Web Agent - ERROR validate_policy()

Web Agent - ERROR validate_policy()

Pablo Ramirez

I have OpenAM 12.0.0 on a machine and the agent "Apache_v22_Linux_64bit_4.0.0-SNAPSHOT" (Build date: Oct 27 2015) on a separate machine where Apache resides. The agent configuration is centralized and there is full connectivity between the two machines. I defined a policy which allows "Authenticated Users" to access the resource: "http://hostname.domain.com:80/resource".
However, when I try to access that protected resource, the agent returns a 403 error, and in the agent debug log I see this error:

ERROR [0x7fee6020b7e0:28476] validate_policy(): remote session/policy call to validate 'http://hostname.domain.com:80/resource' failed (max 3 retries exhausted)

What can be wrong here?


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Re: Web Agent - ERROR validate_policy()

Pablo Ramirez

Update: after reinstalling the agent I fixed the previous error but I still get 403 forbidden and in the agent debug log I see this:


validate_policy(): decision: deny, reason: no action decisions found


Even though I defined a policy for the resource!


What do you think is the root cause?




From: [hidden email] <[hidden email]> on behalf of Pablo Ramirez <[hidden email]>
Sent: Thursday, March 17, 2016 2:18 AM
To: [hidden email]
Subject: [OpenAM] Web Agent - ERROR validate_policy()
 

Re: Web Agent - ERROR validate_policy()

Jonathan Thomas
Hi Pablo

If you set the OpenAM debug level to message and check the Policy log, you should see the policy decision request come in and the matching process take place - this should give you some clues.

Also double check that your actions (GET/POST etc.) are set correctly in the policy editor and, if this is a new application type in a subrealm, that this is configured correctly in the agent.

Regards
Jon

On Fri, Mar 18, 2016 at 10:55 AM, Pablo Ramirez <[hidden email]> wrote:

Re: Web Agent - ERROR validate_policy()

Pablo Ramirez

I was missing this agent parameter: 


Access Control > Realm Name > Agents > Web or Java EE Agent Type > Agent Name > OpenAM Services > Policy Client Service > Application


I set it and now it works.




From: [hidden email] <[hidden email]> on behalf of Jonathan Thomas <[hidden email]>
Sent: Friday, March 18, 2016 4:56 AM
To: Users
Subject: Re: [OpenAM] Web Agent - ERROR validate_policy()
 
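A small triage script for the two agent debug log messages discussed in this thread, added here as an example; it is not part of the original posts and not OpenAM or agent code. The sample lines are constructed from the messages quoted in the thread, and the category names and hint wording are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the two message forms quoted in the thread plus one unrelated line.
SAMPLE_LOG = """\
ERROR [0x7fee6020b7e0:28476] validate_policy(): remote session/policy call to validate 'http://hostname.domain.com:80/resource' failed (max 3 retries exhausted)
ERROR [0x7fee6020b7e0:28476] validate_policy(): remote session/policy call to validate 'http://hostname.domain.com:80/resource' failed (max 3 retries exhausted)
validate_policy(): decision: deny, reason: no action decisions found
unrelated line
"""

# (category, pattern, next check). Category names and hint wording are this example's own.
RULES = [
    ("policy_call_failed",
     re.compile(r"validate_policy\(\): remote session/policy call to validate "
                r"'(?P<resource>[^']*)' failed \(max (?P<retries>\d+) retries exhausted\)"),
     "remote call failed after retries; in this thread reinstalling the agent cleared it"),
    ("no_action_decisions",
     re.compile(r"validate_policy\(\): decision: deny, reason: no action decisions found"),
     "check policy actions (GET/POST) and the agent's Policy Client Service > Application"),
]

def classify(line):
    """Return (category, captured fields, next check) for a known line, else None."""
    for name, pattern, hint in RULES:
        m = pattern.search(line)
        if m:
            return name, m.groupdict(), hint
    return None

def triage(log_text):
    """Count each failure category and collect resources named in failed remote calls."""
    counts, resources, hints = Counter(), set(), {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        name, fields, hint = hit
        counts[name] += 1
        hints[name] = hint
        if "resource" in fields:
            resources.add(fields["resource"])
    return {"counts": dict(counts), "resources": sorted(resources), "hints": hints}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, n in report["counts"].items():
        print(f"{name}: {n} line(s) -> {report['hints'][name]}")
    print("resources in failed calls:", report["resources"])
```

Both conditions end in a 403 at the agent, so separating them in the log is what tells a connectivity or installation problem apart from a policy that evaluated but returned no actions.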