
Unable to load metadata for Embedded Service Provide


Hi,

I was trying to configure NAM; while trying to hit my protected resource I am
getting this issue.
Identity server DNS: mylogin.mycomny.com
Even I am not able to open the URL:
https://mylogin.mycomny.com:8443/nidp/idff/metadata

I have gone through:
http://www.novell.com/coolsolutions/appnote/19456.html
but am unable to troubleshoot the issue.

Logs :
<amLogEntry> 2013-06-17T17:59:07Z DEBUG NIDS Application:
Method: URLUtil.connectToURL
Thread: TP-Processor20
Error connecting to URL Connection refused </amLogEntry>

<amLogEntry> 2013-06-17T17:59:07Z SEVERE NIDS IDFF: AM#100106001:
AMDEVICEID#esp-2415453936188633: Unable to load metadata for Embedded
Service Provider: https://mylogin.mycomny.com:8443/nidp/idff/metadata,
error: Connection refused </amLogEntry>

<amLogEntry> 2013-06-17T17:59:07Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: TP-Processor20

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@6b466679
from cache session succeeded using key 9438ACCF747224E05EF2681FA3769B4A.
Cache size is 3
</amLogEntry>

Any suggestions?

Thanks,
Vaibhav


--
vaibhavkhare
------------------------------------------------------------------------
vaibhavkhare's Profile: https://forums.netiq.com/member.php?userid=5266
View this thread: https://forums.netiq.com/showthread.php?t=47977


Re: Unable to load metadata for Embedded Service Provide

On 18.06.2013 14:54, vaibhavkhare wrote:
>
> Hi,
>
> I was trying to configure NAM, while trying to hi my protected resource
> getting this issue.
> Identity server dns : mylogin.mycomny.com
> even i am not able to open the url :
> https://mylogin.mycomny.com:8443/nidp/idff/metadata


1. Have you changed the port for your identity server? The default on
install is port 8443, but the documentation suggests you should change
it to 443. Try and see if you can connect to
https://mylogin.mycomny.com/nidp/idff/metadata instead

2. Firewalls, default routes etc. Try to access
https://mylogin.mycomny.com:8443/nidp/idff/metadata on the Identity
Server itself.

3. Is the Identity Server actually running? It hasn't crashed or hung
during startup?


--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: Unable to load metadata for Embedded Service Provide


Thanks Alex for your quick reply.
1) I didn't change the port from 443 to 8443; it changed automatically
when I selected the protocol HTTPS instead of HTTP.
2) These logs belong to the Access Gateway, meaning the Access Gateway is
trying to connect for the metadata of the NIS.
3) NIS is working fine.

I guess this issue is related to certificates and the trust root,
but I don't understand why I am not able to ping from my local machine.

Thanks,
Vaibhav


--
vaibhavkhare


Re: Unable to load metadata for Embedded Service Provide


vaibhavkhare;230516 Wrote:
> Thanks Alex for your quick reply.
> 1) I didn't change port from 443 to 8443, its automatically changed
> while selecting protocol from http to https.
> 2) these logs belongs to Access gateway, means access gateway trying to
> connect for metadata of NIS.
> 3) NIS is working fine.
>
> I guess this issue related to certificates and trust root.
> but i don't understand why am i not able to ping from my local machine?
>
> Thanks,
> Vaiabhav


Well if you cannot ping the IDP Metadata server name, that probably
means a DNS problem, and that may explain why your AG isn't connecting
to the IDP either.

The IDP and AG must have DNS resolution for "each other" or else things
won't work.

Along with the other items that Alex mentioned (firewall, etc.).


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=47977


Re: Unable to load metadata for Embedded Service Provide

On 18.06.2013 15:44, kjhurni wrote:
>
> vaibhavkhare;230516 Wrote:
>> Thanks Alex for your quick reply.
>> 1) I didn't change port from 443 to 8443, its automatically changed
>> while selecting protocol from http to https.


Your statement is not correct. Your action in changing from HTTP to
HTTPS did not change the port from 443 to 8443.

>> 2) these logs belongs to Access gateway, means access gateway trying to
>> connect for metadata of NIS.


I understood this. Which is why I asked, have you tested connecting to
the NIDP from other hosts than the Access Gateway? For example a
workstation, from the Identity Server, from the Admin Console server etc.

For example, if you can connect from everywhere except the Access
Gateway, then this narrows the problem down to the Access Gateway.

>> 3) NIS is working fine.


How are you sure of this? What have you done to rule out a problem on
the Identity Server?
Does the Admin console connect fine to the Identity Server?

>> I guess this issue related to certificates and trust root.
>> but i don't understand why am i not able to ping from my local machine?


While it's possible that you may also have certificate issues, the
problem you have described so far is something lower level (DNS,
routing, firewall etc).

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com


Re: Unable to load metadata for Embedded Service Provide


>> Your statement is not correct. Your action in changing from HTTP to
>> HTTPS did not change the port from 443 to 8443.

I am talking about the NIS configuration.
While configuring the NIS cluster using Device->Identity Server->New
Cluster:
Base URL: protocol /Domain:Port/Application

Here, whenever I change the protocol from http to https, the port gets
changed accordingly.
I am also using an SSL certificate for the same.

>> 2) NIS is working fine.

Yes, I have verified from the admin console and the server logs; in the
admin console it is green and the log says the server started.
>> 3) DNS,routing, firewall etc

I am able to ping the NIS domain (mylogin.mycomny.com) from AG, AC and WS.
Actually I have one more test setup where I didn't get this issue and was
able to get the metadata from the IDP on my WS. All the machines are on
the same network.

--
Vaibhav


--
vaibhavkhare

Re: Unable to load metadata for Embedded Service Provide

On 19.06.2013 08:04, vaibhavkhare wrote:
>
>>> Your statement is not correct. Your action in changing from HTTP to
>>> HTTPS did not change the port from 443 to 8443.
>
> I am talking about NIS configuration.
> While configuring NIS cluster using Device->Identity Server->new
> Cluster
> Base URL: protocol /Domain:Port/Application
>
> here whenever i am changing protocol from http to https, port get change
> accordingly.


The port does get changed accordingly, but it doesn't change from 443 to
8443

Instead it changes from 8080 (http) to 8443 (https)

What I was asking is: did you follow the steps to "Translate the
Identity Server Configuration Port" as described here:
https://www.netiq.com/documentation/netiqaccessmanager32/identityserverhelp/data/b6fyxpk.html
?

> I am also using SSL certificate for the same.


You could be right, the issue could be certificate related. However you
need to rule out all the network level problems first.

>>> 2) NIS is working fine.

> Yes i have verified from admin console and server logs, in admin
> consoles its green and log says server started.


Great.

>>> 3) DNS,routing, firewall etc

> I am able ping NIS domain(mylogin.mycomny.com) from AG, AC and WS.
> actually i have one more test setup, there i didn't get this issue and
> able to get metadata from IDP in my WS. all the machines has same
> network.


OK, that is great.

Just to confirm two things: What URL do you use to retrieve the metadata
from IDP on your workstation?

If you try and retrieve the exact same metadata URL from AG manually
does that work?

For example:
curl -k http(s)://mylogin.mycomny.com:8443/nidp/idff/metadata

if that doesn't work on the AG then test

netcat -vv ip-address-of-the-idp 8443

Replace 8443 with whatever port you use to successfully access the
metadata with from your workstation.

If all this works, then enable debug logging via the admin console and
check the LAG logs for any errors related to certificate trust.


--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com


Re: Unable to load metadata for Embedded Service Provide


Hi Alex,

I have used https://mylogin.mycomny.com:8443/nidp/idff/metadata to
retrieve the metadata from the IDP on the WS.
The AG is also using the same DNS name to retrieve the metadata.

While debugging I came to know that telnet 192.100.12.251 8443 is not
working; it gives connection refused.
So how can I know on which port my identity server is running?
I have tried ports 443 and 8080 also, with the same issue.

Is there any other way to know whether NIS is running or not, and on
which port?

--Vaibhav


--
vaibhavkhare

Re: Unable to load metadata for Embedded Service Provide

On 19.06.2013 12:24, vaibhavkhare wrote:
> I have used https://mylogin.mycomny.com:8443/nidp/idff/metadata to
> retrieve metadata from IDP on WS.
> AG also using same DNS to retrieve metadata.


Ok so we've established that the IDP is using SSL and is listening on
port 8443 and that you can connect to it from a host (your workstation)
other than the IDP.

> while debugging i came to know letnet 192.100.12.251 8443 is not
> working, gives connection refused.
> so how can i know in which port my identity server is running?
> i have tried for 443 an 8080 ports also with same issue.


So:

telnet to the IDP (192.100.12.251 8443) gives connection refused (but
where did you telnet from? I'm guessing the AG).

what about the netcat and curl tests I mentioned? Did you try them?

Does your AG have multiple network interfaces?

Does your IDP have multiple network interfaces?

You mentioned earlier that all machines are on the same network. Does
this mean that the IDP on the same IP subnet (192.100.x.x) as the AG?
You also mentioned that you could ping the DNS name of the IDP from the AG.
Did you also try pinging the IP of the IDP from the AG?

Is the Access Gateway an appliance (LAG/MAG) or is this the AGS?

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com


Re: Unable to load metadata for Embedded Service Provide


>> telnet to the IDP (192.100.12.251 8443) gives connection refused (but
>> where did you telnet from? I'm guessing the AG).

Yes i am trying from AG.

>>what about the netcat and curl tests I mentioned? Did you try them?


Tried your recommendation but got the same result: connection refused.

>>Does your AG have multiple network interfaces?


No

>>Does your IDP have multiple network interfaces?


No

>> You mentioned earlier that all machines are on the same network. Does
>> this mean that the IDP on the same IP subnet (192.100.x.x) as the AG?

Yes, all machines (admin console, AG, NIS) are VMs on the
same subnet.
NIS =192.100.12.251
AG =192.100.12.250
ADMC =192.100.12.256

>> You also mentioned that you could ping the DNS of the IDP from the
>> AG.
>> Did you try also pinging the IP of the IDP from the AG.


Yes Alex, I am able to ping all the machines from each other via "putty"
with their DNS names.

>>Is the Access Gateway an appliance (LAG/MAG) or is this the AGS?

I think LAG.

Alex, I have tried iptables -t nat -A PREROUTING -i eth0 -p tcp --dport
443 -j DNAT --to 192.100.12.251:8443 also, but it doesn't work.
I went through the "identityserverhelp" document section "1.5.2 Changing
the Port on a Linux Identity Server" but was not able to find the
/etc/init.d/AM_IDP_Redirect script file on the machine, hence I used the
above approach to do so.

Now it has really confused me; I really don't want to re-install NIS. 🙂

--
Vaibhav


--
vaibhavkhare

Re: Unable to load metadata for Embedded Service Provide

On 19.06.2013 14:54, vaibhavkhare wrote:
>>> You mentioned earlier that all machines are on the same network. Does
>>> this mean that the IDP on the same IP subnet (192.100.x.x) as the AG?
>
> Yes all machines like admin console, AG, NIS all are in VM machines on
> same subnet.
> NIS =192.100.12.251
> AG =192.100.12.250
> ADMC =192.100.12.256


I'm assuming this last IP is a mistake, the range for each segment of an
IPv4 address is from 0 to 255, so you can't have an IP of 192.100.12.256

>>> You also mentioned that you could ping the DNS of the IDP from the
>>> AG.
>>> Did you try also pinging the IP of the IDP from the AG.

>
> Yes Alex, I am able to ping all the machines each other via "putty" with
> their DNS.


I said ping via IP rather than DNS. I'm just trying to rule out a name
resolution issue (DNS, local HOSTS file entry) as the cause.

In other words if you can ping from the AG to the NIS via the DNS name
(mylogin.mycomny.com) but can't ping from the AG to the NIS via IP
(192.100.12.251) then you probably have a local host entry on the AG
that is overriding the correct resolution of the DNS name for the NIS.

>>> Is the Access Gateway an appliance (LAG/MAG) or is this the AGS?

> I think LAG.


Okay, I just wanted to check what OS it ran, so it sounds like you are
on Linux.

> Alex, i have tried iptables -t nat -A PREROUTING -i eth0 -p tcp --dport
> 443 -j DNAT --to 192.100.12.251:8443 also but doesn't work.
> gone through "identityserverhelp" document section "1.5.2 Changing the
> Port on a Linux Identity Server" but not able to find
> /etc/init.d/AM_IDP_Redirect script file on machine hence used above
> approach to do so.


Forget about this procedure for now. You can try and do this later when
you have everything else working.

> now its really much confused me, really i don't want re-install NIS. 🙂


I'd check your iptables on the NIS and the AG to ensure there isn't
anything blocking this type of traffic.

iptables -L -n



--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

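The host-level checks Alex lays out across this thread (rule out a hosts-file override of the IDP name, a plain TCP connect on the IDP port, then curl -k against the metadata URL), collected into one script to run on the Access Gateway as an added example; it is not code from the thread or from NetIQ. The IPv4 octet check reflects the 192.100.12.256 point above; nc with -z/-w and curl on the gateway are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from NetIQ): the network-level triage
# Alex walks through, as checks to run on the Access Gateway. Host name, IP and
# port are the thread's values; nc with -z/-w and curl are assumed installed.
# Reject octets outside 0..255 (the thread's 192.100.12.256 fails here).
valid_ipv4() {
    ip=$1
    case "$ip" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print the address a hosts file maps a name to, if any. A local entry here
# overrides DNS: the "ping by name works, ping by IP fails" case in the thread.
hosts_entry() {
    awk -v n="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "${2:-/etc/hosts}"
}

# True when the hosts file points the name somewhere other than the expected IP.
hosts_override_mismatch() {
    found=$(hosts_entry "$1" "$3")
    [ -n "$found" ] && [ "$found" != "$2" ]
}

# Constructed sample hosts file with a stale override (not from the thread).
write_sample_hosts() {
    printf '127.0.0.1 localhost\n192.100.12.9 mylogin.mycomny.com idp\n' > "$1"
}

# Plain TCP connect on the IDP port: the check that gave "connection refused"
# via telnet/netcat in the thread.
tcp_open() { nc -z -w 3 "$1" "$2" 2>/dev/null; }

triage() {
    name=$1; ip=$2; port=$3
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip"; return 1; }
    if hosts_override_mismatch "$name" "$ip" /etc/hosts; then
        echo "/etc/hosts maps $name to $(hosts_entry "$name") instead of $ip"; return 1
    fi
    tcp_open "$ip" "$port" || {
        echo "TCP $ip:$port refused: check the IDP listener and 'iptables -L -n' on both hosts"
        return 1
    }
    # Listener reachable: fetch the metadata with trust checks off, as in the
    # thread's curl -k. A failure at this point points at certificate trust.
    curl -sk -f --max-time 10 -o /dev/null "https://$name:$port/nidp/idff/metadata"
}
if [ $# -eq 3 ]; then triage "$1" "$2" "$3"; fi
```

Run it on the gateway as `sh triage.sh mylogin.mycomny.com 192.100.12.251 8443`; the first failing check names the layer to look at next.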