port=true

    My site URL is
    https://xyz.com/openam

    I created the agent like this:

    server url = https://xyz.com:443/openam
    agent url = https://xyz.com:443/

    My agent configuration is as follows:

    
    com.sun.identity.agents.config.agent.logout.url[0]=
    com.sun.identity.agents.config.agenturi.prefix=https://xyz.com:443/amagent
    com.sun.identity.agents.config.anonymous.user.enable=false
    com.sun.identity.agents.config.anonymous.user.id=anonymous
    com.sun.identity.agents.config.attribute.multi.value.separator=|
    com.sun.identity.agents.config.audit.accesstype=LOG_BOTH
    com.sun.identity.agents.config.auth.connection.timeout=2
    com.sun.identity.agents.config.cdsso.cdcservlet.url[0]=https://xyz.com:443/openam/cdcservlet
    com.sun.identity.agents.config.cdsso.cookie.domain[0]=
    com.sun.identity.agents.config.cdsso.enable=false
    com.sun.identity.agents.config.change.notification.enable=true
    com.sun.identity.agents.config.cleanup.interval=30
    com.sun.identity.agents.config.client.ip.validation.enable=false
    com.sun.identity.agents.config.convert.mbyte.enable=false
    com.sun.identity.agents.config.cookie.name=iPlanetDirectoryPro
    com.sun.identity.agents.config.cookie.reset.enable=false
    com.sun.identity.agents.config.cookie.reset[0]=
    com.sun.identity.agents.config.cookie.secure=false
    com.sun.identity.agents.config.debug.file.rotate=true
    com.sun.identity.agents.config.debug.file.size=10000000
    com.sun.identity.agents.config.debug.level=All
    com.sun.identity.agents.config.domino.check.name.database=false
    com.sun.identity.agents.config.domino.ltpa.config.name=LtpaToken
    com.sun.identity.agents.config.domino.ltpa.cookie.name=LtpaToken
    com.sun.identity.agents.config.domino.ltpa.enable=false
    com.sun.identity.agents.config.encode.cookie.special.chars.enable=false
    com.sun.identity.agents.config.encode.url.special.chars.enable=false
    com.sun.identity.agents.config.fetch.from.root.resource=false
    com.sun.identity.agents.config.fqdn.check.enable=true
    com.sun.identity.agents.config.fqdn.default=xyz.com
    com.sun.identity.agents.config.fqdn.mapping[]=
    com.sun.identity.agents.config.get.client.host.name=false
    com.sun.identity.agents.config.ignore.path.info=false
    com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list=true
    com.sun.identity.agents.config.ignore.preferred.naming.url=true
    com.sun.identity.agents.config.ignore.server.check=true
    com.sun.identity.agents.config.iis.filter.priority=HIGH
    com.sun.identity.agents.config.iis.logonuser=false
    com.sun.identity.agents.config.iis.owa.enable=false
    com.sun.identity.agents.config.iis.owa.enable.change.protocol=false
    com.sun.identity.agents.config.iis.password.header=false
    com.sun.identity.agents.config.load.balancer.enable=true
    com.sun.identity.agents.config.local.log.rotate=true
    com.sun.identity.agents.config.local.log.size=52428800
    com.sun.identity.agents.config.locale=en_US
    com.sun.identity.agents.config.log.disposition=ALL
    com.sun.identity.agents.config.login.url[0]=https://xyz.com:443/openam/UI/Login
    com.sun.identity.agents.config.logout.cookie.reset[0]=
    com.sun.identity.agents.config.logout.url[0]=https://xyz.com:443/openam/UI/Logout
    com.sun.identity.agents.config.notenforced.ip[0]=
    com.sun.identity.agents.config.notenforced.url.attributes.enable=false
    com.sun.identity.agents.config.notenforced.url.invert=false
    com.sun.identity.agents.config.notenforced.url[0]=/logout.html
    com.sun.identity.agents.config.notenforced.url[1]=/images/*
    com.sun.identity.agents.config.notenforced.url[2]=/css/-*-
    com.sun.identity.agents.config.notenforced.url[3]=/*.jsp?locale=*
    com.sun.identity.agents.config.notification.enable=true
    com.sun.identity.agents.config.organization.name=/
    com.sun.identity.agents.config.override.host=true
    com.sun.identity.agents.config.override.notification.url=true
    com.sun.identity.agents.config.override.port=true
    com.sun.identity.agents.config.override.protocol=true
    com.sun.identity.agents.config.policy.cache.polling.interval=3
    com.sun.identity.agents.config.policy.clock.skew=0
    com.sun.identity.agents.config.poll.primary.server=5
    com.sun.identity.agents.config.polling.interval=60
    com.sun.identity.agents.config.postcache.entry.lifetime=10
    com.sun.identity.agents.config.postdata.preserve.enable=false
    com.sun.identity.agents.config.profile.attribute.cookie.maxage=300
    com.sun.identity.agents.config.profile.attribute.cookie.prefix=HTTP_
    com.sun.identity.agents.config.profile.attribute.fetch.mode=NONE
    com.sun.identity.agents.config.profile.attribute.mapping[]=
    com.sun.identity.agents.config.proxy.override.host.port=false
    com.sun.identity.agents.config.redirect.param=goto
    com.sun.identity.agents.config.remote.log.interval=5
    com.sun.identity.agents.config.remote.logfile=amAgent_xyz_com_443.log
    com.sun.identity.agents.config.repository.location=centralized
    com.sun.identity.agents.config.response.attribute.fetch.mode=NONE
    com.sun.identity.agents.config.response.attribute.mapping[]=
    com.sun.identity.agents.config.session.attribute.fetch.mode=NONE
    com.sun.identity.agents.config.session.attribute.mapping[]=
    com.sun.identity.agents.config.sso.cache.polling.interval=3
    com.sun.identity.agents.config.sso.only=false
    com.sun.identity.agents.config.url.comparison.case.ignore=true
    com.sun.identity.agents.config.userid.param=UserToken
    com.sun.identity.agents.config.userid.param.type=session
    com.sun.identity.client.notification.url=https://xyz.com:443/UpdateAgentCacheServlet?shortcircuit=false
    org.forgerock.openam.agents.config.policy.evaluation.application=iPlanetAMWebAgentService
    org.forgerock.openam.agents.config.policy.evaluation.realm=/
    sunIdentityServerDeviceKeyValue[0]=agentRootURL=https://xyz.com:443/
    sunIdentityServerDeviceStatus=Active
    userpassword=

    But it is still not working. Can someone explain what I am missing and how I can resolve this?

    regards

    • This topic was modified 9 months, 1 week ago by shrewdTurtle. Reason: Added Agent config
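The error in the post's log, "Goto URL not valid for the agent Provider ID", is raised while the CDC servlet validates the redirect target against the agent profile. The script below is an added example, not code from the post or from OpenAM/ForgeRock: it parses the key=value agent listing in the format shown above, pulls the agentRootURL entries out of sunIdentityServerDeviceKeyValue, and reports whether a candidate goto URL matches one of them. The matching rule used here (same scheme, host and effective port, and the goto path lying under the root URL's path) is an assumption chosen for the example, not a reproduction of LdapSPValidator, and the extra consistency checks (agent status, cdsso.enable versus the cdcservlet URL, fqdn.default versus the root host) are the author's own choice of things to look at, not something the post establishes as the cause. The sample properties are a constructed, trimmed copy of the ones in the post.

```python
"""
Added example: offline linter for an OpenAM web-agent properties listing.
Not part of the original post or of OpenAM; the goto-vs-agentRootURL rule
below is an assumption, not OpenAM's own validation code.
"""
from urllib.parse import urlsplit

# Constructed sample in the same key=value format the post uses (trimmed).
SAMPLE_PROPERTIES = """\
com.sun.identity.agents.config.cdsso.cdcservlet.url[0]=https://xyz.com:443/openam/cdcservlet
com.sun.identity.agents.config.cdsso.enable=false
com.sun.identity.agents.config.fqdn.default=xyz.com
com.sun.identity.agents.config.login.url[0]=https://xyz.com:443/openam/UI/Login
com.sun.identity.agents.config.redirect.param=goto
sunIdentityServerDeviceKeyValue[0]=agentRootURL=https://xyz.com:443/
sunIdentityServerDeviceStatus=Active
"""


def parse_properties(text):
    """Parse 'key=value' lines into a dict. Indexed keys such as name[0] or
    name[] are collected into a list under the bare name. Only the first '='
    splits key from value, so values like 'agentRootURL=https://...' survive."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key.endswith("]"):
            props.setdefault(key[: key.index("[")], []).append(value)
        else:
            props[key] = value
    return props


def agent_root_urls(props):
    """Return the agentRootURL values found in sunIdentityServerDeviceKeyValue."""
    roots = []
    for entry in props.get("sunIdentityServerDeviceKeyValue", []):
        name, sep, value = entry.partition("=")
        if sep and name.strip() == "agentRootURL":
            roots.append(value.strip())
    return roots


def _normalize(url):
    """Return (scheme, host, port, path) with the default port filled in so
    'https://xyz.com/' and 'https://xyz.com:443/' compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, host, port, parts.path or "/"


def goto_matches_root(goto_url, root_url):
    """Assumed rule (not OpenAM's code): scheme, host and port must agree and
    the goto path must lie under the root URL's path."""
    gs, gh, gp, gpath = _normalize(goto_url)
    rs, rh, rp, rpath = _normalize(root_url)
    if (gs, gh, gp) != (rs, rh, rp):
        return False
    if not rpath.endswith("/"):
        rpath += "/"
    return gpath == rpath.rstrip("/") or gpath.startswith(rpath)


def lint_agent(props, goto_url):
    """Return a list of human-readable findings for the parsed agent profile."""
    findings = []
    roots = agent_root_urls(props)
    if not roots:
        findings.append("no agentRootURL entry in sunIdentityServerDeviceKeyValue")
    elif not any(goto_matches_root(goto_url, r) for r in roots):
        findings.append(f"goto URL {goto_url} matches none of agentRootURL {roots}")
    if props.get("sunIdentityServerDeviceStatus") != "Active":
        findings.append("agent status is not Active")
    # Informational: a cdcservlet URL is only consulted in CDSSO mode.
    cdc = props.get("com.sun.identity.agents.config.cdsso.cdcservlet.url", [])
    if cdc and props.get("com.sun.identity.agents.config.cdsso.enable") != "true":
        findings.append("cdcservlet.url is set but cdsso.enable is not true")
    fqdn = props.get("com.sun.identity.agents.config.fqdn.default")
    if fqdn and roots and _normalize(roots[0])[1] != fqdn.lower():
        findings.append(f"fqdn.default {fqdn} differs from the agentRootURL host")
    return findings


if __name__ == "__main__":
    profile = parse_properties(SAMPLE_PROPERTIES)
    for goto in ("https://xyz.com/app/home", "http://xyz.com/app/home",
                 "https://other.example/"):
        print(goto, "->", lint_agent(profile, goto) or ["OK"])
```

Run it against a real agent export by replacing SAMPLE_PROPERTIES with the file contents and passing the exact goto value seen in the failing request; a "matches none" finding is the condition the log message names, while the other findings are side checks worth confirming by hand.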