Anonymous_User Absent Member.

Contracts missing TOPR and modifies are not updating MAGs


We have raised a support call for the following but thought I would post
it and keep it updated in case anybody else has the same issue.

We went live with a new implementation of NAM 4.0.1-88 two weeks ago.
Consoles and NIDPs are running on RHEL 6.4 64bit.
MAGs are 64bit Virtual appliances.
Post go live we had reports from users saying they were getting random
behaviour where after a relatively short time of inactivity (comfortably
less than 30 minutes) the user's session would become useless. The
browser instance (IE 8) would be unable to re-authenticate or navigate
to any of the NAM domains.
After doing some investigation I discovered the sessions were seeing
soft timeouts occur well before they should be (Contract's
"Authentication Timeout" are set to 240 minutes).
After some further digging I located the following TID which explains
what appears to be similar behaviour to our current symptoms:


*https://www.netiq.com/support/kb/doc.php?id=7011596*


We found that the same issue applied to us where there were no TOPR values
for AuthContractTimeout and AuthContractRefreshRate.
We DID NOT apply the patch to Prod.

The contracts on new NAM were LDIF exported from the previous NAM 3.0.4
and imported to NAM 4.0.1-88. This process was provided by NetIQ
consulting.

To resolve the issue quickly on the MAGs we edited
/opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml and
added to each of the problem contracts
AuthContractTimeout="240" AuthContractRefreshRate="168"

Then did a /etc/init.d/novell-ac restart and verified that
/opt/novell/nam/mag/webapps/agm/WEB-INF/config/apache2/NovellAgSettings.conf
was updated.

This solved the issue for the time being.

However after more testing in our DEV environment I have found an issue
with the Contract timeouts not updating after the initial creation and
application to a reverse proxy protected resource.
This goes for the existing and new Contracts.
Here is what we see:
1. Create new Class, Method and Contract based on Secure
Name/Password – Form

2. In the Contract I set the Authentication Timeout to 60mins.

3. Apply the Contract to a Project Resource on the MAGs

4. Admin console Auditing -> Troubleshooting -> Configuration ->
Cached Access Gateway Configurations both the cluster and Nodes shows:

5. <AuthenticationProcedure
AuthProcedureID="authprocedure_Secure_Name_Password___Form___Aaron"
Name="Secure Name/Password - Form - Aaron" SelectedOption="idp"
UserInterfaceID="authprocedure_Secure_Name_Password___Form___Aaron"
LastModified="4294967295" LastModifiedBy="String"
*AuthContractTimeout="60" AuthContractRefreshRate="0"*>

6. On the MAGs the
/opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml file
shows
*AUTHCONTRACTTIMEOUT=\"60\"* *AUTHCONTRACTREFRESHRATE=\"0\"*
7. An LDAP browser shows nidsACTimeout=*60*,nidsACRefreshRate=*0*

8. Change the Contract’s Authentication Timeout to *120* mins

9. Update the NIDP and NESP

10. An LDAP browser shows nidsACTimeout=*120*,nidsACRefreshRate=*0*

11. Admin console Auditing -> Troubleshooting -> Configuration ->
Cached Access Gateway Configurations both the cluster and Nodes shows:

12. <AuthenticationProcedure
AuthProcedureID="authprocedure_Secure_Name_Password___Form___Aaron"
Name="Secure Name/Password - Form - Aaron" SelectedOption="idp"
UserInterfaceID="authprocedure_Secure_Name_Password___Form___Aaron"
LastModified="4294967295" LastModifiedBy="String"
*AuthContractTimeout="60" AuthContractRefreshRate="0"*>

13. On the MAGs the
/opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml file
shows
AUTHCONTRACTTIMEOUT=\"60\" AUTHCONTRACTREFRESHRATE=\"0\"

This shows the Timeouts have not been applied to the MAGs.


--
aaronsayer
------------------------------------------------------------------------
aaronsayer's Profile: https://forums.netiq.com/member.php?userid=500
View this thread: https://forums.netiq.com/showthread.php?t=51895
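
The manual comparison in the steps above (store value versus what the gateway config actually carries), as an added Python example that is not part of the original post or of any NetIQ tooling. The two extra contract names, the sample text, and passing the nidsACTimeout values in as a dict are assumptions; the real config.xml layout may differ.

```python
import re

# Attributes the thread found missing on migrated contracts.
REQUIRED = ("AuthContractTimeout", "AuthContractRefreshRate")
ELEMENT_RE = re.compile(r"<AuthenticationProcedure\b(.*?)>", re.S)
# Accepts plain quotes and the backslash-escaped form (\"60\") quoted in the post.
ATTR_RE = re.compile(r'([\w:.-]+)\s*=\s*\\?"(.*?)\\?"', re.S)

def parse_procedures(config_text):
    """Return {contract Name: {lower-cased attribute: value}}."""
    procedures = {}
    for match in ELEMENT_RE.finditer(config_text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(match.group(1))}
        procedures[attrs.get("name", attrs.get("authprocedureid", "?"))] = attrs
    return procedures

def audit(config_text, store_timeouts):
    """Compare gateway config with store values (Name -> nidsACTimeout minutes)."""
    findings = []
    procs = parse_procedures(config_text)
    for name, attrs in sorted(procs.items()):
        for req in REQUIRED:
            if req.lower() not in attrs:
                findings.append((name, "missing " + req))
        want = store_timeouts.get(name)
        have = attrs.get("authcontracttimeout")
        if want is not None and have is not None and have.strip() != str(want):
            findings.append((name, "stale AuthContractTimeout: gateway=%s store=%s" % (have, want)))
    for name in sorted(set(store_timeouts) - set(procs)):
        findings.append((name, "not present in gateway config"))
    return findings

# Constructed sample: the first element mirrors the one quoted in the post,
# the other two contracts are hypothetical.
SAMPLE_CONFIG = r'''
<AuthenticationProcedure AuthProcedureID="authprocedure_Secure_Name_Password___Form___Aaron"
  Name="Secure Name/Password - Form - Aaron" SelectedOption="idp"
  AuthContractTimeout="60" AuthContractRefreshRate="0">
<AuthenticationProcedure AuthProcedureID="authprocedure_migrated" Name="Migrated Contract"
  SelectedOption="idp">
<AuthenticationProcedure AuthProcedureID=\"authprocedure_ok\" Name=\"Healthy Contract\"
  AuthContractTimeout=\"240\" AuthContractRefreshRate=\"168\">
'''
SAMPLE_STORE = {"Secure Name/Password - Form - Aaron": 120,
                "Migrated Contract": 240, "Healthy Contract": 240}

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_CONFIG, SAMPLE_STORE):
        print("%s: %s" % (name, problem))
```
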

Anonymous_User Absent Member.

Re: Contracts missing TOPR and modifies are not updating MAGs

aaronsayer wrote:


> 13. On the MAGs the
> /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml file
> shows
> AUTHCONTRACTTIMEOUT=\"60\" AUTHCONTRACTREFRESHRATE=\"0\"
>
> This shows the Timeouts have not been applied to the MAGs.


What do you see in the jcc logs when you apply an update of this type?
Any errors?


--
Cheers,
Edward
Anonymous_User Absent Member.

Re: Contracts missing TOPR and modifies are not updating MAGs


Hi Ed,
there are no errors in the jcc logs.
It does not appear the contract changes even get that far.
When you make a change to a contract, the changes are not reflected on
the console in either the node or the cluster config:
Admin console Auditing -> Troubleshooting -> Configuration -> Cached
Access Gateway Configurations

Another interesting point on the AuthContractRefreshRate.
I'm guessing this is the Soft Timeout of the contract and in our new
environment this for some reason is always set to zero.
If I use an LDAP browser to edit the contract's nidsACRefreshRate and
change it to say 66% of the hard timeout.
Then make a change to the "Contract’s Authentication Timeout" in the
console, the nidsACRefreshRate always gets set back to zero.

I'm thinking this is a bug.


--
aaronsayer
------------------------------------------------------------------------
aaronsayer's Profile: https://forums.netiq.com/member.php?userid=500
View this thread: https://forums.netiq.com/showthread.php?t=51895

Anonymous_User Absent Member.

Re: Contracts missing TOPR and modifies are not updating MAGs

aaronsayer wrote:

>
> Hi Ed,
> there are no errors in the jcc logs.
> It does not appear the contract changes even get that far.
> When you make a change to a contract, the changes are not reflected on
> the console in either the node or the cluster config:
> Admin console Auditing -> Troubleshooting -> Configuration -> Cached
> Access Gateway Configurations
>
> Another interesting point on the AuthContractRefreshRate.
> I'm guessing this is the Soft Timeout of the contract and in our new
> environment this for some reason is always set to zero.
> If I use an LDAP browser to edit the contract's nidsACRefreshRate and
> change it to say 66% of the hard timeout.
> Then make a change to the "Contract's Authentication Timeout" in the
> console, the nidsACRefreshRate always gets set back to zero.
>
> I'm thinking this is a bug.


Can you send me the LDIF of your contracts, methods and classes? I
don't think it's a bug given that I don't think there have been any
other posts about it.

--
Cheers,
Edward
Anonymous_User Absent Member.

Re: Contracts missing TOPR and modifies are not updating MAGs


Thanks Ed,
I have emailed them to you.

AS


--
aaronsayer
------------------------------------------------------------------------
aaronsayer's Profile: https://forums.netiq.com/member.php?userid=500
View this thread: https://forums.netiq.com/showthread.php?t=51895

Anonymous_User Absent Member.

Re: Contracts missing TOPR and modifies are not updating MAGs


Update:
Looks like our import/export process broke some of the back end object
links in eDirectory.
Creating a new IDP Cluster, creating identical contracts, then pulling
one of the MAGs out of the old cluster, creating a new cluster, and
everything looks good.
We are testing the process in DEV at the moment but all looking good so
far.


--
aaronsayer
------------------------------------------------------------------------
aaronsayer's Profile: https://forums.netiq.com/member.php?userid=500
View this thread: https://forums.netiq.com/showthread.php?t=51895
