Re: Fwd: Need help with policy migration OpenAM 12 to OpenAM 13 (Peter Major)


Pratik Sayare
Hi Peter,
Thanks for the suggestions. I am able to import all policies using JSON v1. Now OpenAM is crashing: I am able to navigate through all tabs, but when I navigate to Authorization -> Policy Sets -> iPlanetAMWebAgentService... I am not able to see any of the policies and OpenAM stops working. I enabled debug logs but am not finding a relevant cause for the crash in any of the logs. Below are some logs from IdRepo. I verified OpenDJ is working fine.
Kindly assist.
/Pratik

ERROR: PSearch is already removed, unable to unregister
DJLDAPv3Repo:05/03/2016 02:43:21:137 PM HKT: Thread[localhost-startStop-2,5,main]: TransactionId[a328b117-2287-4db6-8ef0-841af0b1edd9-170]
ERROR: PSearch is already removed, unable to unregister
DJLDAPv3Repo:05/03/2016 03:00:56:848 PM HKT: Thread[http-nio-192.168.13.131-8443-exec-1,5,main]: TransactionId[c2660244-b806-4e6e-ab88-5ebb463fd14f-125]
ERROR: Unexpected error occurred during search
org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available
        at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:163)
        at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:124)
        at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm.getMonitoredConnectionFactory(AbstractLoadBalancingAlgorithm.java:343)
        at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm.access$100(AbstractLoadBalancingAlgorithm.java:59)
        at org.forgerock.opendj.ldap.AbstractLoadBalancingAlgorithm$MonitoredConnectionFactory.getConnection(AbstractLoadBalancingAlgorithm.java:88)
        at org.forgerock.opendj.ldap.LoadBalancer.getConnection(LoadBalancer.java:55)
        at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.search(DJLDAPv3Repo.java:1168)
        at com.sun.identity.idm.server.IdServicesImpl.search(IdServicesImpl.java:1534)
        at com.sun.identity.idm.server.IdCachedServicesImpl.search(IdCachedServicesImpl.java:623)
        at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:379)
        at com.sun.identity.idm.AMIdentityRepository.searchIdentities(AMIdentityRepository.java:311)
        at com.sun.identity.console.idm.model.EntitiesModelImpl.getEntityNames(EntitiesModelImpl.java:194)
        at com.sun.identity.console.idm.EntitiesViewBean.getEntityNames(EntitiesViewBean.java:235)
        at com.sun.identity.console.idm.EntitiesViewBean.beginDisplay(EntitiesViewBean.java:179)
        at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
        at org.apache.jsp.console.idm.Entities_jsp._jspService(Entities_jsp.java:190)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:720)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:466)
====================================
amIdm:05/03/2016 05:33:41:076 PM HKT: Thread[ajp-nio-127.0.0.1-8009-exec-83,5,main]: TransactionId[e0e1cc4c-4cfd-436a-b5c9-68bb6d3ceb00-1492]
IdUtils.getOrganization Exception in getting org name from SMS
Message:Connection to the server could not be established: Connection to the server could not be established

        at com.sun.identity.sm.ldap.SMSLdapObject.getConnection(SMSLdapObject.java:578)
        at com.sun.identity.sm.ldap.SMSLdapObject.searchSubOrganizationNames(SMSLdapObject.java:910)
        at com.sun.identity.sm.ldap.SMSLdapObject.searchSubOrgNames(SMSLdapObject.java:887)
        at com.sun.identity.sm.SMSEntry.searchSubOrgNames(SMSEntry.java:854)
        at com.sun.identity.sm.CachedSubEntries.searchSubOrgNames(CachedSubEntries.java:221)
        at com.sun.identity.sm.OrganizationConfigManagerImpl.getSubOrganizationNames(OrganizationConfigManagerImpl.java:175)
        at com.sun.identity.sm.OrganizationConfigManager.getSubOrganizationNames(OrganizationConfigManager.java:541)
        at com.sun.identity.idm.IdUtils.getOrganization(IdUtils.java:526)
        at org.forgerock.openam.core.CoreWrapper.getOrganization(CoreWrapper.java:215)
        at org.forgerock.openam.rest.RealmContextFilter.getRealmFromAlias(RealmContextFilter.java:277)
        at org.forgerock.openam.rest.RealmContextFilter.resolveRealm(RealmContextFilter.java:270)
        at org.forgerock.openam.rest.RealmContextFilter.evaluate(RealmContextFilter.java:235)
        at org.forgerock.openam.rest.RealmContextFilter.evaluate(RealmContextFilter.java:209)
        at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:84)
        at org.forgerock.http.handler.Chain.handle(Chain.java:55)
        at org.forgerock.http.routing.Router.handle(Router.java:92)
        at org.forgerock.http.handler.Chain.handle(Chain.java:57)
        at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:64)
        at org.forgerock.http.handler.Chain.handle(Chain.java:55)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
        at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
        at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:221)

==================================== 

If you don't like to deal with resourceTypeUuids, you could try to use 
the v1 version of the policies REST endpoint, in that scenario OpenAM 
should magically deal with resourcetypes for you (how well it does that, 
I can't say).

IMO the best way to export policies is to query all policies from a 
realm in JSON format. To import them just manually traverse through them 
and add them back one by one.
XACML is much less readable.

cheers,
Peter

On 2016. 04. 26. 8:53, Jari Ahonen wrote:
> Hi,
>
> Policy export/import is flakey in 13.0.0. The REST interface should work
> but you need to add the correct resourceTypeUuid value to the JSON
> policy object before it will be accepted. The easiest is to create a
> policy in v13 policy editor, fetch that via REST and see what your
> policies exported from v12 are missing.
>
> - Jari
>
> *From:*openam-bounces at forgerock.org
> [mailto:openam-bounces at forgerock.org] *On Behalf Of *Pratik Sayare
> *Sent:* Monday, April 25, 2016 3:02 PM
> *To:* openam at forgerock.org
> *Subject:* [OpenAM] Fwd: Need help with policy migration OpenAM 12 to
> OpenAM 13
>
> Hi,
>
> While trying to upgrade OpenAM from 12 to 13 with existing policies, the
> upgrade was getting stuck. I exported all existing policies, deleted
> them, then tried the upgrade and it worked. Now when importing the policies again
> using “Import policies” it is failing with the below error:
>
> Entitlement:04/19/2016 04:30:27:983 AM HKT:
> Thread[ajp-nio-127.0.0.1-8009-exec-10,5,main]:
> TransactionId[affbda7d-37cd-497f-a547-b7f105b7b105-1016]
> ERROR: XACMLProvilegeUtils.streamToPolicySet(),
> core_pkg:com.sun.identity.entitlement.xacml3.core
>
> Tried with below ssoadm command but fails with error
>
> ./ssoadm \
> create-policies \
> --realm "/" \
> --adminid amadmin \
> --password-file pass \
> --xmlfile realm-policies.xml
>
> Error – XML parsing error
>
> amCLI:04/19/2016 05:21:12:581 AM HKT: Thread[main,5,main]
> **********************************************
> amCLI:04/19/2016 05:21:12:581 AM HKT: Thread[main,5,main]
> ERROR: RealmCreatePolicy.handleRequest
> com.sun.identity.policy.PolicyException(1):XML parsing error
> Document is invalid: no grammar found.
> org.xml.sax.SAXParseException(2):Document is invalid: no grammar found.
> org.xml.sax.SAXParseException; lineNumber: 2; columnNumber: 11; Document
> is invalid: no grammar found.
> at
> org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown
> Source)
> at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
> at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
> at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
> at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
> at
> org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown
> Source)
> at
> org.apache.xerces.impl.XMLNSDocumentScannerImpl$NSContentDispatcher.scanRootElementHook(Unknown
> Source)
> at
> org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
> Source)
> at
> org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
> Source)
>
> Tried with REST but getting below error
>
> "statusCode": 235,
>
>      "statusMessage": "Invalid resource type null, must be one from the
> set defined against the containing application."
>
> Any pointers/suggestions please.
>
> /Pratik

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
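
Jari's suggestion in the thread above (add the resourceTypeUuid that policies exported from v12 lack, using what the v13 instance reports) can be prepared offline before any import. The following is an added example, not code from the thread or from OpenAM: the sample policies, resource types and UUIDs are constructed, the JSON field names other than resourceTypeUuid are assumptions about the export shape, and matching by action names is a heuristic that sends anything ambiguous to manual review instead of guessing.

```python
import json

# Constructed sample data. Real resource types and their UUIDs must be
# fetched from the v13 instance; these values are placeholders.
RESOURCE_TYPES = [
    {"uuid": "00000000-0000-0000-0000-00000000aaaa", "name": "URL",
     "actions": {"GET": True, "POST": True, "PUT": True, "DELETE": True}},
    {"uuid": "00000000-0000-0000-0000-00000000bbbb", "name": "OAuth2 Scope",
     "actions": {"GRANT": True}},
]
V12_POLICIES = [
    {"name": "allow-app", "active": True,
     "applicationName": "iPlanetAMWebAgentService",
     "resources": ["https://app.example.com:443/*"],
     "actionValues": {"GET": True, "POST": True}},
    {"name": "odd-actions", "active": True,
     "applicationName": "iPlanetAMWebAgentService",
     "resources": ["https://app.example.com:443/x"],
     "actionValues": {"PATCH": True}},
]


def pick_resource_type(policy, resource_types):
    """Return the uuid of the single resource type whose action set covers
    every action in the policy, or None if zero or several types qualify."""
    wanted = set(policy.get("actionValues", {}))
    hits = [rt["uuid"] for rt in resource_types
            if wanted and wanted <= set(rt["actions"])]
    return hits[0] if len(hits) == 1 else None


def add_resource_type_uuids(policies, resource_types):
    """Split policies into (ready, needs_review). Policies that already
    carry a resourceTypeUuid pass through unchanged; inputs are not mutated."""
    ready, review = [], []
    for policy in policies:
        if policy.get("resourceTypeUuid"):
            ready.append(policy)
            continue
        uuid = pick_resource_type(policy, resource_types)
        if uuid is None:
            review.append(policy["name"])  # never guess an access-control binding
        else:
            ready.append({**policy, "resourceTypeUuid": uuid})
    return ready, review


if __name__ == "__main__":
    ready, review = add_resource_type_uuids(V12_POLICIES, RESOURCE_TYPES)
    print(json.dumps(ready, indent=2))
    print("needs manual review:", review)
```

Policies listed for review should be compared by hand against a policy created in the v13 editor, as Jari describes, before they are imported.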