Troubleshooting
Problem
After upgrading to ISAM 9.0.3.0 firmware, existing Web Reverse Proxy instances fail to start or restart even though no configuration changes were made.
Symptom
The Web Reverse Proxy message log will contain the following messages:
HPDST0130E The security service function gss_acquire_cred returned the error 'Unspecified GSS failure. Minor code may provide more information' (code 0x000d0000/851968).
HPDST0130E The security service function gss_acquire_cred returned the error 'Cannot create replay cache: No such file or directory' (code 0x96c73aab/-1765328213).
HPDIA0100E An internal error has occurred.
HPDIA0100E An internal error has occurred.
Cause
Security updates to the underlying Kerberos implementation now attempt to initialize the Replay Cache upon starting the proxy instance. The default directories used by the Kerberos implementation are not writable by the Proxy instance, causing a startup issue.
Environment
ISAM 9.0.3.0 Reverse Proxy with 'SPNEGO' authentication enabled (Windows Desktop SSO)
Diagnosing The Problem
Navigate to:
Secure Web Settings -> Manage -> Reverse Proxy -> {instance} -> Manage -> Logging
Select the 'msg__webseald-<instance>.log' file.
Review the latest log entries for the messages specified in the Symptom section.
Resolving The Problem
A fix for this issue (APAR IV98177) has been delivered in 9.0.3.0-ISS-ISAM-IF0002 but it only prevents the problem for newly created reverse proxy instances at 9.0.3. The manual workaround is still required for any instances created prior to upgrade to 9.0.3.
The following is the manual approach to resolve this issue:
Update the Web Reverse Proxy configuration file with the following system environment variable:
[system-environment-variables]
...
KRB5RCACHEDIR=/var/PolicyDirector/log
This will set the Kerberos Replay Cache directory to initialize in a location that is reachable via the Appliance LMI and is not proxy specific.
After implementing this system environment variable, a Proxy restart is required for the variable to take effect.
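A check for the condition described above, added here as an example (it is not IBM's code): it scans a message log for the replay cache error and reads a copy of the instance configuration file to see whether KRB5RCACHEDIR is set under [system-environment-variables]. The function names and the sample configuration text are assumptions, as is treating lines that start with # as comments.

```python
import re

# Error text from the Symptom section that identifies this startup failure.
REPLAY_CACHE_ERROR = re.compile(
    r"HPDST0130E .*gss_acquire_cred.*Cannot create replay cache")

# Constructed samples: the log line is quoted from the Symptom section, the
# configuration fragment (workaround commented out) is made up for this example.
SAMPLE_LOG = (
    "HPDST0130E The security service function gss_acquire_cred returned the error "
    "'Cannot create replay cache: No such file or directory' "
    "(code 0x96c73aab/-1765328213).\n"
    "HPDIA0100E An internal error has occurred.\n")
SAMPLE_CONF = ("[system-environment-variables]\n"
               "# KRB5RCACHEDIR=/var/PolicyDirector/log\n")


def log_shows_replay_cache_failure(log_text):
    """True if any log line carries the replay cache startup error."""
    return any(REPLAY_CACHE_ERROR.search(l) for l in log_text.splitlines())


def stanza_variable(conf_text, stanza="system-environment-variables",
                    name="KRB5RCACHEDIR"):
    """Return the value of name inside [stanza], or None if it is not set."""
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out entries set nothing
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
        elif current == stanza and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == name:
                return value.strip()  # first assignment found is reported
    return None


def assess(log_text, conf_text):
    """Classify an instance from its message log and its configuration file."""
    failing = log_shows_replay_cache_failure(log_text)
    rcache_dir = stanza_variable(conf_text)
    if failing and not rcache_dir:
        return "affected: set KRB5RCACHEDIR, then restart the instance"
    if failing:
        return "workaround set: restart the instance and re-check the log"
    return "replay cache error not present in this log"
```

Calling assess(SAMPLE_LOG, SAMPLE_CONF) reports the instance as affected, because the only KRB5RCACHEDIR line in the sample is commented out.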
Document Information
Modified date:
16 June 2018
UID
swg22004261