AdminTokenAction:致命错误:无法获取应用程序SSO标记
我试图安装openam 12与Apacheconfigurationtomcat代理作为configurationsso.But尝试了五十多次,但只得到错误。
如果我从webagent以amAdmin的forms更改属性值,则在调用tomcat第二个实例中的受保护的应用程序时,它会一次又一次地redirect到同一页面,但没有得到任何exception。 amAdmin是我的pipe理员用户的openam控制台。
OpenSSOAgentBootstrap.properties/com.sun.identity.agents.app.username =
Tomcat日志中的exception
Apr 16, 2015 5:41:10 PM org.apache.tomcat.util.digester.Digester startElement SEVERE: Begin event threw error java.lang.ExceptionInInitializerError at com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfiguration(AgentConfiguration.java:727) at com.sun.identity.agents.arch.AgentConfiguration.initializeConfiguration(AgentConfiguration.java:1140) at com.sun.identity.agents.arch.AgentConfiguration.<clinit>(AgentConfiguration.java:1579) at com.sun.identity.agents.arch.Manager.<clinit>(Manager.java:675) at com.sun.identity.agents.tomcat.v6.AmTomcatRealm.<clinit>(AmTomcatRealm.java:67) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:526) at java.lang.Class.newInstance(Class.java:374) at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:145) at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509) at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777) at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:649) at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561) at org.apache.catalina.startup.Catalina.load(Catalina.java:615) at org.apache.catalina.startup.Catalina.load(Catalina.java:663) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454) Caused by: com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token. Check AMConfig.properties for the following properties com.sun.identity.agents.app.username com.iplanet.am.service.password at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:272) at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:76) at java.security.AccessController.doPrivileged(Native Method) at com.sun.identity.common.configuration.ConfigurationObserver.registerListeners(ConfigurationObserver.java:89) at com.sun.identity.common.configuration.ConfigurationObserver.getInstance(ConfigurationObserver.java:114) at com.sun.identity.common.DebugPropertiesObserver.<clinit>(DebugPropertiesObserver.java:49) ... 32 more
主机条目
127.0.0.1 org.sso.com test.openam.com
Tomcat的两个实例来自apache-tomcat-7.0.57
**1, One for OpenAM.12.0.war running in port 8080 2, Another one for webagent(openam-Tomcat-v6-7-Agent-3.3.0.zip) with my protected application running in port 7070**
OpenAMconfiguration:
1, Default configuration amAdmin with password (password) and policy-agent with password(password1) created. 2, Login as amAdmin -->Access Control -- >OpenAMIDPRealm-->created 3, Access Control -- >OpenAMIDPRealm-->subject-->idpuser-->password(password)-->created 4, Access Control -- >OpenAMIDPRealm-->agent-->J2EE-->name(webagent)-->password(password)-->local-->agenturl(http://org.sso.com:7070/agentapp)-->created 5, Federation -- >Create Circle of Trust -- > OpenAMIDPCOT -->select realm (OpenAMIDPRealm) -->created 6, Common Tasks --> create hosted identity provider --> select realm (OpenAMIDPRealm) --> select Circle of Trust -- > OpenAMIDPCOT -->created
Web代理configuration:
D:\Studies\sso\OpenAM-SP2IDP\webagent\j2ee_agents\tomcat_v6_agent\bin>agentadmin --install Please read the following License Agreement carefully: [Press <Enter> to continue...] or [Enter n To Finish] ************************************************************************ Welcome to the OpenAM Policy Agent for Apache Tomcat 6.0 Servlet/JSP Container ************************************************************************ Enter the complete path to the directory which is used by Tomcat Server to store its configuration Files. This directory uniquely identifies the Tomcat Server instance that is secured by this Agent. [ ? : Help, ! : Exit ] Enter the Tomcat Server Config Directory Path [C:/Program Files/Apache Software Foundation/Tomcat 6.0/conf]: D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat -SP\apache-tomcat-7.0.57\conf Enter the URL where the OpenAM server is running. Please include the deployment URI also as shown below: (http://openam.sample.com:58080/openam) [ ? : Help, < : Back, ! : Exit ] OpenAM server URL: http://test.openam.com:8080/openam $CATALINA_HOME environment variable is the root of the tomcat installation. [ ? : Help, < : Back, ! : Exit ] Enter the $CATALINA_HOME environment variable: D:\Studies\sso\OpenAM-SP2IDP\apac he-tomcat-SP\apache-tomcat-7.0.57 Choose yes to deploy the policy agent in the global web.xml file. [ ? : Help, < : Back, ! : Exit ] Install agent filter in global web.xml ? [true]: true Enter the Agent URL. Please include the deployment URI also as shown below: (http://agent1.sample.com:1234/agentapp) [ ? : Help, < : Back, ! : Exit ] Agent URL: http://org.sso.com:7070/agentapp Enter the Agent profile name [ ? : Help, < : Back, ! : Exit ] Enter the Agent Profile name: webagent Enter the path to a file that contains the password to be used for identifying the Agent. [ ? : Help, < : Back, ! : Exit ] Enter the path to the password file: D:\Studies\sso\OpenAM-SP2IDP\password.txt WARNING: Agent profile/User: webagent does not exist in OpenAM server! Either "Hit the Back button, and re-enter the correct agent profile name/user name", or "Create this agent profile when asked(available only in custom-install)", or "Continue without validating it because agent profile is in sub realm", or "Continue without validating/creating it, and manually validate/create it in OpenAM server after installation". ----------------------------------------------- SUMMARY OF YOUR RESPONSES ----------------------------------------------- Tomcat Server Config Directory : D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57\conf OpenAM server URL : http://test.openam.com:8080/openam $CATALINA_HOME environment variable : D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57 Tomcat global web.xml filter install : true Agent URL : http://org.sso.com:7070/agentapp Agent Profile name : webagent Agent Profile Password file name : D:\Studies\sso\OpenAM-SP2IDP\password.txt Verify your settings above and decide from the choices below. 1. Continue with Installation 2. Back to the last interaction 3. Start Over 4. Exit Please make your selection [1]: 1 Updating the D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57/bin/setenv.ba t script with the Agent configuration JVM option ...DONE. DONE. Creating directory layout and configuring Agent file for Agent_001 instance ...DONE. Reading data from file D:\Studies\sso\OpenAM-SP2IDP\password.txt and encrypting it ...DONE. Generating audit log file name ...DONE. Creating tag swapped OpenSSOAgentBootstrap.properties file for instance Agent_001 ...DONE. Creating a backup for file D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57\conf/server.x ml ...DONE. Creating a backup for file D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57\conf/web.xml ...DONE. Adding OpenAM Tomcat Agent Realm to Server XML file : D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57\conf/server.x ml ...DONE. Adding filter to Global deployment descriptor file : D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57\conf/web.xml ...DONE. Adding OpenAM Tomcat Agent Filter and Form login authentication to selected Web applications ...DONE. SUMMARY OF AGENT INSTALLATION ----------------------------- Agent instance name: Agent_001 Agent Bootstrap file location: D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/conf ig/OpenSSOAgentBootstrap.properties Agent Configuration file location D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/conf ig/OpenSSOAgentConfiguration.properties Agent Audit directory location: D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/logs /audit Agent Debug directory location: D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/logs /debug Install log file location: D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/installer-logs /audit/install.log Thank you for using OpenAM Policy Agent
OpenSSOAgentBootstrap.properties
com.iplanet.am.naming.url=http://test.openam.com:8080/openam/namingservice com.sun.identity.agents.config.service.resolver = com.sun.identity.agents.tomcat.v6.AmTomcatAgentServiceResolver com.sun.identity.agents.app.username = webagent com.iplanet.am.service.secret = AQIC91zdxfnLewLIWRJDohP4vdRaQ/7vpmBl am.encryption.pwd = lZco703977UeM52+kT4ZdyIjLM2PMw3d com.iplanet.services.debug.level=error com.iplanet.services.debug.directory=D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/logs/debug com.sun.services.debug.mergeall=on com.sun.identity.agents.config.local.logfile = D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/logs/audit/amAgent_org_sso_com_7070.log com.sun.identity.agents.config.organization.name = / com.sun.identity.agents.config.lock.enable = false com.sun.identity.agents.config.profilename = webagent com.iplanet.am.services.deploymentDescriptor=/openam
openam / WEB-INF /类/ AMConfig.properties
com.iplanet.am.server.host=@SERVER_HOST@ com.iplanet.security.SSLSocketFactoryImpl=com.sun.identity.shared.ldap.factory.JSSESocketFactory com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.@SMS_OBJECT_CLASS@ com.iplanet.services.configpath=@BASE_DIR@ com.iplanet.am.serverMode=true com.iplanet.am.ldap.connection.ldap.error.codes.retries=80,81,91 com.iplanet.am.locale=@PLATFORM_LOCALE@ com.sun.identity.urlconnection.useCache=false opensso.protocol.handler.pkgs= com.iplanet.am.server.protocol=@SERVER_PROTO@ com.iplanet.am.server.port=@SERVER_PORT@ com.iplanet.services.debug.level=error com.sun.embedded.replicationport= com.sun.identity.common.systemtimerpool.size=3 com.sun.identity.overrideAMC=true com.sun.embedded.sync.servers=on com.iplanet.am.service.secret=@ENCLDAPUSERPASSWD@ am.encryption.pwd=@AM_ENC_KEY@ com.sun.identity.sm.enableDataStoreNotification=@DATASTORE_NOTIFICATION@ com.sun.services.debug.mergeall=off com.iplanet.am.services.deploymentDescriptor=/@SERVER_URI@ com.sun.am.event.connection.disable.list=@DISABLE_PERSISTENT_SEARCH@
Agent_001 / conf目录/ OpenSSOAgentConfiguration.properties
com.sun.identity.agents.config.filter.mode[manager]=J2EE_POLICY com.sun.identity.agents.config.filter.mode[host-manager]=J2EE_POLICY com.sun.identity.agents.config.filter.mode = ALL com.sun.identity.agents.config.user.mapping.mode = USER_ID com.sun.identity.agents.config.user.attribute.name = employeenumber com.sun.identity.agents.config.user.principal = false com.sun.identity.agents.config.user.token = UserToken com.sun.identity.agents.config.client.ip.header = com.sun.identity.agents.config.client.hostname.header = com.sun.identity.agents.config.load.interval = 0 com.sun.identity.agents.config.locale.language = en com.sun.identity.agents.config.locale.country = US com.sun.identity.agents.config.audit.accesstype = LOG_NONE com.sun.identity.agents.config.log.disposition = REMOTE com.sun.identity.agents.config.remote.logfile = amAgent_org_sso_com_7070.log com.sun.identity.agents.config.local.log.rotate = false com.sun.identity.agents.config.local.log.size = 52428800 com.sun.identity.agents.config.webservice.enable = false com.sun.identity.agents.config.webservice.endpoint[0] = com.sun.identity.agents.config.webservice.process.get.enable = true com.sun.identity.agents.config.webservice.authenticator = com.sun.identity.agents.config.webservice.internalerror.content = WSInternalErrorContent.txt com.sun.identity.agents.config.webservice.autherror.content = WSAuthErrorContent.txt com.sun.identity.agents.config.webservice.responseprocessor = com.sun.identity.agents.config.access.denied.uri[] = com.sun.identity.agents.config.login.form[0] = /host-manager/AMLogin.html com.sun.identity.agents.config.login.form[1] = /manager/AMLogin.html com.sun.identity.agents.config.login.error.uri[0] = /host-manager/AMError.html com.sun.identity.agents.config.login.error.uri[1] = /manager/AMError.html com.sun.identity.agents.config.login.use.internal = true com.sun.identity.agents.config.login.content.file = FormLoginContent.txt com.sun.identity.agents.config.auth.handler[] = com.sun.identity.agents.config.logout.handler[] = com.sun.identity.agents.config.verification.handler[] = com.sun.identity.agents.config.httpsession.binding = true com.sun.identity.agents.config.redirect.param = goto com.sun.identity.agents.config.login.url[0] = http://test.openam.com:8080/openam/UI/Login com.sun.identity.agents.config.logout.url[0] = http://test.openam.com:8080/openam/UI/Logout com.sun.identity.agents.config.login.url.prioritized = true com.sun.identity.agents.config.login.url.probe.enabled = true com.sun.identity.agents.config.login.url.probe.timeout = 2000 com.sun.identity.agents.config.logout.url.prioritized = true com.sun.identity.agents.config.logout.url.probe.enabled = true com.sun.identity.agents.config.logout.url.probe.timeout = 2000 com.sun.identity.agents.config.agent.host = com.sun.identity.agents.config.agent.port = com.sun.identity.agents.config.agent.protocol = com.sun.identity.agents.config.login.attempt.limit = 0 com.sun.identity.agents.config.amsso.cache.enable = true com.sun.identity.agents.config.cookie.reset.enable = false com.sun.identity.agents.config.cookie.reset.name[0] = com.sun.identity.agents.config.cookie.reset.domain[] = com.sun.identity.agents.config.cookie.reset.path[] = com.sun.identity.agents.config.cdsso.enable = false com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://test.openam.com:8080/openam/cdcservlet com.sun.identity.agents.config.cdsso.clock.skew = 0 com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://test.openam.com:8080/openam/cdcservlet com.sun.identity.agents.config.cdsso.secure.enable = false com.sun.identity.agents.config.logout.application.handler[] = com.sun.identity.agents.config.logout.uri[] = com.sun.identity.agents.config.logout.request.param[] = com.sun.identity.agents.config.logout.introspect.enabled = false com.sun.identity.agents.config.logout.entry.uri[] = com.sun.identity.agents.config.fqdn.check.enable = true com.sun.identity.agents.config.fqdn.default = org.sso.com com.sun.identity.agents.config.fqdn.mapping[] = com.sun.identity.agents.config.legacy.support.enable = false com.sun.identity.agents.config.legacy.user.agent[0] = Mozilla/4.7* com.sun.identity.agents.config.legacy.redirect.uri = /agentapp/sunwLegacySupportURI com.sun.identity.agents.config.response.header[] = com.sun.identity.agents.config.redirect.attempt.limit = 0 com.sun.identity.agents.config.port.check.enable = false com.sun.identity.agents.config.port.check.file = PortCheckContent.txt com.sun.identity.agents.config.port.check.setting[7070] = http com.sun.identity.agents.config.notenforced.uri[0] = com.sun.identity.agents.config.notenforced.uri.invert = false com.sun.identity.agents.config.notenforced.uri.cache.enable = true com.sun.identity.agents.config.notenforced.uri.cache.size = 1000 com.sun.identity.agents.config.notenforced.refresh.session.idletime = false com.sun.identity.agents.config.notenforced.ip[0] = com.sun.identity.agents.config.notenforced.ip.invert = false com.sun.identity.agents.config.notenforced.ip.cache.enable = true com.sun.identity.agents.config.notenforced.ip.cache.size = 1000 com.sun.identity.agents.config.attribute.cookie.separator = | com.sun.identity.agents.config.attribute.date.format = EEE, d MMM yyyy hh:mm:ss z com.sun.identity.agents.config.attribute.cookie.encode = true com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE com.sun.identity.agents.config.profile.attribute.mapping[] = com.sun.identity.agents.config.session.attribute.fetch.mode = NONE com.sun.identity.agents.config.session.attribute.mapping[] = com.sun.identity.agents.config.response.attribute.fetch.mode = NONE com.sun.identity.agents.config.response.attribute.mapping[] = com.sun.identity.agents.config.bypass.principal[0] = com.sun.identity.agents.config.default.privileged.attribute[0] = AUTHENTICATED_USERS com.sun.identity.agents.config.privileged.attribute.type[0] = Group com.sun.identity.agents.config.privileged.attribute.type[1] = Role com.sun.identity.agents.config.privileged.attribute.tolowercase[Group] = false com.sun.identity.agents.config.privileged.attribute.tolowercase[Role] = false com.sun.identity.agents.config.privileged.session.attribute[0] = com.sun.identity.agents.config.privileged.attribute.mapping.enable = true com.sun.identity.agents.config.privileged.attribute.mapping[] = com.iplanet.am.cookie.name=iPlanetDirectoryPro com.iplanet.am.session.client.polling.enable=false com.iplanet.am.session.client.polling.period=180 com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption com.sun.identity.idm.remote.notification.enabled=true com.iplanet.am.sdk.remote.pollingTime=1 com.sun.identity.sm.notification.enabled=true com.sun.identity.sm.cacheTime=1 com.iplanet.am.server.protocol=http com.iplanet.am.server.host=test.openam.com com.iplanet.am.server.port=8080 com.sun.identity.agents.notification.enabled=true com.sun.identity.agents.polling.interval=3 com.sun.identity.policy.client.cacheMode=subtree com.sun.identity.policy.client.booleanActionValues=iPlanetAMWebAgentService|GET|allow|deny:iPlanetAMWebAgentService|POST|allow|deny com.sun.identity.policy.client.resourceComparators=serviceType=iPlanetAMWebAgentService|class=com.sun.identity.policy.plugins.HttpURLResourceName|wildcard=*|delimiter=/|caseSensitive=false com.sun.identity.policy.client.clockSkew=10 com.sun.identity.agents.config.policy.env.get.param[0]= com.sun.identity.agents.config.policy.env.post.param[0]= com.sun.identity.agents.config.policy.env.jsession.param[0]= com.sun.identity.client.notification.url=http://org.sso.com:7070/agentapp/notification com.iplanet.services.debug.level=error com.sun.identity.agents.config.ignore.path.info = false
请帮我解决这个问题。提前感谢。
我以前也遇到过类似的问题,用户login后使用OpenAMlogin,redirect到自己。
问题是cookie域。 当OpenAM进行身份validation时,会使用会话令牌设置一个cookie。 如果tomcat在一个单独的域上,那么它将无法查找cookie。
您可能需要在OpenAM控制台 – >configuration – >系统 – >平台中检查您的域
我的应用程序是Drupal,但我认为tomcat的configuration是:
<Context sessionCookiePath="/something" sessionCookieDomain=".domain.tld" />
一个可能的解决scheme可能是使用com.iplanet.am.naming.map.site.to.server
本教程应该涵盖你的东西:) https://backstage.forgerock.com/#!/docs/ openam / 12.0.0 /pipe理导
我观察到的这些错误之一是,Open AM 13可能与Tomcat-8.5.12不兼容。 请将Tomcat的安装更改为Tomcat-7.0.69。 这已经解决了我的问题。
- 身份validationfilter和servletlogin
- Java Swing:如何在显示JFrame之前实现login屏幕?
- SHA1 vs md5与SHA256:哪个用于PHPlogin?
- 如何检查用户是否使用FB SDK 4.0 for Androidlogin?
- 如何在警报对话框中添加两个编辑文本字段
- 检查SQL Serverlogin是否已经存在
- 提交应用程序时,iOS 10 GM发布错误“由于GoogleSignIn,AdMob,应用程序尝试访问隐私敏感数据而没有使用说明”
- 这个应用程序没有configurationAndroid密钥散列。 – 使用Facebook SDK进行login
- 如何用logback创build2个不同的ROOTlogging器?