Hi, looking for some help with a long overdue upgrade of AM 3.15.
We have a simple system: Admin console on a VM, ID server + SSLVPN (with
ESP) on 2nd (physical) server and AG + SSLVPN (no ESP) on 3rd server. No
customised files or J2EE agents.
All 3 servers are on same subnet, but the IDserver+SSLVPN server has a
second NIC connected to another subnet (SSLVPN is used to access that
subnet) and the AG has a second NIC for DMZ for external access.
I have all of this setup in a test lab so I can experiment and have
tried this from scratch a couple of times with the same result.

I started with the Admin console migration to a new VM, which ran
smoothly, everything still worked after doing that.
Then I did the ID server+SSLVPN upgrade using the same IP address:
- Remove the ID server from the cluster (cluster of one), shutdown
server and delete it in the admin console.
- The instructions say to update cluster, but there was nothing to
update (because there is only 1 server in the cluster?)
- Do fresh install of SLES 11 SP3 on server
- Install compat (other required rpms were installed by default)
- Extract AM_40_AccessManagerService_Linux64.tar.gz and install the ID
server using install.sh.
- Add server back into cluster and update the ID Server - says it will
restart tomcat.
- ID server status was green after doing that.
- Install SSLVPN using install.sh and update.
- Change connection port on the SSLVPN from 8443 to 3443 & update, then
update ID server (cert changed)
- When everything is green, install the high speed key and restart the
SSLVPN.

All looked ok after doing that except that the VPN on the AG server was
reporting failure to import certificate with alias (stunnel) to keystore
(SSLVPN Secure Tunnel Key Store). Tried pushing the cert again, but got
the same result. We don't use that SSLVPN so I've ignored that error for
now - not sure if that's wise! (The SSLVPN on the ID server is the one
we use and is working normally).

Then I did some testing - my understanding is that everything should
work even with the older AG server.

I was able to login to the SSLVPN on the ID server successfully.

When I checked external access to websites, I could access unprotected
sites, but ones that are protected give an error "Unable to complete
request at this time (100101043-C34005A9EEDCE9D4)"
After getting that error, I noticed the ID server's status was now
yellow and the error message is "Failed to retrieve metadata from
trusted embedded service provider! NIDPMAIN.405"

Here's the debug output from /root/IS_NIDP.2015-09-18.xml on the ID
Server:


<amLogEntry seq="71" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ><msg>Method: NIDPContextListener.sessionCreated
Thread: http-bio-10.0.1.174-8443-exec-1
Created session
AMAUTHID#1A6648A1966B901B93595CA83F1713A0</msg></amLogEntry>
<amLogEntry seq="72" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ><msg>Method: NIDPProxyableServlet.myDoGetWithProxy
Thread: http-bio-10.0.1.174-8443-exec-1
****** HttpServletRequest Information:
Method: GET
Scheme: https
Context Path: /nidp
Servlet Path: /idff
Query String:
RequestID=idHoEvdTjZ9VNUhyhU5Ww5PaxYbM4&amp;MajorVersion=1&amp;MinorVersion=2&amp;IssueInstant=2015-09-17T22%3A54%3A27Z&amp;ProviderID=https%3A%2F%2Fportal.test.org%3A443%2Fnesp%2Fidff%2Fmetadata&amp;RelayState=MA%3D%3D&amp;consent=urn%3Aliberty%3Aconsent%3Aunavailable&amp;ForceAuthn=false&amp;IsPassive=false&amp;NameIDPolicy=onetime&amp;ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&amp;target=https%3A%2F%2Fmoodle.test.org%3A443%2F&amp;AuthnContextStatementRef=secure%2Fbasic%2Fname%2Fpassword%2Furi
Path Info: /sso
Server Name: nidp.test.org
Server Port: 8443
Content Length: -1
Content Type: null
Auth Type: null
Request URL: https://nidp.test.org:8443/nidp/idff/sso
Host IP Address: 10.0.1.177
Remote Client IP Address: 10.0.1.177
Header: Name: connection, Value: keep-alive
Header: Name: host, Value: nidp.test.org:8443
Header: Name: accept, Value:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Header: Name: upgrade-insecure-requests, Value: 1
Header: Name: user-agent, Value: Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125
Safari/537.36
Header: Name: accept-encoding, Value: gzip, deflate
Header: Name: accept-language, Value: en-US,en;q=0.8
Header: Name: via, Value: 1.1 nidp.test.org (Access Gateway
3.1.5-42-9D4B7B3FB1C63FA3- )
Session Id: 1A6648A1966B901B93595CA83F1713A0
Session Last Accessed Time: 1442530668870</msg></amLogEntry>
<amLogEntry seq="73" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ><msg>Method: CacheMap.A
Thread: http-bio-10.0.1.174-8443-exec-1

Retrieval of object from cache session failed using key
1A6648A1966B901B93595CA83F1713A0. Cache size is 1</msg></amLogEntry>
<amLogEntry seq="74" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ><msg>Method: CacheMap.A
Thread: http-bio-10.0.1.174-8443-exec-1

Retrieval of object from cache ancestralsession failed using key
1A6648A1966B901B93595CA83F1713A0. Cache size is 0</msg></amLogEntry>
<amLogEntry seq="75" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ids="AM#600105011: AMDEVICEID#C34005A9EEDCE9D4:
AMAUTHID#1A6648A1966B901B93595CA83F1713A0: " ><msg>IDP liberty12 handler
to process request received for /nidp/idff</msg></amLogEntry>
<amLogEntry seq="76" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ><msg>Method: CacheMap.A
Thread: http-bio-10.0.1.174-8443-exec-1

Retrieval of object from cache session failed using key
1A6648A1966B901B93595CA83F1713A0. Cache size is 1</msg></amLogEntry>
<amLogEntry seq="77" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ><msg>Method: CacheMap.A
Thread: http-bio-10.0.1.174-8443-exec-1

Retrieval of object from cache ancestralsession failed using key
1A6648A1966B901B93595CA83F1713A0. Cache size is 0</msg></amLogEntry>
<amLogEntry seq="78" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ><msg>Method: CacheMap.A
Thread: http-bio-10.0.1.174-8443-exec-1

Addition of object com.novell.nidp.servlets.NIDPServletSession@4cdacaa
to cache session succeeded using key 1A6648A1966B901B93595CA83F1713A0.
Cache size is 2</msg></amLogEntry>
<amLogEntry seq="79" d="2015-09-17T22:57:48Z" lg="Application"
lv="VERBOSE" th="43" ><msg>Session has consumed authentications:
false</msg></amLogEntry>
<amLogEntry seq="80" d="2015-09-17T22:57:48Z" lg="IDFF" lv="VERBOSE"
th="43" ><msg>Handling IDFF request, session authenticated:
false</msg></amLogEntry>
<amLogEntry seq="81" d="2015-09-17T22:57:48Z" lg="Application"
lv="VERBOSE" th="43" ><msg>Session has consumed authentications:
false</msg></amLogEntry>
<amLogEntry seq="82" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ><msg>Method: ProxyProfile.isProxyRequest
Thread: http-bio-10.0.1.174-8443-exec-1
/nidp/idff/sso is a ProxyRequest: false</msg></amLogEntry>
<amLogEntry seq="83" d="2015-09-17T22:57:48Z" lg="IDFF" lv="VERBOSE"
th="43" ><msg>Processing Liberty SSO request</msg></amLogEntry>
<amLogEntry seq="84" d="2015-09-17T22:57:48Z" lg="IDFF" lv="DEBUG"
th="43" ><msg>Method: LibertyProfile.traceMessage
Thread: http-bio-10.0.1.174-8443-exec-1

************************* Liberty Redirect message
********************************
Type: received
RelayState: None
RequestID=idHoEvdTjZ9VNUhyhU5Ww5PaxYbM4&amp;MajorVersion=1&amp;MinorVersion=2&amp;IssueInstant=2015-09-17T22%3A54%3A27Z&amp;ProviderID=https%3A%2F%2Fportal.test.org%3A443%2Fnesp%2Fidff%2Fmetadata&amp;RelayState=MA%3D%3D&amp;consent=urn%3Aliberty%3Aconsent%3Aunavailable&amp;ForceAuthn=false&amp;IsPassive=false&amp;NameIDPolicy=onetime&amp;ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&amp;target=https%3A%2F%2Fmoodle.test.org%3A443%2F&amp;AuthnContextStatementRef=secure%2Fbasic%2Fname%2Fpassword%2Furi
************************* End Liberty message
****************************</msg></amLogEntry>
<amLogEntry seq="85" d="2015-09-17T22:57:48Z" lg="IDFF" lv="DEBUG"
th="43" ><msg>Method: LibertySSOProfile.processAuthnRequest
Thread: http-bio-10.0.1.174-8443-exec-1
Process Liberty AuthnRequest</msg></amLogEntry>
<amLogEntry seq="86" d="2015-09-17T22:57:48Z" lg="Application" lv="INFO"
th="43" ids="AM#500105025: AMDEVICEID#C34005A9EEDCE9D4:
AMAUTHID#1A6648A1966B901B93595CA83F1713A0: " ><msg>IDP is requesting
metadata from ESP
https://portal.test.org:443/nesp/idff/metadata</msg></amLogEntry>
<amLogEntry seq="87" d="2015-09-17T22:57:48Z" lg="Application"
lv="VERBOSE" th="43" ><msg>Attempting to connect to URL:
https://portal.test.org:443/nesp/idff/metadata via
GET</msg></amLogEntry>
<amLogEntry seq="88" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ><msg>Method: URLUtil.connectToURL
Thread: http-bio-10.0.1.174-8443-exec-1
Response code 404 from connection</msg></amLogEntry>
<amLogEntry seq="89" d="2015-09-17T22:57:48Z" lg="IDFF" lv="SEVERE"
th="43" ids="AM#100106001: AMDEVICEID#C34005A9EEDCE9D4: " ><msg>Unable
to load metadata for Embedded Service Provider:
https://portal.test.org:443/nesp/idff/metadata, error:
NIDPMAIN.405</msg></amLogEntry>
<amLogEntry seq="90" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ><msg>Method: CacheMap.A
Thread: http-bio-10.0.1.174-8443-exec-1

All three servers can resolve portal.test.org correctly, as they could
before the upgrade. I haven't done the upgrade of the AG yet, though did
do that with a previous attempt and had the same issue after the
upgrade.

I have found that if I push the certificates again, the ID server status
goes back to green. However, as soon as I try to access a protected
resource again, it goes back to yellow with the same error.


--
imoore
------------------------------------------------------------------------
imoore's Profile: https://forums.netiq.com/member.php?userid=3071
View this thread: https://forums.netiq.com/showthread.php?t=54315
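The debug excerpt above is the kind of trace a defender has to read through by hand to see that the IDP asked the ESP for its metadata and got an HTTP 404 back before raising NIDPMAIN.405. The following is an added triage script, not code from the post or from NetIQ: it parses the `<amLogEntry>`/`<msg>` record shape shown in the excerpt, correlates each "IDP is requesting metadata from ESP" entry with the next "Response code N from connection" and any SEVERE "Unable to load metadata" entry on the same thread, and reports the URL and status per fetch. The sample log embedded in it is constructed to mirror the post's entries; the regular expressions assume the message wording seen in the excerpt, and correlating by the `th` attribute assumes one fetch is in flight per thread at a time.

```python
"""Triage helper for NetIQ Access Manager IDP debug logs (IS_NIDP.*.xml).

Added example, not part of the original post. Parses the <amLogEntry>
records, then pairs each ESP metadata request with the HTTP response code
and any SEVERE metadata-load error that follows on the same thread.
"""
import html
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the shape of the entries in the post.
SAMPLE_LOG = """\
<amLogEntry seq="86" d="2015-09-17T22:57:48Z" lg="Application" lv="INFO"
th="43" ids="AM#500105025: AMDEVICEID#C34005A9EEDCE9D4:
AMAUTHID#1A6648A1966B901B93595CA83F1713A0: " ><msg>IDP is requesting
metadata from ESP
https://portal.test.org:443/nesp/idff/metadata</msg></amLogEntry>
<amLogEntry seq="87" d="2015-09-17T22:57:48Z" lg="Application"
lv="VERBOSE" th="43" ><msg>Attempting to connect to URL:
https://portal.test.org:443/nesp/idff/metadata via
GET</msg></amLogEntry>
<amLogEntry seq="88" d="2015-09-17T22:57:48Z" lg="Application"
lv="DEBUG" th="43" ><msg>Method: URLUtil.connectToURL
Thread: http-bio-10.0.1.174-8443-exec-1
Response code 404 from connection</msg></amLogEntry>
<amLogEntry seq="89" d="2015-09-17T22:57:48Z" lg="IDFF" lv="SEVERE"
th="43" ids="AM#100106001: AMDEVICEID#C34005A9EEDCE9D4: " ><msg>Unable
to load metadata for Embedded Service Provider:
https://portal.test.org:443/nesp/idff/metadata, error:
NIDPMAIN.405</msg></amLogEntry>
"""

# One record = opening tag with attributes, a <msg> body, closing tag.
# The file is a sequence of such records, so a regex is used rather than
# a strict XML parser (no single root element is assumed).
ENTRY_RE = re.compile(
    r"<amLogEntry\s+(?P<attrs>[^>]*?)\s*>\s*<msg>(?P<msg>.*?)</msg>\s*</amLogEntry>",
    re.DOTALL,
)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
REQUEST_RE = re.compile(r"IDP is requesting metadata from ESP (\S+)")
RESPONSE_RE = re.compile(r"Response code (\d+) from connection")
SEVERE_RE = re.compile(
    r"Unable to load metadata for Embedded Service Provider: (\S+?), error: (\S+)"
)


@dataclass
class LogEntry:
    seq: int
    time: str
    logger: str
    level: str
    thread: str
    ids: str
    msg: str  # whitespace-collapsed, entities unescaped


@dataclass
class MetadataFetch:
    seq: int
    url: str
    response_code: Optional[int] = None
    error: Optional[str] = None  # e.g. NIDPMAIN.405


def parse_entries(text: str) -> List[LogEntry]:
    """Extract amLogEntry records; line wrapping inside <msg> is collapsed."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        attrs = {k: " ".join(v.split()) for k, v in ATTR_RE.findall(m.group("attrs"))}
        msg = html.unescape(" ".join(m.group("msg").split()))
        entries.append(LogEntry(int(attrs["seq"]), attrs.get("d", ""), attrs.get("lg", ""),
                                attrs.get("lv", ""), attrs.get("th", ""), attrs.get("ids", ""), msg))
    return entries


def find_metadata_fetches(entries: List[LogEntry]) -> List[MetadataFetch]:
    """Pair each ESP metadata request with its response code / SEVERE error, per thread."""
    fetches: List[MetadataFetch] = []
    open_by_thread: Dict[str, MetadataFetch] = {}
    for e in entries:
        req = REQUEST_RE.search(e.msg)
        if req:
            fetch = MetadataFetch(e.seq, req.group(1))
            fetches.append(fetch)
            open_by_thread[e.thread] = fetch  # assumes one fetch in flight per thread
            continue
        fetch = open_by_thread.get(e.thread)
        if fetch is None:
            continue
        resp = RESPONSE_RE.search(e.msg)
        if resp and fetch.response_code is None:
            fetch.response_code = int(resp.group(1))
            continue
        sev = SEVERE_RE.search(e.msg)
        if sev and e.level == "SEVERE":
            fetch.error = sev.group(2)
            open_by_thread.pop(e.thread, None)
    return fetches


def summarize(fetches: List[MetadataFetch]) -> List[str]:
    """One human-readable line per metadata fetch, flagging anything not a clean 200."""
    lines = []
    for f in fetches:
        ok = f.error is None and f.response_code == 200
        line = f"seq {f.seq}: GET {f.url} -> HTTP {f.response_code}"
        if f.error:
            line += f" error {f.error}"
        lines.append(line + (" [ok]" if ok else " [FAILED]"))
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in summarize(find_metadata_fetches(parse_entries(text))):
        print(line)
```

Run it with the path to the IS_NIDP file as its only argument to get one line per ESP metadata fetch; with no argument it runs over the embedded sample, where the report shows the 404 and the NIDPMAIN.405 that the post describes. A 404 on the ESP metadata URL means the IDP reached a web server at that host and port but nothing answered the `/nesp/idff/metadata` path, which is a different failure from a DNS or TLS problem, so the script separates "no response code at all" (connection never completed) from a numeric status.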