26.10 Troubleshooting XML Validation Errors on the Access Gateway Appliance

An XML validation error is often ignored because the returned message does not appear to be serious. However, closer inspection of the Access Gateway Appliance shows that none of the changes have been applied. When a change is applied by using the UI, the system writes the configuration data to the configuration store on the Administration Console and to the /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml file on the Access Gateway Appliance. If this file passes the schema checks on the Access Gateway Appliance, the /opt/novell/nam/mag/webapps/agm/WEB-INF/config/pending/xxxx-config.xml file (where xxxx is the transactionID) is updated with the configuration.

This is the file that the Access Gateway Appliance reads when it loads or refreshes. If the configuration files in /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current and /opt/novell/nam/mag/webapps/agm/WEB-INF/config/pending/ are not in sync, none of the changes you defined have been applied to the Access Gateway Appliance.

You need to pay attention to XML validation errors and identify the key steps required to solve such problems. This section discusses two main scenarios:

26.10.1 Modifying a Configuration That References a Removed Object

One scenario that causes the XML validation errors is when a configuration references an object that has been removed. For example, a custom authentication contract was created and assigned to a protected resource. The contract was manually deleted from the Identity Server configuration, but the Access Gateway protected resource still references it, even though it is not displayed in the user interface. After you identify the missing link, you can use the Access Manager interface to work around the problem.

To troubleshoot this scenario:

  1. Search the /opt/novell/devman/share/logs/app_sc.0.log file on the Administration Console server for #200904025: Error - XML VALIDATION FAILED.

    After you find the entry, work backwards to identify the start of the Java exception. Locate the problem string or entry from the configuration, such as the string authprocedure_NEIL___Name_Password___Form in the following entry:

    871(D)Wed May 23 15:45:06 BST 2007(L)webui.sc(T)26(C)com.volera.vcdn.webui.sc.dispatcher.ConfigWorkDispatcher(M)A(E)org.jdom.input.JDOMParseException: Error on line 1120: cvc-id.1: There is no ID/IDREF binding for IDREF 'authprocedure_NEIL___Name_Password___Form'.
    at org.jdom.input.SAXBuilder.build(SAXBuilder.java:468)
    at org.jdom.input.SAXBuilder.build(SAXBuilder.java:770)
    at com.volera.vcdn.platform.util.XmlUtil.validateXML(y:3304)
    at com.volera.vcdn.webui.sc.dispatcher.ConfigWorkDispatcher.A(y:793)
    at com.volera.vcdn.webui.sc.dispatcher.ConfigWorkDispatcher.do_deviceConfig(y:648)
    :
    :
    :
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:534)
    (Msg)<amLogEntry> 2007-05-23T15:45:06Z ERROR DeviceManager: AM#200904025: Error - XML VALIDATION FAILED. PLEASE CHECK APP_SC LOG </amLogEntry>
  2. On the Access Gateway Appliance, change to the /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current directory and open the config.xml file. Search for the problem string and the corresponding protected resource.

    The example below shows that the problem string is tied to the ProtectedResourceID_svhttp_mylag_iMon_root resource. This maps to the HTTP reverse proxy called mylag, the service called iMon, and the protected resource called root.

    ----- snippet from problem area of config.xml ------
    <ProtectedResource Name="root" Enable="1" Description="" LastModified="1169734555995" LastModifiedBy="cn=admin,o=novell" UserInterfaceID="ProtectedResourceID_svhttp_mylag_iMon_root" ProtectedResourceID="ProtectedResourceID_svhttp_mylag_iMon_root">
    
            <URLPathList LastModified="4294967295" LastModifiedBy="String">
    
                    <URLPath URLPath="/*" UserInterfaceID="/*"/>
    
            </URLPathList>
    
            <PolicyEnforcementList LastModified="1168947602067" schemaVersion="1.34" LastModifiedBy="cn=admin,o=novell" RuleCombiningAlgorithm="DenyOverridesWithPriority">
    
                    <PolicyRef ElementRefType="ExternalWithIDRef" ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc" UserInterfaceID="PolicyID_xpemlPEP_AGFormFill_1168947167634" ExternalElementRef="PolicyID_xpemlPEP_AGFormFill_1168947167634"/>
    
            </PolicyEnforcementList>
    
            <AuthenticationProcedureRef AuthProcedureIDRef="authprocedure_NEIL___Name_Password___Form"/>
    
    </ProtectedResource>
    
    ----- end of snippet from problem area of config.xml ------
  3. Look at the AuthenticationProcedureRef element, which points to the contract assigned to the protected resource. You can see that the authprocedure_NEIL___Name_Password___Form contract is assigned to it.

    However, when you look at the Access Gateway Appliance configuration in the Administration Console, you can see that the assigned contract is [None], which is not the contract shown in the example. Change it to another contract name, apply the change, then set the contract back to [None] to clear the problem entry. The setup now operates with no XML validation errors.
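
Step 1 of this procedure can be scripted. The following is an added example, not part of the product or its documentation: it finds each AM#200904025 entry, works backwards to the nearest cvc-id message, and extracts the offending value. It goes beyond this scenario by also recognizing the duplicate-ID message covered in 26.10.2. The function name triage and the max_back limit are assumptions.

```python
import re

# Constructed sample: the two app_sc.0.log entries shown on this page,
# with most stack frames trimmed.
SAMPLE_LOG = """\
871(D)Wed May 23 15:45:06 BST 2007(L)webui.sc(T)26(C)com.volera.vcdn.webui.sc.dispatcher.ConfigWorkDispatcher(M)A(E)org.jdom.input.JDOMParseException: Error on line 1120: cvc-id.1: There is no ID/IDREF binding for IDREF 'authprocedure_NEIL___Name_Password___Form'.
at org.jdom.input.SAXBuilder.build(SAXBuilder.java:468)
(Msg)<amLogEntry> 2007-05-23T15:45:06Z ERROR DeviceManager: AM#200904025: Error - XML VALIDATION FAILED. PLEASE CHECK APP_SC LOG </amLogEntry>
Caused by: org.xml.sax.SAXParseException: cvc-id.2: There are multiple occurrences of ID value 'ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340'.
at org.jdom.input.SAXBuilder.build(SAXBuilder.java:453)
(Msg)<amLogEntry> 2007-05-23T13:22:15Z ERROR DeviceManager: AM#200904025: Error - XML VALIDATION FAILED. PLEASE CHECK APP_SC LOG </amLogEntry>
"""

MARKER = "AM#200904025"
# Schema-validator message code followed by the quoted ID or IDREF value.
CAUSE = re.compile(r"(cvc-id\.[12]):.*?'([^']+)'")
KIND = {"cvc-id.1": "dangling IDREF (26.10.1)",
        "cvc-id.2": "duplicate ID (26.10.2)"}

def triage(log_text, max_back=200):
    """Return one finding per XML VALIDATION FAILED entry in the log text."""
    lines = log_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if MARKER not in line:
            continue
        cause = None
        # Work backwards from the marker; stop at the previous failure entry
        # so that one entry's cause is never attributed to the next.
        for j in range(i - 1, max(i - 1 - max_back, -1), -1):
            if MARKER in lines[j]:
                break
            m = CAUSE.search(lines[j])
            if m:
                cause = {"line": j + 1, "kind": KIND[m.group(1)],
                         "value": m.group(2)}
                break
        findings.append({"marker_line": i + 1, "cause": cause})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The extracted value is the string to search for in config.xml in step 2.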

26.10.2 Configuration UI Writes Incorrect Information to the Local Configuration Store

In this scenario, you apply the same change twice in quick succession, and the information written to the configuration store is invalid. Subsequent schema checks detect this invalid configuration and return an XML validation error. This scenario is more complex because it involves changing the configuration store on the Administration Console.

Troubleshooting Steps

  1. On the Administration Console, search the /opt/novell/devman/share/logs/app_sc.0.log file for #200904025: Error - XML VALIDATION FAILED.

    After you find the entry, work backwards to identify the start of the Java exception. From this, locate the problem strings or entry from the configuration, such as ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340. This message also indicates that a defined protected resource might not be unique. The configuration shows that before the Java exception, there is not enough information to narrow down the problem, so more troubleshooting is required.

    The following is a snippet from the problem area of the app_sc.0.log file that indicates that there are multiple occurrences of a protected resource.

    Caused by: org.xml.sax.SAXParseException: cvc-id.2: There are multiple occurrences of ID value 'ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340'.
    at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
    at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.jdom.input.SAXBuilder.build(SAXBuilder.java:453)
    at org.jdom.input.SAXBuilder.build(SAXBuilder.java:770)
    at com.volera.vcdn.platform.util.XmlUtil.validateXML(y:3304)
    at com.volera.vcdn.webui.sc.dispatcher.ConfigWorkDispatcher.A(y:793)
    at com.volera.vcdn.webui.sc.dispatcher.ConfigWorkDispatcher.do_deviceconfig(y:648)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.volera.vcdn.webui.sc.dispatcher.DefaultDispatcher.invoke(y:469)
    at com.volera.vcdn.webui.sc.dispatcher.DefaultDispatcher.processRequest(y:1732)
    at com.volera.roma.app.handler.DispatcherHandler.processRequest(y:3168)
    at com.volera.roma.servlet.GenericController.doPost(y:53)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:716)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:809)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:200)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:146)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
    at com.novell.accessmanager.tomcat.SynchronizationValve.invoke(y:297)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:152)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:534)
    (Msg)<amLogEntry> 2007-05-23T13:22:15Z ERROR DeviceManager: AM#200904025: Error - XML VALIDATION FAILED. PLEASE CHECK APP_SC LOG </amLogEntry>
  2. Confirm that the change has not been applied at the Access Gateway Appliance:

    1. In the Administration Console, select Devices > Access Gateways > Edit > Advanced Options and add the following line:

      LogLevel debug

    2. Click OK and then update the Access Gateways.

      For more information about Access Gateway logs, see Managing Access Gateway Logs.

    3. Search for in-memory errors in the error_log file. When these errors are displayed, the working Access Gateway Appliance configuration has not been updated with the latest changes.

    4. Identify the protected resource with these issues. In the following case, the protected resource is the same, so you must look at the config.xml file and search for this specific protected resource. For example:

      May 23 13:22:14 chw-amtlag1-176 : 404502  0: 7168: 0: 0: VcpConfiguration::reconfigure starting AafLog
      May 23 13:22:14 chw-amtlag1-176 : 404502  0: 7168: 0: 0: VcpConfiguration::reconfigure finished
      Error at file "in-memory", line 328, column 306
         Message: Datatype error: Type:InvalidDatatypeValueException, Message:ID 'ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340' is not unique.
      ERROR: Error retrieving config.xml: No data available
  3. Search for the preceding string in the /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml file. You should see the following type of information:

    <ProtectedResourceList>
      <ProtectedResource Name="sjh_redirect" Enable="1" Description="" LastModified="1179934022767" LastModifiedBy="cn=admin,o=novell" UserInterfaceID="ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340" ProtectedResourceID="ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340">
        <URLPathList LastModified="4294967295" LastModifiedBy="String">
          <URLPath URLPath="/*" UserInterfaceID="/*"/>
        </URLPathList>
        <PolicyEnforcementList LastModified="1179934011081" schemaVersion="0.1" LastModifiedBy="cn=admin,o=novell" RuleCombiningAlgorithm="DenyOverridesWithPriority" IncludedPolicyCategories=""/>
        <AuthenticationProcedureRef AuthProcedureIDRef="authprocedure_Name_Password___Form"/>
      </ProtectedResource>
    </ProtectedResourceList>

    You should also see the following information:

    <ProtectedResourceList LastModified="1179949051828" LastModifiedBy="cn=admin,o=novell">
      <ProtectedResource Name="sjh_redirect" Enable="1" Description="" LastModified="1179949051828" LastModifiedBy="cn=admin,o=novell" UserInterfaceID="ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340" ProtectedResourceID="ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340">
        <URLPathList LastModified="4294967295" LastModifiedBy="String">
          <URLPath URLPath="/*" UserInterfaceID="/*"/>
        </URLPathList>
        <PolicyEnforcementList LastModified="1179949047445" schemaVersion="0.1" LastModifiedBy="cn=admin,o=novell" RuleCombiningAlgorithm="DenyOverridesWithPriority" IncludedPolicyCategories="">
          <PolicyRef ElementRefType="ExternalWithIDRef" ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc" UserInterfaceID="PolicyID_xpemlPEP_AGAuthorization_1176770874051" ExternalElementRef="PolicyID_xpemlPEP_AGAuthorization_1176770874051"/>
        </PolicyEnforcementList>
        <AuthenticationProcedureRef AuthProcedureIDRef="authprocedure_Name_Password___Form"/>
      </ProtectedResource>
    </ProtectedResourceList>

    This is the duplicate entry that is causing the problem. You need to clear one of the entries from the configuration. If you clear it from the /opt/novell/nam/mag/webapps/agm/WEB-INF/config/current/config.xml file, then any change applied in the UI rewrites the information to the config.xml file.

  4. Remove the duplicate entry from the Administration Console server’s configuration store. To do this, you need an LDAP browser.

    You can download a free Java-based tool from the Internet.

    1. Start the LDAP browser, then locate the ag-xxxx that matches the Access Gateway Appliance you are having problems with.

      The easiest way is to go to the Auditing > General Logging tab of the Access Manager Administration Console and identify your Access Gateway Appliance ID. This ID corresponds to the first four digits of the ag-xxxx in the LDAP browser.

    2. Click the ag-xxxx container. You should see CurrentConfig and WorkingConfig containers within this Access Gateway container.

    3. Select the CurrentConfig, then the RomaAGConfigurationXMLDoc attribute. Copy and paste the attribute value into any editor. This is the configuration from the LAG.

    4. Search for the RomaAGConfigurationXMLDoc attribute string and remove the entire section for one of the hits, starting with <ProtectedResourceList> and ending with </ProtectedResourceList>.

    5. Select and save the modified text.

    6. Paste the saved text into the RomaAGConfigurationXMLDoc attribute value.

    7. Repeat these steps for the RomaAGConfigurationXMLDoc attribute in WorkingConfig, and remove the duplicate entry that is causing the XML validation errors.

  5. Restart Tomcat on the Administration Console machine.

  6. Log in to the Administration Console again. Make a small change to the setup and apply that change, and verify that the XML validation error has disappeared.
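
Both scenarios in this section come down to ID/IDREF consistency in the configuration XML, which can be checked offline before and after a repair. The following is an added example, not part of the product or its documentation. It assumes that ProtectedResourceID is typed as an ID and AuthProcedureIDRef as an IDREF (as the error messages above suggest); AuthProcedureID, the element names in the sample other than those shown on this page, and the sample ID values are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: attributes the schema types as ID / IDREF. ProtectedResourceID and
# AuthProcedureIDRef appear on this page; AuthProcedureID is a hypothetical name
# for the attribute that defines a contract's ID.
ID_ATTRS = ("ProtectedResourceID", "AuthProcedureID")
IDREF_ATTRS = ("AuthProcedureIDRef",)

# Constructed sample: one duplicated protected resource, one dangling contract reference.
SAMPLE = """<Config>
 <AuthenticationProcedure AuthProcedureID="authprocedure_Name_Password___Form"/>
 <ProtectedResourceList>
  <ProtectedResource Name="sjh_redirect" ProtectedResourceID="PR_portal_1">
   <AuthenticationProcedureRef AuthProcedureIDRef="authprocedure_Name_Password___Form"/>
  </ProtectedResource>
 </ProtectedResourceList>
 <ProtectedResourceList>
  <ProtectedResource Name="sjh_redirect" ProtectedResourceID="PR_portal_1"/>
  <ProtectedResource Name="root" ProtectedResourceID="PR_root">
   <AuthenticationProcedureRef AuthProcedureIDRef="authprocedure_deleted"/>
  </ProtectedResource>
 </ProtectedResourceList>
</Config>"""

def check_ids(xml_text, id_attrs=ID_ATTRS, idref_attrs=IDREF_ATTRS):
    """Report duplicate ID values (cvc-id.2) and unbound IDREFs (cvc-id.1)."""
    ids = Counter()   # ID values share one document-wide namespace
    refs = []         # (referenced value, Name of the enclosing ProtectedResource)

    def walk(elem, owner):
        if elem.tag.rsplit("}", 1)[-1] == "ProtectedResource":  # ignore any namespace
            owner = elem.get("Name", "")
        ids.update(elem.attrib[a] for a in id_attrs if a in elem.attrib)
        refs.extend((elem.attrib[a], owner) for a in idref_attrs if a in elem.attrib)
        for child in elem:
            walk(child, owner)

    walk(ET.fromstring(xml_text), "")
    return {
        "duplicate_ids": sorted(v for v, n in ids.items() if n > 1),
        "dangling_refs": sorted((v, o) for v, o in refs if v not in ids),
    }
```

Run it on a copy of config.xml, or on the text copied out of the RomaAGConfigurationXMLDoc attribute, after adjusting ID_ATTRS and IDREF_ATTRS to the attributes your schema actually types as ID and IDREF. An empty result in both lists means the two validation errors described in this section should no longer be triggered by that document.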