3.0 Identity Server (001)

Cause: An action using Liberty or SAML protocols could not be completed because the server and trusted provider are not compatibly configured to interact to complete the action.

Action: Set the desired protocol profiles in the administration tool to match those supported at the trusted provider.

Cause: The ESP cannot connect to the metadata URL for the IDP. The ESP may not be able to resolve the domain name for the IDP or if HTTPS is being used, the ESP may not trust the SSL certificate for the IDP. The IDP may also not be running

Action: Make sure the IDP is running and that all certificates are imported and trusted. Check the metadata URL for the IDP and make sure the metadata can be retrieved from a browser: http://<DNS_name>/nidp/idff/metadata A common cause is the base URL on the IDP is set incorrectly.

Cause: The web service instance type (attribute nidsWsfServiceInstanceType on the nidsWsfService object) is not available in the service definition.

Action: Delete the associated web service definition and recreate it.

Cause: Some Java error (probably a classpath issue) is causing the main authority class to not instantiate.

Action: Review how the Access Manager product was installed and attempt to determine if Java class files are being accessed from an unexpected source.

Cause: The LDAP connection between the IDP and the User Store must be secure LDAP if Novell Secret Store is to be used as the back end storage for Credential Profile.

Action: Go to the associated user store and change the connection type to secure LDAP.

Cause: Could not find the password callback class in the classpath.

Action: Make sure the password callback class to check UsernameToken that decrypts an encrypted message in WSS is in the classpath.

Cause: This error occurred when processing WSS headers (Receiver side). It may happen due to incorrect WSS headers in WSC requests.

Action: Check the WSS headers in WSC (Sender side) request and resent it.

Cause: This error occurred after processing WSS headers (Receiver side). It may happen due to incorrect or no WSS headers in WSC requests.

Action: Check the WSS headers in WSC (Sender side) request and resend it.

Cause: The Discovery Service has not been enabled or created.

Action: Create and enable a Liberty Discovery Service using the Access Manager administration utility.

Cause: Failure at GSS-API

Action: Check the following according the details of the error message: Keytab file - validity, presently only understands DES; Service Principal Name (SPN)

Cause: SPNEGO/Kerberos NegTokenInit not implemented.

Action: NegTokenInit token not implemented as the server side does not need to generate it new. No Action needed.

Cause: NIDP attempts to create JNDI connections to each user store replica during NIDP startup. In this case, NIDP was unable to establish connections with the indicated host.

Action: Ensure that the host is available and that the configuration information for the replica is correct.

Cause: A SOAP request was made and a response was expected, the response was obtained but the format of it was unexpected.

Action: Evaluate the indicated reason and take appropriate action.

Cause: The audit logging system can, in rare circumstances, become non-operational.

Action: Examine the error description supplied and take appropriate action.

Cause: The web service definition has a service level user interaction policy that is not ALWAYS or NEVER. Disallowed values are NO and ONCE.

Action: Using Access Manager management tools, edit the policy associated with the web service.

Cause: The web service definition has a service type specifier (attribute nidsWsfServiceInstanceType on object nidsWsfService) that is not recognized.

Action: Using Access Manager management tools, delete the associated web service and recreate it.

Cause: When an IDSIS web service is reading or writing data it follows the configured data locations to know where to perform its operations. If the administrator has not set up any data locations then the operation must fail.

Action: Add at least one data location the web service.

Cause: Writing to web services is prone to various unexpected errors.

Action: Evaluate the reason for the error and take appropriate action.

Cause: The user session has expired.

Action: The user must login again.

Cause: A web service of the provided type does not exist, or is not enabled.

Action: Create or enable a web service of this type.

Cause: Processing web service requests may result in a number of unexpected errors.

Action: Evaluate the reason given in the error message, and take appropriate action.

Cause: The web service resource id, an identifier indicating what user the request is destined for, did not contain the information required to identify the user.

Action: Notify your system administrator that invalid web service requests are being made to the system.

Cause: The user session has expired.

Action: The user must login again.

Cause: The Web Service Consumer received a request but there were zero service resource offerings provided. So, the web service has no destination service to which a request can be made.

Action: The user must login again.

Cause: Could not get user certificate from the client browser

Action: Install user X509 certificate on the client browser and try again.

Cause: User Certificate Authentication Failed due to the reasons in detailed message

Action: Take appropriate action as per the reasons in the detailed message

Cause: Principal from X509Certificate Multiple users found in User store which matched Principal from X509Certificate based on X509Class attribute mapping profile.\

Action: Check the X509Class Method and it's attribute mapping profile as defined using administrator tool. Also, check if multiple user exists in the User store(s).

Cause: X509 certificate is valid in the future

Action: Use a valid certificate

Cause: The Certificate has been revoked

Action: Use a valid certificate which is not revoked.

Cause: Could not get to the CRL/OCSP URL for validations.

Action: Make sure the CRL/OCSP URLs are accessible Or disable validations in administration. Additionally, can define a different CRL/OCSP URL in the administration tool which the X509Class can also use for validations.

Cause: Could not find Key/Cert for NIDP/ESP server towards authenticating to OCSP server

Action: Make sure the NIDP/ESP Signing keystore has appropriate Key/Cert in it.

Cause: Issuer of user certificate not found which is required for OCSP validations

Action: Make sure the issuer of user/client certificate is either found in certificate-chain or in NIDP/ESP trust store.

Cause: OCSP response could not be processed

Action: Make sure its going to the right OCSP server and that it is operating correctly.

Cause: OCSP request was already generated for certificate(s)

Action: Check the client certificate chain.

Cause: OCSP server responded to the request with an internal error.

Action: Contact OCSP server administrator.

Cause: Request to OCSP server needs to be signed.

Action: Enable signing of OCSP requests in X509Class administration.

Cause: OCSP server could not authenticate Novell Identity server.

Action: Make sure Signing of OCSP requests is enabled and NIDP signing keystore has appropriate key in it. Also, make sure the OCSP server trusts Nidp server.

Cause: Invalid OCSP response obtained.

Action: Check the OCSP server response version and contact administrator.

Cause: This may happen when reading the OCSP trust store during OCSP validations.

Action: Make sure OCSP trust store exists on NIDP server.

Cause: The response ID received in OCSP response does not match.

Action: Make sure NIDP's OCSP trust store has the right OCSP server public-key certificate.

Cause: Empty response from OCSP server.

Action: Verify the OCSP server URL.

Cause: OCSP response not yet valid.

Action: Verify the OCSP server URL.

Cause: Could not connect to OCSP server.

Action: Verify the OCSP server URL.

Cause: No OCSPResponse message.

Action: Verify the OCSP server URL.

Cause: Error getting CRL.

Action: Verify the connection to CRL server URL.

Cause: Error processing CRL Response.

Action: Check X509class config and user/client certificate CRL extension.

Cause: Transport protocol not supported to fetch CRL.

Action: Currently, CRLs can be fetched over http and LDAP protocols. Make sure the X509class config and/or user/client certificate CRL extension does not have any other transport protocol specified.

Cause: Could not process HTTP Authorization header

Action: Try with correct authorization header with base64 encoded SPNEGO token

Cause: Failure at GSS-API

Action: Make sure the Kerberos keytab file is generated correctly by KDC

Cause: GSS Context already established

Action: Close the browser and try again

Cause: Malformed token NegTokenInit

Action: Try again with correct NegTokenInit token

Cause: Multiple users matched in the user stores

Action: Make sure the users are unique in user stores

Cause: This could occur when all the CDPs are unreachable.

Action: Change the Certificate with correct CDPs or make sure CDP is up and able to serve.

Cause: An action that can only be performed by an authenticated user was attempted.

Action: User must be authenticated to perform operation.

Cause: An action was requested related to a trusted provider that does not exist.

Action: Add the desired provider as a trusted entity or check for invalid access to system.

Cause: An artifact was received from an identity provider that is invalid or has not been used within a reasonable time frame.

Action: Make sure that the provider sending the artifact is trusted or check for possible security intrusions.

Cause: A response was received from a provider that is not trusted.

Action: Make sure intended provider is trusted or check for possible intrusions.

Cause: An assertion has been received that was already used to authenticate a user at the service provider.

Action: This is a security mechanism that if persists may require some investigation to determine who is trying to replay the assertion. Assertions are only good for single use.

Cause: A subject may not have been sent in the assertion or was not valid. This check protects from certain assertion attacks.

Action: If persistent, check the protocol message sent for a time discrepancy between the providers or a missing subject, then notify the administrator of the trusted site.

Cause: An assertion was received that had a time validity period that is in the past.

Action: Check server's clock for accuracy. Attempt to validate the clock accuracy of the computer generating the assertion. Try to authenticate again.

Cause: The identity provider did not sign.

Action: Check with provider of assertion to determine why assertion is not signed.

Cause: A protocol message was received that was expected to be digitally signed, but was not.

Action: It may be necessary to contact the trusted provider administrator to determine why the message is not signed. Make sure authentication request signing settings match those for the trusted provider.

Cause: An error was detected in the exchange of either a Liberty or SAML protocol message.

Action: Turn logging/tracing on to print out the message that is problematic. It may be necessary to contact Novell Technical Services in this case.

Cause: A Java class failed to be loaded during program execution.

Action: Check the logs to determine the class that is failing to load. Make sure the class being loaded is in the classpath of the JVM.

Cause: SSL mutual authentication is being used to authenticate a SOAP back channel session and the credentials cannot be validated.

Action: Make sure certificates for back channel communications are trusted on each end.

Cause: An error was detected in the transmission of protocols using SOAP.

Action: Turn tracing on and look for any obvious causes for the problem.

Cause: The use of the assertion to authenticate the server did not occur within the time limits specified by the assertion.

Action: Try and re-authenticate. Determine if there are any network latencies that may cause the assertion not to arrive in a timely fashion. Look for misuse of the assertion.

Cause: A request was made of the server's intersite transfer service without specifying a target resource.

Action: Requests for the intersite transfer service must include an id of the intended service provider to be authenticated as well as the target resource to be displayed. To avoid this error, provide an &amp;TARGET="value" on the URL.

Cause: The system does not have enough memory to complete the requested action.

Action: Wait a few moments for memory to free up and retry request. It may be necessary to add additional memory to the server.

Cause: An attempt was made to load a JSP page that does not exist.

Action: Determine the JSP not loading and make sure it is in the correct location.

Cause: A user has attempted to authenticate to the system with a password that is expired.

Action: The user needs to create a new password.

Cause: A set of conditions that are not understood were sent as part of an assertion.

Action: Check with the provider of the assertion to determine what these conditions are and why they are being sent.

Action: Use logs to determine the provider that is untrusted and then create a trusted relationship if desired.

Cause: Accessing the site was done via http, not https.

Action: Access the site again using https.

Cause: User has already logged in the maximum allowable times.

Action: Logout of one or more sessions.

Cause: TrustedProvider failed to load (probably due to certificate errors).

Action: Check the certificates for the trusted provider and make sure they are valid.

Cause: Request to broker an authentication to a target Service Provider denied, either the Identity Provider or target Service Provider are part of a brokering group, but both does not belong to same group.

Action: Check the brokering group to verify if the Identity Provider and target Service Provider belong to the same group.

Cause: The system administrator did not create or enable a Discovery service.

Action: Create or enable a Discovery web service.

Cause: The select string (XPath) is either incorrectly formed or not supported by the web service.

Action: The system administrator must enable services to support the select string.

Cause: An internal system error.

Action: The system has encountered an invalid configuration and should be restarted by the system administrator.

Cause: The web service making the request did not provide valid or complete information about the trusted user interaction service.

Action: The system administrator must complete the definition of the trusted interaction service.

Cause: There was an error converting the redirect request to an XML DOM.

Action: Evaluate the reason and take the appropriate actions.

Cause: If a web service's data locations includes LDAP, then LDAP data attribute plugins are used to read data from the LDAP user store. This error provides descriptions of various errors that can happen while doing this.

Action: Evaluate the reason and take the appropriate actions.

Cause: All Credential Profile reads and writes end up operating on a user object in a user store. If this user object cannot be found, then the operation must fail. This may happen if a temporary identifier is being used for the authentication.

Action: Use a permanent federation to the service provider if your system allows it.

Cause: An internal error has occurred.

Action: The user must login again.

Cause: An internal error has occurred.

Action: Evaluate the reason and take the appropriate actions.

Cause: The X509 certificate cannot be encoded.

Action: Review the type of X509 certificates that are being used for authentication.

Cause: The web service consumer waited for the web service request to return a response, but it did not during the allowed waiting period.

Action: This waiting period may be increased by click Access Manager > Identity Servers > Edit > Liberty > Web Service Consumer, and setting the Protocol Timeout to a higher value.

Cause: After user interaction, processing of the original request returns to the web service consumer. A data packet containing information about how to continue the request is cached on the web service consumer. The id of that packet must be passed through all redirections and requests associated with the user interaction. If that id is not available when the web service consumer regains control, then the request cannot continue.

Action: Submit the request again.

Cause: PKIX Certificate Path Checker Class not found.

Action: Warning message that PKIX Certificate Path Checker Class not found. This optional class is used to process custom certificate extensions. If required, this class needs to be in NIDP classpath. It may not be present on ESP.

Cause: User authenticated using X509. An additional check of the directory's user login policy needs to be made using an LDAP method extension. However, the directory indicated does not support the required LDAP extension method.

Action: Make sure the LDAP extension method with OID 2.16.840.1.113719.1.39.42.100.25 is present in the user store. Versions 8.7.3 and greater of eDirectory should support this method.

Cause: On startup, the NIDP Image Pool is synchronized from eDirectory to the file system. This allows HTML pages to access images from a well known file system structure. Part of synchronization process involves deleting from the file system images that no longer exist in eDirectory. Also, the reverse is true, images that are new to eDirectory and do not yet exist on the file system are created in directories that reflect the image set. File system errors may occur during this synchronization process if a file or directory cannot be deleted or created.

Action: Ensure that no errant files are copied or directories manually created in the file system path [TOMCAT_HOME]/webapps/nidp/images/pool. Make sure the disk is not full.

Cause: On startup, the NIDP Image Pool is synchronized from eDirectory to the file system. This allows HTML pages to access images from a well known file system structure. Part of synchronization process involves deleting from the file system images that no longer exist in eDirectory. Also, the reverse is true, images that are new to eDirectory and do not yet exist on the file system are created in directories that reflect the image set. File system errors may occur during this synchronization process if a file or directory cannot be deleted or created.

Action: Make sure the disk is not full.

Cause: Periodically, the IDP attempts to clean up (delete) identity objects that have not been used for a configurable period of time. If an old unused identity is found, an attempt will be made to delete it. If that delete fails, this error will be logged.

Action: Make sure the administrator object for the Trust/Config data store has rights to the indicated directory context.

Cause: When a CardSpace Managed Card that is backed by a Personal Card is issued, an Identity object is created to represent the "Federation" that allows that card to log into the IDP without supplying any additional credentials. For security reasons, the user may delete that Identity object, or that "federation," when the associated card becomes out of date or compromised. However, when the system attempted to delete the Identity object, the indicated error happened.

Action: Examine the supplied error detail and take applicable actions.

Cause: The java.lang.Class.newInstance() method call failed to instantiate the LDAP Store Plugin class.

Action: Ensure a valid Java class file is available in Access Manager's class path for the referenced plugin class file. Also, ensure the LDAP Store Plugin has a zero parameter constructor.