This chapter offers solutions to issues during installation of OpenAM policy agents.
Solutions to Common Issues
This section offers solutions to common problems when installing OpenAM policy agents.
Q: |
I am trying to install a policy agent, connecting to OpenAM over HTTPS, and seeing the following error. OpenAM server URL: https://openam.example.com:8443/openam WARNING: Unable to connect to OpenAM server URL. Please specify the correct OpenAM server URL by hitting the Back button (<) or if the OpenAM server URL is not started and you want to start it later, please proceed with the installation. If OpenAM server is SSL enabled and the root CA certificate for the OpenAM server certificate has been not imported into installer JVMs key store (see installer-logs/debug/Agent.log for detailed exception), import the root CA certificate and restart the installer; or continue installation without verifying OpenAM server URL. What should I do? |
|
A: |
The Java platform includes certificates from many Certificate Authorities (CAs). If however you run your own CA, or you use self-signed certificates for HTTPS on the container where you run OpenAM, then the agentadmin command cannot trust the certificate presented during connection to OpenAM, and so cannot complete installation correctly. After setting up the container where you run OpenAM to use HTTPS, get the certificate to trust in a certificate file. The certificate you want is the that of the CA who signed the container certificate, or the certificate itself if the container certificate is self-signed. Copy the certificate file to the system where you plan to install the policy agent. Import the certificate into a trust store that you will use during policy agent installation. If you import the certificate into the default trust store for the Java platform, then the agentadmin command can recognize it without additional configuration. Export and import of self-signed certificates is demonstrated in the Administration Guide chapter on Managing Certificates. |
Q: |
I am trying to install the policy agent on SELinux and I am getting error messages after installation. What happened? |
|
A: |
SELinux must be properly configured to connect the web policy agent and OpenAM nodes. Either re-configure SELinux or disable it, then reinstall the policy agent. |
Q: |
My Apache HTTPD server is not using port 80. But when I install the web policy agent it defaults to port 80. How do I fix this? |
|
A: |
You probably set Instead you must set both the host name and port number for
<VirtualHost *:8080> ServerName www.localhost.example:8080 |
Q: |
My web server and web policy agent are installed as root, and the agent cannot rotate logs. I am seeing this error. Could not rotate log file ... (error: 13) What should I do? |
|
A: |
First, avoid installing the web server (and therefore also the web policy agent) as root, but instead create a web server user and install as that user. If however you cannot avoid installing the web server and policy agent
as root, the you must give all users read and write permissions to the
|
Q: |
I have multiple web servers on a single system, and want to protect each of them with a policy agent. |
|
A: |
Once both web policy agents are installed, navigate to the com.forgerock.agents.instance.id= Set that attribute to an appropriate unique value such as |
