Back | Next | Contents Cams Web Agent Guide

Web Agent Error Codes

An error code is sent to a Cams web agent to give additional context about an error that has occurred within a Cams web agent. The error code is displayed both on the configured Cams error page and in the cams-webagent.log file. Table 1 shows the error codes in numerical order and classified by:

Code Description
5000 Authentication failed

The Cams web agent attempted to authenticate a user but the request failed due to an unknown error. The Cams web agent trace log and/or a Cams policy server trace log for the associated security domain should contain additional information.

5001 Could not find the authentication service

The Cams client does not have a required authentication service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

5002 Invalid HTTP method for authentication

Cams web agents only support POST requests for authentication requests. A non-POST HTTP request was received by a Cams web agent for the URI configured for user authentication.

5003

Query parameter cams_security_domain is invalid

An authentication request was received by a Cams web agent, but the required cams_security_domain parameter is missing, empty or invalid. A dynamic login page that does not correctly use the Cams cams_security_domain provided to it by a Cams web agent may be the cause.

NOTE: The login page should receive this value as a query parameter and store it in a hidden field named cams_security_domain. When the associated HTML form is posted during authentication, this parameter will be sent with the authentication request.

5004 Query parameter cams_login_config is invalid

An authentication request was received by a Cams web agent, but the required cams_login_config parameter is missing, empty or invalid. A dynamic login page that does not correctly use the Cams cams_login_config provided to it by a Cams web agent may be the cause.

NOTE: The login page should receive this value as a query parameter and store it in a hidden field named cams_login_config. When the associated HTML form is posted during authentication, this parameter will be sent with the authentication request.

5005 The access control rule protecting the Cams login page is invalid

The Cams policy server denied access to the login page because the access control policy requires authentication. Authentication cannot occur unless the login page is presented to the user, without authentication. For example, the following access-control-policy.xml would cause this error to display:

...
<permission desc="Cams login, error and denied pages" actions="">
   <resource-pattern id="*://*:*/cams/*"/>
   <acr-ref id="require authentication"/>
</permission>
...
<auth-acr id="cams administrator rule">
<role-constraint>
<role-name>everyone</role-name>
</role-constraint>
</auth-acr> ...

In this case, if the Cams login page URL is:

https://www.myhost.com/cams/login.jsp

the access control policy will deny access unless the user is authenticated. The Cams web agent will attempt to redirect the user's browser to the login page, but access will once again be denied by the access control policy. To avoid infinite redirection, the Cams web agents detects this case. To fix the problem, either grant access to the Cams login page or limit access to it using a rule that does not require authentication, such as an IP address rule.

5006

Could not determine the security domain name

An AUTOLOGIN cookie is being removed because the name value is malformed. Specifically, it does not contain a security domain name field.

5007

Invalid login parameter value

One or more login parameters are invalid. The cams-webagent.log for the web server where the error occurred will contain detailed error information.

5008

Non-Secure login attempt when secure session cookie required

A form-based login request was received via a non-secure (non-SSL) connection. The login attempt was aborted and HTTP status 500 was returned rather than risking return of a secure Cams session cookie over the non-secure connection.

If secure Cams session cookies are desired (cams.cookie.secure=true), then make sure your environment includes:

  • SSL support on web servers where Cams login requests are handled.
  • a Cams login page that posts form fields (login credentials) to a secure (SSL-enabled) Cams login URL.
5009

Non-Secure AUTO-LOGIN attempt when secure session cookie required

A Cams AUTO-LOGIN cookie was received via a non-secure (non-SSL) connection. AUTO-LOGIN was aborted rather than risking return of a secure Cams session cookie over the non-secure connection.

If secure Cams session cookies are desired (cams.cookie.secure=true), then make sure your environment includes:

  • SSL support on web servers where Cams AUTO-LOGIN requests are handled.
  • secure AUTO-LOGIN cookie support (cams.autologin.cookie.secure=true)

As a general rule for Cams environments using AUTO-LOGIN, the session and AUTO-LOGIN cookies should use the same "secure" setting: (cams.cookie.secure=false and cams.autologin.cookie.secure=false) or (cams.cookie.secure=true and cams.autologin.cookie.secure=true).

5010

Unable to create secure AUTO-LOGIN cookie over non-secure connection

Cams AUTO-LOGIN is enabled for the agent and authentication succeeded, but the agent refused to create a "secure" AUTO-LOGIN cookie over a non-secure (HTTP) connection.

If a secure Cams AUTO-LOGIN cookie is desired (cams.autologin.cookie.secure=true), then make sure form-based login is attempted over a secure (HTTPS) connection.

5100

Access control failed

The Cams web agent attempted to execute an access control check, but it failed due to an unknown error. The Cams web agent trace log and/or a Cams policy server trace log for the associated security domain should contain additional information.

5101 Could not find the access control service

The Cams client does not have a required access control service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

5102

Invalid resource request type or action

The Cams web agent made an access control request for an unknown resource type or action. Cams web agents only make access control requests for resources of types cams or http. For resource type cams, the action must be ACCESS. For resource type http, the action must be HTTP method GET, POST, PUT, DELETE, HEAD, OPTIONS or TRACE.

NOTE: HTTP request methods used by WebDAV clients such as PROPFIND, PROPPATCH, MKCOL, COPY, MOVE. LOCK and UNLOCK are not supported by Cams at this time. When HTTP requests with these methods are sent to a web server with a Cams web agent, a 5102 Cams web agent error will result.

5105 Unknown access control response

An unknown access control response status code was received from the Cams policy server.
5200 Session access failed

The Cams web agent's attempt to access an authenticated user's session failed due to an error in the Cams session access service.

5201 Could not find the session access service

The Cams client does not have a required session-access service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

5202

General transport error

An error occurred when the Cams web agent attempted to communicate with the Cams policy server.

5300

Session control failed

The Cams web agent's attempt to logout the user failed due to an error in the Cams session control service.

5301

Could not find the session control service

The Cams client does not have a required session-control service. For Java-based Cams web agents, this service name and implementation are configured in cams-webagent.conf. For native code Cams web agents, the service is included in the Cams client library.

5302

Could not logout user because session id is invalid

The Cams web agent received a logout request, but no session identifier was provided. The user may have attempted to logout when not currently logged in or the logout page did not specify a valid cams_security_domain query parameter.

5303

Query parameter cams_security_domain is invalid

The Cams web agent received a cams_security_domain query parameter value that was invalid, or empty. A misconfigured login page that either contains a bad hard-coded security domain name or if a dynamic web page does not properly store the security domain name passed to it by a Cams web agent may be the cause.

5304

A possible session hijacking attempt occurred: expected hash value does not match

An session hijacking attempt was detected and thwarted or a possible Cams web agent misconfiguration resulted in what appeared to be a session hijacking attempt. If not an actual session hijacking attempt, inconsistent configuration of session hijacking values for different Cams web agents may be the cause. Confirm that the following properties have the same values for all Cams agents:

  • cams.session.hijacking.protection.enable
  • cams.session.hijacking.protection.algorithm
  • cams.session.hijacking.protection.salt
5305

Session hijacking misconfiguration

Session hijacking protection is not enabled for this Cams web agent, but appears to be enabled for another Cams web agent in the same Cams cluster. Confirm that the following properties have the same values for all Cams web agents:

  • cams.session.hijacking.protection.enable
  • cams.session.hijacking.protection.algorithm
  • cams.session.hijacking.protection.salt
5306

Session hijacking misconfiguration

Session hijacking protection is enabled for this Cams web agent agent, but appears not to be enabled for another Cams web agent in the same Cams cluster. Confirm that the following properties have the same values for all Cams web agents:

  • cams.session.hijacking.protection.enable
  • cams.session.hijacking.protection.algorithm
  • cams.session.hijacking.protection.salt
5307

Non-Secure logout attempt when secure session cookie required

A logout request was received via a non-secure (non-SSL) connection, but the Cams session cookie is not likely present because it is configured as a secure cookie. The login attempt continues in case an old session cookie for the requested security domain is present from a time prior to when secure session cookies were enabled or from an agent where secure session cookies are disabled.

If secure Cams session cookies are desired (cams.cookie.secure=true), then make sure your environment includes:

  • SSL support on web servers where Cams logout requests are handled.
  • a Cams logout link to an SSL-enabled URL (e.g. https://www.mydomain.com/cams/logout?cams_security_domain=system
5308

Invalid logout parameter value

One or more logout parameters are invalid. The cams-webagent.log for the web server where the error occurred will contain detailed error information.

5400

Multiple redirect obligations

The Cams web agent was sent more than one redirect obligation by the Cams policy server for a single access control response. To avoid situations where the Cams web agent would need to decide which redirect to send to the browser, the Cams web agent rejects access control responses that include more than one obligation redirect. Check the access control policy to correct the rule that is sending a multiple redirect obligation.

5401

Obligation not supported

The Cams web agent was sent an obligation that is not supported. Check the release notes to verify the obligation support level for this Cams web agent.

5402

Missing obligation attribute value

The Cams web agent was sent an HTTP redirect obligation but did not specify the URL for the redirect.

5405

Internal obligation attribute value handling error

An internal Cams web agent error occurred while attempting to handle an obligation attribute value. A pointer was NULL when not expected.

5500

Cross DNS Domain Single Sign-On failed

This is a general error indicating that the web agent attempted to handle a cross DNS domain single sign-on request, but the request failed. See the context-sensitive error messages in the cams-webagent.log file and the Cams Policy Server "trace" log file for details on why CDSSO failed. Common causes include a configuration error in the Cams Policy Server CDSSO authenticaiton valve and an expired cams_sso_context caused by network latency or a too short expiration period of the context.

5501

Authentication service not available

Cross DNS Domain Single Sign-On failed because the authentication service needed to handle the CDSSO request was not available. This is most likely caused by misconfiguration of the camsclient component within the cams-webagent.conf file.

5502

Invalid HTTP request method for CDSSO

Cross DNS Domain Single Sign-On failed because the request did not use the HTTP "GET" method. HTTP requests for Cams CDSSO must be made using the "GET" method: not "POST", "PUT", "HEAD", nor any other HTTP method for this agent.

5503 Query parameter cams_login_config is invalid

A CDSSO authentication request failed because the required cams_login_config parameter is missing, empty or invalid.

5504

The cams_session_id query parameter is missing or empty.

A cross DNS domain single sign-on request failed because the cams_session_id query parameter was missing or empty.

5505

The cams_session_id query parameter is invalid

A cross DNS domain single sign-on request failed because the cams_session_id query parameter contained a malformed value. See the context-sensitive message for more information.

5506

The cams_sso_context query parameter is invalid

A cross DNS domain single sign-on request failed because the cams_sso_context was missing, empty, or malformed. See the context-sensitive message for more information.

5507

Non-Secure CDSSO attempt when secure session cookie required

A cross DNS domain single sign-on (CDSSO) request was received via a non-secure (non-SSL) connection. The CDSSO attempt was aborted and HTTP status 500 was returned rather than risking return of a secure Cams session cookie over the non-secure connection.

If secure Cams session cookies are desired (cams.cookie.secure=true), then make sure your environment includes:

  • SSL support on web servers where Cams CDSSO cookie provider requests are handled (/cams/sso)
  • a CamsCDSSOAuthValve configuration (in your cams-security-domain.xml file) that uses only "https" cookieProviderUrls.
5600

Automatic Enterprise Sign-On (AESO) failed

This is a general error indicating that the web agent attempted to handle an automatic enterprise sign-on request, but the request failed. See the context-sensitive error messages in the cams-webagent.log file and the Cams Policy Server "trace" log file for details on why AESO failed.

In most cases, this message indicates that native web server authentication succeeded (e.g. HTTP Basic, Kerberos, or other authentication method) and the Cams web agent received a recognized AESO request (e.g. to URI /cams/aeso), but there was a problem when assembling the corresponding Cams authentication request or in handling the authentication request on the Cams Policy Server. A common problem on the Cams Policy Server is misconfiguration of the "aeso" login-config-entry and/or a LoginModule used for handling AESO requests. See the Cams Policy Server "trace" log for the security domain in which AESO is configured.

5601

Authentication service not available

Automatic Enterprise Sign-On failed because the authentication service needed to handle the AESO request was not available. This is most likely caused by misconfiguration of the camsclient component within the cams-webagent.conf file.

5602

Invalid HTTP request method for AESO

Cams Automatic Enterprise Sign-On failed because the request did not use the HTTP "GET" method. HTTP requests for Cams AESO must be made using the "GET" method: not "POST", "PUT", "HEAD", nor any other HTTP method for this agent.

5603

The cams_security_domain query parameter is missing or empty

A Cams AESO request was received, but the cams_security_domain query parameter was either missing or empty (a zero length string). The Cams web agent must received the cams_security_domain query parameter for a valid Cams security domain in order to request authentication with that security domain.

5604 Query parameter cams_login_config is invalid

A Cams AESO request was received, but it did not contain a valid cams_login_config query parameter, which is required to select the rules in cams-webagent.conf for assembling the associated authentication request.

5605

Query parameter cams_original_url is missing

A Cams AESO request was received, but it did not contain a valid cams_original_url query parameter, which is needed to redirect the user to a URL after successful login.

5606

No callback values configured for the requested security domain

The cams-webagent.conf file does not contains Cams AESO configuration properties for the specified cams_security_domain. For example, if cams_security_domain=mydomain and cams_login_config=aeso, then cams-webagent.conf should contain configuration properties like:

cams.aeso.callback.names.system=username,agent_secret
cams.aeso.callback.value.system.username={http_request:REMOTE_USER}
cams.aeso.callback.value.system.agent_secret=foobar

NOTE: your values may differ depending on authentication method, agent environment, Cams login config, and/or security domain. See the Cams AESO documentation for more information.

5607

Obligation not supported

The Cams web agent handled an AESO request, but was sent an authentication obligation that is not supported. Check the release notes to verify the obligation support level for this Cams web agent.

5608

Non-Secure AESO attempt when secure session cookie required

A Cams automatic enterprise sign-on (AESO) request was received via a non-secure (non-SSL) connection. AESO was aborted and HTTP status 500 was returned rather than risking return of a secure Cams session cookie over the non-secure connection.

If secure Cams session cookies are desired (cams.cookie.secure=true), then make sure your environment includes:

  • SSL support on web servers where Cams AESO requests are handled (/cams/aeso)
  • a secure "camsLoginUrl" (in your security domain login-config.xml file) for the login-config-entry that references the Cams AESO action. For example: <login-parameter name="camsLoginUrl" value="https://www.mydomain.com/cams/aeso"/>

Table 1 - Cams web agent error codes

Back | Next | Contents