B.2 Configuration UI Writes Incorrect Information to the Local Configuration Store

In this scenario, you apply the same change twice in quick succession, and the information written to the configuration store is invalid. Subsequent schema checks detect this invalid configuration and return an XML validation error. This scenario is more complex because it involves changing the configuration store on the Administration Console.

Troubleshooting Steps

  1. On the Administration Console, search the /opt/novell/devman/share/logs/app_sc.0.log file for #200904025: Error - XML VALIDATION FAILED.

    After you find the entry, work backwards to identify the start of the Java exception. From this, locate the problem strings or entry from the configuration, such as ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340. This message also indicates that a defined protected resource might not be unique. The information logged before the Java exception is not enough to narrow down the problem, so more troubleshooting is required.

    The following snippet from the problem area of the app_sc.0.log file indicates that there are multiple occurrences of a protected resource.

    Caused by: org.xml.sax.SAXParseException: cvc-id.2: There are multiple occurrences of ID value 'ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340'.
    at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
    at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.jdom.input.SAXBuilder.build(SAXBuilder.java:453)
    at org.jdom.input.SAXBuilder.build(SAXBuilder.java:770)
    at com.volera.vcdn.platform.util.XmlUtil.validateXML(y:3304)
    at com.volera.vcdn.webui.sc.dispatcher.ConfigWorkDispatcher.A(y:793)
    at com.volera.vcdn.webui.sc.dispatcher.ConfigWorkDispatcher.do_deviceconfig(y:648)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.volera.vcdn.webui.sc.dispatcher.DefaultDispatcher.invoke(y:469)
    at com.volera.vcdn.webui.sc.dispatcher.DefaultDispatcher.processRequest(y:1732)
    at com.volera.roma.app.handler.DispatcherHandler.processRequest(y:3168)
    at com.volera.roma.servlet.GenericController.doPost(y:53)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:716)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:809)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:200)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:146)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
    at com.novell.accessmanager.tomcat.SynchronizationValve.invoke(y:297)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:152)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:534)
    (Msg)<amLogEntry> 2007-05-23T13:22:15Z ERROR DeviceManager: AM#200904025: Error - XML VALIDATION FAILED. PLEASE CHECK APP_SC LOG </amLogEntry>
    
    
  2. Confirm that the change has not been applied at the Access Gateway Appliance:

    1. Enable the most verbose level of logging in the /etc/laglogs.conf file: log_level=LOG_DEBUG. See Configuring Log Levels in the NetIQ Access Manager 3.1 SP5 Access Gateway Guide.

    2. Restart the vmc services by using the following command:

      /etc/init.d/novell-vmc restart
      
    3. Search for in-memory errors in the ics_dyn log file. When these errors are displayed, the working Access Gateway Appliance configuration has not been updated with the latest changes.

    4. Identify the protected resource with these issues. In the following case, the protected resource is the same, so you must look at the config.xml file and search for this specific protected resource. For example:

      May 23 13:22:14 chw-amtlag1-176 : 404502  0: 7168: 0: 0: VcpConfiguration::reconfigure starting AafLog
      May 23 13:22:14 chw-amtlag1-176 : 404502  0: 7168: 0: 0: VcpConfiguration::reconfigure finished
      Error at file "in-memory", line 328, column 306
         Message: Datatype error: Type:InvalidDatatypeValueException, Message:ID 'ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340' is not unique.
      ERROR: Error retrieving config.xml: No data available
      
  3. Search for the preceding string in the /var/novell/cfgdb/vcdn/config.xml file. You should see the following type of information:

    <ProtectedResourceList>
      <ProtectedResource Name="sjh_redirect" Enable="1"
        Description="" LastModified="1179934022767"
        LastModifiedBy="cn=admin,o=novell" UserInterfaceID="ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340" ProtectedResourceID="ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340">
        <URLPathList LastModified="4294967295" LastModifiedBy="String">
          <URLPath URLPath="/*" UserInterfaceID="/*"/>
        </URLPathList>
        <PolicyEnforcementList LastModified="1179934011081" schemaVersion="0.1" LastModifiedBy="cn=admin,o=novell" RuleCombiningAlgorithm="DenyOverridesWithPriority" IncludedPolicyCategories=""/>
        <AuthenticationProcedureRef AuthProcedureIDRef="authprocedure_Name_Password___Form"/>
      </ProtectedResource>
    </ProtectedResourceList>
    

    You should also see the following information:

      <ProtectedResourceList LastModified="1179949051828" LastModifiedBy="cn=admin,o=novell">
        <ProtectedResource Name="sjh_redirect" Enable="1" Description="" LastModified="1179949051828" LastModifiedBy="cn=admin,o=novell" UserInterfaceID="ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340" ProtectedResourceID="ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340">
          <URLPathList LastModified="4294967295" LastModifiedBy="String">
            <URLPath URLPath="/*" UserInterfaceID="/*"/>
          </URLPathList>
          <PolicyEnforcementList LastModified="1179949047445" schemaVersion="0.1" LastModifiedBy="cn=admin,o=novell" RuleCombiningAlgorithm="DenyOverridesWithPriority" IncludedPolicyCategories="">
            <PolicyRef ElementRefType="ExternalWithIDRef" ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc" UserInterfaceID="PolicyID_xpemlPEP_AGAuthorization_1176770874051" ExternalElementRef="PolicyID_xpemlPEP_AGAuthorization_1176770874051"/>
          </PolicyEnforcementList>
          <AuthenticationProcedureRef AuthProcedureIDRef="authprocedure_Name_Password___Form"/>
        </ProtectedResource>
      </ProtectedResourceList>
    

    This is the duplicate entry that is causing the problem. You need to clear one of the entries from the configuration. If you clear it only from the /var/novell/cfgdb/vcdn/config.xml file, any change applied in the UI rewrites the information to the config.xml file, so the entry must be removed from the configuration store as described in the next step.

  4. Remove the duplicate entry from the Administration Console server’s configuration store. To do this, you need an LDAP browser.

    You can download a free Java-based tool from the Internet.

    1. Start the LDAP browser, then locate the ag-xxxx that matches the Access Gateway Appliance you are having problems with.

      The easiest way is to go to the Auditing > General Logging tab of the Access Manager Administration Console and identify your Access Gateway Appliance ID. This ID corresponds to the first four digits of the ag-xxxx in the LDAP browser.

    2. Click the ag-xxxx container. You should see CurrentConfig and WorkingConfig containers within this Access Gateway container.

    3. Select the CurrentConfig, then the RomaAGConfigurationXMLDoc attribute. Copy and paste the attribute value into any editor. This is the configuration from the LAG.

    4. Search for the RomaAGConfigurationXMLDoc attribute string and remove the entire section on one of the hits starting with <ProtectedResourceList> and ending with </ProtectedResourceList>.

    5. Select and save the modified text.

    6. Paste the saved text into the RomaAGConfigurationXMLDoc attribute value.

    7. Repeat these steps for the RomaAGConfigurationXMLDoc attribute in WorkingConfig, and remove the duplicate entry that is causing the XML validation errors.

  5. Restart Tomcat on the Administration Console machine.

  6. Log in to the Administration Console again. Make a small change to the setup and apply that change, and verify that the XML validation error has disappeared.
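
The manual search in steps 1, 3 and 4 can be cross-checked with a short script. The following is an added example, not part of the product or its documentation: it extracts the ID named in the cvc-id.2 error and lists every ProtectedResource element that carries it, with its LastModified value and policy reference count, so the two hits can be told apart before one is removed. It assumes the configuration XML uses no namespace; the Config root element and the abbreviated sample data are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Pattern of the Xerces cvc-id.2 message quoted in step 1.
CVC_ID2 = re.compile(r"cvc-id\.2: There are multiple occurrences of ID value '([^']+)'")

def ids_from_log(log_text):
    """Return the distinct ID values named in cvc-id.2 errors, in order seen."""
    seen = []
    for match in CVC_ID2.finditer(log_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen

def duplicate_resources(config_xml):
    """Map each repeated ProtectedResourceID to its hits, oldest first.

    Each hit is (Name, LastModified, number of PolicyRef children)."""
    hits = defaultdict(list)
    for res in ET.fromstring(config_xml).iter("ProtectedResource"):
        policies = len(res.findall("./PolicyEnforcementList/PolicyRef"))
        hits[res.get("ProtectedResourceID")].append(
            (res.get("Name"), int(res.get("LastModified", "0")), policies))
    return {rid: sorted(found, key=lambda h: h[1])
            for rid, found in hits.items() if len(found) > 1}

# Constructed sample input, abbreviated from the snippets on this page.
RID = "ProtectedResourceID_svhttp_sjh_portal_sjh_portal_1179933619340"
SAMPLE_LOG = ("Caused by: org.xml.sax.SAXParseException: cvc-id.2: "
              "There are multiple occurrences of ID value '%s'.\n" % RID)
SAMPLE_CONFIG = """<Config>
  <ProtectedResourceList>
    <ProtectedResource Name="sjh_redirect" LastModified="1179934022767" ProtectedResourceID="{0}">
      <PolicyEnforcementList/>
    </ProtectedResource>
  </ProtectedResourceList>
  <ProtectedResourceList>
    <ProtectedResource Name="sjh_redirect" LastModified="1179949051828" ProtectedResourceID="{0}">
      <PolicyEnforcementList><PolicyRef ExternalElementRef="PolicyID_xpemlPEP_AGAuthorization_1176770874051"/></PolicyEnforcementList>
    </ProtectedResource>
  </ProtectedResourceList>
</Config>""".format(RID)

if __name__ == "__main__":
    for rid in ids_from_log(SAMPLE_LOG):
        for name, modified, policies in duplicate_resources(SAMPLE_CONFIG).get(rid, []):
            print(rid, name, modified, "policy refs:", policies)
```

Run the same functions against the text copied from the RomaAGConfigurationXMLDoc attribute before and after editing; an empty result from duplicate_resources means no ProtectedResourceID is repeated.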