1–1) The application has not been configured to use the agent. 

1–1) For information about deploying the agent application, see Chapter 4, Post-Installation Tasks of Policy Agent 2.2 for Apache Tomcat Servlet/JSP Container.

1–2) The application fails to create an SSO token because a valid agent profile does not exist. J2EE agents authenticate with Access Manager using an agent profile, which is created in Access Manager Console. 

1–2) Using Access Manager Console, ensure that a valid agent profile exists. Using the command line, encrypt the agent profile password with the agentadmin --encrypt command. In the J2EE AMAgent.properties configuration file, ensure that the following properties have the updated agent profile name and password:

com.sun.identity.agents.app.username =
com.iplanet.am.service.secret=

1–3) The resources match entries in the not-enforced list. 

1–3) Make sure that the resources being accessed do not match the entries in the not-enforced list, and ensure that the list is not empty or inverted. 

1–4) The agent filter mode is set to NONE.

1–4) Change the agent filter mode to ALL or J2EE_POLICY as necessary.

2–1) The agent and Access Manager have been installed on the same machine and the browser might not be setting the HOST header correctly when redirected from Access Manager to the agent. 

2–1) Enable port check functionality. For information about enabling port check functionality, see Enabling Port Check Functionality in J2EE Agents.

2–2) The deployment container is running as a user who does not have write privileges to the audit log directory of the agent. 

2–2) Refer to the path specified in the J2EE agent AMAgent.properties configuration file for the agent’s local audit file and grant the necessary write permissions for the user of the deployment container process.

2–3) The agent filter is configured for a mode that enforces URL policies and no applicable URL policies have yet been defined in Access Manager. 

2–3) Define the appropriate URL policies in Access Manager. 

2–4) The agent filter is configured for a mode that enforces URL polices and the system time on the agent machine is not in sync with the system time on the Access Manager machine. 

2–4) Synchronize the time on the agent machine with the time on the Access Manager machine.  

2–5) The agent filter is configured for a mode that does not support J2EE polices and the resources being accessed are protected by declarative security constraints. 

2–5) Change the agent filter mode to a mode that supports J2EE policy such as ALL or J2EE_POLICY. 

2–6) The agent filter is configured for a mode that supports J2EE polices but they are being negatively evaluated by the agent. 

2–6) Change the agent filter mode to a mode that supports J2EE policy such as ALL or J2EE_POLICY. 

2–7) The agent is unable to validate user’s session token issued by Access Manager. 

2–7) Ensure that the agent is installed on the same domain that is specified as the cookie domain in Access Manager. If not, enable CDSSO functionality. If that is not the case, try changing the value of the following property: com.sun.identity.agents.config.sso.decode

2–8) The agent is configured for CDSSO and the validity time of the authorization response is smaller than the processing time required by the agent. 

2–8) Set an appropriate value for the following property: com.sun.identity.agents.config.cdsso.clock.skew

2–9) The Login URL specified in the J2EE agent AMAgent.properties configuration file is not reachable by the agent.

2–9) Ensure that the Access Manager Login URL is reachable from the machine where the agent is installed. 

2–10) The Access Manager is installed with SSL and the agent cannot communicate with it correctly. 

2–10) Install the appropriate root CA certificate in the keystore used by the deployment container on which the agent is installed. 

3–1) The protected application does not have the agent filter installed. 

3–1) Redeploy the application with the agent filter installed and the log-in configuration added. For more information, see Chapter 4, Post-Installation Tasks of Policy Agent 2.2 for Apache Tomcat Servlet/JSP Container.

3–2) The agent filter is operating in a mode that does not support J2EE policies. 

3–2) Change the agent filter mode to either ALL or J2EE_POLICY. 

3–3) The agent realm is not installed for the deployment container. 

3–3) To ensure that the agent realm is properly configured, see Key Features and Tasks Performed With Apache Tomcat Servlet/JSP Container.

3–4) The agent realm is installed and configured correctly but was previously disabled. 

3–4) For information on disabling the agent realm, see Disabling the Agent Realm of Policy Agent 2.2 for Apache Tomcat Servlet/JSP Container.

3–5) An invalid password was specified for the agent profile user during the agent installation. J2EE agents authenticate with Access Manager using an agent profile, which is created in Access Manager Console. 

3–5) Using Access Manager Console, ensure that a valid agent profile exists. Using the command line, encrypt the agent profile password with the agentadmin --encrypt command. In the J2EE AMAgent.properties configuration file, ensure that the following properties have the updated agent profile name and password:

com.sun.identity.agents.app.username =
com.iplanet.am.service.secret=

3–6) The specified role-to-principal mapping is incorrect. 

3–6) Ensure that the specified role-to-principal mapping for the protected application is correct and maps to actual users, actual roles, or both as they exist in Access Manager. 

4–1) The agent and Access Manager have been installed on the same machine and the browser being used might not be setting the HOST header correctly when redirected from Access Manager to the agent. 

4–1) Enable Port Check Functionality. For more information about performing this task, see Enabling Port Check Functionality in J2EE Agents.

4–2) The resource is protected by a J2EE declarative security constraint which is not being evaluated correctly and the server is trying to display form-error-page, which does not exist within the application.

4–2) Make sure that the resource specified by form-error-page in the web application’s web.xml deployment descriptor actually exists within the application.

4–3) The resource is being accessed by a legacy browser such as Netscape 4.x and during the installation of the agent no valid value was entered for agent application URI field. 

4–3) Reinstall the agent and specify a valid agent application URI value. 

4–4) The agent is operating in the CDSSO mode and no valid value was entered for the primary application context path field during agent installation. 

4–4) Reinstall the agent and specify a valid primary application context path. 

5–1) The agent does not have the root CA certificate of the signer of the certificate used by Access Manager. 

5–1) Install the appropriate root CA certificate in the keystore used by the deployment container on which the agent is installed. 

6–1) The requested resource that expects to use the attributes is in the not-enforced list of the agent. 

6–1) Change the not-enforced list so that the requested resource is enforced. The agent does not provide support for LDAP attributes for resources that are not-enforced. 

6–2) The agent is unable to fetch user roles from Access Manager. 

6–2) Ensure that the following property is set correctly in the J2EE agent AMAgent.properties configuration file:

com.sun.identity.agents.config.organization.name

7–1) The agent is installed on a server with the preferred listening protocol set to HTTPS and the root CA certificate for the signer of the agent’s server certificate is not available in the keystore used by Access Manager. 

7–1) Add the root CA certificate for the signer of agent’s server certificate to the keystore used by Access Manager. 

7–2) No valid value was entered for agent application URI during agent installation. 

7–2) Reinstall the agent and specify a valid agent application URI. For example, /agentapp. The same URI should be used as a context root for deploying the agent application through the administration console of the container.

8–1) These messages are logged by the JDK 1.4 logging framework in use, which treats the J2EE agent AMAgent.properties configuration file as the logging configuration file.

8–1) These messages are harmless and can be safely ignored.