Does not apply to Identity Cloud

Login page does not load or ssoadm fails in AM (All versions) running on Apache Tomcat 8.5 or 9

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if the login page does not load or ssoadm fails in AM running on Apache Tomcat™ 8.5 or 9. The following error is shown when this happens: "An invalid domain [.example.com] was specified for this cookie".



Symptoms

Login page

The browser shows a Loading... message and no errors are logged when trying to access the login page in AM.

ssoadm

The following response is shown when ssoadm fails:

Logging configuration class "com.sun.identity.log.s1is.LogConfigReader" failed com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.

The corresponding error is shown in the CoreSystem log when this happens:

ERROR: Exception during LoginIndex java.lang.IllegalArgumentException: An invalid domain [.example.com] was specified for this cookie
        at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:183)
        at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:125)
        at org.apache.catalina.connector.Response.generateCookieString(Response.java:989)
        at org.apache.catalina.connector.Response.addCookie(Response.java:937)

Recent Changes

Upgraded Tomcat to 8.5 or 9.

Installed AM in a new environment that is running Tomcat 8.5 or 9.

Causes

Tomcat enforces stricter checking for valid cookie domain values per RFC 1034 and RFC 6265. In Tomcat 8.0.x, a leading dot was required for cookie domains, whereas this is no longer permitted in 8.5 and later.

Solution

This issue can be resolved by correcting your cookie domain name as follows:

  1. Revert Tomcat to use the legacy cookie processor in order to get your system back up and running. Add the following line to the context.xml file (you should create this file in the /path/to/tomcat/webapps/openam/META-INF directory if it does not already exist):
     <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
     A default context.xml file exists in the /path/to/tomcat/conf directory; this applies to all web applications, but it is preferable to create separate contexts for individual web applications as needed. See Apache Tomcat 8.5 Configuration Reference - Defining a context for further information on contexts.
  2. Modify the cookie domain name to remove the leading dot (for example, example.com rather than .example.com) using either the console or ssoadm:
    • Console: navigate to: Configure > Global Services > Platform > Cookie Domains and modify the cookie domain.
    • ssoadm: enter the following command, replacing [adminID], [passwordfile] and ["domainname"] with appropriate values:
      $ ./ssoadm set-attr-defs -s iPlanetAMPlatformService -t Global -u [adminID] -f [passwordfile] -a iplanet-am-platform-cookie-domains=["domainname"]
  3. Reinstate the default cookie processor in Tomcat by removing the line you added in step 1.
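As an added illustration of the check described under Causes and of the correction in step 2 (example code, not ForgeRock's or Tomcat's own), the following Python port of the label rules that Tomcat's Rfc6265CookieProcessor applies flags configured cookie domains that Tomcat 8.5 and later would reject and shows the value with the leading dot removed; the list of configured domains is constructed for the example.

```python
# Characters accepted inside a cookie domain by Tomcat 8.5+'s RFC 6265
# processor: letters, digits, '.' and '-'. This is a Python re-implementation
# modelled on Rfc6265CookieProcessor.validateDomain, not Tomcat's own code.
_DOMAIN_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-"
)


def is_valid_cookie_domain(domain: str) -> bool:
    """Return True if Tomcat 8.5+ would accept this value as a cookie domain."""
    prev = None
    cur = None
    for cur in domain:
        if cur not in _DOMAIN_CHARS:
            return False
        # Every label must start with a letter or digit: a '.' or '-' at the
        # start of the value (the leading-dot case) or right after '.' fails.
        if prev in (None, ".") and cur in (".", "-"):
            return False
        # Every label must end with a letter or digit, so '-.' is rejected.
        if prev == "-" and cur == ".":
            return False
        prev = cur
    # The value must end with a label, not with a separator.
    return cur not in (None, ".", "-")


def normalize_cookie_domain(domain: str) -> str:
    """Apply the fix from step 2: drop the leading dot AM was configured with."""
    return domain[1:] if domain.startswith(".") else domain


def audit_cookie_domains(domains):
    """Map each domain Tomcat 8.5+ rejects to its corrected value.

    If dropping the leading dot still leaves an invalid value, map it to None
    so the operator knows a manual correction is needed.
    """
    result = {}
    for d in domains:
        if not is_valid_cookie_domain(d):
            fixed = normalize_cookie_domain(d)
            result[d] = fixed if is_valid_cookie_domain(fixed) else None
    return result


# Constructed sample of iplanet-am-platform-cookie-domains values.
CONFIGURED_COOKIE_DOMAINS = [".example.com", "sso.example.org"]

if __name__ == "__main__":
    for bad, fixed in audit_cookie_domains(CONFIGURED_COOKIE_DOMAINS).items():
        print(f"rejected by Tomcat 8.5+: {bad!r} -> set to {fixed!r}")
```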

See Also

Apache Tomcat 8.5 Configuration Reference - The Cookie Processor Component

Apache Tomcat 8.5 Configuration Reference - Defining a context

FAQ: Cookies in AM

AM (All versions) fails to start due to SEVERE: ContainerBase.addChild: start: error on Apache Tomcat

ssoadm fails in AM (All versions) with FATAL ERROR: Cannot obtain Application SSO token

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.