43.1 Modifying a Configuration That References a Removed Object

One scenario that causes XML validation errors occurs when a configuration references an object that has been removed. For example, a custom authentication contract was created and assigned to a protected resource. The contract was manually deleted from the Identity Server configuration, but the Access Gateway protected resource still references it, even though it is not displayed in the user interface. After you identify the missing link, you can use the Access Manager interface to work around the problem.

Troubleshooting Steps

  1. Search the /opt/novell/devman/share/logs/app_sc.0.log file on the Administration Console server for #200904025: Error - XML VALIDATION FAILED.

    After you find the entry, work backwards to identify the start of the Java exception. Locate the problem string or entry from the configuration, such as the string authprocedure_NEIL___Name_Password___Form in the following entry:

    871(D)Wed May 23 15:45:06 BST
    2007(L)webui.sc(T)26(C)com.volera.vcdn.webui.sc.dispatcher.ConfigWorkDispatcher(M)A(E)org.jdom.input.JDOMParseException: Error on
    line 1120: cvc-id.1: There is no ID/IDREF binding for IDREF 'authprocedure_NEIL___Name_Password___Form'.
    at org.jdom.input.SAXBuilder.build(SAXBuilder.java:468)
    at org.jdom.input.SAXBuilder.build(SAXBuilder.java:770)
    at com.volera.vcdn.platform.util.XmlUtil.validateXML(y:3304)
    at com.volera.vcdn.webui.sc.dispatcher.ConfigWorkDispatcher.A(y:793)
    at com.volera.vcdn.webui.sc.dispatcher.ConfigWorkDispatcher.do_deviceCon
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:534)
    (Msg)<amLogEntry> 2007-05-23T15:45:06Z ERROR DeviceManager: AM#200904025: Error
  2. On the Linux Access Gateway, change to the /var/novell/cfgdb/vcdn directory and open the config.xml file. Search for the problem string and the corresponding protected resource.

    The example below shows that the problem string is tied to the ProtectedResourceID_svhttp_mylag_iMon_root resource. This maps to the HTTP reverse proxy called mylag, the service called iMon and the protected resource called root.

    ----- snippet from problem area of config.xml ------
    <ProtectedResource Name="root" Enable="1" Description="" LastModified="116973455
    5995" LastModifiedBy="cn=admin,o=novell" UserInterfaceID="ProtectedResourceID_sv
    http_mylag_iMon_root" ProtectedResourceID="ProtectedResourceID_svhttp_mylag_iMon
            <URLPathList LastModified="4294967295" LastModifiedBy="String">
                    <URLPath URLPath="/*" UserInterfaceID="/*"/>
            <PolicyEnforcementList LastModified="1168947602067" schemaVersion="1.34"
     LastModifiedBy="cn=admin,o=novell" RuleCombiningAlgorithm="DenyOverridesWithPri
                    <PolicyRef ElementRefType="ExternalWithIDRef" ExternalDocRef="ou=xpemlPEP,ou=mastercdn,ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc" UserInterfaceID="PolicyID_xpemlPEP_AGFormFill_1168947167634" ExternalElementRef="PolicyID_xpemlPEP_AGFormFill_1168947167634"/>
            <AuthenticationProcedureRef AuthProcedureIDRef="authprocedure_NEIL___Name_Password___Form"/>
    ----- end of snippet from problem area of config.xml ------

    Looking at the AuthenticationProcedureRef element, which points to the contract assigned to the protected resource, you can see that the authprocedure_NEIL___Name_Password___Form contract is assigned to it.

    However, when you look at the Linux Access Gateway configuration in the Administration Console, the assigned contract is displayed as [None], which is not the contract shown in the example. To clear the problem entry, change the contract to another contract name, apply the change, and then set the contract back to [None]. This restores the configuration to a working state with no XML validation errors.

    In this example, there was a custom contract assigned to the protected resource. This custom contract had been removed from the Identity Server’s list of contracts, and the cleanup was never done properly on the Linux Access Gateway.
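
The two lookups in the steps above can be scripted. The following Python sketch is an added example, not part of the product or its documentation: it extracts the unbound IDREF from the log text and lists the protected resources in config.xml that still reference it. It assumes config.xml is well-formed and uses no XML namespace; the function names, the `Config` root element, the second protected resource, and the sample log and configuration text are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches the validator message that precedes error #200904025 in app_sc.0.log.
IDREF_ERROR = re.compile(r"There is no ID/IDREF binding for IDREF '([^']+)'")

def dangling_idrefs(log_text):
    """Return the unbound IDREF names reported in the log, de-duplicated, in order."""
    seen = []
    for name in IDREF_ERROR.findall(log_text):
        if name not in seen:
            seen.append(name)
    return seen

def resources_referencing(config_xml, idref):
    """Return (Name, UserInterfaceID) for each ProtectedResource whose
    AuthenticationProcedureRef still points at the given IDREF."""
    root = ET.fromstring(config_xml)
    hits = []
    for res in root.iter("ProtectedResource"):
        for ref in res.iter("AuthenticationProcedureRef"):
            if ref.get("AuthProcedureIDRef") == idref:
                hits.append((res.get("Name"), res.get("UserInterfaceID")))
    return hits

# Constructed sample input, modelled on the log entry and config.xml snippet above.
SAMPLE_LOG = (
    "(E)org.jdom.input.JDOMParseException: Error on\n"
    "line 1120: cvc-id.1: There is no ID/IDREF binding for IDREF "
    "'authprocedure_NEIL___Name_Password___Form'.\n"
    "(Msg)<amLogEntry> ERROR DeviceManager: AM#200904025: Error - XML VALIDATION FAILED\n"
)
SAMPLE_CONFIG = """
<Config>
  <ProtectedResource Name="root" UserInterfaceID="ProtectedResourceID_svhttp_mylag_iMon_root">
    <AuthenticationProcedureRef AuthProcedureIDRef="authprocedure_NEIL___Name_Password___Form"/>
  </ProtectedResource>
  <ProtectedResource Name="public" UserInterfaceID="ProtectedResourceID_constructed_public">
    <AuthenticationProcedureRef AuthProcedureIDRef="authprocedure_Constructed_Contract"/>
  </ProtectedResource>
</Config>
"""

if __name__ == "__main__":
    for idref in dangling_idrefs(SAMPLE_LOG):
        for name, ui_id in resources_referencing(SAMPLE_CONFIG, idref):
            print(f"{idref} is still referenced by protected resource {name} ({ui_id})")
```

To run it against a real system, pass the contents of /opt/novell/devman/share/logs/app_sc.0.log and /var/novell/cfgdb/vcdn/config.xml in place of the sample strings.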