8 Replies Latest reply: May 3, 2012 6:45 AM by OldGuy

    OAM default SSO Login screen seems to have vanished

    OldGuy
      With OAM 11g, DB 11.2.0.1, RHEL5.6, and WLS 10.3.5 installed we have come across a strange set of events. When the OAM server is running and we access the OAM Console, WLS Console, or the Enterprise Manager console we have become accustomed to the default OAM SSO Login screen displaying.

      We are not sure why, but in the last week or so the SSO login screen does not appear. The default IAMSuiteAgent -- created by the OAM installation -- appears to be intact and enabled, but no SSO Login. The screens display normally with their own specific logins. We made sure that all the cookies were removed, we have restarted the processes, and even rebooted the hosts... without success.

      This may seem like a small issue, but it appears to be manifesting itself with the protected resources we are accessing. The webgates are installed -- as we have successfully on other machines where everything works -- but the default SSO login will not display. No error... no message... just a blank page.

      Any help or direction would be appreciated...

      Thanks...
        • 1. Re: OAM default SSO Login screen seems to have vanished
          ColinPurdon-Oracle
          Hello OldGuy,

          An HTTP Header trace should at least show the last GET or POST that produces the blank page, and it may be worth looking at the server's oam_server1-diagnostic.log file for any interesting messages. Also, I suggest using the Access Tester to ensure that the afflicted urls really are protected by a login form scheme. Sorry can't suggest any more, I haven't heard of that happening before.

          Regards,
          Colin
          • 2. Re: OAM default SSO Login screen seems to have vanished
            OldGuy
            The diagnostic log had little in the way of "interesting" comments except for the Mismatch comment. Not sure what is mismatched but this set of entries repeats. It does appear to at least acknowledge the existence of IAMSuiteAgent. We will check the Access Tester to see what output it generates...


            [2012-05-01T06:41:51.974-04:00] [WLS_OAM1] [NOTIFICATION] [OAM-04007] [oracle.oam.proxy.oam] [tid: NioProcessor-1] [userId: <anonymous>] [ecid: 0000JS67zc_DGfWFLznJ8A1FboCx00000D,0] [APP: oam_server] Message received from client. Message OpCode = 14 [NAPAuthnChallengeReq], SeqNo = 0 Message = cm=*IAMSuiteAgent* challenge=c22e889a538d258f of=1, Host : 127.0.0.1 Port : 46,049.
            [2012-05-01T06:41:51.975-04:00] [WLS_OAM1] [NOTIFICATION] [OAM-04008] [oracle.oam.proxy.oam] [tid: NioProcessor-1] [userId: <anonymous>] [ecid: 0000JS67zc_DGfWFLznJ8A1FboCx00000D,0] [APP: oam_server] Message sent to client. Message OpCode = 14 [NAPAuthnChallengeReq], SeqNo = 0 Message = cm=AccessServerConfigProxy challenge=b747b750d8041b6f st=ma%3d25%20mi%3d2%20sg%3d1%20sm%3d rt=1, Host : 127.0.0.1 Port : 46,049.
            [2012-05-01T06:41:52.016-04:00] [WLS_OAM1] [NOTIFICATION] [OAM-04007] [oracle.oam.proxy.oam] [tid: NioProcessor-1] [userId: <anonymous>] [ecid: 0000JS67zc_DGfWFLznJ8A1FboCx00000D,0] [APP: oam_server] Message received from client. Message OpCode = 15 [NAPAuthnChallengeResponse], SeqNo = 0 Message = response=e3862010c32e10c6317347e60789245e, Host : 127.0.0.1 Port : 46,049.
            *[2012-05-01T06:41:52.017-04:00] [WLS_OAM1] [ERROR] [] [NAPLogger] [tid: NioProcessor-1] [userId: <anonymous>] [ecid: 0000JS67zc_DGfWFLznJ8A1FboCx00000D,0] [APP: oam_server] Mismatch should_be: 382e9e612d9abf40f67cd3322e90dd73 Mismatch response: e3862010c32e10c6317347e60789245e*
            [2012-05-01T06:41:52.018-04:00] [WLS_OAM1] [NOTIFICATION] [OAM-04008] [oracle.oam.proxy.oam] [tid: NioProcessor-1] [userId: <anonymous>] [ecid: 0000JS67zc_DGfWFLznJ8A1FboCx00000D,0] [APP: oam_server] Message sent to client. Message OpCode = 15 [NAPAuthnChallengeResponse], SeqNo = 0 Message = st=ma%3d52%20mi%3d2%20sg%3d1%20sm%3d rt=0, Host : 127.0.0.1 Port : 46,049.
            • 3. Re: OAM default SSO Login screen seems to have vanished
              ColinPurdon-Oracle
              The mismatch message means that one (or more) agents (WebGates) are not correctly communicating with the OAM server, probably the artifacts need to be re-copied from the server's output directory to the local WebGate files. It could be any agent.

              Regards,
              Colin
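Added example, not part of the original thread and not Oracle code: a small parser that attributes each NAP challenge-response "Mismatch" error to the agent named in the `cm=` field of the NAPAuthnChallengeReq carrying the same ecid. It assumes the handshake shares one ecid, as in the lines quoted above; the sample log, ecids, agent names and hex values are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the oam_server1-diagnostic.log lines quoted in
# this thread. ecids, agent names and hex values are made up for illustration.
PFX = "[WLS_OAM1] [{lvl}] [{code}] [{mod}] [tid: NioProcessor-1] [userId: <anonymous>] [ecid: {ecid},0] [APP: oam_server] "
REQ = PFX + "Message received from client. Message OpCode = 14 [NAPAuthnChallengeReq], SeqNo = 0 Message = cm={agent} challenge=0001 of=1, Host : 127.0.0.1 Port : 46,049."
SENT = PFX + "Message sent to client. Message OpCode = 14 [NAPAuthnChallengeReq], SeqNo = 0 Message = cm=AccessServerConfigProxy challenge=0002 rt=1, Host : 127.0.0.1 Port : 46,049."
ERR = PFX + "Mismatch should_be: aaaa Mismatch response: bbbb"

def _line(tmpl, ts, ecid, agent="", lvl="NOTIFICATION", code="OAM-04007", mod="oracle.oam.proxy.oam"):
    return f"[{ts}] " + tmpl.format(lvl=lvl, code=code, mod=mod, ecid=ecid, agent=agent)

SAMPLE_LOG = "\n".join([
    _line(REQ, "2012-05-01T06:41:51.974-04:00", "ECID-A", "ExampleAgentA"),
    _line(SENT, "2012-05-01T06:41:51.975-04:00", "ECID-A", code="OAM-04008"),
    _line(ERR, "2012-05-01T06:41:52.017-04:00", "ECID-A", lvl="ERROR", code="", mod="NAPLogger"),
    _line(REQ, "2012-05-01T06:42:10.100-04:00", "ECID-B", "ExampleAgentB"),
    _line(SENT, "2012-05-01T06:42:10.101-04:00", "ECID-B", code="OAM-04008"),
    _line(REQ, "2012-05-01T06:43:00.000-04:00", "ECID-C", "ExampleAgentA"),
    _line(ERR, "2012-05-01T06:43:00.050-04:00", "ECID-C", lvl="ERROR", code="", mod="NAPLogger"),
])

ECID = re.compile(r"\[ecid: ([^\],]+)")
LEVEL = re.compile(r"^\*?\[[^\]]+\] \[[^\]]*\] \[([A-Z]+)\]")
# Only the client's request names the agent; the server's reply carries its own cm=.
# Optional '*' tolerates forum bold markers pasted around the agent name.
AGENT = re.compile(r"Message received from client\..*\[NAPAuthnChallengeReq\].*?cm=\*?([^\s*]+)")
MISMATCH = re.compile(r"Mismatch should_be: \S+ Mismatch response: \S+")

def find_mismatched_agents(log_text):
    """Return {agent_name: mismatch_count}, correlating lines by ecid."""
    agent_by_ecid, failures = {}, defaultdict(int)
    for raw in log_text.splitlines():
        line = raw.strip()
        ecid_m = ECID.search(line)
        if not ecid_m:
            continue
        agent_m = AGENT.search(line)
        if agent_m:
            agent_by_ecid[ecid_m.group(1)] = agent_m.group(1)
            continue
        level_m = LEVEL.match(line)
        if level_m and level_m.group(1) == "ERROR" and MISMATCH.search(line):
            failures[agent_by_ecid.get(ecid_m.group(1), "<unknown agent>")] += 1
    return dict(failures)

if __name__ == "__main__":
    print(find_mismatched_agents(SAMPLE_LOG))
```
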
              • 4. Re: OAM default SSO Login screen seems to have vanished
                OldGuy
                What's interesting about this is that we are also dealing with the IAMSuiteAgent... it gets created when we install the Suite. It has not changed. But in the last week or so, it no longer seems to want to protect the OAM Console, WLS Console, or EM. We have compared it to other hosts that are working properly and everything "seems" to be in order... Just very weird.

                Along with that, when we try to access the OAM console... the login screen (no errors displayed) just loops...
                • 5. Re: OAM default SSO Login screen seems to have vanished
                  ColinPurdon-Oracle
                  An HTTP Header trace may help for these problems. For the looping login page for the oamconsole, is it the same page (/oam/server/obrareq.cgi?etcetc) that always appears, or does it go to the weblogic server login screen after the first OAM login page?
                  • 6. Re: OAM default SSO Login screen seems to have vanished
                    OldGuy
                    The looping page is actually the default OAM console login not the SSO Login -- as if the OAM Server is not running.
                    • 7. Re: OAM default SSO Login screen seems to have vanished
                      ColinPurdon-Oracle
                      You could try entering the WebLogic credentials at that point to see if it lets you in (i.e. the creds to get into the WLS /console) - I've seen it happen that the authentication providers in the WebLogic security realm are set so that the default authenticator is REQUIRED, when it (and the OAM provider) should be SUFFICIENT. Also, see if the users whose creds you are entering are locked in OIM (obviously only a relevant question if you have integrated OAM with OIM), and can bind to LDAP (e.g. with command-line ldapbind) without returning any errors or warnings. Possibly the AdminServer.log or AdminServer-diagnostic.log may have more clues if the above doesn't help.

                      Regards,
                      Colin
                      • 8. Re: OAM default SSO Login screen seems to have vanished
                        OldGuy
                        Thank you for all the responses... we determined that somehow we messed up the credentials within Firefox. Basically, we had to remove the Server certificates and re-establish them. Once that was done the SSO Login came back.