Redirect loop between OpenAM and JEE Policy Agent 3.5.0 causes high session numbers and poor performance
The purpose of this article is to provide assistance if you get a redirect loop between OpenAM and JEE Policy Agent 3.5.0 that causes high session numbers, poor performance and potentially Out of Memory exceptions. The associated error is "Application token passed in, is invalid.token error".
1 reader recommends this article
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The following error is shown multiple times in the amAgent debug log, where the same token is being passed in each time:
Session.processSessionResponseException: exception received from server:Application token passed in, is invalid.token:AQIC5...QACMDM.* amSession:05/10/2016 05:19:52:021 PM CST: Thread[catalina-exec-6,5,main] Session.processSessionResponseException: AppTokenInvalid = TRUE amSession:05/10/2016 05:19:52:021 PM CST: Thread[catalina-exec-6,5,main] Session.processSessionResponseException: Destorying AppToken amSecurity:05/10/2016 05:19:52:021 PM CST: Thread[catalina-exec-6,5,main] AdminTokenAction:invalid called amSession:05/10/2016 05:19:52:021 PM CST: Thread[catalina-exec-6,5,main] WARNING: Session.processSessionResponseException processSessionResponseException: server responded with app token invalid error,refetching the app sso token amSecurity:05/10/2016 05:19:52:021 PM CST: Thread[catalina-exec-6,5,main] AdminTokenAction::run Unable to get SSOToken from serverconfig.xmlSession numbers keep increasing as sessions do not expire, which can cause poor performance and potentially Out of Memory exceptions. Eventually, this may result in an outage of the OpenAM server.
Recent Changes
Upgraded to, or installed the JEE policy agent 3.5.0.
Causes
The policy agent receives an invalid application token from OpenAM and authenticates again to refresh it. However, the policy agent keeps using the invalid token rather than replacing it with a new application token and keeps trying to refresh it, which causes the redirect loop between the policy agent and OpenAM. Meanwhile, the number of sessions keep increasing as this process continues to create new and unused sessions on the server.
Solution
This issue can be resolved by upgrading to JEE policy agent 3.5.1 or later; you can download this version from BackStage.
Note
This issue only applies to the JEE policy agent and can only be resolved by upgrading the JEE policy agent. No changes are required to OpenAM.
See Also
How do I monitor session statistics in AM (All versions)?
Related Training
N/A
Related Issue Tracker IDs
OPENAM-5835 (Redirect loop between OpenAM and J2EE Agent in case of invalid admin token)