Can somebody help me out here .... pretty please.

We have an IDM45 (latest SP) infrastructure with most IDM Applications
set up.
So UserApp/HPD with SP5 JVM 1.8.121 SSPR and OSP 6HF5 running on
SLES servers

We started of with everything running non secure IP based => That
We changed every setting according the documentation and Geoffrey's
coolsolutions to DNS names based => That worked.
We did all the certificate stuff using signed certificates from an
external CA (comodo) and moved to https => That worked.
We did use host files for the DNS names were pointing towards a NAM
setup, but everything went ok including the oauth authentication.
So every setting in configupdate and sspr was with

As last step we removed the port or changed it to 443 and have the
Access Manager in place including the SAML federation.

Now first , what i noticed is that any of the changes made in
configupdate does NOT end up in
/opt/netiq/idm/apps/tomcat/conf/ which
should to my opninion.(?)
Secondly, the documentation lacks a lot of information. On the
certificate stuff , but more importent on the configuration !. I needed
to revert my changes a couple of times because sspr was unreachable, so
i needed to makes the changes there first. learning all the time ......

Every system involved uses the same wildcard, externally signed
At one point we started to get this on the browser.
"{"Fault":{"Code":{"Value":"Sender","Subcode":{"Va lue":"XDAS_OUT_POLICY_VIOLATION"}},"Reason":{"Text ":"Unrecognized
interface. Invalid Host Header Name or Request URL Domain Name."}}}"

We checked, changed and tried every setting regarding host names,
redirect urls etc. We reverted the saml federation but the error dit not
go away.
In the osp logging is shows :

OSP] 2017-03-29T06:18:17.359+0200
Level: WARN
Code: com.novell.osp.servlet.OSPServlet.auditFailedReque st() [531]
Message: InternalError

[OSP] 2017-03-29T06:17:20.087+0200
Level: ERROR
Code: com.novell.osp.servlet.OSPServlet.errorResponse() [312]
Level: ERROR
Code: com.netiq.osp.exception.OSPAuthenticationException .<init>()
Thread: http-bio-8443-exec-3
Correlation Id: 764d662f-21f6-4bdd-9cf9-8b0fbda8610a
Text: Unrecognized interface. Invalid Host Header Name or Request URL
Domain Name.

In the local_access we stumbled upon this - - [29/Mar/2017:06:18:16 +0200] "GET /landing/ HTTP/1.1" 200
7931 - - [29/Mar/2017:06:18:16 +0200] "GET
/landing/com.netiq.ualanding.index/jquery.min.js HTTP/1.1" 304 - - - [29/Mar/2017:06:18:16 +0200] "GET
HTTP/1.1" 304 - - - [29/Mar/2017:06:18:16 +0200] "GET
/landing/js/lib/masonry.pkgd.min.netiq.js HTTP/1.1" 304 - - - [29/Mar/2017:06:18:16 +0200] "GET /landing/landing.min.js
HTTP/1.1" 304 - - - [29/Mar/2017:06:18:16 +0200] "GET
/landing/js/lib/jquery.ui.touch-punch.js HTTP/1.1" 304 - - - [29/Mar/2017:06:18:16 +0200] "GET
/landing/js/lib/i18n/jquery.ui.datepicker.js HTTP/1.1" 302 - - - [29/Mar/2017:06:18:16 +0200] "GET
/landing/js/lib/i18n/date HTTP/1.1" 302 - - - [29/Mar/2017:06:18:16 +0200] "GET
/landing/js/lib/i18n/jquery.ui.datepicker-en-US.js HTTP/1.1" 304 - - - [29/Mar/2017:06:18:16 +0200] "GET
/landing/js/lib/i18n/date-en-US.js HTTP/1.1" 304 - - - [29/Mar/2017:06:18:17 +0200] "GET
/landing/com.netiq.ualanding.index/spiffyui.min.css HTTP/1.1" 304 - - - [29/Mar/2017:06:18:17 +0200] "GET
/landing/com.netiq.ualanding.index/NovellGWTLib.css HTTP/1.1" 304 - - - [29/Mar/2017:06:18:17 +0200] "GET
/landing/custom/custom.css HTTP/1.1" 200 - - - [29/Mar/2017:06:18:17 +0200] "GET
/landing/images/favicon.png HTTP/1.1" 304 - - - [29/Mar/2017:06:18:17 +0200] "GET
HTTP/1.1" 200 262953 - - [29/Mar/2017:06:18:17 +0200] "GET
/landing/SpiffyUi.min.css HTTP/1.1" 304 - - - [29/Mar/2017:06:18:17 +0200] "GET
/IDMProv/rest/access/users/fullName HTTP/1.1" 401 - - - [29/Mar/2017:06:18:17 +0200] "GET
/osp/a/idm/auth/oauth2/grant?response_type=token&redirect_uri=https://xxxxxxxxxxxx.xxxxxxxxxxxxx.xx/landing/com.netiq.ualanding.index/oauth.html&client_id=ualanding&state=spiffystate0. 29279431547721113
HTTP/1.1" 403 193

The IP address is a gateway, there is no rewriter authN policy or
anything els in place. It is a protected resource and the hostnames are
internally the same as from the outside.
Looking at the trace i see a http 401 and a 403 (193) , unauthorized and
forbidden, but i really don't know why.

What are we doing wrong here ?? Thanks in advance for any answer .....
(BTW, i did work when we used the 4.5 stock version)

dvandermaas's Profile:
View this thread: