IBM Support

Proxy instances using SPNEGO fail to start after upgrade to ISAM 9.0.3.0 Firmware Version

Troubleshooting


Problem

After upgrading to ISAM 9.0.3.0 firmware, existing Web Reverse Proxy instances fail to start or restart even though no configuration changes were made.

Symptom

The Web Reverse Proxy message log will contain the following messages:


HPDST0130E The security service function gss_acquire_cred returned the error 'Unspecified GSS failure. Minor code may provide more information' (code 0x000d0000/851968).
HPDST0130E The security service function gss_acquire_cred returned the error 'Cannot create replay cache: No such file or directory' (code 0x96c73aab/-1765328213).
HPDIA0100E An internal error has occurred.
HPDIA0100E An internal error has occurred.

Cause

Security updates to the underlying Kerberos implementation now attempt to initialize the Replay Cache when the proxy instance starts. The default directories used by the Kerberos implementation are not writable by the Proxy instance, so startup fails.

Environment

ISAM 9.0.3.0 Reverse Proxy with 'SPNEGO' authentication enabled (Windows Desktop SSO)

Diagnosing The Problem

Navigate to:

Secure Web Settings -> Manage -> Reverse Proxy -> {instance} -> Manage -> Logging

Select the 'msg__webseald-<instance>.log' file.

Review the latest log entries for the messages listed under Symptom.

Resolving The Problem

A fix for this issue (APAR IV98177) has been delivered in 9.0.3.0-ISS-ISAM-IF0002 but it only prevents the problem for newly created reverse proxy instances at 9.0.3. The manual workaround is still required for any instances created prior to upgrade to 9.0.3.


The following is the manual approach to resolve this issue:

Update the Web Reverse Proxy configuration file with the following system environment variable:

[system-environment-variables]
...
KRB5RCACHEDIR=/var/PolicyDirector/log

This sets the Kerberos Replay Cache directory to a location that is reachable via the Appliance LMI and is not proxy specific.

After implementing this system environment variable, a Proxy restart is required for the variable to take effect.
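
As an added example (not IBM's code), the following Python sketch checks a message log and a reverse proxy configuration file exported from the appliance for the symptom and the workaround described above. It assumes the configuration file uses [stanza] headers, name=value entries and # comments; the function names and the sample configuration are constructed for illustration.

```python
import re

# Symptom from this technote: gss_acquire_cred cannot create the replay cache.
SYMPTOM = re.compile(r"HPDST0130E .*gss_acquire_cred.*Cannot create replay cache")
STANZA = "system-environment-variables"
KEY = "KRB5RCACHEDIR"

def log_has_symptom(log_text):
    """True if any line of the message log shows the replay cache failure."""
    return any(SYMPTOM.search(line) for line in log_text.splitlines())

def rcache_dir(conf_text):
    """Return the KRB5RCACHEDIR value set under [system-environment-variables], or None."""
    current, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments (assumed comment syntax)
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # entering a new stanza
            continue
        name, sep, val = line.partition("=")
        if current == STANZA and sep and name.strip() == KEY:
            value = val.strip()  # this sketch keeps the last value seen
    return value

def diagnose(log_text, conf_text):
    """Classify an instance from its exported log and configuration file."""
    configured = rcache_dir(conf_text)
    if configured:
        return f"workaround present ({KEY}={configured}); restart the proxy if not yet done"
    if log_has_symptom(log_text):
        return f"affected: add {KEY} under [{STANZA}] and restart the proxy"
    return "no symptom in log and no workaround configured"

# Constructed sample inputs; the log lines are copied from the Symptom section.
SAMPLE_LOG = (
    "HPDST0130E The security service function gss_acquire_cred returned the error 'Unspecified GSS failure. Minor code may provide more information' (code 0x000d0000/851968).\n"
    "HPDST0130E The security service function gss_acquire_cred returned the error 'Cannot create replay cache: No such file or directory' (code 0x96c73aab/-1765328213).\n"
    "HPDIA0100E An internal error has occurred.\n"
)
SAMPLE_CONF_BEFORE = "[server]\nhttps = yes\n\n[system-environment-variables]\n# none set\n"
SAMPLE_CONF_AFTER = SAMPLE_CONF_BEFORE + "KRB5RCACHEDIR=/var/PolicyDirector/log\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CONF_BEFORE))
    print(diagnose(SAMPLE_LOG, SAMPLE_CONF_AFTER))
```

A variable set in any other stanza, or one that is commented out, is reported as not configured, which matches the requirement that it appear under [system-environment-variables].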



Document Information

Modified date:
16 June 2018

UID

swg22004261