Monday, May 5, 2014

OpenAM Policy Agent 3.3.0 - Extended URL validation


In the latest release of OpenAM Policy Agent 3.3.0, some behaviours have been changed - see Important Changes to Web Policy Agent Functionality.



One of these changes is how Naming URL validation works.

Naming URL validation was introduced after release 3.0.4. The initial implementation of naming URL validation for web policy agents enabled validation by default. Naming URL validation is now fully disabled by default. You can adjust this setting with the bootstrap configuration property com.forgerock.agents.ext.url.validation.level.


# Extended URL validation
#
# - level:              0 - extended URL validation;
#                       1 - simple URL validation;
#                       2 - (default) validation disabled.

com.forgerock.agents.ext.url.validation.level = 2



The default value from Policy Agent 3.3.0 onwards is 2, which means validation is disabled. Is this good? Well, it's debatable.


Below is what is shown when the Policy Agent starts up:


2014-04-30 10:20:57.887       -1 12817:d7b0450 all: =======================================
2014-04-30 10:20:57.887       -1 12817:d7b0450 all: Version: 3.3.0
2014-04-30 10:20:57.887       -1 12817:d7b0450 all: 
2014-04-30 10:20:57.887       -1 12817:d7b0450 all: Build Date: Nov  8 2013 21:58:51
2014-04-30 10:20:57.887       -1 12817:d7b0450 all: Build Machine: constable.internal.forgerock.com
2014-04-30 10:20:57.887       -1 12817:d7b0450 all: =======================================
2014-04-30 10:20:58.072       -1 12817:d7b0450 all: naming_validator(): validation disabled


Personally, I do not like it, especially if this is a new agent installation.

If com.forgerock.agents.ext.url.validation.level is set to 1, simple URL validation is enabled. The logs show more information.


2014-04-30 10:57:32.869       -1 26488:151d5470 all: =======================================
2014-04-30 10:57:32.869       -1 26488:151d5470 all: Version: 3.3.0
2014-04-30 10:57:32.869       -1 26488:151d5470 all: 
2014-04-30 10:57:32.869       -1 26488:151d5470 all: Build Date: Nov  8 2013 21:58:51
2014-04-30 10:57:32.869       -1 26488:151d5470 all: Build Machine: constable.internal.forgerock.com
2014-04-30 10:57:32.869       -1 26488:151d5470 all: =======================================
2014-04-30 10:57:32.883       -1 26488:151ee220 all: naming_validator(): failed to read current index value, defaulting to https://xxo-uat.true.th:11443/openam/namingservice
2014-04-30 10:57:32.884       -1 26488:151ee220 all: naming_validator(): still staying with https://www-uat.xxx.com:11443/openam/namingservice
2014-04-30 10:57:33.935       -1 26488:151ee8c0 all: url_validator(0): https://www-uat.xxx.com:11443/openam/namingservice validation succeeded




But that's still not enough to verify whether the agent has been installed correctly. If the agent profile name and/or password are set up wrongly, you'll still get url_validator(0): https://www-uat.xxx.com:11443/openam/namingservice validation succeeded.

If you set com.forgerock.agents.ext.url.validation.level to 0, extended URL validation is enabled. The logs display even more information.


2014-04-30 10:58:41.831       -1 26617:1a923420 all: =======================================
2014-04-30 10:58:41.831       -1 26617:1a923420 all: Version: 3.3.0
2014-04-30 10:58:41.831       -1 26617:1a923420 all: 
2014-04-30 10:58:41.831       -1 26617:1a923420 all: Build Date: Nov  8 2013 21:58:51
2014-04-30 10:58:41.831       -1 26617:1a923420 all: Build Machine: constable.internal.forgerock.com
2014-04-30 10:58:41.831       -1 26617:1a923420 all: =======================================
2014-04-30 10:58:41.846       -1 26617:1a93c210 all: naming_validator(): failed to read current index value, defaulting to https://www-uat.xxx.com:11443/openam/namingservice
2014-04-30 10:58:41.846       -1 26617:1a93c210 all: naming_validator(): still staying with https://www-uat.xxx.com:11443/openam/namingservice
2014-04-30 10:58:43.015       -1 26617:1a93cae0 all: NamingValidateHttpLogin() response:



2014-04-30 10:58:43.015       -1 26617:1a93cae0 all: url_validator(0): https://www-uat.xxx.com:11443/openam/namingservice validation failed with OpenAM authentication service failure (3), http status (200)


Once the agent is verified to be installed correctly, switch com.forgerock.agents.ext.url.validation.level back to 2 and we are ready to go!
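As an added example (not part of the original post and not the agent's own code), the Python script below reads the three kinds of start-up output shown above and reports which validation level the agent appears to be running at and whether the install was actually verified. It relies only on the message shapes quoted in this post: the "validation disabled" line, the NamingValidateHttpLogin() line, and the url_validator() line. The inference that a NamingValidateHttpLogin() line means level 0 is an assumption drawn from the three captures above, and the level-0 success capture (LEVEL0_OK_LOG) is constructed, since the post only shows the failure case.

```python
"""Classify OpenAM web policy agent start-up debug output by URL validation outcome.

Added example, not ForgeRock code. It relies only on the message shapes quoted in
the post: "naming_validator(): validation disabled", "NamingValidateHttpLogin()
response:" and "url_validator(N): <url> validation succeeded|failed ...".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Debug line layout seen in the post: timestamp, "-1", pid:thread, "all:", message.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\s+-?\d+\s+\d+:[0-9a-f]+\s+all:\s?(?P<msg>.*)$"
)
URL_VALIDATOR_RE = re.compile(
    r"^url_validator\((?P<idx>\d+)\):\s+(?P<url>\S+)\s+validation\s+"
    r"(?P<outcome>succeeded|failed)\s*(?P<detail>.*)$"
)
DISABLED_MSG = "naming_validator(): validation disabled"


@dataclass
class ValidationReport:
    level: Optional[int]     # inferred com.forgerock.agents.ext.url.validation.level
    naming_url: Optional[str]
    outcome: str             # "disabled", "succeeded", "failed" or "unknown"
    detail: str
    install_verified: bool   # True only for a level-0 (extended) success
    advice: str


def messages(log_text: str) -> List[str]:
    """Strip the timestamp/pid prefix and return the bare agent messages."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.group("msg").strip())
    return out


def classify(log_text: str) -> ValidationReport:
    msgs = messages(log_text)
    disabled = DISABLED_MSG in msgs
    # Assumption drawn from the three captures in the post: only extended
    # validation (level 0) logs the NamingValidateHttpLogin() round trip.
    did_login = any(m.startswith("NamingValidateHttpLogin()") for m in msgs)
    result = None
    for m in msgs:
        v = URL_VALIDATOR_RE.match(m)
        if v:
            result = v  # keep the last url_validator() line seen
    if disabled:
        return ValidationReport(2, None, "disabled", "", False,
                                "Nothing was checked; set the level to 0 once to verify a new install.")
    if result is None:
        return ValidationReport(None, None, "unknown", "", False,
                                "No url_validator() line; the agent may not have reached the naming service.")
    level = 0 if did_login else 1
    url, outcome = result.group("url"), result.group("outcome")
    detail = result.group("detail").strip()
    if outcome == "failed":
        return ValidationReport(level, url, "failed", detail, False,
                                "Validation failed; check the agent profile name and password in OpenAM.")
    if level == 1:
        return ValidationReport(level, url, "succeeded", detail, False,
                                "Naming URL is reachable, but the agent credentials were not exercised.")
    return ValidationReport(level, url, "succeeded", detail, True,
                            "Extended validation passed; the level can go back to 2.")


# Sample input: three excerpts copied from the post, plus one constructed
# level-0 success capture (LEVEL0_OK_LOG) that the post does not show.
LEVEL2_LOG = """\
2014-04-30 10:20:57.887       -1 12817:d7b0450 all: Version: 3.3.0
2014-04-30 10:20:58.072       -1 12817:d7b0450 all: naming_validator(): validation disabled
"""
LEVEL1_LOG = """\
2014-04-30 10:57:32.884       -1 26488:151ee220 all: naming_validator(): still staying with https://www-uat.xxx.com:11443/openam/namingservice
2014-04-30 10:57:33.935       -1 26488:151ee8c0 all: url_validator(0): https://www-uat.xxx.com:11443/openam/namingservice validation succeeded
"""
LEVEL0_FAIL_LOG = """\
2014-04-30 10:58:43.015       -1 26617:1a93cae0 all: NamingValidateHttpLogin() response:
2014-04-30 10:58:43.015       -1 26617:1a93cae0 all: url_validator(0): https://www-uat.xxx.com:11443/openam/namingservice validation failed with OpenAM authentication service failure (3), http status (200)
"""
LEVEL0_OK_LOG = """\
2014-04-30 11:02:10.101       -1 26700:1a93cae0 all: NamingValidateHttpLogin() response:
2014-04-30 11:02:10.102       -1 26700:1a93cae0 all: url_validator(0): https://www-uat.xxx.com:11443/openam/namingservice validation succeeded
"""

if __name__ == "__main__":
    for name, log in [("level 2", LEVEL2_LOG), ("level 1", LEVEL1_LOG),
                      ("level 0 bad creds", LEVEL0_FAIL_LOG), ("level 0 ok", LEVEL0_OK_LOG)]:
        r = classify(log)
        print(f"{name}: level={r.level} outcome={r.outcome} verified={r.install_verified} -> {r.advice}")
```

The point encoded in classify() is the one the post makes: a level-1 "validation succeeded" only tells you the naming URL answered, so install_verified stays False unless the extended (level-0) login round trip reported success.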


