IBM Verify

IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
  • 1.  ISAM Error: HPDIA0114E Could not acquire a client credential.

    Posted Sun October 06, 2019 04:24 PM
    ​Respected fellows,

    We have ISAM 9.0.7 configured with two ADs as Federated Directories for authentication. The users are imported into ISAM using user principal name which is unique amongst the ADs. Basic user support is disabled so that only imported users are allowed to authenticate.

    We are facing an authentication issue in this setup. When an AD user attempts to login after a long gap, webseal throws the following error:

    HPDIA0114E Could not acquire a client credential.

    However, on the retry, the user is logged in successfully. This does not happen for the local user but only for AD user.

    What could be the problem as it is not all the time that it happens, only when there is no authentication attempt on the webseal for a little longer. The issue does not occur in subsequent authentication requests.

    Hope to hear,

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------


  • 2.  RE: ISAM Error: HPDIA0114E Could not acquire a client credential.

    Posted Mon October 07, 2019 01:57 AM
    Hi Jahanzaib,

    This behavior sounds to me as if the TCP connection to the AD timed out on a firewall. So ISAM still tries to use the old connection which is discarded on the firewall. After this request timed out ISAM will open a new connection and so subsequent requests work. Check your firewall logs and decrease the TCP keepalive intervall on ISAM via advanced tuning parameters. You can set sysctl parameters via advanced tuning parameters.
    Try playing around with the following parameters:
    sysctl.net.ipv4.tcp_keepalive_time
    sysctl.net.ipv4.tcp_keepalive_probes
    sysctl.net.ipv4.tcp_keepalive_intvl

    Best regards,

    ------------------------------
    Laurent LA Asselborn
    ------------------------------



  • 3.  RE: ISAM Error: HPDIA0114E Could not acquire a client credential.

    Posted Tue October 08, 2019 10:48 AM
    Try changing on your policy server ldap.conf connection-inactivity.
    You may have to play a bit with the timing but this should fix your problem. I would not recommend using advanced tuning unless its directed by support via case. 

    # The following parameter specifies the connection inactivity time, in seconds,
    # after which an unused connection to the LDAP server will be taken down.
    # A value of zero (0) indicates that inactivity will not be tracked
    # and the connection will remain established (permanent).
    # The default is zero (0) meaning connections are permanent.
    connection-inactivity = 20

    ------------------------------
    Robert Graham
    Cloud Security Consultant
    IBM
    (330) 314-5946
    ------------------------------



  • 4.  RE: ISAM Error: HPDIA0114E Could not acquire a client credential.

    Posted Wed October 09, 2019 04:03 AM
    ​Hi Laurent and Robert,

    Thank you for the help.

    As suggested by Robert, I changed the policy server ldap.conf connection-inactivity parameter and it solved the problem.

    Thank you.

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 5.  RE: ISAM Error: HPDIA0114E Could not acquire a client credential.

    Posted Wed October 09, 2019 07:34 AM
    GREAT!! You are welcome!

    ------------------------------
    Robert Graham
    Cloud Security Consultant
    IBM
    (330) 314-5946
    ------------------------------