7 Replies Latest reply on Nov 17, 2009 3:46 AM by 807573

    InternalException in amAgent logs causing Error 500 in Apache 2 webserver?

    807573
      Everyday, at random times of the day, there'll be a log entry that says:

      Error 25233:5d8d70 PolicyEngine: am_policy_evaluate: InternalException in Service::do_update_policy with error message:Policy query failed. and code:6

      And there appears to be periodical 500 errors happening, and the times of their occurrences coincides with the above amAgent exception

      agent version: Version: 2.2-01
      apache version: 2.0.54

      Any ideas for possible causes?

      Would appreciate if anyone could shed some light on what's Code:6

      Thanks
        • 1. Re: InternalException in amAgent logs causing Error 500 in Apache 2 webserver?
          807812
          I don't know what the error means.

          Are there corresponding 500 server errors in the web server logs for the Access Manager container?

          What OS is the Apache http server running?
          • 2. Re: InternalException in amAgent logs causing Error 500 in Apache 2 webserv
            807573
            Error code 6 means some policy related processig has failed. You can enable debug on the server and see what you can find in amPolicy debug file.

            http://docs.sun.com/app/docs/doc/820-5816/gaudv?a=view
            • 3. Re: InternalException in amAgent logs causing Error 500 in Apache 2 webserv
              807573
              Hi all,

              we have the same problem.

              Did you resolve it?

              In our environment the problem occurs only when there is a certain number of concurrent users (10 or plus) and sporadically (depends on the traffic - every 5 minutes). When occurs the browser returns internal Server Error.


              We have the following scenario:

              LVS Load Balancer
              Apache 2.0.63
              Sun Policy Agent v 2.2.01 per Apache 2.0.54

              LVS Load Balancer
              Sun Web Server 7.0u3
              Sun Access Manager 7.1
              Sun Directory Server 6.3



              The logs are:

              access.log on Apache web Server
              "GET /Applicazione/dir1/file1?action_name=xyz HTTP/1.1" 500 695
              amAgent on Policy Agent - Apache web Server
              Error 17774:87e2c20 ThreadPool: ThreadPool::~ThreadPool(): Active thread count is not zero.
              Error 17579:9adbc20 PolicyEngine: am_policy_evaluate: InternalException in Service::do_update_policy with error message:Policy query failed. and code:6 
              amAutentication.error on AMServer "Login Timed Out." LDAP AUTHENTICATION-207 dc=xyz,dc=xyz,dc=xyz "Not Available" INFO "Not Available" xxx.xxx.xxx.xxx "cn=dsameuser,ou=DSAME Users,dc=xyz,dc=xyz,dc=xyz" firewall.<dominio>

              amPolicy.access on AMServer "index|dc=xyz,dc=xyz,dc=xyz|iPlanetAMWebAgentService|https://xxx.xxxx.xxxx-xxxx.xx:443|[GET, POST]|POST=[allow]\\nGET=[allow]\\n" amPolicy.access POLICY-1 "Not Available" f0c5fc9c266c9e702 INFO "Not Available" xxx.xxx.xxx.xxx "cn=dsameuser,ou=DSAME Users,dc=xyz,dc=xyz,dc=xyz" firewall.<dominio>

              debug/amPolicy on AMServer
              ERROR: PolicyRequestHandler: Evaluation error
              com.iplanet.sso.SSOException: Session state is invalid.
                      at com.iplanet.sso.providers.dpro.SSOTokenImpl.addSSOTokenListener(SSOTokenImpl.java:405)
                      at com.sun.identity.policy.plugins.AMIdentitySubject.isMember(AMIdentitySubject.java:447)
                      at com.sun.identity.policy.Subjects.isMember(Subjects.java:622)
                      at com.sun.identity.policy.Policy.getPolicyDecisionSRC(Policy.java:1960)
                      at com.sun.identity.policy.Policy.getPolicyDecision(Policy.java:1549)
                      at com.sun.identity.policy.PolicyEvaluator.getPolicyDecision(PolicyEvaluator.java:596)
                      at com.sun.identity.policy.PolicyEvaluator.getPolicyDecision(PolicyEvaluator.java:529)
                      (...)
              debug/amSession on AMServer
              ERROR: SessionRequestHandler encounterd exception
              com.iplanet.sso.SSOException: AQIC5wM2LY4SfcwmGdPXuFXAbqKO6vDYo6/KrBHC+0UfOm4=@AAJTSQACMTAAAlMxAAIwMg==# Invalid session ID.AQIC5wM2LY4SfcwmGdPXuFXAbqKO6vDYo6/KrBHC+0UfOm4=@AAJTSQACMTAAAlMxAAIwMg==#
                      at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:178)
                      at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:305)
                      at com.sun.identity.session.util.RestrictedTokenContext.unmarshal(RestrictedTokenContext.java:125)
                      at com.iplanet.dpro.session.service.SessionRequestHandler.processRequest(SessionRequestHandler.java:140)
                                  (...)
              Do you have any suggestions?


              Thanks.
              • 4. Re: InternalException in amAgent logs causing Error 500 in Apache 2 webserv
                807573
                Hi all,

                i would like to inform you that this problem occurs only if either (we have 2 instances behind load balancer) Access Manager are up and working.      
                We tried to shut down the second instance of Access Manager and the sistem works fine, without error.

                -z-
                • 5. Re: InternalException in amAgent logs causing Error 500 in Apache 2 webserv
                  807573
                  Has anyone found out how to fix this? I am receiving the exact same error and problems described.

                  Is it time to open a support case?
                  • 6. Re: InternalException in amAgent logs causing Error 500 in Apache 2 webserv
                    807573
                    Hi,

                    I came across the same problem. It could be due to policy conflict.
                    Have a look at the agent debug logs?

                    I hardly remember this error is fixed in Agent 2.2.01. Error code 6 deals with NSS/NSPR.
                    Best way is to have a look at the debug log and update to latest agent and see if the error remains.

                    Regards,
                    • 7. Re: InternalException in amAgent logs causing Error 500 in Apache 2 webserv
                      807573
                      After looking at the access logs again, I noticed a trend during when the errors occurred.

                      In the access log, the time on the line with http 500 error is 1 or 2 seconds earlier than the previous line on the log.

                      My servers are using NTP to synchronize the clocks.

                      Will the access manager get an exception if the NTP adjusts the web server's clock by a second?
                      Or it's just a coincidence that the errors occured when the NTP adjusted the clock?