Cams policy server logs, the Cams web agent log and dynamic web pages supply
information that can be helpful during system integration and debug. This document
provides a quick reference to the most important logs and the associated codes.
Cams replies to each authentication request with a status of pending, succeeded
or failed. If authentication failed, then a reason is also sent. The status
and reason codes are logged in the security domain's authentication log. These
values are useful in debugging and analyzing authentication requests.
Cams policy server answers to authentication requests are communicated using
the status codes shown in Table 1.
A reason code is returned with each authentication request to provide additional
context. Table 2 shows the possible reason codes.
Cams replies to each access request with a status of pending, granted or denied.
If the response is denied, then a reason is also sent. The status and reason
values are logged in the security domain's access control log. These values
are useful in debugging and analyzing secure resource requests.
Example 1 shows a typical access control log entry. The access control log
format is:
Cams policy server access control request responses are communicated using
the status codes shown in Table 3.
A reason code is returned with each access control response to provide additional
context. Table 2 shows the possible reason codes.
| Code |
Description |
| 0 |
Not applicable (because access was granted). |
| 1 |
General error, probably due to a misconfiguration. |
| 2 |
The remote host IP address is not valid. |
| 3 |
The remote hostname is not valid. |
| 4 |
The agent making the request is not authorized. |
| 5 |
An unknown security domain was referenced. |
| 6 |
An unknown resource type was referenced. |
| 7 |
An invalid resource identifier was specified. |
| 8 |
An unknown resource action was requested on a resource. |
| 9 |
Access was denied unconditionally. |
| 10 |
Authentication is required. |
| 11 |
Authentication is required and a referenced session expired. |
| 12 |
An error occurred while evaluating an access control rule. |
| 13 |
Confidentiality (SSL/TLS connection) is required. |
| 14 |
The session id submitted was invalid. |
| 15 |
The default bias (either granted or denied) was applied because no permission
is protecting the requested resource. |
| 16 |
Authentication is required, but the login configuration for the specified
login config entry could not be found. |
| 17 |
A general transport error occurred. Something within the response was
corrupted. |
| 18 |
Access was granted conditionally. |
| 19 |
Access was granted unconditionally. |
| 20 |
Access was denied conditionally. |
| 21 |
Access was denied because one or more required attributes was missing
from the request. |
| 22 |
Access was denied because the authentication method is insufficient. |
An error code is sent to a Cams web agent to give additional context about
an error that has occurred within a Cams web agent. The error code is displayed
both on the configured Cams error page and in the cams-webagent.log
file. Table 5 shows the error codes in numerical order and classified by:
| Code |
Description |
| 5000 |
Authentication failed
The Cams web agent attempted to authenticate a user but the request failed
due to an unknown error. The Cams web agent trace log and/or a Cams policy
server trace log for the associated security domain should contain additional
information.
|
| 5001 |
Could not find the authentication service
The Cams client does not have a required authentication service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
| 5002 |
Invalid HTTP method for authentication
Cams web agents only support POST requests for authentication requests.
A non-POST HTTP request was received by a Cams web agent for the URI configured
for user authentication.
|
| 5003 |
Query parameter cams_security_domain
is invalid
An authentication request was received by a Cams web agent, but the required
cams_security_domain parameter
is missing, empty or invalid. A dynamic login page that does not correctly
use the Cams cams_security_domain
provided to it by a Cams web agent may be the cause.
NOTE: The login page should receive this value
as a query parameter and store it in a hidden field named cams_security_domain.
When the associated HTML form is posted during authentication, this parameter
will be sent with the authentication request.
|
| 5004 |
Query parameter cams_login_config
is invalid
An authentication request was received by a Cams web agent, but the required
cams_login_config parameter is
missing, empty or invalid. A dynamic login page that does not correctly
use the Cams cams_login_config
provided to it by a Cams web agent may be the cause.
NOTE: The login page should receive this value
as a query parameter and store it in a hidden field named cams_login_config.
When the associated HTML form is posted during authentication, this parameter
will be sent with the authentication request.
|
| 5005 |
The access control rule protecting the Cams login page is invalid
The Cams policy server denied access to the login page because the access
control policy requires authentication. Authentication cannot occur unless
the login page is presented to the user, without authentication. For example,
the following access-control-policy.xml
would cause this error to display:
...
<permission desc="Cams login, error and denied pages" actions="">
<resource-pattern id="*://*:*/cams/*"/>
<acr-ref id="require authentication"/>
</permission>
...
<auth-acr id="cams administrator rule">
<role-constraint>
<role-name>everyone</role-name>
</role-constraint>
</auth-acr>
...
In this case, if the Cams login page URL is:
https://www.myhost.com/cams/login.jsp
the access control policy will deny access unless the user is authenticated.
The Cams web agent will attempt to redirect the user's browser to the
login page, but access will once again be denied by the access control
policy. To avoid infinite redirection, the Cams web agents detects this
case. To fix the problem, either grant access to the Cams login page or
limit access to it using a rule that does not require authentication,
such as an IP address rule.
|
| 5006 |
Could not determine the security domain name
An AUTOLOGIN cookie is being removed because the name value is malformed.
Specifically, it does not contain a security domain name field.
|
| 5007 |
Invalid login parameter value
One or more login parameters are invalid. The cams-webagent.log
for the web server where the error occurred will contain detailed error
information.
|
| 5100 |
Access control failed
The Cams web agent attempted to execute an access control check, but
it failed due to an unknown error. The Cams web agent trace log and/or
a Cams policy server trace log for the associated security domain should
contain additional information.
|
| 5101 |
Could not find the access control service
The Cams client does not have a required access control service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
| 5102 |
Invalid resource request type or action
The Cams web agent made an access control request for an unknown resource
type or action. Cams web agents only make access control
requests for resources of types cams
or http. For resource type cams,
the action must be ACCESS. For resource type
http, the actions can only be GET, POST, PUT,
DELETE, HEAD, OPTIONS, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE,
LOCK, UNLOCK or DEBUG. When HTTP requests
with unrecognized actions are sent to a web server with a Cams web agent,
a 5102 web agent error will result.
|
| 5105 |
Unknown access control response
An unknown access control response status code was received from the Cams
policy server. |
| 5200 |
Session access failed
The Cams web agent's attempt to access an authenticated user's session
failed due to an error in the Cams session access service.
|
| 5201 |
Could not find the session access service
The Cams client does not have a required session-access service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
| 5202 |
General transport error
An error occurred when the Cams web agent attempted to communicate with
the Cams policy server.
|
| 5300 |
Session control failed
The Cams web agent's attempt to logout the user failed due to an error
in the Cams session control service.
|
| 5301 |
Could not find the session control service
The Cams client does not have a required session-control service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
| 5302 |
Could not logout user because session id is invalid
The Cams web agent received a logout request, but no session identifier
was provided. The user may have attempted to logout when not currently
logged in or the logout page did not specify a valid cams_security_domain
query parameter.
|
| 5303 |
Query parameter cams_security_domain
is invalid
The Cams web agent received a cams_security_domain
query parameter value that was invalid, or empty. A misconfigured login
page that either contains a bad hard-coded security domain name or if
a dynamic web page does not properly store the security domain name passed
to it by a Cams web agent may be the cause.
|
| 5304 |
A possible session hijacking attempt occurred: expected hash value does
not match
An session hijacking attempt was detected and thwarted or a possible
Cams web agent misconfiguration resulted in what appeared to be a session
hijacking attempt. If not an actual session hijacking attempt, inconsistent
configuration of session hijacking values for different Cams web agents
may be the cause. Confirm that the following properties have the same
values for all Cams agents:
- cams.session.hijacking.protection.enable
- cams.session.hijacking.protection.algorithm
- cams.session.hijacking.protection.salt
|
| 5305 |
Session hijacking misconfiguration
Session hijacking protection is not enabled for this Cams web agent,
but appears to be enabled for another Cams web agent in the same Cams
cluster. Confirm that the following properties have the same values for
all Cams web agents:
- cams.session.hijacking.protection.enable
- cams.session.hijacking.protection.algorithm
- cams.session.hijacking.protection.salt
|
| 5306 |
Session hijacking misconfiguration
Session hijacking protection is enabled for this Cams web agent agent,
but appears not to be enabled for another Cams web agent in the same Cams
cluster. Confirm that the following properties have the same values for
all Cams web agents:
- cams.session.hijacking.protection.enable
- cams.session.hijacking.protection.algorithm
- cams.session.hijacking.protection.salt
|
| 5400 |
Multiple redirect obligations
The Cams web agent was sent more than one redirect obligation by the
Cams policy server for a single access control response. To avoid situations
where the Cams web agent would need to decide which redirect to send to
the browser, the Cams web agent rejects access control responses that
include more than one obligation redirect. Check the access control policy
to correct the rule that is sending a multiple redirect obligation.
|
| 5401 |
Obligation not supported
The Cams web agent was sent an obligation that is not supported. Check
the release notes to verify the obligation support level for this Cams
web agent.
|
| 5402 |
Missing obligation attribute value
The Cams web agent was sent an HTTP redirect obligation but did not specify
the URL for the redirect.
|
| 5405 |
Internal obligation attribute value handling error
An internal Cams web agent error occurred while attempting to handle
an obligation attribute value. A pointer was NULL when not expected.
|