Login page does not load or ssoadm fails in AM (All versions) running on Apache Tomcat 8.5 or 9
The purpose of this article is to provide assistance if the login page does not load or ssoadm fails in AM running on Apache Tomcat™ 8.5 or 9. The following error is shown when this happens: "An invalid domain [.example.com] was specified for this cookie".
Symptoms
Login page
The browser shows a Loading... message and nothing else; no errors are logged when trying to access the login page in AM.
ssoadm
The following response is shown when ssoadm fails:
Logging configuration class "com.sun.identity.log.s1is.LogConfigReader" failed com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.

The corresponding error is shown in the CoreSystem log when this happens:
ERROR: Exception during LoginIndex
java.lang.IllegalArgumentException: An invalid domain [.example.com] was specified for this cookie
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:183)
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:125)
    at org.apache.catalina.connector.Response.generateCookieString(Response.java:989)
    at org.apache.catalina.connector.Response.addCookie(Response.java:937)
Recent Changes
Upgraded Tomcat to 8.5 or 9.
Installed AM in a new environment that is running Tomcat 8.5 or 9.
Causes
Tomcat 8.5 and later use the Rfc6265CookieProcessor by default, which enforces stricter checking of cookie domain values per RFC 1034 and RFC 6265 before writing the Set-Cookie header. In Tomcat 8.0.x, a leading dot was required for cookie domains, whereas a leading dot is no longer permitted in 8.5 and later, so AM's configured cookie domain (for example, .example.com) is rejected and the session cookie cannot be set.
Solution
This issue can be resolved by correcting your cookie domain name as follows:
1. Revert Tomcat to use the legacy cookie processor in order to get your system back up and running. Add the following line to the context.xml file (you should create this file in the /path/to/tomcat/webapps/openam/META-INF directory if it does not already exist):
   <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
   A default context.xml file exists in the /path/to/tomcat/conf directory; this applies to all web applications, but it is preferable to create separate contexts for individual web applications as needed. See Apache Tomcat 8.5 Configuration Reference - Defining a context for further information on contexts.
2. Modify the cookie domain name to remove the leading dot. You can remove the leading dot from your cookie domain name (for example, example.com rather than .example.com) using either the console or ssoadm:
   - Console: navigate to: Configure > Global Services > Platform > Cookie Domains and modify the cookie domain.
   - ssoadm: enter the following command:
     $ ./ssoadm set-attr-defs -s iPlanetAMPlatformService -t Global -u [adminID] -f [passwordfile] -a iplanet-am-platform-cookie-domains=["domainname"]
     replacing [adminID], [passwordfile] and ["domainname"] with appropriate values.
3. Reinstate the default cookie processor in Tomcat by removing the line you added in step 1.
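To make the Causes and Solution sections concrete, the following added example (not part of this article, and not code from AM or Tomcat) re-implements in Python the domain rules that Tomcat's Rfc6265CookieProcessor.validateDomain applies, so you can check a list of configured cookie domain values before (or instead of) discovering the failure at login time. It also extracts the offending domain from CoreSystem log lines of the form shown above, and applies the fix from step 2 (dropping the leading dot) to produce the value to set with ssoadm. The function names and the sample domain list are my own; the log line is the one quoted in this article.

```python
import re

# Characters the RFC 6265 cookie processor accepts in a Domain value:
# letters, digits, '-' and '.'. Anything else is rejected outright.
_VALID_CHARS = re.compile(r"^[A-Za-z0-9.-]+$")

# Pattern of the error that Tomcat 8.5/9 writes when the domain is rejected
# (quoted in the CoreSystem log excerpt above).
_INVALID_DOMAIN_LOG = re.compile(
    r"An invalid domain \[([^\]]*)\] was specified for this cookie")


def is_valid_cookie_domain(domain: str) -> bool:
    """Mirror the checks in Tomcat's Rfc6265CookieProcessor.validateDomain:
    - only letters, digits, '-' and '.' are allowed;
    - every label must start with a letter or digit (so no leading dot,
      no empty label such as 'a..b', no label starting with '-');
    - every label must end with a letter or digit (no '-.', no trailing '-' or '.').
    An empty string is treated as invalid input for this check.
    """
    if not domain or not _VALID_CHARS.match(domain):
        return False
    prev = None
    for cur in domain:
        # A label must start with a letter or digit: '.' or '-' may not follow
        # the start of the string or another '.'.
        if (prev is None or prev == ".") and cur in ".-":
            return False
        # A label must end with a letter or digit: '-' may not precede '.'.
        if prev == "-" and cur == ".":
            return False
        prev = cur
    # The domain must end with a label, not a separator.
    return domain[-1] not in ".-"


def normalize_cookie_domain(domain: str) -> str:
    """Apply the fix from step 2: strip surrounding whitespace and any
    legacy leading dot (.example.com -> example.com)."""
    return domain.strip().lstrip(".")


def check_cookie_domains(domains):
    """Return (configured_value, verdict, suggested_value) for each entry,
    e.g. for the values of AM's iplanet-am-platform-cookie-domains attribute.
    suggested_value is None when stripping the dot alone does not produce
    an acceptable domain."""
    report = []
    for d in domains:
        if is_valid_cookie_domain(d):
            report.append((d, "ok", d))
        else:
            fixed = normalize_cookie_domain(d)
            report.append((d, "invalid",
                           fixed if is_valid_cookie_domain(fixed) else None))
    return report


def invalid_domains_from_log(lines):
    """Extract the rejected Domain values from CoreSystem log lines that
    carry Tomcat's 'invalid domain' IllegalArgumentException."""
    found = []
    for line in lines:
        m = _INVALID_DOMAIN_LOG.search(line)
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    # Constructed sample: values as they might appear in an AM cookie domain
    # list after an upgrade from Tomcat 8.0.x.
    sample_domains = [".example.com", "example.org", "sso-.example.net"]
    for configured, verdict, suggestion in check_cookie_domains(sample_domains):
        print(f"{configured!r}: {verdict}, set to {suggestion!r}")

    # The CoreSystem log line quoted in this article.
    sample_log = [
        "ERROR: Exception during LoginIndex java.lang.IllegalArgumentException: "
        "An invalid domain [.example.com] was specified for this cookie",
    ]
    print("rejected domains seen in log:", invalid_domains_from_log(sample_log))
```

Run the script as-is to see the verdicts for the constructed sample; in practice, feed it the domain list you read back from the console or from ssoadm and the relevant CoreSystem log lines. A value reported as "invalid" with a non-empty suggestion is exactly the case this article describes, and the suggestion is the value to pass in iplanet-am-platform-cookie-domains.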
See Also
Apache Tomcat 8.5 Configuration Reference - The Cookie Processor Component
Apache Tomcat 8.5 Configuration Reference - Defining a context
ssoadm fails in AM (All versions) with FATAL ERROR: Cannot obtain Application SSO token
Related Training
N/A
Related Issue Tracker IDs
N/A