Web Agent Error Codes

The Cams web agent attempted to authenticate a user but the request failed due to an unknown error. The Cams web agent trace log and/or a Cams policy server trace log for the associated security domain should contain additional information.

The Cams client does not have a required authentication service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

Cams web agents only support POST requests for authentication requests. A non-POST HTTP request was received by a Cams web agent for the URI configured for user authentication.

Query parameter cams_security_domain is invalid

An authentication request was received by a Cams web agent, but the required cams_security_domain parameter is missing, empty or invalid. A dynamic login page that does not correctly use the Cams cams_security_domain provided to it by a Cams web agent may be the cause.

NOTE: The login page should receive this value as a query parameter and store it in a hidden field named cams_security_domain. When the associated HTML form is posted during authentication, this parameter will be sent with the authentication request.

An authentication request was received by a Cams web agent, but the required cams_login_config parameter is missing, empty or invalid. A dynamic login page that does not correctly use the Cams cams_login_config provided to it by a Cams web agent may be the cause.

NOTE: The login page should receive this value as a query parameter and store it in a hidden field named cams_login_config. When the associated HTML form is posted during authentication, this parameter will be sent with the authentication request.

The Cams policy server denied access to the login page because the access control policy requires authentication. Authentication cannot occur unless the login page is presented to the user, without authentication. For example, the following access-control-policy.xml would cause this error to display:

...
<permission desc="Cams login, error and denied pages" actions="">
   <resource-pattern id="*://*:*/cams/*"/>
   <acr-ref id="require authentication"/>
</permission>
...
<auth-acr id="cams administrator rule">
   <role-constraint>
      <role-name>everyone</role-name>
   </role-constraint>
</auth-acr>
...

In this case, if the Cams login page URL is:

https://www.myhost.com/cams/login.jsp

the access control policy will deny access unless the user is authenticated. The Cams web agent will attempt to redirect the user's browser to the login page, but access will once again be denied by the access control policy. To avoid infinite redirection, the Cams web agents detects this case. To fix the problem, either grant access to the Cams login page or limit access to it using a rule that does not require authentication, such as an IP address rule.

Could not determine the security domain name

An AUTOLOGIN cookie is being removed because the name value is malformed. Specifically, it does not contain a security domain name field.

Invalid login parameter value

One or more login parameters are invalid. The cams-webagent.log for the web server where the error occurred will contain detailed error information.

Non-Secure login attempt when secure session cookie required

A form-based login request was received via a non-secure (non-SSL) connection. The login attempt was aborted and HTTP status 500 was returned rather than risking return of a secure Cams session cookie over the non-secure connection.

If secure Cams session cookies are desired (cams.cookie.secure=true), then make sure your environment includes:

• SSL support on web servers where Cams login requests are handled.
• a Cams login page that posts form fields (login credentials) to a secure (SSL-enabled) Cams login URL.

Non-Secure AUTO-LOGIN attempt when secure session cookie required

A Cams AUTO-LOGIN cookie was received via a non-secure (non-SSL) connection. AUTO-LOGIN was aborted rather than risking return of a secure Cams session cookie over the non-secure connection.

If secure Cams session cookies are desired (cams.cookie.secure=true), then make sure your environment includes:

• SSL support on web servers where Cams AUTO-LOGIN requests are handled.
• secure AUTO-LOGIN cookie support (cams.autologin.cookie.secure=true)

As a general rule for Cams environments using AUTO-LOGIN, the session and AUTO-LOGIN cookies should use the same "secure" setting: (cams.cookie.secure=false and cams.autologin.cookie.secure=false) or (cams.cookie.secure=true and cams.autologin.cookie.secure=true).

Unable to create secure AUTO-LOGIN cookie over non-secure connection

Cams AUTO-LOGIN is enabled for the agent and authentication succeeded, but the agent refused to create a "secure" AUTO-LOGIN cookie over a non-secure (HTTP) connection.

If a secure Cams AUTO-LOGIN cookie is desired (cams.autologin.cookie.secure=true), then make sure form-based login is attempted over a secure (HTTPS) connection.

Access control failed

The Cams web agent attempted to execute an access control check, but it failed due to an unknown error. The Cams web agent trace log and/or a Cams policy server trace log for the associated security domain should contain additional information.

The Cams client does not have a required access control service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

Invalid resource request type or action

The Cams web agent made an access control request for an unknown resource type or action. Cams web agents only make access control requests for resources of types cams or http. For resource type cams, the action must be ACCESS. For resource type http, the action must be HTTP method GET, POST, PUT, DELETE, HEAD, OPTIONS or TRACE.

NOTE: HTTP request methods used by WebDAV clients such as PROPFIND, PROPPATCH, MKCOL, COPY, MOVE. LOCK and UNLOCK are not supported by Cams at this time. When HTTP requests with these methods are sent to a web server with a Cams web agent, a 5102 Cams web agent error will result.

The Cams web agent's attempt to access an authenticated user's session failed due to an error in the Cams session access service.

The Cams client does not have a required session-access service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

General transport error

An error occurred when the Cams web agent attempted to communicate with the Cams policy server.

Session control failed

The Cams web agent's attempt to logout the user failed due to an error in the Cams session control service.

Could not find the session control service

The Cams client does not have a required session-control service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

Could not logout user because session id is invalid

The Cams web agent received a logout request, but no session identifier was provided. The user may have attempted to logout when not currently logged in or the logout page did not specify a valid cams_security_domain query parameter.

Query parameter cams_security_domain is invalid

The Cams web agent received a cams_security_domain query parameter value that was invalid, or empty. A misconfigured login page that either contains a bad hard-coded security domain name or if a dynamic web page does not properly store the security domain name passed to it by a Cams web agent may be the cause.

A possible session hijacking attempt occurred: expected hash value does not match

An session hijacking attempt was detected and thwarted or a possible Cams web agent misconfiguration resulted in what appeared to be a session hijacking attempt. If not an actual session hijacking attempt, inconsistent configuration of session hijacking values for different Cams web agents may be the cause. Confirm that the following properties have the same values for all Cams agents:

• cams.session.hijacking.protection.enable
• cams.session.hijacking.protection.algorithm
• cams.session.hijacking.protection.salt

Session hijacking misconfiguration

Session hijacking protection is not enabled for this Cams web agent, but appears to be enabled for another Cams web agent in the same Cams cluster. Confirm that the following properties have the same values for all Cams web agents:

• cams.session.hijacking.protection.enable
• cams.session.hijacking.protection.algorithm
• cams.session.hijacking.protection.salt

Session hijacking misconfiguration

Session hijacking protection is enabled for this Cams web agent agent, but appears not to be enabled for another Cams web agent in the same Cams cluster. Confirm that the following properties have the same values for all Cams web agents:

• cams.session.hijacking.protection.enable
• cams.session.hijacking.protection.algorithm
• cams.session.hijacking.protection.salt

Non-Secure logout attempt when secure session cookie required

A logout request was received via a non-secure (non-SSL) connection, but the Cams session cookie is not likely present because it is configured as a secure cookie. The login attempt continues in case an old session cookie for the requested security domain is present from a time prior to when secure session cookies were enabled or from an agent where secure session cookies are disabled.

If secure Cams session cookies are desired (cams.cookie.secure=true), then make sure your environment includes:

• SSL support on web servers where Cams logout requests are handled.
• a Cams logout link to an SSL-enabled URL (e.g. https://www.mydomain.com/cams/logout?cams_security_domain=system

Invalid logout parameter value

One or more logout parameters are invalid. The cams-webagent.log for the web server where the error occurred will contain detailed error information.

Multiple redirect obligations

The Cams web agent was sent more than one redirect obligation by the Cams policy server for a single access control response. To avoid situations where the Cams web agent would need to decide which redirect to send to the browser, the Cams web agent rejects access control responses that include more than one obligation redirect. Check the access control policy to correct the rule that is sending a multiple redirect obligation.

Obligation not supported

The Cams web agent was sent an obligation that is not supported. Check the release notes to verify the obligation support level for this Cams web agent.

Missing obligation attribute value

The Cams web agent was sent an HTTP redirect obligation but did not specify the URL for the redirect.

Internal obligation attribute value handling error

An internal Cams web agent error occurred while attempting to handle an obligation attribute value. A pointer was NULL when not expected.

Cross DNS Domain Single Sign-On failed

This is a general error indicating that the web agent attempted to handle a cross DNS domain single sign-on request, but the request failed. See the context-sensitive error messages in the cams-webagent.log file and the Cams Policy Server "trace" log file for details on why CDSSO failed. Common causes include a configuration error in the Cams Policy Server CDSSO authenticaiton valve and an expired cams_sso_context caused by network latency or a too short expiration period of the context.

Authentication service not available

Cross DNS Domain Single Sign-On failed because the authentication service needed to handle the CDSSO request was not available. This is most likely caused by misconfiguration of the camsclient component within the cams-webagent.conf file.

Invalid HTTP request method for CDSSO

Cross DNS Domain Single Sign-On failed because the request did not use the HTTP "GET" method. HTTP requests for Cams CDSSO must be made using the "GET" method: not "POST", "PUT", "HEAD", nor any other HTTP method for this agent.

A CDSSO authentication request failed because the required cams_login_config parameter is missing, empty or invalid.

The cams_session_id query parameter is missing or empty.

A cross DNS domain single sign-on request failed because the cams_session_id query parameter was missing or empty.

The cams_session_id query parameter is invalid

A cross DNS domain single sign-on request failed because the cams_session_id query parameter contained a malformed value. See the context-sensitive message for more information.

The cams_sso_context query parameter is invalid

A cross DNS domain single sign-on request failed because the cams_sso_context was missing, empty, or malformed. See the context-sensitive message for more information.

Non-Secure CDSSO attempt when secure session cookie required

A cross DNS domain single sign-on (CDSSO) request was received via a non-secure (non-SSL) connection. The CDSSO attempt was aborted and HTTP status 500 was returned rather than risking return of a secure Cams session cookie over the non-secure connection.

If secure Cams session cookies are desired (cams.cookie.secure=true), then make sure your environment includes:

• SSL support on web servers where Cams CDSSO cookie provider requests are handled (/cams/sso)
• a CamsCDSSOAuthValve configuration (in your cams-security-domain.xml file) that uses only "https" cookieProviderUrls.

Automatic Enterprise Sign-On (AESO) failed

This is a general error indicating that the web agent attempted to handle an automatic enterprise sign-on request, but the request failed. See the context-sensitive error messages in the cams-webagent.log file and the Cams Policy Server "trace" log file for details on why AESO failed.

In most cases, this message indicates that native web server authentication succeeded (e.g. HTTP Basic, Kerberos, or other authentication method) and the Cams web agent received a recognized AESO request (e.g. to URI /cams/aeso), but there was a problem when assembling the corresponding Cams authentication request or in handling the authentication request on the Cams Policy Server. A common problem on the Cams Policy Server is misconfiguration of the "aeso" login-config-entry and/or a LoginModule used for handling AESO requests. See the Cams Policy Server "trace" log for the security domain in which AESO is configured.

Authentication service not available

Automatic Enterprise Sign-On failed because the authentication service needed to handle the AESO request was not available. This is most likely caused by misconfiguration of the camsclient component within the cams-webagent.conf file.

Invalid HTTP request method for AESO

Cams Automatic Enterprise Sign-On failed because the request did not use the HTTP "GET" method. HTTP requests for Cams AESO must be made using the "GET" method: not "POST", "PUT", "HEAD", nor any other HTTP method for this agent.

The cams_security_domain query parameter is missing or empty

A Cams AESO request was received, but the cams_security_domain query parameter was either missing or empty (a zero length string). The Cams web agent must received the cams_security_domain query parameter for a valid Cams security domain in order to request authentication with that security domain.

A Cams AESO request was received, but it did not contain a valid cams_login_config query parameter, which is required to select the rules in cams-webagent.conf for assembling the associated authentication request.

Query parameter cams_original_url is missing

A Cams AESO request was received, but it did not contain a valid cams_original_url query parameter, which is needed to redirect the user to a URL after successful login.

No callback values configured for the requested security domain

The cams-webagent.conf file does not contains Cams AESO configuration properties for the specified cams_security_domain. For example, if cams_security_domain=mydomain and cams_login_config=aeso, then cams-webagent.conf should contain configuration properties like:

cams.aeso.callback.names.system=username,agent_secret
cams.aeso.callback.value.system.username={http_request:REMOTE_USER}
cams.aeso.callback.value.system.agent_secret=foobar

NOTE: your values may differ depending on authentication method, agent environment, Cams login config, and/or security domain. See the Cams AESO documentation for more information.

Obligation not supported

The Cams web agent handled an AESO request, but was sent an authentication obligation that is not supported. Check the release notes to verify the obligation support level for this Cams web agent.

Non-Secure AESO attempt when secure session cookie required

A Cams automatic enterprise sign-on (AESO) request was received via a non-secure (non-SSL) connection. AESO was aborted and HTTP status 500 was returned rather than risking return of a secure Cams session cookie over the non-secure connection.

If secure Cams session cookies are desired (cams.cookie.secure=true), then make sure your environment includes:

• SSL support on web servers where Cams AESO requests are handled (/cams/aeso)
• a secure "camsLoginUrl" (in your security domain login-config.xml file) for the login-config-entry that references the Cams AESO action. For example: <login-parameter name="camsLoginUrl" value="https://www.mydomain.com/cams/aeso"/>