Thursday, January 15, 2015

OAM 11g : System error after DCC tunneling authentication

Hi All,

My apologies for taking so long to write a post on this blog. Better late than never. Today I'm writing about an issue we encountered in OAM 11g.

Our environment is OAM 11gR2 PS2 BP03, and we have tunneling enabled at the DCC Webgate. An OHS application is protected using a DCC tunneling authentication scheme (I will explain DCC tunneling in a separate post). When the user accesses the OHS application, a login page is displayed and the user submits credentials. Post authentication, instead of being redirected to the OHS application, the user is shown a System error message.

I'd ensured that the credentials were correct and that the back-end user identity store was running fine.

I saw the exception below in the OAM Server diagnostic logs:

oracle.security.am.pbl.protocol.plugin.oam.AMFailureResponseHandler] [SRC_METHOD: processResponse] OAM-02073[[
oracle.security.am.common.utilities.exception.AmRuntimeException: OAM-02073
at oracle.security.am.engines.enginecontroller.AuthzEngineController.checkProtected(AuthzEngineController.java:614)
at oracle.security.am.engines.enginecontroller.AuthzEngineController.processEvent(AuthzEngineController.java:199)
at oracle.security.am.controller.MasterController.processEvent(MasterController.java:596)
at oracle.security.am.controller.MasterController.processRequest(MasterController.java:788)
at oracle.security.am.controller.MasterController.process(MasterController.java:708)
at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLFlowManager.java:209)
at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.java:147)
at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.java:107)

I'd ensured that the authentication scheme was correct, as the same setup was working in another environment.

I'd come across a support article (1578776.1) describing a similar exception, but that was for OAM 11gR1 and a custom login page. In our case, we are using the default login page served from the OAM Server.

I did see that the OAM Server could not redirect to the requested URL post authentication, as I did not see the OAM_REQ cookie in the /oam/server/auth_cred_submit HTTP request.

I remembered a setting in oam-config.xml, "serverRequestCacheType", which takes the values BASIC, COOKIE and FORM.

Currently it is set to FORM in the non-working environment. FORM means the OAM_REQ token has to be returned to the OAM Server by the login page. COOKIE means only the user ID and password, along with the request_id, have to be returned to the OAM Server by the login page. Since we are using the default login page, only the user ID and password (with the request_id) are returned to the OAM Server.

Therefore, with the FORM setting, the OAM Server authenticates the user but does not know the requested URL (or the data containing the original requested URL), and it throws a System Error.
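To make the mismatch described above concrete, here is an added Python example (not code from the original post and not an Oracle tool) that parses a captured credential-submit request and reports whether it carries what each serverRequestCacheType value needs: OAM_REQ (as a form field or cookie) for FORM, request_id for COOKIE. The request below is constructed; the form field names username and password are assumed, while request_id and OAM_REQ are the names used in the post.

```python
"""Check a captured /oam/server/auth_cred_submit request against serverRequestCacheType.

Added example, not from the original post or from Oracle. The sample request is
constructed; username/password field names are assumptions.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed POST as the default login page submits it: request_id present, no OAM_REQ
# anywhere (this is the situation the post describes with the FORM cache type).
SAMPLE_REQUEST = (
    "POST /oam/server/auth_cred_submit HTTP/1.1\r\n"
    "Host: oam.example.com:14100\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: JSESSIONID=abc123\r\n"
    "\r\n"
    "username=jdoe&password=REDACTED&request_id=-1234567890123456789"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, target, form fields and cookies."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    cookies = {k: morsel.value for k, morsel in jar.items()}
    return {"method": method, "target": target, "form": form, "cookies": cookies}


def oam_req_present(req):
    """OAM_REQ may travel as a hidden form field or as a cookie; either satisfies FORM."""
    return "OAM_REQ" in req["form"] or "OAM_REQ" in req["cookies"]


def check_against_cache_type(req, cache_type):
    """Return None when the submit carries what the configured cache type needs,
    otherwise a short reason why the OAM Server cannot complete the redirect."""
    if req["target"].split("?", 1)[0] != "/oam/server/auth_cred_submit":
        return "not a credential-submit request"
    if cache_type == "FORM" and not oam_req_present(req):
        return ("serverRequestCacheType=FORM but the submit carries no OAM_REQ: "
                "the server cannot recover the original URL (System Error)")
    if cache_type == "COOKIE" and "request_id" not in req["form"]:
        return "serverRequestCacheType=COOKIE but the submit carries no request_id"
    return None


if __name__ == "__main__":
    req = parse_http_request(SAMPLE_REQUEST)
    for cache_type in ("FORM", "COOKIE"):
        print(cache_type, "->", check_against_cache_type(req, cache_type) or "ok")
```

Run against the request you capture from the browser (or an OHS access log with POST bodies) rather than the constructed sample; the FORM branch producing a reason while COOKIE passes is exactly the symptom the post describes.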

Fix:

  1. Stop the OAM servers (managed + admin).
  2. Take a backup of oam-config.xml.
  3. Change the value of serverRequestCacheType from FORM to COOKIE.
  4. Increment the Version by 1.
  5. Start the OAM servers.

Retest the scenario and you will see that the user is redirected to the originally requested URL.
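Steps 2 to 4 above can be scripted. The following Python is an added example (not from the original post or from Oracle) that backs up the file, flips serverRequestCacheType to COOKIE and bumps Version, refusing to touch the file unless each setting matches exactly once. It assumes oam-config.xml stores these values as <Setting Name="..." Type="...">value</Setting> elements; the fragment embedded below is a constructed sample, so compare it with your real file first. Stopping and starting the servers (steps 1 and 5) stays a manual step.

```python
"""Apply the serverRequestCacheType FORM -> COOKIE fix to oam-config.xml.

Added example, not from the original post or from Oracle. The <Setting> layout is an
assumption about oam-config.xml; SAMPLE_OAM_CONFIG is a constructed fragment.
A targeted text substitution is used instead of an XML rewrite so the rest of the
file stays byte-for-byte identical.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample resembling the two settings the post changes.
SAMPLE_OAM_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Setting Name="Version" Type="xsd:integer">42</Setting>
  <Setting Name="NGAMConfiguration" Type="htf:map">
    <Setting Name="serverRequestCacheType" Type="xsd:string">FORM</Setting>
  </Setting>
</Configuration>
"""

SETTING_RE = r'(<Setting Name="{name}" Type="{type}">)([^<]*)(</Setting>)'


def _replace_setting(text, name, xsd_type, new_value_fn):
    """Rewrite exactly one <Setting> value; raise if it is absent or ambiguous."""
    pattern = re.compile(SETTING_RE.format(name=name, type=xsd_type))
    matches = pattern.findall(text)
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {name} setting, found {len(matches)}")
    old = matches[0][1]
    new = new_value_fn(old)
    text = pattern.sub(lambda m: m.group(1) + new + m.group(3), text, count=1)
    return text, old, new


def apply_cookie_cache_fix(config_text):
    """Return (new_text, summary): serverRequestCacheType set to COOKIE and Version
    incremented by one. Already-COOKIE input is returned unchanged (no Version bump)."""
    text, old_type, new_type = _replace_setting(
        config_text, "serverRequestCacheType", "xsd:string", lambda _old: "COOKIE")
    changed = old_type != new_type
    bump = (lambda v: str(int(v) + 1)) if changed else (lambda v: v)
    text, old_ver, new_ver = _replace_setting(text, "Version", "xsd:integer", bump)
    return text, {"serverRequestCacheType": (old_type, new_type),
                  "Version": (int(old_ver), int(new_ver))}


def fix_file(path):
    """Step 2 (backup) then steps 3 and 4 (edit) on the given oam-config.xml."""
    path = Path(path)
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    new_text, summary = apply_cookie_cache_fix(path.read_text(encoding="utf-8"))
    path.write_text(new_text, encoding="utf-8")
    return backup, summary


if __name__ == "__main__":
    # Demonstrate on a throwaway copy of the constructed sample.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "oam-config.xml"
        cfg.write_text(SAMPLE_OAM_CONFIG, encoding="utf-8")
        backup, summary = fix_file(cfg)
        print("backup:", backup.name, "changes:", summary)
```

The exactly-one-match check is deliberate: if the attribute order or element names in your oam-config.xml differ from the assumed layout, the script raises instead of silently leaving the file half-edited, and the .bak copy is written before any change.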


Please leave your comments.

