IBM Security Access Manager Fixes

SAM9 KVM is not installing from ISO

If you see a blank screen with a blinking cursor:

Open the Virtual Machine Manager console and open the VM definition. Go to Processor, expand the Configuration option and change the value of the Model field to "Clear CPU configuration". Click Apply.
Alternatively, run the virsh shell and edit the virtual machine definition (for example, edit isam_appliance). Locate and remove the <cpu>...</cpu> entry, then save the file.

WebSEAL session max does not seem to be enforced with SMS enabled

First, make sure the session limit policy option was enabled during the configuration of the SMS instance.
Then, make sure all WebSEAL configuration files have the following:

enforce-max-sessions-policy = yes
max-concurrent-web-sessions = displace
prompt-for-displacement = no

and optionally:

too-many-sessions = too_many_sessions.html

Finally, enable the policy via the pdadmin interface:

pdadmin policy set max-concurrent-web-sessions displace
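As an added example (not part of these notes or of the IBM product), a small Python checker that reads a webseald.conf and reports whether the session-limit settings above are present with the values the notes require. The notes do not say which stanza the keys live in, so the checker searches every stanza and reports where it found each key; the stanza names in the constructed sample config are illustrative, not taken from the notes.

```python
"""Check a webseald.conf for the session-limit settings required before the
SMS session policy is enforced. Added example; not IBM code.

The reader is a minimal INI-style parser: [stanza] headers, key = value lines,
lines starting with # treated as comments. Stanza names are not stated in the
notes, so every stanza is searched and the stanza where a key was found is
reported back.
"""
import re

# Constructed sample config. Stanza names are illustrative; the value of
# prompt-for-displacement is deliberately wrong and too-many-sessions is absent.
SAMPLE_CONF = """\
[server]
server-name = default-webseald-diamond

[session]
# session-limit settings pushed out to every WebSEAL instance
enforce-max-sessions-policy = yes
max-concurrent-web-sessions = displace
prompt-for-displacement = yes

[acnt-mgt]
login = login.html
"""

# Values the notes say every WebSEAL must carry.
REQUIRED = {
    "enforce-max-sessions-policy": "yes",
    "max-concurrent-web-sessions": "displace",
    "prompt-for-displacement": "no",
}
# Optional error page from the notes.
OPTIONAL = {"too-many-sessions": "too_many_sessions.html"}

_STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
_SETTING = re.compile(r"^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_conf(text: str) -> dict:
    """Return {stanza: {key: value}}; a key repeated within a stanza keeps its last value."""
    conf: dict = {}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _STANZA.match(line)
        if m:
            stanza = m.group("name").strip()
            conf.setdefault(stanza, {})
            continue
        m = _SETTING.match(line)
        if m and stanza is not None:
            conf[stanza][m.group("key")] = m.group("value")
    return conf


def check_session_limits(conf: dict) -> dict:
    """Return {key: (status, stanza, value)} for every required and optional key."""
    results = {}
    for key, wanted in {**REQUIRED, **OPTIONAL}.items():
        found = [(s, kv[key]) for s, kv in conf.items() if key in kv]
        if not found:
            status = "missing" if key in REQUIRED else "not-set (optional)"
            results[key] = (status, None, None)
            continue
        stanza, value = found[-1]
        status = "ok" if value == wanted else f"wrong (expected {wanted})"
        results[key] = (status, stanza, value)
    return results


def is_session_limit_ready(conf: dict) -> bool:
    """True only when every REQUIRED key is present with the expected value."""
    report = check_session_limits(conf)
    return all(report[key][0] == "ok" for key in REQUIRED)


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    for key, (status, stanza, value) in check_session_limits(parsed).items():
        print(f"{key:30} {status:25} stanza={stanza} value={value}")
    print("ready:", is_session_limit_ready(parsed))
```

Run it against the real file with `parse_conf(open("/path/to/webseald.conf").read())` on each WebSEAL instance; the policy set through pdadmin only takes effect on instances that report ready.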

LTPA SSO with Domino in the picture

All Domino server documents, server computer names, the directory assistance document and server port names have DOMAIN.LOC in upper case. The only item using lower case is the SSO token. Using lower case for the token made Domino SSO work; when I created it using upper case it didn't work.

SPNEGO Tracing

The Kerberos toolkit is case sensitive.

Trace setting for SPNEGO:
bst:*.9:TEXTFILE:/tmp/spnegotrace.log

For Linux:

kinit diamon@IBM.com
kinit -k -t /var/pdweb/keytab-diamond/diamon_HTTP.keytab

TAM Does not start - Administration limit exceeded

In /var/ibm/tivoli/common/HPD/logs/msg__pdmgrd_utf8.log you see:

pdmgrd ERROR rgy ira ira_entry.c 2938 0x0000161d HPDRG0201E Error code 0xb was received from the LDAP server. Error text: "Administration limit exceeded".

In plain words, TAM failed because of a limit on the Sun ONE directory server. The corresponding directory server error is:

Administrative limit exceeded (Error Number: 11)
Cause: An LDAP search was made that was larger than allowed by the directory server's nsslapd-sizelimit attribute. Only partial information will be returned.
Solution: Increase the value of the nsslapd-sizelimit attribute, or implement a VLV index for the failing search.

This is related to the fact that there are about 1300 users in Sun ONE now and the search is limited to a smaller number.
Change the following parameters on the LDAP server:
nsslapd-sizelimit, nsslapd-lookthroughlimit
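As an added example (not from these notes or from IBM), a Python triage script that scans msg__pdmgrd_utf8.log lines for the HPDRG0201E message above, decodes the LDAP result code that pdmgrd prints in hex, and for result 11 (adminLimitExceeded) prints the directory-server limits the notes say to raise. The first sample line is the one quoted above; the second is constructed.

```python
"""Triage HPDRG0201E lines from msg__pdmgrd_utf8.log. Added example; not IBM code.

pdmgrd reports the LDAP result code in hex (0xb), while the directory server
documentation numbers it in decimal (11); this script converts between the two
and attaches the remediation the notes give for result 11.
"""
import re

# First line is the one quoted in the notes; the second is constructed.
SAMPLE_LOG = """\
pdmgrd ERROR rgy ira ira_entry.c 2938 0x0000161d HPDRG0201E Error code 0xb was received from the LDAP server. Error text: "Administration limit exceeded".
pdmgrd ERROR rgy ira ira_entry.c 2938 0x0000161d HPDRG0201E Error code 0x4 was received from the LDAP server. Error text: "Size limit exceeded".
"""

# LDAP result codes (RFC 4511) that point at search limits on the directory server.
LDAP_RESULTS = {
    4: "sizeLimitExceeded",
    11: "adminLimitExceeded",
}

# Remediation from the notes for result 11 on Sun ONE.
REMEDIATION = {
    11: "raise nsslapd-sizelimit and nsslapd-lookthroughlimit on the LDAP server, "
        "or add a VLV index for the failing search",
}

_ERR = re.compile(
    r'HPDRG0201E Error code (?P<code>0x[0-9a-fA-F]+) was received from the LDAP server\. '
    r'Error text: "(?P<text>[^"]*)"'
)


def triage(log_text: str) -> list:
    """Return one finding per HPDRG0201E line: decimal LDAP result, its name, text and action."""
    findings = []
    for line in log_text.splitlines():
        m = _ERR.search(line)
        if not m:
            continue
        code = int(m.group("code"), 16)
        findings.append({
            "ldap_result": code,
            "name": LDAP_RESULTS.get(code, "unknown"),
            "text": m.group("text"),
            "action": REMEDIATION.get(code, "check the directory server log for this result code"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"LDAP result {f['ldap_result']} ({f['name']}): {f['text']} -> {f['action']}")
```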

Troubleshooting SPNEGO issues

Problem: When a user attempts to access the WebSEAL or WebPI server they receive an error page saying "DPWWA2403E Your browser supplied NTLM authentication data. NTLM is not supported by WebSEAL. Please make sure your browser is configured to use Integrated Windows Authentication."

Cause: WebSEAL does not support NTLM authentication.

Solution: Some browsers only support NTLM authentication, or are configured so that NTLM authentication tokens are sent instead of SPNEGO tokens. There are several possible reasons that a browser that supports SPNEGO authentication is sending NTLM authentication instead:
- Internet Explorer might not be configured so that the WebSEAL server is in the "Trusted sites" or "Local intranet" zone.
- Internet Explorer might not be configured for Integrated Windows Authentication.
- The client machine might be a member of a different Active Directory domain (Kerberos realm) than the WebSEAL server is using.
- The client may not have logged in to the Active Directory domain.
- The client may not be accessing the WebSEAL server with the right hostname. The "-princ" option to ktpass must use the same hostname that clients will use to contact the Web security server. For example, if clients contact the Web server at "https://diamond.subnet2.ibm.com" and the Web server is in the IBM.COM Kerberos realm, the argument to ktpass should be "-princ HTTP/diamond.subnet2.ibm.com@IBM.COM".

Under certain circumstances, clients cannot be prevented from sending NTLM authentication data to WebSEAL. Under those circumstances, you may not be able to use SPNEGO authentication directly to the WebSEAL server. Instead, you can configure e-community SSO such that clients authenticate to a WebPI MAS that supports both NTLM and SPNEGO authentication, while the WebSEAL server receives ECSSO authentication tokens from the WebPI server.
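Two of the SPNEGO notes above come down to exact string matching: the Kerberos toolkit is case sensitive (SPNEGO Tracing), and the ktpass -princ value must use the hostname clients actually type (last bullet of the solution). As an added example (not from these notes or from IBM), a Python check that derives the expected principal from the client URL and realm and compares it, case-sensitively, with the principals listed by `klist -k -t <keytab>`. The klist output in the script is constructed sample data, not captured from a real host.

```python
"""Check that a WebSEAL keytab holds the SPNEGO service principal clients will
request. Added example; not IBM code.

expected_principal() applies the rule from the notes: HTTP/<hostname clients
use>@<REALM>. parse_klist() reads `klist -k -t` output, and diagnose() tells a
case mismatch apart from a wrong realm or a missing SPN, because Kerberos
compares principal names case-sensitively.
"""
from urllib.parse import urlsplit

# Constructed sample of `klist -k -t` output. The HTTP entry deliberately has a
# lower-case realm to show the case-sensitivity failure the notes warn about.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/var/pdweb/keytab-diamond/diamon_HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/2020 00:00:00 HTTP/diamond.subnet2.ibm.com@ibm.com
   3 01/01/2020 00:00:00 host/diamond.subnet2.ibm.com@IBM.COM
"""


def expected_principal(client_url: str, realm: str) -> str:
    """Principal ktpass -princ must use: HTTP/<hostname exactly as clients type it>@REALM.

    The hostname is taken from the URL without lower-casing it, so the later
    case-sensitive comparison reflects what clients actually send.
    """
    netloc = urlsplit(client_url).netloc
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0]  # drop userinfo and port
    if not host:
        raise ValueError(f"no hostname in {client_url!r}")
    return f"HTTP/{host}@{realm}"


def parse_klist(output: str) -> list:
    """Extract principal names from `klist -k -t` output (KVNO, date, time, principal columns)."""
    principals = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit() and "@" in parts[-1]:
            principals.append(parts[-1])
    return principals


def diagnose(expected: str, keytab_principals: list) -> str:
    """Explain why the expected SPN would not be served from this keytab."""
    if expected in keytab_principals:
        return "ok"
    # Same name after lower-casing: the entry exists but with the wrong case.
    for p in keytab_principals:
        if p.lower() == expected.lower():
            return f"case-mismatch: keytab has {p}, clients will request {expected}"
    service, _, realm = expected.partition("@")
    for p in keytab_principals:
        p_service, _, p_realm = p.partition("@")
        if p_service == service and p_realm != realm:
            return f"realm-mismatch: keytab has {p}, expected realm {realm}"
    return f"missing: no {service} entry in keytab"


if __name__ == "__main__":
    want = expected_principal("https://diamond.subnet2.ibm.com", "IBM.COM")
    print("expected:", want)
    print(diagnose(want, parse_klist(SAMPLE_KLIST_OUTPUT)))
```

Feed it the real output of `klist -k -t /var/pdweb/keytab-diamond/diamon_HTTP.keytab` (the keytab path the notes use) and the URL from the browser's address bar; a case-mismatch result means regenerating the keytab with ktpass using the exact realm spelling, not changing anything on the client.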


WebSEAL screws up paths in cookies

Check the junction settings for how cookies are processed. If everything else fails, add the entry mangle-path-into-cookie-name = yes to webseald.conf; the entry must be under the junction stanza.

SMS configuration troubleshooting

If smscfg hangs with a blank screen titled "configuration of the session management server is in progress", make sure the DSess application, the application server and the cluster have all started before you configure the application. If it still fails, uninstall and redeploy the DSess app to the server.

Troubleshooting plumtree portal behind webseal

I've found a way to correct the issue with the reports and the client accounts

I added a special tag before the window.location in the JavaScript that tells the portal not to transform the URL. Plumtree has a bunch of tags that you can insert into your HTML/JavaScript that basically issue commands to the portal; the portal parses them and acts accordingly. You probably noticed the pt_###.transformURL around the URL. The portal added that automatically, although we sometimes have to code it manually. In this case we didn't need it, so I was able to disable it.

@Troubleshooting @TAM