IBM Verify

IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Back to discussions
Expand all | Collapse all

apiauthsvc error message when calling with stateid parameter

  • 1.  apiauthsvc error message when calling with stateid parameter

    Posted Mon February 24, 2020 12:52 PM
    Edited by Angela Klein Mon February 24, 2020 12:54 PM
    I will preface this in saying we have this working in an environment were there is 1 reverse proxy instance (DSC enabled) and 1 AAC instance.  We are on ISAM 9.0.7 Interim fp1

    In the environment we are working on now, we have 2 load balanced reverse proxies (with DSC enabled) and 2 AAC appliances (DSC is not enabled)

    We are going through the following flow:
    1.  Calling /mga/sps/apiauthsvc?PolicyID=urn:ibm:security:authentication:asf:password to get a StateID
    2.  Calling /mga/sps/apiauthsvc?StatID=<stateID from step 1>

    Step 2 returns us an error:  
    FBTUPD120E An internal configuration error occurred. Contact the System Administrator or try again later.

    I have compared the configurations in both environments and I'm not finding a difference.  I also tried to enable DSC on the AAC Advanced Configurations since we have 2 load balanced AAC instances, but that didn't work either.

    I have tracing enabled, but I'm not seeing the call get to the AAC instance.

    Does anyone have any thoughts on what I could check? 


    ------------------------------
    Angela Klein
    ------------------------------


  • 2.  RE: apiauthsvc error message when calling with stateid parameter

    Posted Tue February 25, 2020 02:57 AM
    Edited by Philipp Klueter Tue February 25, 2020 02:57 AM

    Hi Angela, 

    I assume that your 2nd link is just a copy and paste error and you use StateID instead of StatID. 

    Since you are using apiauthsvc, I assume you are using a REST client which might not support cookies. There is an advanced configuration parameter authsvc.stateMgmt.cookieless which removes the cookie dependency. Maybe this is differently set between you environments. Though I'm unsure if cookie issues would lead to your error. 

    Just a note: There is another advanced config parameter sps.authService.policyKickoffMethod which can be set to path (or both) which would allow to call a policy using  /mga/sps/apiauthsvc/policy/password instead of using the long query parameter. In my view this is a much cleaner way of calling the policies, so maybe something you want to check out. 

    Regards 

    Philipp



    ------------------------------
    Philipp Klueter
    IT Specialist for Access Management (ISAM)
    IBM Deutschland GmbH
    ------------------------------



Related Content