Cams Administrator's Guide

Log and Error Codes

Cams policy server logs, the Cams web agent log and dynamic web pages supply information that can be helpful during system integration and debug. This document provides a quick reference to the most important logs and the associated codes.

Authentication Log

Cams replies to each authentication request with a status of pending, succeeded or failed. If authentication failed, then a reason is also sent. The status and reason codes are logged in the security domain's authentication log. These values are useful in debugging and analyzing authentication requests.

Example 1 shows a typical authentication log entry. The authentication log format is:

  1. date/time
  2. requesting host address
  3. login config entry from the security domain's login-config.xml file
  4. response code
  5. reason code
  6. user session ID (only if authenticated)
  7. username

[24/Mar/2005:10:43:58 -0800] 192.168.0.1 "http" 1 - MyCamsCluster-MyCamsServer-system-51f015b574cd90b823f022bd3d15bca58bc06 foo@mycompany.com

Example 1 - A sample authentication log entry

Status Codes

The Cams policy server's answer to an authentication request is communicated using one of the status codes shown in Table 1.

Code Description
0 Authentication is in progress
1 Authentication succeeded
2 Authentication failed

Table 1 - Cams authentication codes

Reason Codes

A reason code is returned with each authentication request to provide additional context. Table 2 shows the possible reason codes.

Code Description
0 Not applicable.
1 General error, probably due to a misconfiguration.
2 The remote host IP address is not valid.
3 The remote hostname is not valid.
4 The agent making the request is not authorized.
5 An unknown security domain was referenced.
6 An unknown login configuration entry was referenced.
7 Incomplete or invalid authentication credentials (normal login failure).
8 An unrecoverable error during authentication (runtime exception).
9 The account specified by the user has expired.
10 The credential specified by the user has expired.
11 Unused (obsolete).
12 An unrecoverable error within a callback handler (runtime exception).

Table 2 - Cams authentication reason codes

Access Control Log

Cams replies to each access request with a status of pending, granted or denied. If the response is denied, then a reason is also sent. The status and reason values are logged in the security domain's access control log. These values are useful in debugging and analyzing secure resource requests.

Example 2 shows a typical access control log entry. The access control log format is:

  1. date/time
  2. requesting host address
  3. user session ID (if authenticated)
  4. authenticated username (if authenticated)
  5. login config entry from the security domain's login-config.xml file
  6. fully-qualified resource identifier of the requested resource
  7. the requested action(s) on the resource
  8. status code
  9. reason code

[10/Dec/2002:13:14:59 -0800] 127.0.0.1 MyCamsServer-examples-145e13a8561341691d65c3580d81f3ab37f870ca guest http http://localhost:8080/examples/styles/cswebapp.css "GET" 1 -

Example 2 - A single access control log entry

Status Codes

The Cams policy server's response to an access control request is communicated using one of the status codes shown in Table 3.

Code Description
0 Access control decision for the resource is in progress
1 Access to the resource is granted
2 Access to the resource is denied

Table 3 - Cams access control status codes

Reason Codes

A reason code is returned with each access control response to provide additional context. Table 4 shows the possible reason codes.

Code Description
0 Not applicable (because access was granted).
1 General error, probably due to a misconfiguration.
2 The remote host IP address is not valid.
3 The remote hostname is not valid.
4 The agent making the request is not authorized.
5 An unknown security domain was referenced.
6 An unknown resource type was referenced.
7 An invalid resource identifier was specified.
8 An unknown resource action was requested on a resource.
9 Access was denied unconditionally.
10 Authentication is required.
11 Authentication is required and a referenced session expired.
12 An error occurred while evaluating an access control rule.
13 Confidentiality (SSL/TLS connection) is required.
14 The session id submitted was invalid.
15 The default bias (either granted or denied) was applied because no permission is protecting the requested resource.
16 Authentication is required, but the login configuration for the specified login config entry could not be found.
17 A general transport error occurred. Something within the response was corrupted.
18 Access was granted conditionally.
19 Access was granted unconditionally.
20 Access was denied conditionally.
21 Access was denied because one or more required attributes was missing from the request.
22 Access was denied because the authentication method is insufficient.
23 The default bias (either granted or denied) was applied because no permission is protecting the requested resource, but the session referenced by the access control request is expired or closed.
24 Access was granted conditionally, but the session referenced by the access control request is expired or closed.
25 Access was granted unconditionally, but the session referenced by the access control request is expired or closed.

Table 4 - Cams access control reason codes
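The two log formats described above are easiest to work with when parsed into fields and joined against the status and reason tables. The following parser is an added example, not code from the Cams product; it assumes that fields marked "only if authenticated" are simply absent from the line when the user is not authenticated, and the sample lines are constructed from the guide's two examples.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the guide's Example 1 and Example 2, not real traffic.
AUTH_LOG = """\
[24/Mar/2005:10:43:58 -0800] 192.168.0.1 "http" 1 - MyCamsCluster-MyCamsServer-system-51f015b574cd90b823f022bd3d15bca58bc06 foo@mycompany.com
[24/Mar/2005:10:44:02 -0800] 192.168.0.1 "http" 2 7 bar@mycompany.com
[24/Mar/2005:10:44:09 -0800] 192.168.0.1 "http" 2 7 bar@mycompany.com
[24/Mar/2005:10:45:30 -0800] 192.168.0.7 "http" 2 9 baz@mycompany.com
"""
AC_LOG = """\
[10/Dec/2002:13:14:59 -0800] 127.0.0.1 MyCamsServer-examples-145e13a8561341691d65c3580d81f3ab37f870ca guest http http://localhost:8080/examples/styles/cswebapp.css "GET" 1 -
[10/Dec/2002:13:15:03 -0800] 127.0.0.1 http http://localhost:8080/examples/admin/ "GET" 2 10
[10/Dec/2002:13:15:09 -0800] 127.0.0.1 MyCamsServer-examples-145e13a8561341691d65c3580d81f3ab37f870ca guest http http://localhost:8080/examples/admin/ "POST" 2 22
"""

# Field order follows the two numbered lists above.  Session ID (auth log) and session ID plus
# username (access control log) are optional groups: assumed absent for unauthenticated users.
AUTH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<host>\S+) "(?P<login_config>[^"]*)" '
    r'(?P<status>\d) (?P<reason>\d+|-)(?: (?P<session>\S+))? (?P<user>\S+)$')
AC_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<host>\S+) (?:(?P<session>\S+) (?P<user>\S+) )?'
    r'(?P<login_config>\S+) (?P<resource>\S+) "(?P<actions>[^"]*)" '
    r'(?P<status>\d) (?P<reason>\d+|-)$')

def parse(regex, line):
    """Return the entry as a dict; status/reason become ints, '-' (no reason) becomes None."""
    m = regex.match(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["reason"] = None if e["reason"] == "-" else int(e["reason"])
    return e

def failed_logins(text):
    """Count failed authentications (status 2) per (host, username, Table 2 reason code)."""
    counts = Counter()
    for line in text.splitlines():
        e = parse(AUTH_RE, line)
        if e["status"] == 2:
            counts[(e["host"], e["user"], e["reason"])] += 1
    return counts

def denials(text):
    """(username or None, resource, Table 4 reason code) for each denied check (status 2)."""
    entries = (parse(AC_RE, line) for line in text.splitlines())
    return [(e["user"], e["resource"], e["reason"]) for e in entries if e["status"] == 2]
```

Reason code 10 in the second access control line means the request reached a protected resource without a session, which is normal before login; repeated reason 7 entries from one host in the authentication log are the pattern to review.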

Web Agent Error Codes

An error code is sent to a Cams web agent to give additional context about an error that has occurred within a Cams web agent. The error code is displayed both on the configured Cams error page and in the cams-webagent.log file. Table 5 lists the error codes in numerical order; each hundred-series groups the codes raised by one web agent function (5000 authentication, 5100 access control, 5200 session access, 5300 session control, 5400 obligation handling).

Code Description
5000 Authentication failed

The Cams web agent attempted to authenticate a user but the request failed due to an unknown error. The Cams web agent trace log and/or a Cams policy server trace log for the associated security domain should contain additional information.

5001 Could not find the authentication service

The Cams client does not have a required authentication service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

5002 Invalid HTTP method for authentication

Cams web agents only support POST requests for authentication requests. A non-POST HTTP request was received by a Cams web agent for the URI configured for user authentication.

5003 Query parameter cams_security_domain is invalid

An authentication request was received by a Cams web agent, but the required cams_security_domain parameter is missing, empty or invalid. A dynamic login page that does not correctly use the Cams cams_security_domain provided to it by a Cams web agent may be the cause.

NOTE: The login page should receive this value as a query parameter and store it in a hidden field named cams_security_domain. When the associated HTML form is posted during authentication, this parameter will be sent with the authentication request.

5004 Query parameter cams_login_config is invalid

An authentication request was received by a Cams web agent, but the required cams_login_config parameter is missing, empty or invalid. A dynamic login page that does not correctly use the Cams cams_login_config provided to it by a Cams web agent may be the cause.

NOTE: The login page should receive this value as a query parameter and store it in a hidden field named cams_login_config. When the associated HTML form is posted during authentication, this parameter will be sent with the authentication request.

5005 The access control rule protecting the Cams login page is invalid

The Cams policy server denied access to the login page because the access control policy requires authentication. Authentication cannot occur unless the login page is presented to the user without authentication. For example, the following access-control-policy.xml would cause this error to display (the permission protecting the login page references an authentication rule):

...
<permission desc="Cams login page" actions="">
   <resource-pattern id="*://*:*/cams/*"/>
   <acr-ref id="require authentication"/>
</permission>
...
<auth-acr id="require authentication">
   <role-constraint>
      <role-name>everyone</role-name>
   </role-constraint>
</auth-acr>
...

In this case, if the Cams login page URL is:

https://www.myhost.com/cams/login.jsp

the access control policy will deny access unless the user is authenticated. The Cams web agent will attempt to redirect the user's browser to the login page, but access will once again be denied by the access control policy. To avoid infinite redirection, the Cams web agent detects this case. To fix the problem, either grant access to the Cams login page or limit access to it using a rule that does not require authentication, such as an IP address rule.

5006 Could not determine the security domain name

An AUTOLOGIN cookie is being removed because the name value is malformed. Specifically, it does not contain a security domain name field.

5007 Invalid login parameter value

One or more login parameters are invalid. The cams-webagent.log for the web server where the error occurred will contain detailed error information.

5100 Access control failed

The Cams web agent attempted to execute an access control check, but it failed due to an unknown error. The Cams web agent trace log and/or a Cams policy server trace log for the associated security domain should contain additional information.

5101 Could not find the access control service

The Cams client does not have a required access control service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

5102 Invalid resource request type or action

The Cams web agent made an access control request for an unknown resource type or action. Cams web agents only make access control requests for resources of types cams or http. For resource type cams, the action must be ACCESS. For resource type http, the actions can only be GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK or DEBUG. When HTTP requests with unrecognized actions are sent to a web server with a Cams web agent, a 5102 web agent error will result.

5105 Unknown access control response

An unknown access control response status code was received from the Cams policy server.

5200 Session access failed

The Cams web agent's attempt to access an authenticated user's session failed due to an error in the Cams session access service.

5201 Could not find the session access service

The Cams client does not have a required session-access service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

5202 General transport error

An error occurred when the Cams web agent attempted to communicate with the Cams policy server.

5300 Session control failed

The Cams web agent's attempt to logout the user failed due to an error in the Cams session control service.

5301 Could not find the session control service

The Cams client does not have a required session-control service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

5302 Could not logout user because session id is invalid

The Cams web agent received a logout request, but no session identifier was provided. The user may have attempted to logout when not currently logged in or the logout page did not specify a valid cams_security_domain query parameter.

5303 Query parameter cams_security_domain is invalid

The Cams web agent received a cams_security_domain query parameter value that was invalid or empty. The cause may be a misconfigured login page that contains a bad hard-coded security domain name, or a dynamic web page that does not properly store the security domain name passed to it by a Cams web agent.

5304 A possible session hijacking attempt occurred: expected hash value does not match

A session hijacking attempt was detected and thwarted, or a Cams web agent misconfiguration resulted in what appeared to be a session hijacking attempt. If not an actual session hijacking attempt, inconsistent configuration of session hijacking values for different Cams web agents may be the cause. Confirm that the following properties have the same values for all Cams web agents:

  • cams.session.hijacking.protection.enable
  • cams.session.hijacking.protection.algorithm
  • cams.session.hijacking.protection.salt

5305 Session hijacking misconfiguration

Session hijacking protection is not enabled for this Cams web agent, but appears to be enabled for another Cams web agent in the same Cams cluster. Confirm that the following properties have the same values for all Cams web agents:

  • cams.session.hijacking.protection.enable
  • cams.session.hijacking.protection.algorithm
  • cams.session.hijacking.protection.salt

5306 Session hijacking misconfiguration

Session hijacking protection is enabled for this Cams web agent, but appears not to be enabled for another Cams web agent in the same Cams cluster. Confirm that the following properties have the same values for all Cams web agents:

  • cams.session.hijacking.protection.enable
  • cams.session.hijacking.protection.algorithm
  • cams.session.hijacking.protection.salt
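Errors 5304 through 5306 all come down to the three properties above differing between agents in one cluster. The following consistency check is an added example, not a Cams tool; it assumes cams-webagent.conf uses key=value lines (Java properties style), and the agent names and property values are constructed placeholders.

```python
import re

# The three properties the guide requires to agree across every web agent in a cluster.
HIJACK_KEYS = (
    "cams.session.hijacking.protection.enable",
    "cams.session.hijacking.protection.algorithm",
    "cams.session.hijacking.protection.salt",
)

def load_properties(text):
    """Parse 'key=value' / 'key: value' lines, skipping blanks and # or ! comments.
    Assumption: cams-webagent.conf follows the Java properties layout."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def hijack_mismatches(configs):
    """configs maps agent name -> cams-webagent.conf text.  Returns {key: {agent: value}}
    for every hijacking property whose value is not identical on all agents; an agent
    that lacks the key is reported with value None, since that is the 5305/5306 case."""
    per_key = {k: {agent: load_properties(txt).get(k) for agent, txt in configs.items()}
               for k in HIJACK_KEYS}
    return {k: agents for k, agents in per_key.items() if len(set(agents.values())) > 1}

# Constructed configurations for two agents in one cluster; agent-b was never given a salt
# and has protection switched off, which is exactly what would trigger 5305 on agent-b.
SAMPLE_CONFIGS = {
    "agent-a": "cams.session.hijacking.protection.enable=true\n"
               "cams.session.hijacking.protection.algorithm=PLACEHOLDER_ALG\n"
               "cams.session.hijacking.protection.salt=PLACEHOLDER_SALT\n",
    "agent-b": "# protection left at default\n"
               "cams.session.hijacking.protection.enable=false\n"
               "cams.session.hijacking.protection.algorithm=PLACEHOLDER_ALG\n",
}
```

Run the check against the conf files collected from every agent before investigating 5304 as a real attack; a non-empty result points at configuration, not hijacking.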

5400 Multiple redirect obligations

The Cams web agent was sent more than one redirect obligation by the Cams policy server for a single access control response. To avoid situations where the Cams web agent would need to decide which redirect to send to the browser, the Cams web agent rejects access control responses that include more than one obligation redirect. Check the access control policy to correct the rule that is sending a multiple redirect obligation.

5401 Obligation not supported

The Cams web agent was sent an obligation that is not supported. Check the release notes to verify the obligation support level for this Cams web agent.

5402 Missing obligation attribute value

The Cams web agent was sent an HTTP redirect obligation that did not specify the URL for the redirect.

5405 Internal obligation attribute value handling error

An internal Cams web agent error occurred while attempting to handle an obligation attribute value. A pointer was NULL when not expected.

Table 5 - Cams web agent error codes
