An error code is sent to a Cams web agent to give additional context about
an error that has occurred within a Cams web agent. The error code is displayed
both on the configured Cams error page and in the cams-webagent.log
file. Table 1 shows the error codes in numerical order and classified by:
Code |
Description |
5000 |
Authentication failed
The Cams web agent attempted to authenticate a user but the request failed
due to an unknown error. The Cams web agent trace log and/or a Cams policy
server trace log for the associated security domain should contain additional
information.
|
5001 |
Could not find the authentication service
The Cams client does not have a required authentication service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
5002 |
Invalid HTTP method for authentication
Cams web agents only support POST requests for authentication requests.
A non-POST HTTP request was received by a Cams web agent for the URI configured
for user authentication.
|
5003 |
Query parameter cams_security_domain is invalid
An authentication request was received by a Cams web agent, but the required
cams_security_domain parameter
is missing, empty or invalid. A dynamic login page that does not correctly
use the Cams cams_security_domain
provided to it by a Cams web agent may be the cause.
NOTE: The login page should receive this value
as a query parameter and store it in a hidden field named cams_security_domain.
When the associated HTML form is posted during authentication, this parameter
will be sent with the authentication request.
|
5004 |
Query parameter cams_login_config is invalid
An authentication request was received by a Cams web agent, but the required
cams_login_config parameter is
missing, empty or invalid. A dynamic login page that does not correctly
use the Cams cams_login_config
provided to it by a Cams web agent may be the cause.
NOTE: The login page should receive this value
as a query parameter and store it in a hidden field named cams_login_config.
When the associated HTML form is posted during authentication, this parameter
will be sent with the authentication request.
|
5005 |
The access control rule protecting the Cams login page is invalid
The Cams policy server denied access to the login page because the access
control policy requires authentication. Authentication cannot occur unless
the login page is presented to the user, without authentication. For example,
the following access-control-policy.xml
would cause this error to display:
...
<permission desc="Cams login, error and denied pages" actions="">
  <resource-pattern id="*://*:*/cams/*"/>
  <acr-ref id="require authentication"/>
</permission>
...
<auth-acr id="cams administrator rule">
  <role-constraint>
    <role-name>everyone</role-name>
  </role-constraint>
</auth-acr>
...
In this case, if the Cams login page URL is:
https://www.myhost.com/cams/login.jsp
the access control policy will deny access unless the user is authenticated.
The Cams web agent will attempt to redirect the user's browser to the
login page, but access will once again be denied by the access control
policy. To avoid infinite redirection, the Cams web agent detects this
case. To fix the problem, either grant access to the Cams login page or
limit access to it using a rule that does not require authentication,
such as an IP address rule.
|
5006 |
Could not determine the security domain name
An AUTOLOGIN cookie is being removed because the name value is malformed.
Specifically, it does not contain a security domain name field.
|
5007 |
Invalid login parameter value
One or more login parameters are invalid. The cams-webagent.log
for the web server where the error occurred will contain detailed error
information.
|
5008 |
Non-Secure login attempt when secure session cookie required
A form-based login request was received via a non-secure (non-SSL) connection.
The login attempt was aborted and HTTP status 500 was returned rather
than risking return of a secure Cams session cookie over the non-secure
connection.
If secure Cams session cookies are desired (cams.cookie.secure=true),
then make sure your environment includes:
- SSL support on web servers where Cams login requests are handled.
- a Cams login page that posts form fields (login credentials) to a
secure (SSL-enabled) Cams login URL.
|
5009 |
Non-Secure AUTO-LOGIN attempt when secure session cookie required
A Cams AUTO-LOGIN cookie was received via a non-secure (non-SSL) connection.
AUTO-LOGIN was aborted rather than risking return of a secure Cams session
cookie over the non-secure connection.
If secure Cams session cookies are desired (cams.cookie.secure=true),
then make sure your environment includes:
- SSL support on web servers where Cams AUTO-LOGIN requests are handled.
- secure AUTO-LOGIN cookie support (cams.autologin.cookie.secure=true)
As a general rule for Cams environments using AUTO-LOGIN, the session
and AUTO-LOGIN cookies should use the same "secure" setting:
(cams.cookie.secure=false and cams.autologin.cookie.secure=false) or (cams.cookie.secure=true
and cams.autologin.cookie.secure=true).
|
5010 |
Unable to create secure AUTO-LOGIN cookie over non-secure connection
Cams AUTO-LOGIN is enabled for the agent and authentication succeeded,
but the agent refused to create a "secure" AUTO-LOGIN cookie
over a non-secure (HTTP) connection.
If a secure Cams AUTO-LOGIN cookie is desired (cams.autologin.cookie.secure=true),
then make sure form-based login is attempted over a secure (HTTPS) connection.
|
5100 |
Access control failed
The Cams web agent attempted to execute an access control check, but
it failed due to an unknown error. The Cams web agent trace log and/or
a Cams policy server trace log for the associated security domain should
contain additional information.
|
5101 |
Could not find the access control service
The Cams client does not have a required access control service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
5102 |
Invalid resource request type or action
The Cams web agent made an access control request for an unknown resource
type or action. Cams web agents only make access control
requests for resources of types cams
or http. For resource type cams,
the action must be ACCESS. For resource type
http, the action must be HTTP method GET, POST,
PUT, DELETE, HEAD, OPTIONS or TRACE.
NOTE: HTTP request methods used by WebDAV
clients, such as PROPFIND, PROPPATCH, MKCOL, COPY, MOVE,
LOCK and UNLOCK, are not supported by
Cams at this time. When HTTP requests with these methods are sent to a
web server with a Cams web agent, a 5102 Cams web agent error will result.
|
5105 |
Unknown access control response
An unknown access control response status code was received from the Cams
policy server.
|
5200 |
Session access failed
The Cams web agent's attempt to access an authenticated user's session
failed due to an error in the Cams session access service.
|
5201 |
Could not find the session access service
The Cams client does not have a required session-access service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
5202 |
General transport error
An error occurred when the Cams web agent attempted to communicate with
the Cams policy server.
|
5300 |
Session control failed
The Cams web agent's attempt to logout the user failed due to an error
in the Cams session control service.
|
5301 |
Could not find the session control service
The Cams client does not have a required session-control service. For
Java-based Cams web agents, this service name and implementation are configured
in cams-webagent.conf. For native
code Cams web agents, the service is included in the Cams client library.
|
5302 |
Could not logout user because session id is invalid
The Cams web agent received a logout request, but no session identifier
was provided. The user may have attempted to logout when not currently
logged in or the logout page did not specify a valid cams_security_domain
query parameter.
|
5303 |
Query parameter cams_security_domain is invalid
The Cams web agent received a cams_security_domain
query parameter value that was invalid or empty. The cause may be a
misconfigured login page that contains a bad hard-coded security domain
name, or a dynamic web page that does not properly store the security
domain name passed to it by a Cams web agent.
|
5304 |
A possible session hijacking attempt occurred: expected hash value does not match
A session hijacking attempt was detected and thwarted, or a possible
Cams web agent misconfiguration resulted in what appeared to be a session
hijacking attempt. If not an actual session hijacking attempt, inconsistent
configuration of session hijacking values for different Cams web agents
may be the cause. Confirm that the following properties have the same
values for all Cams agents:
- cams.session.hijacking.protection.enable
- cams.session.hijacking.protection.algorithm
- cams.session.hijacking.protection.salt
|
5305 |
Session hijacking misconfiguration
Session hijacking protection is not enabled for this Cams web agent,
but appears to be enabled for another Cams web agent in the same Cams
cluster. Confirm that the following properties have the same values for
all Cams web agents:
- cams.session.hijacking.protection.enable
- cams.session.hijacking.protection.algorithm
- cams.session.hijacking.protection.salt
|
5306 |
Session hijacking misconfiguration
Session hijacking protection is enabled for this Cams web agent,
but appears not to be enabled for another Cams web agent in the same Cams
cluster. Confirm that the following properties have the same values for
all Cams web agents:
- cams.session.hijacking.protection.enable
- cams.session.hijacking.protection.algorithm
- cams.session.hijacking.protection.salt
|
5307 |
Non-Secure logout attempt when secure session cookie required
A logout request was received via a non-secure (non-SSL) connection,
but the Cams session cookie is not likely present because it is configured
as a secure cookie. The login attempt continues in case an old session
cookie for the requested security domain is present from a time prior
to when secure session cookies were enabled or from an agent where secure
session cookies are disabled.
If secure Cams session cookies are desired (cams.cookie.secure=true),
then make sure your environment includes:
- SSL support on web servers where Cams logout requests are handled.
- a Cams logout link to an SSL-enabled URL (e.g. https://www.mydomain.com/cams/logout?cams_security_domain=system)
|
5308 |
Invalid logout parameter value
One or more logout parameters are invalid. The cams-webagent.log
for the web server where the error occurred will contain detailed error
information.
|
5400 |
Multiple redirect obligations
The Cams web agent was sent more than one redirect obligation by the
Cams policy server for a single access control response. To avoid situations
where the Cams web agent would need to decide which redirect to send to
the browser, the Cams web agent rejects access control responses that
include more than one obligation redirect. Check the access control policy
to correct the rule that is sending a multiple redirect obligation.
|
5401 |
Obligation not supported
The Cams web agent was sent an obligation that is not supported. Check
the release notes to verify the obligation support level for this Cams
web agent.
|
5402 |
Missing obligation attribute value
The Cams web agent was sent an HTTP redirect obligation but did not specify
the URL for the redirect.
|
5405 |
Internal obligation attribute value handling error
An internal Cams web agent error occurred while attempting to handle
an obligation attribute value. A pointer was NULL when not expected.
|
5500 |
Cross DNS Domain Single Sign-On failed
This is a general error indicating that the web agent attempted to handle
a cross DNS domain single sign-on request, but the request failed. See
the context-sensitive error messages in the cams-webagent.log file and
the Cams Policy Server "trace" log file for details on why CDSSO
failed. Common causes include a configuration error in the Cams Policy
Server CDSSO authentication valve and an expired cams_sso_context caused
by network latency or a too short expiration period of the context.
|
5501 |
Authentication service not available
Cross DNS Domain Single Sign-On failed because the authentication service
needed to handle the CDSSO request was not available. This is most likely
caused by misconfiguration of the camsclient component within the cams-webagent.conf
file.
|
5502 |
Invalid HTTP request method for CDSSO
Cross DNS Domain Single Sign-On failed because the request did not use
the HTTP "GET" method. HTTP requests for Cams CDSSO must be
made using the "GET" method: not "POST", "PUT",
"HEAD", nor any other HTTP method for this agent.
|
5503 |
Query parameter cams_login_config is invalid
A CDSSO authentication request failed because the required cams_login_config
parameter is missing, empty or invalid.
|
5504 |
The cams_session_id query parameter is missing or empty.
A cross DNS domain single sign-on request failed because the cams_session_id
query parameter was missing or empty.
|
5505 |
The cams_session_id query parameter is invalid
A cross DNS domain single sign-on request failed because the cams_session_id
query parameter contained a malformed value. See the context-sensitive
message for more information.
|
5506 |
The cams_sso_context query parameter is invalid
A cross DNS domain single sign-on request failed because the cams_sso_context
was missing, empty, or malformed. See the context-sensitive message for
more information.
|
5507 |
Non-Secure CDSSO attempt when secure session cookie required
A cross DNS domain single sign-on (CDSSO) request was received via a
non-secure (non-SSL) connection. The CDSSO attempt was aborted and HTTP
status 500 was returned rather than risking return of a secure Cams session
cookie over the non-secure connection.
If secure Cams session cookies are desired (cams.cookie.secure=true),
then make sure your environment includes:
- SSL support on web servers where Cams CDSSO cookie provider requests
are handled (/cams/sso)
- a CamsCDSSOAuthValve configuration (in your cams-security-domain.xml
file) that uses only "https" cookieProviderUrls.
|
5600 |
Automatic Enterprise Sign-On (AESO) failed
This is a general error indicating that the web agent attempted to handle
an automatic enterprise sign-on request, but the request failed. See the
context-sensitive error messages in the cams-webagent.log file and the
Cams Policy Server "trace" log file for details on why AESO
failed.
In most cases, this message indicates that native web server authentication
succeeded (e.g. HTTP Basic, Kerberos, or other authentication method)
and the Cams web agent received a recognized AESO request (e.g. to URI
/cams/aeso), but there was a problem when assembling the corresponding
Cams authentication request or in handling the authentication request
on the Cams Policy Server. A common problem on the Cams Policy Server
is misconfiguration of the "aeso" login-config-entry and/or
a LoginModule used for handling AESO requests. See the Cams Policy Server
"trace" log for the security domain in which AESO is configured.
|
5601 |
Authentication service not available
Automatic Enterprise Sign-On failed because the authentication service
needed to handle the AESO request was not available. This is most likely
caused by misconfiguration of the camsclient component within the cams-webagent.conf
file.
|
5602 |
Invalid HTTP request method for AESO
Cams Automatic Enterprise Sign-On failed because the request did not
use the HTTP "GET" method. HTTP requests for Cams AESO must
be made using the "GET" method: not "POST", "PUT",
"HEAD", nor any other HTTP method for this agent.
|
5603 |
The cams_security_domain query parameter is missing or empty
A Cams AESO request was received, but the cams_security_domain query
parameter was either missing or empty (a zero length string). The Cams
web agent must receive the cams_security_domain query parameter for a
valid Cams security domain in order to request authentication with that
security domain.
|
5604 |
Query parameter cams_login_config is invalid
A Cams AESO request was received, but it did not contain a valid cams_login_config
query parameter, which is required to select the rules in cams-webagent.conf
for assembling the associated authentication request.
|
5605 |
Query parameter cams_original_url is missing
A Cams AESO request was received, but it did not contain a valid cams_original_url
query parameter, which is needed to redirect the user to a URL after successful
login.
|
5606 |
No callback values configured for the requested security domain
The cams-webagent.conf file does not contain Cams AESO configuration
properties for the specified cams_security_domain. For example, if cams_security_domain=mydomain
and cams_login_config=aeso, then cams-webagent.conf should contain configuration
properties like:
cams.aeso.callback.names.system=username,agent_secret
cams.aeso.callback.value.system.username={http_request:REMOTE_USER}
cams.aeso.callback.value.system.agent_secret=foobar
NOTE: your values may differ depending on authentication
method, agent environment, Cams login config, and/or security domain.
See the Cams AESO documentation for more information.
|
5607 |
Obligation not supported
The Cams web agent handled an AESO request, but was sent an authentication
obligation that is not supported. Check the release notes to verify the
obligation support level for this Cams web agent.
|
5608 |
Non-Secure AESO attempt when secure session cookie required
A Cams automatic enterprise sign-on (AESO) request was received via a
non-secure (non-SSL) connection. AESO was aborted and HTTP status 500
was returned rather than risking return of a secure Cams session cookie
over the non-secure connection.
If secure Cams session cookies are desired (cams.cookie.secure=true),
then make sure your environment includes:
- SSL support on web servers where Cams AESO requests are handled (/cams/aeso)
- a secure "camsLoginUrl" (in your security domain login-config.xml
file) for the login-config-entry that references the Cams AESO action.
For example: <login-parameter name="camsLoginUrl" value="https://www.mydomain.com/cams/aeso"/>
|
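The NOTE under errors 5003 and 5004 describes a login page that receives cams_security_domain and cams_login_config as query parameters and posts them back in hidden fields. The following is an added example of that hand-off, not code from the Cams distribution. The name pattern, the credential field names, and the login URL passed in are assumptions to adapt to your deployment.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: security domain and login config names are short plain
# identifiers. Tighten this to the names defined on your Cams policy server.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
PASSED_THROUGH = ("cams_security_domain", "cams_login_config")


def render_login_form(query_string, login_url):
    """Return login form HTML carrying the agent-supplied values in hidden fields.

    login_url is the agent's authentication URI (deployment-specific).
    Raises ValueError when a parameter is missing, empty, repeated or not a
    plain name, which would otherwise surface later as error 5003 or 5004.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    hidden = []
    for name in PASSED_THROUGH:
        values = params.get(name, [])
        if len(values) != 1 or not NAME_RE.fullmatch(values[0]):
            raise ValueError(f"{name} is missing, empty or invalid")
        # Escape even validated values: they arrive in the request URL and
        # must never be written into the page as raw markup.
        hidden.append('<input type="hidden" name="%s" value="%s">'
                      % (name, html.escape(values[0], quote=True)))
    return "\n".join([
        # Error 5002: the agent accepts only POST for authentication.
        '<form method="post" action="%s">' % html.escape(login_url, quote=True),
        *hidden,
        '<input type="text" name="username">',      # assumed field name
        '<input type="password" name="password">',  # assumed field name
        '<input type="submit" value="Log in">',
        "</form>",
    ])


if __name__ == "__main__":
    # Constructed query string and a hypothetical login URL.
    print(render_login_form(
        "cams_security_domain=system&cams_login_config=http-form",
        "https://www.example.com/cams/login"))
```
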
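Errors 5304 to 5306 ask you to confirm that the three session hijacking properties match on all Cams web agents, and error 5009 states that the session and AUTO-LOGIN cookies should use the same "secure" setting. The following added example (not part of the Cams distribution) audits a set of cams-webagent.conf files for both conditions. It assumes simple key=value lines with '#' comments, and it treats a missing property as "not set" because this page does not state default values.

```python
from collections import defaultdict

# Properties the page says must have the same value on every Cams web agent.
HIJACK_KEYS = (
    "cams.session.hijacking.protection.enable",
    "cams.session.hijacking.protection.algorithm",
    "cams.session.hijacking.protection.salt",
)

def parse_properties(text):
    """Parse key=value lines. Assumption: '#' starts a comment line."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(agents):
    """agents maps an agent name to its cams-webagent.conf text; returns findings."""
    parsed = {name: parse_properties(text) for name, text in agents.items()}
    findings = []
    for key in HIJACK_KEYS:
        by_value = defaultdict(list)
        for name, props in parsed.items():
            by_value[props.get(key)].append(name)  # None means "not set"
        if len(by_value) > 1:
            # Name the agents only, so the salt never ends up in a report.
            groups = sorted(sorted(names) for names in by_value.values())
            findings.append(f"{key}: agents disagree {groups}")
    for name, props in parsed.items():
        session = props.get("cams.cookie.secure")
        autologin = props.get("cams.autologin.cookie.secure")
        if None not in (session, autologin) and session.lower() != autologin.lower():
            findings.append(f"{name}: cams.cookie.secure={session} but "
                            f"cams.autologin.cookie.secure={autologin}")
    return sorted(findings)

# Constructed sample configurations (values are placeholders, not real settings).
HIJACK_LINES = ("cams.session.hijacking.protection.enable=true\n"
                "cams.session.hijacking.protection.algorithm=EXAMPLE-ALG\n")
SAMPLE = {
    "web1": "cams.cookie.secure=true\ncams.autologin.cookie.secure=true\n"
            + HIJACK_LINES + "cams.session.hijacking.protection.salt=salt-A\n",
    "web2": "cams.cookie.secure=true\ncams.autologin.cookie.secure=false\n"
            + HIJACK_LINES + "cams.session.hijacking.protection.salt=salt-B\n",
    "web3": "# same settings as web1\ncams.cookie.secure=true\n"
            + HIJACK_LINES + "cams.session.hijacking.protection.salt=salt-A\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
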