Web Policy Agent 3.3.3 fails to connect to OpenAM if HTTP server starts first

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if the Web Policy Agent 3.3.3 fails to connect to OpenAM if the HTTP server of the protected resource (for example, Apache™ HTTP server) is started before OpenAM server.

2 readers recommend this article

Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following error is shown in the browser when attempting to access the policy agent protected resource:

Error 403 Access Denied/Forbidden

An error similar to the following is shown in the agent debug log:

2015-04-10 11:43:21.190 Error 8103:7fb1740010d0 all: fetchAndUpdateAgentConfigCache():There is an error while fetching attributes by user agentUser, using REST service. Status: REST attributes service encountered an error

You may see an error similar to this one in the agent debug log in the context of the NamingService:

2015-04-10 11:43:21.190 Error 8372:1405c00 NamingService: BaseService::doRequest() caught NSPRException: PR_Connect called by Connection::Connection PR_Connect returned PR_CONNECT_RESET_ERROR 2015-04-10 11:43:21.191 Error 8372:1405c00 NamingService: BaseService::doRequest() Invoking markSeverDown 2015-04-10 11:43:21.191 Error 8372:1405c00 Agent Profile Service: isRESTServiceAvailable(): An error occured while doing naming request. NSPR error 2015-04-10 11:43:21.191 Error 8372:1405c00 all: agent_worker_init() am_agent_init failed 2015-04-10 11:45:42.598 Error 8373:7f6c38013070 Agent Profile Service: Error in rest url :'' 2015-04-10 11:45:42.599 Error 8373:7f6c38013070 all: fetchAndUpdateAgentConfigCache():There is an error while fetching attributes by user agentUser, using REST service. Status: REST attributes service encountered an error

Or an error similar to this one in the agent debug log in the context of the AuthService:

2015-04-10 11:43:21.190 Error 9642:483ffd0 AuthService: BaseService::doRequest() caught NSPRException: PR_Connect called by Connection::Connection PR_Connect returned PR_CONNECT_RESET_ERROR 2015-04-10 11:43:21.190 Error 9642:483ffd0 AuthService: BaseService::doRequest() Invoking markSeverDown 2015-04-10 11:43:21.190 Error 9642:483ffd0 all: agent_worker_init() am_agent_init failed 2015-04-10 11:49:52.815 Error 9642:483ffd0 all: fetchAndUpdateAgentConfigCache():There is an error while fetching attributes by user agentUser, using REST service. Status: REST attributes service encountered an error

Recent Changes

Upgraded to Web Policy Agent 3.3.3.

Restarted servers, so that the HTTP server started before the OpenAM server.

Causes

OpenAM is not fully initialized when the web policy agent starts and attempts to connect; the policy agent only makes three attempts to connect. If OpenAM is not available in this time, the connection fails.

Solution

This issue can be resolved by upgrading to Web Policy Agent 3.3.4 or later; you can download this from BackStage.

Note

Do not extract the new policy agent files over the old installation. You must perform a full uninstall of the existing policy agent, followed by a clean install of Web Policy Agent 3.3.4 or later (as documented in OpenAM Web Policy Agent Release Notes › Web Policy Agents 3.3.4 › Upgrading & Installing Web Policy Agents). This ensures the new bootstrap properties appear in the OpenSSOAgentBootstrap.properties file.

The following new bootstrap properties have been introduced in this release, which need setting appropriately:

com.forgerock.agents.init.retry.max - this is the maximum number of consecutive agent initialization retries. The default value is 0 (not set).
com.forgerock.agents.init.retry.wait - this is the wait time (in seconds) between retries. The default value is 0 (not set).

You should set these properties in the following file depending on version:

Web policy agents 4.x - agent.conf file located in the /instances/agent_n/config directory where the web policy agent is installed.
Web policy agents 3.3.4 - OpenSSOAgentBootstrap.properties file located in the /config directory where the web policy agent is installed.

For example, if you would like the policy agent (each agent worker process) to keep trying to initialize for one hour with a 5 second wait time between retries, you would set the properties as follows:

com.forgerock.agents.init.retry.max = 720 com.forgerock.agents.init.retry.wait = 5

Related Training

N/A

Related Issue Tracker IDs

OPENAM-4629 (Web policy agent 3.3.3 fails to connect to OpenAM when http starts first, doesn't continuously try to reconnect)

OPENAM-5021 (More flexibility/different logic in the way the Policy Agent tries to reconnect to OpenAM)