Policy returns bad content type = text/html;charset=UTF-8

Hi
Loopback driver subscriber policy returns an error:

DirXML Log Event -------------------
Driver: \XXX\XXX\services\idm452\Entitlements Loopback
Channel: Subscriber
Status: Error
Message: Code(-9205) Error in vnd.nds.stream://xxx/xxx/services/idm452/Entitlements Loopback/Subscriber/SubEventXform-Roles#XmlData:59 : Couldn't request assignment of role: 'CN=my-role,CN=Application Access,CN=Level,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=idm452,OU=services,O=netiq' to identity: 'CN=novel.novell,OU=Active,OU=People,O=netiq': com.novell.nds.dirxml.soap.UserAppClientException: java.lang.RuntimeException: java.io.IOException: bad content type = text/html;charset=UTF-8; Received Content:

In the policy I am using the DTD below. Should I use content type = text/xml?

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "E:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201711090043\DTD\dirxmlscript4.6.2.dtd"><policy>
  • c-pkalla;2480033 wrote:
    Hi
    Loopback driver subscriber policy returns an error:

    DirXML Log Event -------------------
    Driver: \XXX\XXX\services\idm452\Entitlements Loopback
    Channel: Subscriber
    Status: Error
    Message: Code(-9205) Error in vnd.nds.stream://xxx/xxx/services/idm452/Entitlements Loopback/Subscriber/SubEventXform-Roles#XmlData:59 : Couldn't request assignment of role: 'CN=my-role,CN=Application Access,CN=Level,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=idm452,OU=services,O=netiq' to identity: 'CN=novel.novell,OU=Active,OU=People,O=netiq': com.novell.nds.dirxml.soap.UserAppClientException: java.lang.RuntimeException: java.io.IOException: bad content type = text/html;charset=UTF-8; Received Content:

    In the policy I am using the DTD below. Should I use content type = text/xml?

    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "E:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201711090043\DTD\dirxmlscript4.6.2.dtd"><policy>


    Can we see the trace leading up to this? And a full view of the XML for this policy set?

    The <!DOCTYPE...> node there is from Designer, and is not part of your problem.
  • Is it possible to give me your personal email? I will send you the logs and policy. Send me a test mail to naidu.books@gmail.com
  • On 4/30/2018 3:44 PM, c-pkalla wrote:
    >
    > Is it possible to give me your personal email? I will send you the logs
    > and policy. Send me a test mail to naidu.books@gmail.com


    This looks like the SOAP event it is sending from the Do-Start-Workflow
    token is missing something. Is there something in between?

    As David suggests post some sanitized trace. Like the entire
    do-start-workflow call in trace and perhaps we will see more of a hint
    there.


  • [05/01/18 14:19:57.827]:loop ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.2.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify cached-time="20180501181957.757Z" class-name="User" event-id="OACTCAPS0017#20180501181957#1#3:50c68d0e-8a2a-4c8a-a4df-0e8dc6502a8a" qualified-src-dn="O=NetIQ\OU=People\OU=Active\CN=kp.idmupgrade" src-dn="\NetIQ-IDV-TEST\NetIQ\People\Active\kp.idmupgrade" src-entry-id="56472" timestamp="1525198797#3">
    <modify-attr attr-name="nrfMemberOf">
    <add-value>
    <value timestamp="1525198797#3" type="dn">\NetIQ-IDV-TEST\NetIQ\services\idm361\UserApplication\AppConfig\RoleConfig\RoleDefs\Level10\Application Access\cj-users</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [05/01/18 14:19:57.829]:loop ST:Applying policy: % CCSubEventXform-ExclusiveRoles%-C.
    [05/01/18 14:19:57.829]:loop ST: Applying to modify #1.
    [05/01/18 14:19:57.829]:loop ST: Evaluating selection criteria for rule 'If assigning CH, revoke CJ'.
    [05/01/18 14:19:57.829]:loop ST: (if-op-attr 'nrfMemberOf' equal "\NetIQ-IDV-TEST\NetIQ\services\idm361\UserApplication\AppConfig\RoleConfig\RoleDefs\Level20\Application Access\ch-users") = FALSE.
    [05/01/18 14:19:57.830]:loop ST: Rule rejected.
    [05/01/18 14:19:57.830]:loop ST: Evaluating selection criteria for rule 'If assigning CJ, revoke CH'.
    [05/01/18 14:19:57.830]:loop ST: (if-op-attr 'nrfMemberOf' equal "\NetIQ-IDV-TEST\NetIQ\services\idm361\UserApplication\AppConfig\RoleConfig\RoleDefs\Level10\Application Access\cj-users") = TRUE.
    [05/01/18 14:19:57.831]:loop ST: Query from policy
    [05/01/18 14:19:57.831]:loop ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.2.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <query class-name="User" dest-dn="\NetIQ-IDV-TEST\NetIQ\People\Active\kp.idmupgrade" dest-entry-id="56472" scope="entry">
    <read-attr attr-name="nrfMemberOf"/>
    </query>
    </input>
    </nds>
    [05/01/18 14:19:57.832]:loop ST: Pumping XDS to eDirectory.
    [05/01/18 14:19:57.832]:loop ST: Performing operation query for \NetIQ-IDV-TEST\NetIQ\People\Active\kp.idmupgrade.
    [05/01/18 14:19:57.832]:loop ST: --JCLNT-- \NetIQ-IDV-TEST\NetIQ\services\idm361\Entitlements Loopback : Duplicating : context = 1774321813, tempContext = 1774321790
    [05/01/18 14:19:57.834]:loop ST: --JCLNT-- \NetIQ-IDV-TEST\NetIQ\services\idm361\Entitlements Loopback : Calling free on tempContext = 1774321790
    [05/01/18 14:19:57.834]:loop ST: Query from policy result
    [05/01/18 14:19:57.834]:loop ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.2.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <instance class-name="User" qualified-src-dn="O=NetIQ\OU=People\OU=Active\CN=kp.idmupgrade" src-dn="\NetIQ-IDV-TEST\NetIQ\People\Active\kp.idmupgrade" src-entry-id="56472">
    <attr attr-name="nrfMemberOf">
    <value timestamp="1525100726#14" type="dn">\NetIQ-IDV-TEST\NetIQ\services\idm361\UserApplication\AppConfig\RoleConfig\RoleDefs\Level20\Application Access\ch-users</value>
    <value timestamp="1525198797#3" type="dn">\NetIQ-IDV-TEST\NetIQ\services\idm361\UserApplication\AppConfig\RoleConfig\RoleDefs\Level10\Application Access\cj-users</value>
    </attr>
    </instance>
    <status level="success"></status>
    </output>
    </nds>
    [05/01/18 14:19:57.840]:loop ST: (if-src-attr 'nrfMemberOf' equal "\NetIQ-IDV-TEST\NetIQ\services\idm361\UserApplication\AppConfig\RoleConfig\RoleDefs\Level20\Application Access\ch-users") = TRUE.
    [05/01/18 14:19:57.840]:loop ST: Rule selected.
    [05/01/18 14:19:57.840]:loop ST: Applying rule 'If assigning CJ, revoke CH'.
    [05/01/18 14:19:57.840]:loop ST: Action: do-remove-role(id="cn=NetIQ,ou=serviceaccounts,o=NetIQ",role-id="CN=ch-users,CN=Application Access,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=idm361,OU=services,O=NetIQ",time-out="300000",url="https://www.NETIQ.com/IDMProv",arg-password(token-named-password("role-admin-user-pwd"))).
    [05/01/18 14:19:57.841]:loop ST: arg-password(token-named-password("role-admin-user-pwd"))
    [05/01/18 14:19:57.841]:loop ST: token-named-password("role-admin-user-pwd")
    [05/01/18 14:19:57.842]:loop ST: Retrieving password value for named password 'role-admin-user-pwd'.
    [05/01/18 14:19:57.842]:loop ST: Token Value: "-- suppressed --".
    [05/01/18 14:19:57.843]:loop ST: Arg Value: "-- suppressed --".
    [05/01/18 14:19:57.980]:loop ST:
    DirXML Log Event -------------------
    Driver: \NetIQ-IDV-TEST\NetIQ\services\idm361\Entitlements Loopback
    Channel: Subscriber
    Status: Error
    Message: Code(-9206) Error in vnd.nds.stream://NetIQ-IDV-TEST/NetIQ/services/idm361/Entitlements Loopback/Subscriber/SubEventXform-ExclusiveRoles#XmlData:29 : Couldn't request revocation of role: 'CN=ch-users,CN=Application Access,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=idm361,OU=services,O=NetIQ' from identity 'CN=kp.idmupgrade,OU=Active,OU=People,O=NetIQ': com.novell.nds.dirxml.soap.UserAppClientException: java.lang.RuntimeException: java.io.IOException: bad content type = text/html;charset=UTF-8; Received Content:

    [05/01/18 14:19:57.999]:loop ST: Evaluating selection criteria for rule 'If assigning History, revoke Photos'.
    [05/01/18 14:19:57.999]:loop ST: (if-op-attr 'nrfMemberOf' equal "\NetIQ-IDV-TEST\NetIQ\services\idm361\UserApplication\AppConfig\RoleConfig\RoleDefs\Level10\Application Access\PennDOT Photos Users") = FALSE.
    [05/01/18 14:19:58.000]:loop ST: Rule rejected.
  • > [05/01/18 14:19:57.840]:loop ST: Applying rule 'If assigning CJ,
    > revoke CH'.
    > [05/01/18 14:19:57.840]:loop ST: Action:
    > do-remove-role(id="cn=NetIQ,ou=serviceaccounts,o=NetIQ",role-id="CN=ch-users,CN=Application
    > Access,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=idm361,OU=services,O=NetIQ",time-out="300000",url="https://www.NETIQ.com/IDMProv",arg-password(token-named-password("role-admin-user-pwd"))).
    > [05/01/18 14:19:57.841]:loop ST:
    > arg-password(token-named-password("role-admin-user-pwd"))
    > [05/01/18 14:19:57.841]:loop ST:
    > token-named-password("role-admin-user-pwd")
    > [05/01/18 14:19:57.842]:loop ST: Retrieving password value
    > for named password 'role-admin-user-pwd'.
    > [05/01/18 14:19:57.842]:loop ST: Token Value: "-- suppressed
    > --".
    > [05/01/18 14:19:57.843]:loop ST: Arg Value: "-- suppressed --".
    > [05/01/18 14:19:57.980]:loop ST:
    > DirXML Log Event -------------------
    > Driver: \NetIQ-IDV-TEST\NetIQ\services\idm361\Entitlements
    > Loopback
    > Channel: Subscriber
    > Status: Error
    > Message: Code(-9206) Error in
    > vnd.nds.stream://NetIQ-IDV-TEST/NetIQ/services/idm361/Entitlements Loopback/Subscriber/SubEventXform-ExclusiveRoles#XmlData:29
    > : Couldn't request revocation of role: 'CN=ch-users,CN=Application
    > Access,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=idm361,OU=services,O=NetIQ'
    > from identity 'CN=kp.idmupgrade,OU=Active,OU=People,O=NetIQ':
    > com.novell.nds.dirxml.soap.UserAppClientException:
    > java.lang.RuntimeException: java.io.IOException: bad content type =
    > text/html;charset=UTF-8; Received Content:


    So I would say that the SOAP endpoint you are pointing at (the UA
    instance) is returning text/html instead of text/xml, which makes me
    think you hit a 404 HTML page instead of the SOAP endpoint.

    So you nicely obfuscated the trace, I assume the end point
    https://www.NETIQ.com/IDMProv when translated back to your normal
    environment can be tested to see what is returned? I THINK the token
    adds on the needed /role/service or /resource/service to the URL.

    You are running IDM 4.6.2 from the trace so I wonder if this changed in
    between revs? Try with the full URL to the SOAP endpoint? But I think
    /IDMProv is sufficient.

    Did you set up OSP since this is 4.6.2?

  • In the IDV JRE path I did add the reverse proxy snet cert. Do I have to add osp.der?

    In the logs I can only see the URL https://www.snet.com/IDMProv, nothing is added after IDMProv. Do I have to add /role/service or /resource/service to the Userapp URL?
    See my policy rule:
    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "E:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201711090043\DTD\dirxmlscript4.6.2.dtd"><policy>
      <rule>
        <description>If assigning CH, revoke CJ</description>
        <comment xml:space="preserve">If assigning CH, revoke CJ</comment>
        <conditions>
          <and>
            <if-op-attr mode="nocase" name="nrfMemberOf" op="equal">\~dirxml.auto.treename~\NetIQ\services\idm361\UserApplication\AppConfig\RoleConfig\RoleDefs\Level20\Application Access\ch-users</if-op-attr>
            <if-src-attr mode="nocase" name="nrfMemberOf" op="equal">\~dirxml.auto.treename~\NetIQ\services\idm361\UserApplication\AppConfig\RoleConfig\RoleDefs\Level10\Application Access\cj-users</if-src-attr>
          </and>
        </conditions>
        <actions>
          <do-remove-role id="~role-admin-user~" role-id="CN=cj-users,CN=Application Access,CN=Level10,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=idm361,OU=services,O=NetIQ" time-out="300000" url="~user-app-url~">
            <arg-password>
              <token-named-password name="role-admin-user-pwd"/>
            </arg-password>
          </do-remove-role>
        </actions>
      </rule>
    </policy>
  • On 5/1/2018 4:56 PM, c-pkalla wrote:
    >
    > IDV jre path, I did add Reverse proxy snet Cert. do I have to add
    > osp.der?


    I do not yet think this is the issue. But maybe it is... I would use
    SOAP UI and try to make the call:

    <soapenv:Envelope
    xmlns:soapenv="schemas.xmlsoap.org/.../"
    xmlns:ser="www.novell.com/.../service">
    <soapenv:Header/>
    <soapenv:Body>
    <ser:requestRolesAssignmentRequest>
    <!--Optional:-->
    <ser:assignRequest>
    <!--type: RoleAssignmentActionType - enumeration:
    [grant,revoke,extend]-->
    <ser:actionType>grant</ser:actionType>
    <!--type: RoleAssignmentType - enumeration:
    [USER_TO_ROLE,GROUP_TO_ROLE,ROLE_TO_ROLE,CONTAINER_TO_ROLE,CONTAINER_WITH_SUBTREE_TO_ROLE]-->
    <ser:assignmentType>USER_TO_ROLE</ser:assignmentType>
    <!--type: string-->
    <!--type: dateTime-->
    <!-- <ser:effectiveDate/>
    -->
    <!--type: dateTime-->
    <ser:expirationDate>2017-01-12T00:00:00Z</ser:expirationDate>
    <!--type: string-->

    <ser:identity>cn=geoffc,ou=admins,ou=system,o=acme</ser:identity>
    <!--type: string-->

    <ser:originator>cn=geoffc,ou=admins,ou=system,o=acme</ser:originator>
    <!--type: string-->
    <ser:reason>Because I want to</ser:reason>
    <ser:roles>
    <!--Zero or more repetitions:-->
    <ser:dnstring>
    <!--type: string-->

    <ser:dn>cn=RL10-AD-PLC-BusinessDevelopmentUsers,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=dset,ou=idm,ou=system,o=acme</ser:dn>
    </ser:dnstring>
    </ser:roles>
    <ser:sodOveridesRequested>
    <!--Zero or more repetitions:-->
    </ser:sodOveridesRequested>
    </ser:assignRequest>
    </ser:requestRolesAssignmentRequest>
    </soapenv:Body>
    </soapenv:Envelope>

    The actionType is 'revoke' vs 'grant' or 'extend' for removing a role.

    This is what the engine is calling. I would see what SOAP UI sees, it
    will show you the HTML that is being returned. Then you can troubleshoot.


    > at logs only i can see the URL https://www.snet.com/IDMProv nothing
    > added after IDMProv. Do I have to add /role/service or
    > /resource/service? Userapp URL
    > see my policy rule
    > <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC
    > "policy-builder-dtd"
    > "E:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201711090043\DTD\dirxmlscript4.6.2.dtd"><policy>
    > <rule>
    > <description>If assigning CH, revoke CJ</description>
    > <comment xml:space="preserve">If assigning CH, revoke CJ</comment>
    > <conditions>
    > <and>
    > <if-op-attr mode="nocase" name="nrfMemberOf"
    > op="equal">\~dirxml.auto.treename~\NetIQ\services\idm361\UserApplication\AppConfig\RoleConfig\RoleDefs\Level20\Application
    > Access\ch-users</if-op-attr>
    > <if-src-attr mode="nocase" name="nrfMemberOf"
    > op="equal">\~dirxml.auto.treename~\NetIQ\services\idm361\UserApplication\AppConfig\RoleConfig\RoleDefs\Level10\Application
    > Access\cj-users</if-src-attr>
    > </and>
    > </conditions>
    > <actions>
    > <do-remove-role id="~role-admin-user~"
    > role-id="CN=cj-users,CN=Application
    > Access,CN=Level10,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=idm361,OU=services,O=NetIQ"
    > time-out="300000" url="~user-app-url~">
    > <arg-password>
    > <token-named-password name="role-admin-user-pwd"/>
    > </arg-password>
    > </do-remove-role>
    > </actions>
    > </rule>
    >
    >
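
    Geoff's suggestion to make the same call from SOAP UI and look at the HTML that comes back can be scripted. The Python below is an added example, not code from this thread or from NetIQ: it builds the requestRolesAssignmentRequest envelope shown above, posts it with Basic Auth, and instead of stopping at "bad content type" it classifies the reply as a parsed SOAP result, a SOAP fault, or an HTML page (reporting the page's title and whether it looks like a login/MFA page from a gateway in front of the endpoint or a 404). The role-service namespace URL, the form field names in the constructed HTML page, the sample DNs and the /IDMProv/role/service path (following the thread's statement that the engine appends /role/service to the User Application URL) are all assumptions.

```python
"""Added example: explain a 'bad content type' reply from the RBPM role SOAP endpoint.

Not code from the thread or from NetIQ. The engine token only reports
"bad content type = text/html"; this script shows what actually came back.
"""
import base64
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAPENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Assumed: namespace of the RBPM role web service (elided in the thread's envelope).
ROLE_NS = "http://www.novell.com/role/service"
ET.register_namespace("soapenv", SOAPENV_NS)
ET.register_namespace("ser", ROLE_NS)


def build_role_request(action, identity, originator, role_dns, reason="policy"):
    """Build the requestRolesAssignmentRequest envelope; action is grant, revoke or extend."""
    def tag(ns, name):
        return "{%s}%s" % (ns, name)

    env = ET.Element(tag(SOAPENV_NS, "Envelope"))
    ET.SubElement(env, tag(SOAPENV_NS, "Header"))
    body = ET.SubElement(env, tag(SOAPENV_NS, "Body"))
    req = ET.SubElement(body, tag(ROLE_NS, "requestRolesAssignmentRequest"))
    assign = ET.SubElement(req, tag(ROLE_NS, "assignRequest"))
    ET.SubElement(assign, tag(ROLE_NS, "actionType")).text = action
    ET.SubElement(assign, tag(ROLE_NS, "assignmentType")).text = "USER_TO_ROLE"
    ET.SubElement(assign, tag(ROLE_NS, "identity")).text = identity
    ET.SubElement(assign, tag(ROLE_NS, "originator")).text = originator
    ET.SubElement(assign, tag(ROLE_NS, "reason")).text = reason
    roles = ET.SubElement(assign, tag(ROLE_NS, "roles"))
    for dn in role_dns:
        ET.SubElement(ET.SubElement(roles, tag(ROLE_NS, "dnstring")), tag(ROLE_NS, "dn")).text = dn
    ET.SubElement(assign, tag(ROLE_NS, "sodOveridesRequested"))
    return ET.tostring(env, encoding="unicode")


def classify_response(content_type, body):
    """Explain a reply: parsed SOAP, SOAP fault, HTML page (login/MFA or 404), or unknown."""
    mime = content_type.split(";")[0].strip().lower()
    if mime in ("text/xml", "application/xml", "application/soap+xml"):
        try:
            root = ET.fromstring(body)
        except ET.ParseError as exc:
            return {"kind": "unknown", "detail": "unparseable XML: %s" % exc}
        fault = root.find(".//{%s}Fault" % SOAPENV_NS)
        if fault is not None:  # SOAP 1.1 faultstring is unqualified
            return {"kind": "soap-fault", "detail": fault.findtext("faultstring", default="")}
        soap_body = root.find("{%s}Body" % SOAPENV_NS)
        first = next(iter(soap_body), None) if soap_body is not None else None
        return {"kind": "soap", "detail": first.tag.split("}")[-1] if first is not None else ""}
    if mime == "text/html":
        m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
        title = m.group(1).strip() if m else "(no <title>)"
        if re.search(r"login|password|otp|authenticat", body, re.I):
            hint = "HTML login/MFA page: an access gateway (e.g. NAM) answered instead of the SOAP endpoint"
        else:
            hint = "HTML error page (404?): check the endpoint URL"
        return {"kind": "html", "detail": title, "hint": hint}
    return {"kind": "unknown", "detail": mime}


def call_role_service(url, username, password, envelope, timeout=30):
    """POST with Basic Auth (what the engine uses, per the thread) and classify the reply.
    url is the full service URL, e.g. https://<host>/IDMProv/role/service (assumed path)."""
    creds = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(
        url, data=envelope.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml;charset=UTF-8", "SOAPAction": "",
                 "Authorization": "Basic " + creds})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.headers.get("Content-Type", ""),
                                     resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx bodies are the interesting part
        return classify_response(err.headers.get("Content-Type", ""),
                                 err.read().decode("utf-8", "replace"))


# Constructed samples (not captured from the thread's systems).
SAMPLE_LOGIN_PAGE = (
    '<html><head><title>Access Manager Login</title></head><body>'
    '<form><input name="username"/><input name="password" type="password"/>'
    '<input name="otp"/></form></body></html>'
)
SAMPLE_SOAP_OK = (
    '<soapenv:Envelope xmlns:soapenv="%s" xmlns:ser="%s"><soapenv:Body>'
    '<ser:requestRolesAssignmentResponse><ser:result><ser:string>req-0001</ser:string>'
    '</ser:result></ser:requestRolesAssignmentResponse></soapenv:Body></soapenv:Envelope>'
    % (SOAPENV_NS, ROLE_NS)
)
SAMPLE_SOAP_FAULT = (
    '<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body><soapenv:Fault>'
    '<faultcode>soapenv:Server</faultcode><faultstring>Role not found</faultstring>'
    '</soapenv:Fault></soapenv:Body></soapenv:Envelope>' % SOAPENV_NS
)

if __name__ == "__main__":
    print(build_role_request("revoke", "cn=user1,ou=people,o=example",
                             "cn=roleadmin,ou=sa,o=example",
                             ["cn=ch-users,cn=Level20,cn=RoleDefs,o=example"]))
    for ctype, body in (("text/html;charset=UTF-8", SAMPLE_LOGIN_PAGE),
                        ("text/xml;charset=UTF-8", SAMPLE_SOAP_OK),
                        ("text/xml;charset=UTF-8", SAMPLE_SOAP_FAULT)):
        print(ctype, "->", classify_response(ctype, body))
```

    The offline samples at the bottom reproduce the two situations in this thread: XML from the real endpoint, and an HTML login page handed back by something in front of it. Against a live system, call_role_service() with the same envelope reports which of the two you are getting and the page title, which is the detail the engine's error message leaves out.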


  • The problem is the URL. The IDMProv URL recently implemented 2-way authentication. A NAM path-based contract applied ID/pwd + OTP code, so in that case it is failing. I removed the OTP contract from the NAM PR. It is working as expected.
    https://www.snet.com/IDMProv/role/service Can I use this URL instead of IDMProv? I can exclude this path from the OTP contract.
    https://www.snet.com/IDMProv/resource/service
  • c-pkalla;2480240 wrote:
    The problem is the URL. The IDMProv URL recently implemented 2-way authentication. A NAM path-based contract applied ID/pwd + OTP code, so in that case it is failing. I removed the OTP contract from the NAM PR. It is working as expected.
    https://www.snet.com/IDMProv/role/service Can I use this URL instead of IDMProv? I can exclude this path from the OTP contract.
    https://www.snet.com/IDMProv/resource/service


    Ah, that would do it. Hadn't considered suddenly having NAM with MFA show up in front of the RBPM like that. Would be nice if they'd dump out a more helpful message at that point, even just the raw HTML would have helped figure that out pretty quickly.

    As Geoff says, from what I recall, you give the IDM token the https://www.snet.com/IDMProv URL and it tacks on the /role/service or /resource/service as needed. So, yeah, if you can except those from NAM processing, that should help.
  • On 5/2/2018 9:36 AM, dgersic wrote:
    >
    > c-pkalla;2480240 Wrote:
    >> The problem is the URL. The IDMProv URL recently implemented 2-way
    >> authentication. A NAM path-based contract applied ID/pwd + OTP code, so in
    >> that case it is failing. I removed the OTP contract from the NAM PR. It is working as
    >> expected.
    >> https://www.snet.com/IDMProv/role/service Can I use this URL instead of
    >> IDMProv? I can exclude this path from the OTP contract.
    >> https://www.snet.com/IDMProv/resource/service

    >
    > Ah, that would do it. Hadn't considered suddenly having NAM with MFA
    > show up in front of the RBPM like that. Would be nice if they'd dump out
    > a more helpful message at that point, even just the raw HTML would have
    > helped figure that out pretty quickly.


    Agreed. The HTML text would have been useful.

    Oh just realized, betcha it is held in the local variable
    error.do-add-role or whatever it is for this token.

    Agreed, trace it, and store it in the variable, since it now takes code
    to see the message, we should just see it in trace.


    > As Geoff says, from what I recall, you give the IDM token the
    > https://www.snet.com/IDMProv URL and it tacks on the /role/service or
    > /resource/service as needed. So, yeah, if you can except those from NAM
    > processing, that should help.


    This is why switching to https://10.1.1.1:8443/IDMProv works better,
    since that skips NAM proxy redirect/rewrite/whatever and since UA's SOAP
    is using Basic Auth anyway not OSP it should let you in. But that is
    not really a solution.