Does not apply to Identity Cloud

Some ssoadm commands fail with Service URL not found:session error when module based authentication is disabled in AM (All versions)

Last updated May 10, 2022

The purpose of this article is to provide assistance if you encounter a "Service URL not found:session" error or a "java.lang.NullPointerException" error when running some ssoadm commands in AM. You may also encounter a 401 Unauthorized: Access denied response when running the ssoadm start-recording command. These issues occur when module based authentication is disabled.



Symptoms

When module based authentication is disabled in the top level realm, many ssoadm functions will fail with one of the following errors in response to the ssoadm command:

Service URL not found:session

java.lang.NullPointerException

com.sun.identity.cli.CLIException: Message:New Generic Exception

com.sun.identity.cli.CLIException: java.lang.ArrayIndexOutOfBoundsException: 2

The following response is shown when you run the ssoadm start-recording command:

{"code":401,"reason":"Unauthorized","message":"Access Denied"}

An error similar to the following is shown in the CoreSystem debug log when the ssoadm command fails:

amXMLHandler:12/07/2015 02:52:34:165 PM EST: Thread[WebContainer : 7,5,main] ERROR: Exception during LoginIndex
com.sun.identity.authentication.spi.AuthLoginException: Module Based Authentication is not allowed.
  at com.sun.identity.authentication.service.AMLoginContext.executeLogin(AMLoginContext.java:297)
  at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:544)
  at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:419)
  ...

ssoadm commands that do not include the realm parameter succeed, whereas ones that include the realm parameter, such as the agent-related commands (show-agent, list-agents, create-agent and update-agent), fail.

An error similar to the following is shown in the CoreSystem debug log when the ssoadm command fails:

amJAXRPC:10/03/2021 11:09:36:285 AM UTC: Thread[main,5,main]: TransactionId[unknown] SOAP Client: READ Exception
java.io.IOException: Server returned HTTP response code: 500 for URL: http://host1.example.com:8080/openam/jaxrpc/SMSObjectIF
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1900)
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
  at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
  at com.sun.identity.shared.jaxrpc.SOAPClient.call(SOAPClient.java:247)
  ...

Recent Changes

Disabled module based authentication (sunEnableModuleBasedAuth=false) in the top level realm. Module based authentication can be checked via the console or ssoadm:

  • Console: navigate to: Realms > Top Level Realm / > Authentication > Settings > Security and check if Module Based Authentication is enabled.
  • ssoadm: enter the following command, replacing [adminID] and [passwordfile] with appropriate values, and check the value of the sunEnableModuleBasedAuth property:
    $ ./ssoadm get-attr-defs -s iPlanetAMAuthService -t organization -u [adminID] -f [passwordfile]

Causes

The ssoadm command fails during the authentication process, as successful admin authentication relies on module based authentication being enabled (sunEnableModuleBasedAuth=true) in AM. Admin privileges are needed for some ssoadm commands.

Solution

You can re-enable module based authentication if this is viable. If you do re-enable module based authentication, you can secure your environment by defining policies to have a condition that enforces authentication against a given authentication module/chain. In this scenario, the agent will ensure that the user is authenticated by the configured authentication module/chain; this means it would not be possible to access the application using different authentication mechanisms.

JVM options

Alternatively, this issue can be resolved by setting JVM options to identify which authentication service/module should be used for authenticating as an administrator.

Add the following JVM options to the ssoadm or ssoadm.bat script and set appropriately:

  • org.forgerock.openam.ssoadm.auth.indexType - specify the type of authentication mechanism that should be used for authenticating the administrator in the top level realm; this can be one of the following values:
    • module_instance (this value can only be used if module based authentication is enabled)
    • service
    • user
    • role
    • level
    • composite_advice
    • resource
  • org.forgerock.openam.ssoadm.auth.indexName - enter the name of the actual authentication mechanism that should be used. This must be consistent with the indexType specified. For example, if you set indexType to module_instance, indexName would be the name of the actual authentication module to use, such as LDAP.

If these JVM options are missing, authentication will continue to rely on module based authentication being enabled.

Caution

Do not use module_instance as your indexType if module based authentication is disabled, as ssoadm will still fail. For a default configuration, you can set the following JVM options to provide an alternative authentication mechanism:

  • org.forgerock.openam.ssoadm.auth.indexType=service
  • org.forgerock.openam.ssoadm.auth.indexName=ldapService
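As an added illustration (not ForgeRock's code and not part of the original article), the POSIX shell functions below check an intended indexType/indexName pair against the realm's sunEnableModuleBasedAuth value and print the -D options to add to the ssoadm script, catching the module_instance pitfall from the caution above before the script is edited. The get-attr-defs output it parses is a constructed sample, and the assumption is that the options are passed to the JVM as standard -Dname=value system properties.

```shell
# Added example, not ForgeRock's code: validate the ssoadm JVM options against the
# realm's module based authentication setting before editing ssoadm / ssoadm.bat.

# Constructed sample of "ssoadm get-attr-defs -s iPlanetAMAuthService -t organization"
# output; the exact layout of your own output may differ (assumption).
SAMPLE_ATTR_DEFS='iplanet-am-auth-org-config=ldapService
sunEnableModuleBasedAuth=false
iplanet-am-auth-login-failure-url='

# module_based_auth_enabled ATTR_DEFS_TEXT: prints the sunEnableModuleBasedAuth value.
module_based_auth_enabled() {
    printf '%s\n' "$1" | sed -n 's/^sunEnableModuleBasedAuth=//p' | tr -d '[:space:]'
}

# valid_index_type TYPE: succeeds only for the indexType values listed in the article.
valid_index_type() {
    case "$1" in
        module_instance|service|user|role|level|composite_advice|resource) return 0 ;;
        *) return 1 ;;
    esac
}

# build_ssoadm_jvm_opts TYPE NAME ATTR_DEFS_TEXT: prints the two -D options to add to
# the ssoadm script, or fails when the combination would still break ssoadm.
build_ssoadm_jvm_opts() {
    itype="$1"; iname="$2"; attrs="$3"
    valid_index_type "$itype" || { echo "unsupported indexType: $itype" >&2; return 1; }
    [ -n "$iname" ] || { echo "indexName must not be empty" >&2; return 1; }
    # module_instance only works while module based authentication is enabled.
    if [ "$itype" = module_instance ] && [ "$(module_based_auth_enabled "$attrs")" != true ]; then
        echo "indexType=module_instance requires sunEnableModuleBasedAuth=true" >&2
        return 1
    fi
    printf '%s %s\n' \
        "-Dorg.forgerock.openam.ssoadm.auth.indexType=$itype" \
        "-Dorg.forgerock.openam.ssoadm.auth.indexName=$iname"
}

# Default-configuration choice from the caution above: service / ldapService.
build_ssoadm_jvm_opts service ldapService "$SAMPLE_ATTR_DEFS"
```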

See Also

Core Authentication Attributes (Security)

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks

Copyright © 2022 ForgeRock, all rights reserved.