Appendix B Troubleshooting a Web Agent Deployment

This appendix applies to Agent for IBM Lotus Domino 7.0. If a problem is discussed in this appendix, it either applies only to this agent or it applies to two or more agents with one of them being this agent. This appendix explains how you can resolve problems that you might encounter while deploying or using this web agent. Be sure to also check the Sun Java System Access Manager Policy Agent 2.2 Release Notes, to see if the problem that you encounter is a known limitation of the web agent. If workarounds are available for such problems, they will be provided in the release notes.

In this chapter, refer to the troubleshooting section applicable to your platform as follows:

• Solaris Systems: Troubleshooting Symptoms for the IBM Lotus Domino 7.0 Agent

• AIX Systems: Troubleshooting Symptoms for the IBM Lotus Domino 7.0 Agent

• Windows Systems: Troubleshooting Symptoms for the IBM Lotus Domino 7.0 Agent

• Linux Systems: Troubleshooting Symptoms for the IBM Lotus Domino 7.0 Agent

Solaris Systems: Troubleshooting Symptoms for the IBM Lotus Domino 7.0 Agent

This section includes various problems you might encounter with this agent on Solaris systems. The symptom of the problem is followed by possible causes and solutions.

Solaris Systems: Troubleshooting Symptom 1

Symptom: Cannot install the web agent after a previous installation has been removed.

The following is an example message that is displayed when you run the web agent installation program:

Launching installer... Sun Java(tm) System; Access Manager Policy Agent for IBM Lotus Domino 7.0 is installed. Please refer to installation manual to configure this agent for another web server instance or uninstall it before installing another agent.

Possible Causes:

• You might have an existing installation of the web agent.

• You might have a previously-installed web agent and did not use the web agent’s uninstallation program to uninstall the agent.

• The installation program’s productregistry file might be corrupted.

Possible Solutions: Performing the following troubleshooting activities might resolve the issue:

• Check that you have uninstalled any existing installation of the web agent.

• The productregistry file may be corrupted if there is no existing installation of the web agent. This file is used by the installation program to track installed products. It is found in /var/sadm/install directory.

Make a backup copy of productregistry file before you make changes.

Remove the web agent entry in this file. This entry starts with the following lines:

<compid>SUNWamdmn
        <compversion>2.2
                <uniquename>SUNWamdmn</uniquename>
                <vendor></vendor>
                <compinstance>1
                        <parent>Agent for Lotus Domino HTTP Server
                                <instance>1
                                        <version>2.2</version>
                               </instance>
                        </parent>
                <comptype>COMPONENT</comptype>
                <location>/opt/dm22</location>
                <dependent>
                                <compref>Agent for Lotus Domino HTTP Server
                                        <instance>1
                                                <version>2.2</version>
                                        </instance>
                                </compref>
                </dependent>
                         <data>
                                <key>pkgs
                                        <value>SUNWamdmn</value>
                                </key>
                         </data>
                </compinstance>
        </compversion>
</compid>
<compid>Agent for Lotus Domino HTTP Server
        <compversion>2.2
            <uniquename>Agent for Lotus Domino HTTP Server</uniquename>
               <vendor></vendor>
                 <compinstance>1
                       <parent>Sun Java(tm) System Access Manager Policy Agent
                             <instance>4
                                       <version>2.2</version>
                             </instance>
                       </parent>
                        <children>
                               <compref>SUNWamdmn
                                       <instance>1
                                         <version>2.2</version>
                                      </instance>
                              </compref>
                        </children>
                                        <comptype>FEATURE</comptype>
                                        <location>/opt/dm22</location>
                                        <dependent>
                               <compref>Sun Java(tm) System Access Manager Policy Agent
                                     <instance>4
                                           version>2.2</version>
                                     </instance>
                               </compref>
                                        </dependent>
                        <required>
                               <compref>SUNWamdmn
                        <instance>1
                                          <version>2.2</version>
                        </instance>
                               </compref>
                        </required>
                </compinstance>
        </compversion>
</compid>

Solaris Systems: Troubleshooting Symptom 2

Symptom: The uninstallation program does not remove entries from the agent’s web container.

Possible Cause: Another instance of the web agent exists that was configured using the configuration script.

Possible Solution: Remove all the instances of the web agent using the unconfig script before running the uninstallation program.

Solaris Systems: Troubleshooting Symptom 3

Symptom: The browser goes into a loop for approximately a minute before displaying an access-denied page.

Possible Cause: The user tries to access a resource for which a policy with a time condition has been set and the time on the web agent host and the Access Manager host are not in sync.

Possible Solution: Login as root and run the command rdate hostname to synchronize the time on both hosts.

Solaris Systems: Troubleshooting Symptom 4

Symptom: IBM Lotus Domino 7.0 server starts with the following error message:

Unable to load filter

Possible Cause: The DSAPI filter is configured incorrectly. Generally, if any path issue or associated library issue occurs while the DSAPI filter is being added, this error is generated.

Possible Solution: Ensure that the DSAPI filter has been configured with the correct information. For example, verify that the following path has been specified:

PolicyAgent-base/SUNWam/agents/domino/lib/libamdomino6.so

Solaris Systems: Troubleshooting Symptom 5

Symptom: The DSAPI filter is not functioning properly on a server instance.

Possible Causes:

• When the DSAPI filter was configured, the database selected was not correct.

• The DSAPI filter change may not be updated in the database

Possible Solutions:

• Ensure that the correct database was selected during configuration.

• Replicate the database from the IBM Lotus Domino 7.0 administration server.

Solaris Systems: Troubleshooting Symptom 6

Symptom: The agent goes into an infinite loop.

Possible Cause: The value for the following property in the web agent AMAgent.properites configuration file is a resource to which users are assigned:

com.sun.am.policy.agents.config.accessdenied.url

The users assigned to this resource, do not have allow in the policy definition.

Possible Solution: For the get method, specify allow in the policy definition.

Solaris Systems: Troubleshooting Symptom 7

Symptom:When a user attempts to access a resource using Internet Explorer as the browser, access is denied.

Possible Cause: Internet Explorer overrides the port number of the web agent with the Access Manager port number. In such cases, the agent log file lists the URL that is being evaluated. The port number for that URL is incorrect.

Possible Solution: You can ensure this problem does not occur by setting the following property in the web agent AMAgent.properties configuration file to true as shown:

com.sun.am.policy.agents.config.override_port = true

AIX Systems: Troubleshooting Symptoms for the IBM Lotus Domino 7.0 Agent

This section includes various problems you might encounter with this agent on AIX systems. The symptom of the problem is followed by possible causes and solutions.

AIX Systems: Troubleshooting Symptom 1

Symptom: The browser goes into a loop for approximately a minute before displaying an access-denied page.

Possible Cause: The user tries to access a resource for which a policy with a time condition has been set and the time on the web agent host and the Access Manager host are not in sync.

Possible Solution: Login as root and run the command rdate hostname to synchronize the time on both hosts.

AIX Systems: Troubleshooting Symptom 2

Symptom: IBM Lotus Domino 7.0 server starts with the following error message:

Unable to load filter

Possible Cause: The DSAPI filter is configured incorrectly. Generally, if any path issue or associated library issue occurs while the DSAPI filter is being added, this error is generated.

Possible Solutions:

• Ensure that the DSAPI filter has been configured with the correct information. For example, verify that the following path has been specified:

• Ensure that LIBPATH is set properly as explained in AIX Systems: Setting LIBPATH to Include Libraries Specific to the IBM Lotus Domino 7.0 Agent.

PolicyAgent-base/agents/domino6/lib/libamdomino6.a

AIX Systems: Troubleshooting Symptom 3

Symptom: The DSAPI filter is not functioning properly on a server instance.

Possible Causes:

• When the DSAPI filter was configured, the database selected was not correct.

• The DSAPI filter change may not be updated in the database

Possible Solutions:

• Ensure that the correct database was selected during configuration.

• Replicate the database from the IBM Lotus Domino 7.0 administration server.

AIX Systems: Troubleshooting Symptom 4

Symptom: The agent goes into an infinite loop.

Possible Cause: The value for the following property in the web agent AMAgent.properites configuration file is a resource to which users are assigned:

com.sun.am.policy.agents.config.accessdenied.url

The users assigned to this resource, do not have allow in the policy definition.

Possible Solution: For the get method, specify allow in the policy definition.

AIX Systems: Troubleshooting Symptom 5

Symptom:When a user attempts to access a resource using Internet Explorer as the browser, access is denied.

Possible Cause: Internet Explorer overrides the port number of the web agent with the Access Manager port number. In such cases, the agent log file lists the URL that is being evaluated. The port number for that URL is incorrect.

Possible Solution: You can ensure this problem does not occur by setting the following property in the web agent AMAgent.properties configuration file to true as shown:

com.sun.am.policy.agents.config.override_port = true

Windows Systems: Troubleshooting Symptoms for the IBM Lotus Domino 7.0 Agent

This section includes various problems you might encounter with this agent on Windows systems. The symptom of the problem is followed by possible causes and solutions.

Windows Systems: Troubleshooting Symptom 1

Symptom: Cannot install the web agent after a previous installation has been removed.

Possible Causes:

• You might have an existing installation of the web agent.

• You might have a previously-installed web agent and did not use the web agent’s uninstallation program to uninstall the agent.

• The installation program’s productregistry file might be corrupted.

Possible Solution: To resolve the issue, manually remove the web agent as explained in the following task description.

To Manually Remove Agent for IBM Lotus Domino 7.0

1. Using the Lotus Domino Web console, remove the amdomino6.dll file from the DSAPI filter field.

2. Stop the Domino HTTP server.

3. Remove Agent for IBM Lotus Domino 7.0.

   1. In the Start menu, select Control Panel->Add/Remove programs

   2. Select Sun Java System Access Manager Lotus Domino Agent

   3. Click Remove

4. Remove entries from the product registry

   1. Issue the following command in the command line:

      regedit

   2. Traverse to the following:

      HKEY_LOCAL_MACHINE

   3. Click Software

   4. Click Sun Microsystems

   5. Remove the following entry:

      Access Manager Lotus Domino Agent

5. Remove the PolicyAgent-base directory from the server.

   where PolicyAgent-base represents the directory in which the web agent was originally installed.

6. Remove the following entries from the PATH variable:

   • PolicyAgent-base\bin

   • PolicyAgent-base\domino\bin

7. Restart the server.

Windows Systems: Troubleshooting Symptom 2

Symptom: Unable to uninstall the agent from a Windows system using the Add/Remove Program option in the Control Panel.

Possible Cause: Java’s class path might not be set correctly on the machine.

Possible Solution: Perform the following task.

To Uninstall a Web Agent on a Windows System When the GUI Uninstallation Fails

1. Open Command Prompt Window.

2. Change directories to PolicyAgent-base

3. Execute the following command:

   java uninstall_Sun_Java_tm_System_Access_Manager_Policy_Agent

Windows Systems: Troubleshooting Symptom 3

Symptom: IBM Lotus Domino 7.0 server starts with the following error message:

Unable to load filter

Possible Cause: The DSAPI filter is configured incorrectly. Generally, if any path issue or associated library issue occurs while the DSAPI filter is being added, this error is generated.

Possible Solution: Ensure that the DSAPI filter has been configured with the correct information. For example, verify that the following path has been specified:

PolicyAgent-base\\domino\\bin\\amdomino6.dll

Windows Systems: Troubleshooting Symptom 4

Symptom: The DSAPI filter is not functioning properly on a server instance.

Possible Causes:

• When the DSAPI filter was configured, the database selected was not correct.

• The partitioned database was not updated.

Possible Solutions:

• Ensure that the correct database was selected during configuration.

• Replicate the database from the IBM Lotus Domino 7.0 administration server.

Windows Systems: Troubleshooting Symptom 5

Symptom: The agent goes into an infinite loop.

Possible Cause: The value for the following property in the web agent AMAgent.properites configuration file is a resource to which users are assigned:

com.sun.am.policy.agents.config.accessdenied.url

The users assigned to this resource, do not have allow in the policy definition.

Possible Solution: For the get method, specify allow in the policy definition.

Windows Systems: Troubleshooting Symptom 6

Symptom:When a user attempts to access a resource using Internet Explorer as the browser, access is denied.

Possible Cause: Internet Explorer overrides the port number of the web agent with the Access Manager port number. In such cases, the agent log file lists the URL that is being evaluated. The port number for that URL is incorrect.

Possible Solution: You can ensure this problem does not occur by setting the following property in the web agent AMAgent.properties configuration file to true as shown:

com.sun.am.policy.agents.config.override_port = true

Windows Systems: Troubleshooting Symptom 7

Symptom: When a user attempts to access a resource using a browser, access is denied.

Possible Cause: One or more properties in the web agent AMAgent.properties configuration file is set incorrectly. Specific properties, as specified in the following “Possible Solution” section, can cause access to resources to be denied.

Possible Solution: Verify that the values of the following properties are set correctly:

• com.sun.am.naming.url

• com.sun.am.policy.am.login.url

• com.sun.am.policy.am.username

• com.sun.am.policy.am.password

Windows Systems: Troubleshooting Symptom 8

Symptom: After the agent is installed, the web server fails to start.

Possible Cause: Libraries that agents depend on for Windows systems are missing. Ensuring that the libraries msvcp70.dll and msvcr70.dll are available is a pre-installation step in this guide. If the libraries were not properly added, the web server might not start.

Possible Solution: Obtain the appropriate libraries as described in Preparing to Install the IBM Lotus Domino 7.0 Agent on Windows Systems.

Linux Systems: Troubleshooting Symptoms for the IBM Lotus Domino 7.0 Agent

This section includes a problem you might to encounter with this agent on Linux systems. The symptom of the problem is followed by possible causes and solutions.

Linux Systems: Troubleshooting Symptom 1

Symptom: IBM Lotus Domino 7.0 server starts with the following error message:

Unable to load filter

Possible Cause: The DSAPI filter is configured incorrectly. Generally, if any path issue or associated library issue occurs while the DSAPI filter is being added, this error is generated.

Possible Solution: Ensure that the DSAPI filter has been configured with the correct information. For example, verify that the following path has been specified:

PolicyAgent-base/agents/domino6/lib/libamdomino6.so

Linux Systems: Troubleshooting Symptom 2

Symptom: The DSAPI filter is not functioning properly on a server instance.

Possible Causes:

• When the DSAPI filter was configured, the database selected was not correct.

• The partitioned database was not updated.

Possible Solutions:

• Ensure that the correct database was selected during configuration.

• Replicate the database from the IBM Lotus Domino 7.0 administration server.

Linux Systems: Troubleshooting Symptom 3

Symptom: The agent goes into an infinite loop.

Possible Cause: The value following property in the web agent AMAgent.properites configuration file is a resource to which users are assigned:

com.sun.am.policy.agents.config.accessdenied.url

The users assigned to this resource, do not have allow in the policy definition.

Possible Solution: For the get method, specify allow in the policy definition.

Linux Systems: Troubleshooting Symptom 4

Symptom:When a user attempts to access a resource using Internet Explorer as the browser, access is denied.

Possible Cause: Internet Explorer overrides the port number of the web agent with the Access Manager port number. In such cases, the agent log file lists the URL that is being evaluated. The port number for that URL is incorrect.

Possible Solution: You can ensure this problem does not occur by setting the following property in the web agent AMAgent.properties configuration file to true as shown:

com.sun.am.policy.agents.config.override_port = true