AdminTokenAction:致命错误:无法获取应用程序单点登录令牌
AdminTokenAction:致命错误:无法获取应用程序单点登录令牌
提问于 2015-04-16 21:26:37
我试着用配置好的apache tomcat代理安装openam12war,sso.But尝试了50多次,但只得到了错误。
如果我在webagent中将以下属性值更改为amAdmin,则在tomcat第二个实例中调用受保护的应用程序时,它会一次又一次地重定向到同一页面,但没有得到任何异常。amAdmin是我在openam控制台上的管理员用户。
OpenSSOAgentBootstrap.properties/com.sun.identity.agents.app.username =Tomcat日志中的异常
Apr 16, 2015 5:41:10 PM org.apache.tomcat.util.digester.Digester startElement
SEVERE: Begin event threw error
java.lang.ExceptionInInitializerError
at com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfiguration(AgentConfiguration.java:727)
at com.sun.identity.agents.arch.AgentConfiguration.initializeConfiguration(AgentConfiguration.java:1140)
at com.sun.identity.agents.arch.AgentConfiguration.<clinit>(AgentConfiguration.java:1579)
at com.sun.identity.agents.arch.Manager.<clinit>(Manager.java:675)
at com.sun.identity.agents.tomcat.v6.AmTomcatRealm.<clinit>(AmTomcatRealm.java:67)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at java.lang.Class.newInstance(Class.java:374)
at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:145)
at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1288)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509)
at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:649)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1561)
at org.apache.catalina.startup.Catalina.load(Catalina.java:615)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
Check AMConfig.properties for the following properties
com.sun.identity.agents.app.username
com.iplanet.am.service.password
at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:272)
at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:76)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.identity.common.configuration.ConfigurationObserver.registerListeners(ConfigurationObserver.java:89)
at com.sun.identity.common.configuration.ConfigurationObserver.getInstance(ConfigurationObserver.java:114)
at com.sun.identity.common.DebugPropertiesObserver.<clinit>(DebugPropertiesObserver.java:49)
... 32 more主机条目
127.0.0.1 org.sso.com test.openam.com来自apache-tomcat-7.0.57的Tomcat两个实例
**1, One for OpenAM.12.0.war running in port 8080
2, Another one for webagent(openam-Tomcat-v6-7-Agent-3.3.0.zip) with my protected application running in port 7070**OpenAM配置:
1, Default configuration amAdmin with password (password) and policy-agent with password(password1) created.
2, Login as amAdmin -->Access Control -- >OpenAMIDPRealm-->created
3, Access Control -- >OpenAMIDPRealm-->subject-->idpuser-->password(password)-->created
4, Access Control -- >OpenAMIDPRealm-->agent-->J2EE-->name(webagent)-->password(password)-->local-->agenturl(http://org.sso.com:7070/agentapp)-->created
5, Federation -- >Create Circle of Trust -- > OpenAMIDPCOT -->select realm (OpenAMIDPRealm) -->created
6, Common Tasks --> create hosted identity provider --> select realm (OpenAMIDPRealm) --> select Circle of Trust -- > OpenAMIDPCOT -->created网络代理配置:
D:\Studies\sso\OpenAM-SP2IDP\webagent\j2ee_agents\tomcat_v6_agent\bin>agentadmin --install
Please read the following License Agreement carefully:
[Press <Enter> to continue...] or [Enter n To Finish]
************************************************************************
Welcome to the OpenAM Policy Agent for Apache Tomcat 6.0 Servlet/JSP
Container
************************************************************************
Enter the complete path to the directory which is used by Tomcat Server to
store its configuration Files. This directory uniquely identifies the
Tomcat Server instance that is secured by this Agent.
[ ? : Help, ! : Exit ]
Enter the Tomcat Server Config Directory Path [C:/Program Files/Apache
Software Foundation/Tomcat 6.0/conf]: D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat
-SP\apache-tomcat-7.0.57\conf
Enter the URL where the OpenAM server is running. Please include the
deployment URI also as shown below:
(http://openam.sample.com:58080/openam)
[ ? : Help, < : Back, ! : Exit ]
OpenAM server URL: http://test.openam.com:8080/openam
$CATALINA_HOME environment variable is the root of the tomcat
installation.
[ ? : Help, < : Back, ! : Exit ]
Enter the $CATALINA_HOME environment variable: D:\Studies\sso\OpenAM-SP2IDP\apac
he-tomcat-SP\apache-tomcat-7.0.57
Choose yes to deploy the policy agent in the global web.xml file.
[ ? : Help, < : Back, ! : Exit ]
Install agent filter in global web.xml ? [true]: true
Enter the Agent URL. Please include the deployment URI also as shown below:
(http://agent1.sample.com:1234/agentapp)
[ ? : Help, < : Back, ! : Exit ]
Agent URL: http://org.sso.com:7070/agentapp
Enter the Agent profile name
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Profile name: webagent
Enter the path to a file that contains the password to be used for identifying
the Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file: D:\Studies\sso\OpenAM-SP2IDP\password.txt
WARNING:
Agent profile/User: webagent does not exist in OpenAM server! Either "Hit
the Back button, and re-enter the correct agent profile name/user name", or
"Create this agent profile when asked(available only in custom-install)",
or "Continue without validating it because agent profile is in sub realm", or
"Continue without validating/creating it, and manually validate/create
it in OpenAM server after installation".
-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Tomcat Server Config Directory :
D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57\conf
OpenAM server URL : http://test.openam.com:8080/openam
$CATALINA_HOME environment variable :
D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57
Tomcat global web.xml filter install : true
Agent URL : http://org.sso.com:7070/agentapp
Agent Profile name : webagent
Agent Profile Password file name :
D:\Studies\sso\OpenAM-SP2IDP\password.txt
Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]: 1
Updating the
D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57/bin/setenv.ba
t
script with the Agent configuration JVM option ...DONE.
DONE.
Creating directory layout and configuring Agent file for Agent_001
instance ...DONE.
Reading data from file D:\Studies\sso\OpenAM-SP2IDP\password.txt and
encrypting it ...DONE.
Generating audit log file name ...DONE.
Creating tag swapped OpenSSOAgentBootstrap.properties file for instance
Agent_001 ...DONE.
Creating a backup for file
D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57\conf/server.x
ml
...DONE.
Creating a backup for file
D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57\conf/web.xml
...DONE.
Adding OpenAM Tomcat Agent Realm to Server XML file :
D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57\conf/server.x
ml
...DONE.
Adding filter to Global deployment descriptor file :
D:\Studies\sso\OpenAM-SP2IDP\apache-tomcat-SP\apache-tomcat-7.0.57\conf/web.xml
...DONE.
Adding OpenAM Tomcat Agent Filter and Form login authentication to selected
Web applications ...DONE.
SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/conf
ig/OpenSSOAgentBootstrap.properties
Agent Configuration file location
D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/conf
ig/OpenSSOAgentConfiguration.properties
Agent Audit directory location:
D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/logs
/audit
Agent Debug directory location:
D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/logs
/debug
Install log file location:
D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/installer-logs
/audit/install.log
Thank you for using OpenAM Policy AgentOpenSSOAgentBootstrap.properties
com.iplanet.am.naming.url=http://test.openam.com:8080/openam/namingservice
com.sun.identity.agents.config.service.resolver = com.sun.identity.agents.tomcat.v6.AmTomcatAgentServiceResolver
com.sun.identity.agents.app.username = webagent
com.iplanet.am.service.secret = AQIC91zdxfnLewLIWRJDohP4vdRaQ/7vpmBl
am.encryption.pwd = lZco703977UeM52+kT4ZdyIjLM2PMw3d
com.iplanet.services.debug.level=error
com.iplanet.services.debug.directory=D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/logs/debug
com.sun.services.debug.mergeall=on
com.sun.identity.agents.config.local.logfile = D:/Studies/sso/OpenAM-SP2IDP/webagent/j2ee_agents/tomcat_v6_agent/Agent_001/logs/audit/amAgent_org_sso_com_7070.log
com.sun.identity.agents.config.organization.name = /
com.sun.identity.agents.config.lock.enable = false
com.sun.identity.agents.config.profilename = webagent
com.iplanet.am.services.deploymentDescriptor=/openamopenam/WEB-INF/classes/AMConfig.properties
com.iplanet.am.server.host=@SERVER_HOST@
com.iplanet.security.SSLSocketFactoryImpl=com.sun.identity.shared.ldap.factory.JSSESocketFactory
com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.@SMS_OBJECT_CLASS@
com.iplanet.services.configpath=@BASE_DIR@
com.iplanet.am.serverMode=true
com.iplanet.am.ldap.connection.ldap.error.codes.retries=80,81,91
com.iplanet.am.locale=@PLATFORM_LOCALE@
com.sun.identity.urlconnection.useCache=false
opensso.protocol.handler.pkgs=
com.iplanet.am.server.protocol=@SERVER_PROTO@
com.iplanet.am.server.port=@SERVER_PORT@
com.iplanet.services.debug.level=error
com.sun.embedded.replicationport=
com.sun.identity.common.systemtimerpool.size=3
com.sun.identity.overrideAMC=true
com.sun.embedded.sync.servers=on
com.iplanet.am.service.secret=@ENCLDAPUSERPASSWD@
am.encryption.pwd=@AM_ENC_KEY@
com.sun.identity.sm.enableDataStoreNotification=@DATASTORE_NOTIFICATION@
com.sun.services.debug.mergeall=off
com.iplanet.am.services.deploymentDescriptor=/@SERVER_URI@
com.sun.am.event.connection.disable.list=@DISABLE_PERSISTENT_SEARCH@Agent_001/conf/OpenSSOAgentConfiguration.properties
com.sun.identity.agents.config.filter.mode[manager]=J2EE_POLICY
com.sun.identity.agents.config.filter.mode[host-manager]=J2EE_POLICY
com.sun.identity.agents.config.filter.mode = ALL
com.sun.identity.agents.config.user.mapping.mode = USER_ID
com.sun.identity.agents.config.user.attribute.name = employeenumber
com.sun.identity.agents.config.user.principal = false
com.sun.identity.agents.config.user.token = UserToken
com.sun.identity.agents.config.client.ip.header =
com.sun.identity.agents.config.client.hostname.header =
com.sun.identity.agents.config.load.interval = 0
com.sun.identity.agents.config.locale.language = en
com.sun.identity.agents.config.locale.country = US
com.sun.identity.agents.config.audit.accesstype = LOG_NONE
com.sun.identity.agents.config.log.disposition = REMOTE
com.sun.identity.agents.config.remote.logfile = amAgent_org_sso_com_7070.log
com.sun.identity.agents.config.local.log.rotate = false
com.sun.identity.agents.config.local.log.size = 52428800
com.sun.identity.agents.config.webservice.enable = false
com.sun.identity.agents.config.webservice.endpoint[0] =
com.sun.identity.agents.config.webservice.process.get.enable = true
com.sun.identity.agents.config.webservice.authenticator =
com.sun.identity.agents.config.webservice.internalerror.content = WSInternalErrorContent.txt
com.sun.identity.agents.config.webservice.autherror.content = WSAuthErrorContent.txt
com.sun.identity.agents.config.webservice.responseprocessor =
com.sun.identity.agents.config.access.denied.uri[] =
com.sun.identity.agents.config.login.form[0] = /host-manager/AMLogin.html
com.sun.identity.agents.config.login.form[1] = /manager/AMLogin.html
com.sun.identity.agents.config.login.error.uri[0] = /host-manager/AMError.html
com.sun.identity.agents.config.login.error.uri[1] = /manager/AMError.html
com.sun.identity.agents.config.login.use.internal = true
com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
com.sun.identity.agents.config.auth.handler[] =
com.sun.identity.agents.config.logout.handler[] =
com.sun.identity.agents.config.verification.handler[] =
com.sun.identity.agents.config.httpsession.binding = true
com.sun.identity.agents.config.redirect.param = goto
com.sun.identity.agents.config.login.url[0] = http://test.openam.com:8080/openam/UI/Login
com.sun.identity.agents.config.logout.url[0] = http://test.openam.com:8080/openam/UI/Logout
com.sun.identity.agents.config.login.url.prioritized = true
com.sun.identity.agents.config.login.url.probe.enabled = true
com.sun.identity.agents.config.login.url.probe.timeout = 2000
com.sun.identity.agents.config.logout.url.prioritized = true
com.sun.identity.agents.config.logout.url.probe.enabled = true
com.sun.identity.agents.config.logout.url.probe.timeout = 2000
com.sun.identity.agents.config.agent.host =
com.sun.identity.agents.config.agent.port =
com.sun.identity.agents.config.agent.protocol =
com.sun.identity.agents.config.login.attempt.limit = 0
com.sun.identity.agents.config.amsso.cache.enable = true
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
com.sun.identity.agents.config.cdsso.enable = false
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://test.openam.com:8080/openam/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://test.openam.com:8080/openam/cdcservlet
com.sun.identity.agents.config.cdsso.secure.enable = false
com.sun.identity.agents.config.logout.application.handler[] =
com.sun.identity.agents.config.logout.uri[] =
com.sun.identity.agents.config.logout.request.param[] =
com.sun.identity.agents.config.logout.introspect.enabled = false
com.sun.identity.agents.config.logout.entry.uri[] =
com.sun.identity.agents.config.fqdn.check.enable = true
com.sun.identity.agents.config.fqdn.default = org.sso.com
com.sun.identity.agents.config.fqdn.mapping[] =
com.sun.identity.agents.config.legacy.support.enable = false
com.sun.identity.agents.config.legacy.user.agent[0] = Mozilla/4.7*
com.sun.identity.agents.config.legacy.redirect.uri = /agentapp/sunwLegacySupportURI
com.sun.identity.agents.config.response.header[] =
com.sun.identity.agents.config.redirect.attempt.limit = 0
com.sun.identity.agents.config.port.check.enable = false
com.sun.identity.agents.config.port.check.file = PortCheckContent.txt
com.sun.identity.agents.config.port.check.setting[7070] = http
com.sun.identity.agents.config.notenforced.uri[0] =
com.sun.identity.agents.config.notenforced.uri.invert = false
com.sun.identity.agents.config.notenforced.uri.cache.enable = true
com.sun.identity.agents.config.notenforced.uri.cache.size = 1000
com.sun.identity.agents.config.notenforced.refresh.session.idletime = false
com.sun.identity.agents.config.notenforced.ip[0] =
com.sun.identity.agents.config.notenforced.ip.invert = false
com.sun.identity.agents.config.notenforced.ip.cache.enable = true
com.sun.identity.agents.config.notenforced.ip.cache.size = 1000
com.sun.identity.agents.config.attribute.cookie.separator = |
com.sun.identity.agents.config.attribute.date.format = EEE, d MMM yyyy hh:mm:ss z
com.sun.identity.agents.config.attribute.cookie.encode = true
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
com.sun.identity.agents.config.profile.attribute.mapping[] =
com.sun.identity.agents.config.session.attribute.fetch.mode = NONE
com.sun.identity.agents.config.session.attribute.mapping[] =
com.sun.identity.agents.config.response.attribute.fetch.mode = NONE
com.sun.identity.agents.config.response.attribute.mapping[] =
com.sun.identity.agents.config.bypass.principal[0] =
com.sun.identity.agents.config.default.privileged.attribute[0] = AUTHENTICATED_USERS
com.sun.identity.agents.config.privileged.attribute.type[0] = Group
com.sun.identity.agents.config.privileged.attribute.type[1] = Role
com.sun.identity.agents.config.privileged.attribute.tolowercase[Group] = false
com.sun.identity.agents.config.privileged.attribute.tolowercase[Role] = false
com.sun.identity.agents.config.privileged.session.attribute[0] =
com.sun.identity.agents.config.privileged.attribute.mapping.enable = true
com.sun.identity.agents.config.privileged.attribute.mapping[] =
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.session.client.polling.enable=false
com.iplanet.am.session.client.polling.period=180
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
com.sun.identity.idm.remote.notification.enabled=true
com.iplanet.am.sdk.remote.pollingTime=1
com.sun.identity.sm.notification.enabled=true
com.sun.identity.sm.cacheTime=1
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=test.openam.com
com.iplanet.am.server.port=8080
com.sun.identity.agents.notification.enabled=true
com.sun.identity.agents.polling.interval=3
com.sun.identity.policy.client.cacheMode=subtree
com.sun.identity.policy.client.booleanActionValues=iPlanetAMWebAgentService|GET|allow|deny:iPlanetAMWebAgentService|POST|allow|deny
com.sun.identity.policy.client.resourceComparators=serviceType=iPlanetAMWebAgentService|class=com.sun.identity.policy.plugins.HttpURLResourceName|wildcard=*|delimiter=/|caseSensitive=false
com.sun.identity.policy.client.clockSkew=10
com.sun.identity.agents.config.policy.env.get.param[0]=
com.sun.identity.agents.config.policy.env.post.param[0]=
com.sun.identity.agents.config.policy.env.jsession.param[0]=
com.sun.identity.client.notification.url=http://org.sso.com:7070/agentapp/notification
com.iplanet.services.debug.level=error
com.sun.identity.agents.config.ignore.path.info = false请提前帮我解决这个issue.Thanks。
回答 3
Stack Overflow用户
回答已采纳
发布于 2015-10-14 05:18:25
我在过去遇到过类似的问题,在用户使用OpenAM登录登录后,它会重定向到自己。
问题出在cookie域。当OpenAM进行身份验证时,它将使用会话令牌设置cookie。如果tomcat在一个单独的域上,那么它将无法查找cookie。
您可能需要在OpenAM console -> configuration -> system -> platform中检查您的域
我的应用程序是Drupal,但我认为tomcat的配置是:
<Context sessionCookiePath="/something" sessionCookieDomain=".domain.tld" />Stack Overflow用户
发布于 2015-09-24 20:17:15
您的问题的一种可能的解决方案是使用com.iplanet.am.naming.map.site.to.server本教程将为您介绍内容:) https://backstage.forgerock.com/#!/docs/openam/12.0.0/admin-guide
Stack Overflow用户
发布于 2017-03-29 02:12:16
我观察到的这类错误的一个问题是,Open AM 13可能与Tomcat-8.5.12不兼容。请将其中部署open AM的tomcat安装更改为Tomcat-7.0.69。这解决了我的问题。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/29676170
复制相关文章
相似问题