Opensso Admintokenaction Fatal Error Cannot Obtain Application Sso Token
AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token
https://forgerock.org/topic/admintokenaction-fatal-error-cannot-obtain-application-sso-token/
Tagged: openam, tomcat agent

April 17, 2015 at 12:00 pm, #3914, sun.leo04@gmail.com (Participant):

Hi, I was trying to install the OpenAM 12 WAR with the Apache Tomcat agent configured for SSO. I tried more than fifty times but am getting only the error. Please help me to solve this issue. Thanks in advance.

If I change the below property value to amAdmin from webagent, then while calling the protected application in the second Tomcat instance it continuously redirects to the same page again and again, but I didn't get any exception. amAdmin is the admin user of my OpenAM console.

Please check this link for complete issue details. http://stackoverflow.com/questions/29676170/admintokenaction-fatal-error-cannot-obtain-application-sso-token

April 17, 2015 at 4:54 pm, #3918, Scott Heger (Participant):

Hi, did you happen to catch this WARNING in the output of your Web Agent install:

    WARNING: Agent profile/User: webagent does not exist in OpenAM server! Either "Hit the Back button, and re-enter the correct agent profile name/user name", or "Create this agent profile when asked(available only in custom-install)", or "Continue without validating it because agent profile is in sub realm", or "Continue without validating/creating it, and manually validate/create it in OpenAM server after installation".

Looks like you didn't create the ag

Issue with ssoadm tool after setting up OpenAM site.
https://forgerock.org/topic/issue-with-ssoadm-tool-after-setting-up-openam-site/

March 26, 2015 at 10:42 pm, #3745, Paresh (Participant):

Hi, we are setting up an OpenAM instance. The setup is done using the "openam-configurator" tool. We have specified the same password for amadmin (ADMIN_PWD) and the embedded OpenDJ "cn=Directory Manager" user (DS_DIRMGRPASSWD) in the configuration file. After the setup is complete, we create a realm and configure a bunch of other stuff using the ssoadm tool. However, we have observed that after we set up a new OpenAM site and add the current OpenAM instance to this site, we start getting an error for subsequent runs of the ssoadm tool. Here is the error message reported by the ssoadm tool:
8.0 Release Notes
https://docs.oracle.com/cd/E19681-01/820-3745/ghtso/index.html

3955: Unable to execute the ssoadm command

You are unable to execute the ssoadm command with the get-realm due to this exception.

    Logging configuration class "com.sun.identity.log.s1is.LogConfigReader" failed
    com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
    Check AMConfig.properties for the following properties
    com.sun.identity.agents.app.username
    com.iplanet.am.service.password
    Logging configuration class "com.sun.identity.log.s1is.LogConfigReader" failed
    com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
    Check AMConfig.properties for the following properties
    com.sun.identity.agents.app.username
    com.iplanet.am.service.password
    AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
    Check AMConfig.properties for the following properties
    com.sun.identity.agents.app.username
    com.iplanet.am.service.password

Check if the amadmin password is different from the directory manager password for the service management data store. If yes, apply the following workaround.

Workaround. Modify the server configuration XML as follows:

1. Log in to the OpenSSO Console as amadmin.
2. Use the ssoadm.jsp get-svrcfg-xml to get the server configuration XML.
3. Use encode.jsp to encode the amadmin password.
4. Set the encoded password in the two places represented by amadmin-password in the XML. For example:

https://technicalconfessions.com/posts.php?post_id=426

This is certainly a weird one, though I managed to work it out. The error string states that the agent deployment was 'Unable to get Application SSO Token'. This error was caught in a try/catch within the ApplicationSSOTokenProvider class (which can be found in agent.jar, which is also placed in the Tomcat lib directory during the install).

After decompiling the code, you can see that it creates an initial AuthContext, which starts the authentication of the user (here, the agent).

The issue from the log files...

To perform the agent user authentication, it instantiates the AuthContext and asks OpenAM what it actually needs (hence the authContents.getRequirements()). If the login is successful, OpenAM sets up the SSOToken. The code never gets that far, though, because the exception is thrown with the string value 'Unable to get Application SSO Token'. So when this issue occurs, the AuthContext is not even being completed, which implies either that the credentials are incorrect or that the service name is unreachable/unavailable.

From my side, I eliminated the credentials because this was an initial installation of the agent, which requires the agent profile username/password. My statement is also supported by the returned response, 'Failed to create new Authentication Context: Cannot find server ID'.

One way to test the service name is to access the /namingservice URL of your OpenAM instance, for example http://servername:8080/openam/namingservice. This should bring back something such as 'OpenSSO', which is the identifier you require for the AuthContext initiation. If you're sitting behind a LB with multiple instances, ensure that the naming service is also available through it.

My issue was actually related to the server on which it tries to access the naming service. Within OpenSSOAgentBootstrap.properties, you should be able to locate the 'com.iplanet.am.naming.url' value pointing to the namingservice URL. I altered this value to point to the LB instead of the designated server that was SSL enabled and not the open port directed to the single instance:

    #com.iplanet.am.naming.url=https://server1:8080/openam/namingservice
    com.iplanet.am.naming.url=https://loadbalancer:443/openam/namingservice

Once I did this, I was able to progress with the initiation of newly deployed J2EE
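The property checks discussed above can be run offline before touching the agent. This is an added example, not code from the blog post or from OpenAM: a small Python lint that parses properties text, reports which of the three properties named on this page are missing, duplicated or only present as a commented-out line, and checks that the naming URL ends in /namingservice. The sample file, the PLACEHOLDER values and the function names are constructed; checking all three properties in one file and allowing whitespace-separated naming URLs are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: the naming-URL lines are the ones quoted above; other values are placeholders.
SAMPLE = """\
# single instance, replaced by the load balancer entry below
#com.iplanet.am.naming.url=https://server1:8080/openam/namingservice
com.iplanet.am.naming.url=https://loadbalancer:443/openam/namingservice
com.sun.identity.agents.app.username = webagent
com.iplanet.am.service.password=PLACEHOLDER
"""

NAMING = "com.iplanet.am.naming.url"
REQUIRED = (NAMING, "com.sun.identity.agents.app.username",
            "com.iplanet.am.service.password")


def parse_properties(text):
    """Return (active, commented): dicts mapping key -> list of values."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line, target = raw.strip(), active
        if line[:1] in ("#", "!"):  # Java .properties comment markers
            line, target = line[1:].strip(), commented
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key and " " not in key:  # skip prose comments containing "="
            target.setdefault(key, []).append(value)
    return active, commented


def lint(text):
    """Return findings; property values other than the URL are never echoed."""
    active, commented = parse_properties(text)
    findings = []
    for key in REQUIRED:
        values = active.get(key, [])
        if not values or not values[-1]:
            hint = " (only a commented-out entry exists)" if key in commented else ""
            findings.append(f"{key}: missing or empty{hint}")
        elif len(values) > 1:
            findings.append(f"{key}: defined {len(values)} times, last one wins")
    # Assumption: several naming URLs may be listed separated by whitespace.
    for url in (active.get(NAMING) or [""])[-1].split():
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(f"{NAMING}: not an http(s) URL: {url}")
        elif not parts.path.rstrip("/").endswith("/namingservice"):
            findings.append(f"{NAMING}: path does not end in /namingservice: {url}")
    return findings
```

An empty list from `lint()` only means the file is well-formed; whether the naming service actually answers at that URL still has to be checked against the running instance.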