Symantec Access Management

  • 1.  Can't login to the proxy ui

    Posted Mar 12, 2020 08:44 AM
    Hi Community,

    I have recently installed the Access Gateway and I am trying to log into it for the first time. I have configured the domain policy to include a user that I can use for logging in.

    When I enter the correct credentials and try to log in, the page just refreshes and I am presented with the same login screen. However, when I use incorrect credentials, it complains about an incorrect username or password. So it seems like it's correctly recognising my user, but just doesn't load the next page.

    Can anyone please guide me on what might've gone wrong?

    ProxyUI Log:

    2020-Mar-12 08:47:56,344 - ERROR - com.ca.sps.adminui.dao.groupconfiguration.GroupConfigurationDAO - Null ProxyServerDTO for current group, Version details can't be queried
    2020-Mar-12 08:47:56,361 - ERROR - com.ca.sps.adminui.sync.SynchJob - Synch Periodic Status= Group Configuration data is not loaded properly into application context

    Nohup.out just seems to repeat this message a few times:

    INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
    Mar 12, 2020 8:47:39 AM org.apache.catalina.startup.TldConfig execute


    Kind Regards,
    Anwar


  • 2.  RE: Can't login to the proxy ui

    Broadcom Employee
    Posted Mar 12, 2020 02:03 PM
    Hi Anwar,

    You will want to examine the Access Gateway Web Agent Trace Log to see how the agent is behaving. You may need to edit the ACO (Agent Configuration Object) if web agent tracing is not already enabled, as this log is not enabled by default. Based on the behavior you described, it sounds like you are successfully authenticating but failing authorization, so you most likely have to examine the policy that should allow access to this resource (assuming you did indeed configure such a policy, which would contain an Allow Access rule).

    The errors you highlighted pertain to Access Gateway clusters and can be safely ignored if you are not setting up one or more clusters.

    Regards,
    Pete


  • 3.  RE: Can't login to the proxy ui

    Broadcom Employee
    Posted Mar 13, 2020 03:33 AM
    Hi Anwar,

    In addition to my colleague's comments, you might check both of these
    documents, which present a similar issue where the function
    GroupConfigurationDAO cannot get info from the installation:

    Cannot Bind to specific local Address
    https://knowledge.broadcom.com/external/article?articleId=99443

    and

    Tech Tip : CA Single Sign-On : Cannot Bind to specific local Address

    Scenario 1:
    Steps:
    In SPS server.conf file change the local.host = "IP which is resolved from the SPS host"
    Verify that netstat -an | grep 8080 showing the ip which is provided in server.conf
    tcp 0 0 ::ffff:10.130.160.13:8080 :::* LISTEN

    Scenario 2:
    In case of local.host=localhost, below is the output for netstat -an | grep 8080
    tcp 0 0 ::ffff:127.0.0.1:8080 :::* LISTEN

    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=798342

    I hope this helps,

    Best Regards,
    Patrick


  • 4.  RE: Can't login to the proxy ui

    Posted Mar 17, 2020 12:44 PM
    Hi Guys,

    Thanks for the suggestions. I went to try to enable the trace logs to see if I can see anything and couldn't locate the "WebAgentTrace.conf" file. Does this point to the SPS not being installed properly?

    During the installation of the SPS, I selected a compatible JDK (AdoptOpenJDK) and it warned me that it was "Unable to install the Java Virtual Machine included with this installer." However, it still let me continue with the installation. Could this be why it did not install properly and what is the right JDK to use?

    Kind Regards,
    Anwar


    ------------------------------
    Securience
    ------------------------------



  • 5.  RE: Can't login to the proxy ui

    Posted May 05, 2020 03:24 PM
    Patrick,

    This thread has been quiet for a while. Unfortunately, I have a similar -- if not the same -- issue. One difference: my environment is non-production so I'm using Oracle JDK 1.8.0_241 rather than AdoptOpenJDK. The access gateway and policy server are both r12.8 sp03. And, my configuration was completely functional when access gateway and policy server were both r12.8 sp02. ProxyUI broke when I upgraded the access gateway to r12.8 sp03. Other details follow:

    • server.conf contains:
    local.host=*
    local.http.port=8080
    local.https.port=8543

    • My access gateway host is missy2. netstat -an shows listeners on all ports/interfaces for access gateway and ProxyUI as expected:
    [root@missy2 logs]# netstat -an | head -2; netstat -an | egrep ":80 |:8080 |:443 |:8543 "
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:8543 0.0.0.0:* LISTEN
    [root@missy2 logs]#

    • In the ACO, I specify:
    TraceConfigFile=/apps/CA/secure-proxy/gateway/proxy-engine/conf/defaultagent/SecureProxyTrace.conf
    TraceFile=yes
    TraceFileName=/apps/CA/secure-proxy/gateway/proxy-engine/logs/SecureProxyTrace.log

    • I've attached SecureProxyTrace.log for a login attempt.
    • I've attached a spreadsheet populated with data from smtracedefault.log for a single transaction. That log shows my user ID (x-rfaust2) is authenticated, but "no applicable policy found". For what it's worth, the x-rfaust2 user is also a member of the MirimarAdminLevel_000 group.
    • I've attached some screen shots from the AdminUI that show a policy appears to be configured, contrary to what is indicated by smtracedefault.
    • OneView Monitor shows the IsProtected count increases by one for the rjf_gateway_agent after a login attempt.


    ------------------------------
    Sr. Services Consultant
    HCL Technologies
    ------------------------------



  • 6.  RE: Can't login to the proxy ui

    Posted May 05, 2020 03:28 PM
    Here are the files promised in my previous post, including a REST API export of the domain protecting the ProxyUI.

    ------------------------------
    Sr. Services Consultant
    HCL Technologies
    ------------------------------



  • 7.  RE: Can't login to the proxy ui

    Broadcom Employee
    Posted May 05, 2020 05:13 PM
    Hi Richard,

    This does not appear to be a policy setup issue. I can see from the agent trace log that after the user successfully authenticated, no cookie was presented on the subsequent request for /proxyui despite an SMSESSION cookie being set during authentication. With no session cookie, the user is considered not authenticated at that point and is redirected to the login form. Is the browser not accepting the session cookie? Can this user access other protected resources? A Fiddler trace may shed some light on what is going wrong.

    Regards,
    Pete


  • 8.  RE: Can't login to the proxy ui
    Best Answer

    Posted May 07, 2020 12:05 PM
    Thanks, Peter, your reply got me headed in the right direction. I started reviewing ACO parameters and discovered these:

    UseHTTPOnlyCookies=yes
    UseSecureCookies=yes

    I was doing some ACO parameter testing in my lab environment about the time I upgraded from r12.8 sp02 to sp03 and always associated my proxyUI problems with the upgrade rather than the ACO changes.

    I set both to "no", did an "sps-ctl stop" then "sps-ctl startssl" and now the ProxyUI is working again on port 8080. I've configured SSL access on port 8543 and unfortunately get this error when I try to access it:

    Error code: SSL_ERROR_NO_CYPHER_OVERLAP

    I'll do some more research on that before I raise it as a separate topic.

    ------------------------------
    Sr. Services Consultant
    HCL Technologies
    ------------------------------



  • 9.  RE: Can't login to the proxy ui

    Posted May 14, 2020 04:53 PM
    Hi Anwar,
    Did you end up getting this resolved? I had the exact same issue and have been troubleshooting for a whole week now. I even opened a case with Broadcom support, but they are of no help at all on this. Finally I came across this community thread and found a response from @Rich_Faust that mentioned the "UseSecureCookies" ACO parameter. This was the root cause. By default this parameter is disabled, but when I created the ACO for the access gateway, I chose "Create new ACO from existing ACO" and I chose one of the existing ACOs that has "UseSecureCookies" enabled.

    The problem is that the access gateway admin UI is listening on HTTP port 8080, which is NOT HTTPS, but the ACO parameter requires that the connection is over HTTPS. It would be nice if Broadcom would add some better logging for this event so others could find the problem more easily next time. Anyway, I simply disabled that ACO parameter and now I am able to log in to the AG admin UI.
    The problem is that the access gateway admin UI is listening on HTTP port 8080 which is NOT HTTPS, but the ACO parameter requires that the connection is over HTTPS.  It would be nice if Broadcom would add some better logging for this event so others could find the problem easier next time.​  Anyway, I simply disabled that ACO parameter and now I am able to login to the AG admin UI.