Environment
NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
NetIQ Access Manager 4.2
Situation
Administrator browsing Access Gateway (AG) configuration in iManager and goes back to check the server status without making any changes, to discover that the AG requests an update to the configuration. Clicking the update link causes the update to fail.
To uncover the steps that triggered, the same steps as before were done and the issue was duplicated. The steps followed to reproduce the issue were as follows:
1. Go to Path based proxy service
2. click on advanced option ( dont make any change)
3. click cancel
4. click ok to reach the AG cluster
5. You can see the AG in update state ( not expected behavior)
6. If you try to update server it gives xml validation error.
The same happens when you do the above steps for Domain Based proxy service, but only difference is update works well.
Comparing the difference between working and current config with an LDAP browser
Current -> ou=CurrentConfig,ou=ag-C36DD99DD9BDB7BD,ou=AppliancesContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
Working-> ou=WorkingConfig,ou=ag-C36DD99DD9BDB7BD,ou=AppliancesContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
where C36DD99DD9BDB7BD is the device ID for the AG and will be different on each platform, we can see that config is updated at 2 places ( without any change). If we remove those changes in working and then try to update, update works successfully.
To uncover the steps that triggered, the same steps as before were done and the issue was duplicated. The steps followed to reproduce the issue were as follows:
1. Go to Path based proxy service
2. click on advanced option ( dont make any change)
3. click cancel
4. click ok to reach the AG cluster
5. You can see the AG in update state ( not expected behavior)
6. If you try to update server it gives xml validation error.
The same happens when you do the above steps for Domain Based proxy service, but only difference is update works well.
Comparing the difference between working and current config with an LDAP browser
Current -> ou=CurrentConfig,ou=ag-C36DD99DD9BDB7BD,ou=AppliancesContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
Working-> ou=WorkingConfig,ou=ag-C36DD99DD9BDB7BD,ou=AppliancesContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
where C36DD99DD9BDB7BD is the device ID for the AG and will be different on each platform, we can see that config is updated at 2 places ( without any change). If we remove those changes in working and then try to update, update works successfully.
Resolution
Apply NAM 4.3.2.
We had added two new attributes to the proxy service element - DisableSessionAssurance and EnableWebSocket. In an upgraded setup, the already existing proxy services don't have these attributes. So when we go to the proxy service page for the 1st time, even though if we have not made any change, these attributes get added to the proxy service element and sets the cluster to update state.
We now add these attributes to the existing proxy services with the default values during upgrade stage too.
We had added two new attributes to the proxy service element - DisableSessionAssurance and EnableWebSocket. In an upgraded setup, the already existing proxy services don't have these attributes. So when we go to the proxy service page for the 1st time, even though if we have not made any change, these attributes get added to the proxy service element and sets the cluster to update state.
We now add these attributes to the existing proxy services with the default values during upgrade stage too.