The following table provides information about troubleshooting common SiteMinder Agent runtime problems.
| Symptom | Possible Cause | Confirm | Resolve problem |
|---|---|---|---|
| 401 Not Authorized; no identity propagation. | The web application Login Config is not set to CLIENT-CERT, which prevents the WebLogic server from triggering the SiteMinder Identity Asserter. | Try to access the application through the WebLogic httpd listener (default port 7001). Are you challenged by BASIC or FORM? | Edit web.xml manually and change the `<login-config><auth-method>` value to CLIENT-CERT. OR Open WebLogic Builder or other deployment descriptor GUI editor and edit the web application deployment descriptor. Change the Auth Method value under Login Config. |
| 401 Not Authorized; no identity propagation. (continued) | Require authentication by | Try authenticating from this user directory in another method; for example, add group to the WebLogic admin role and start the WebLogic server with that username. | If DefaultAuthentication Provider still exists, edit properties and verify Control Flag is not "REQUIRED". |
| 401 Not Authorized; no identity propagation. (continued) | SiteMinder Agent Provider not enabled. | Check the SiteMinder Agent connection log file for the Provider (or console, if enabled) for this message: "Provider is disabled" where Provider is the name of the Provider. | Edit the appropriate Agent configuration file in ASA_HOME/conf and set enableWeb |

Identity Asserter Runtime Problems

| Symptom | Possible Cause | Confirm | Resolve problem |
|---|---|---|---|
| Application works but identity does not propagate. | Identity Asserter not invoked. | Try accessing the application through the WebLogic httpd listener (default port 7001). Can the application be accessed without challenge? | There must be a security constraint levied against the URL; check the Web deployment descriptor. |
| Failed to decrypt SMSESSION cookie. | Discrepancy between Policy Server used to set session cookie and that used by Identity Asserter. | Check the Agent Configuration files for the proxy server Web Agent and the SiteMinder Agent to verify that they point to policy servers that use the same key store. | Verify that policy and key stores are synchronized. See the SiteMinder Policy Server Administration Guide for more information about key stores. |
| Single sign-on between a custom agent built with SiteMinder SDK and WebLogic does not work | The SiteMinder Identity Asserter is not configured to accept cookies from custom agents, which are different from standard Web Agent cookies. | Check the accepttpcookie value in the Identity Asserter WebAgent.conf file. | The accepttpcookie parameter must be set to "Yes" to propagate identity. |
| Server error on first request to WebLogic. | Required version of Web Agent not available. | Refresh the request and see if the application is now displayed. | Upgrade to the latest Web Agent QMR version. |
| SSL error message: "The SiteMinder Identity Asserter failed to validate the X.509 certificate" in the SiteMinder Identity Asserter Validation Realm. | There is a problem with the authentication scheme for the SiteMinder Identity Asserter Validation Realm. | See the "Resolve problem" column. | Protect the SiteMinder Identity Asserter Validation Realm with a X509 Client Cert authentication scheme. |
| SSL error message: "keytool error:java.lang.Exception: Failed to establish chain from reply" | There is a problem with the certificate. | See the "Resolve problem" column. | Import the server certificate in "Base 64 encoded certificate with CA certificate chain in pkcs7 format". |
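
The two deployment-descriptor conditions from the tables above (the `<auth-method>` value must be CLIENT-CERT, and a security constraint must cover the URL) can be checked offline before redeploying. The following is an added example, not code from the original page or from CA; the function name `audit_web_xml`, the sample descriptors, the role name and the URL pattern are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the original page); role and URL are placeholders.
SAMPLE_BEFORE = """<web-app>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

SAMPLE_AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>employee</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

def _local(tag):
    # Drop any "{namespace}" prefix so DTD-based and schema-based descriptors both match.
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means both conditions hold."""
    root = ET.fromstring(xml_text)
    methods = [(e.text or "").strip() for e in root.iter() if _local(e.tag) == "auth-method"]
    protected = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        # Without an <auth-constraint> the container does not require
        # authentication for these URLs, so the constraint does not count here.
        if any(_local(c.tag) == "auth-constraint" for c in sc):
            protected += [(u.text or "").strip() for u in sc.iter()
                          if _local(u.tag) == "url-pattern"]
    findings = []
    if not methods:
        findings.append("no <login-config><auth-method> element")
    elif methods[0] != "CLIENT-CERT":
        findings.append("auth-method is %s, expected CLIENT-CERT" % methods[0])
    if not protected:
        findings.append("no security-constraint with an auth-constraint covers any URL")
    return findings

if __name__ == "__main__":
    for name, doc in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_web_xml(doc) or "OK")
```

An empty result only confirms the descriptor side; the Provider, cookie and key store rows in the tables still have to be checked in the Agent configuration.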
Copyright © 2010 CA. All rights reserved.