IBM Verify

  • 1.  SAML federation gives error unable to get a good connection to the database

    Posted Wed November 14, 2018 10:27 AM
    Edited by Sander Meyfroot Wed November 14, 2018 10:28 AM
    Hello,
    I have this problem with my federation. 

    We have installed a SAML IDP on our ISAM 9.0.5F1 appliance and we configured a partner to do SAML authentication. We also configured the reverse proxy to use the IDP federation. This is our first IDP on this appliance.
    It is just a basic SP-initiated SAML flow; I have done it many times. But in this case there is something going wrong:
    When accessing the SP, the SP redirects to the IDP to authenticate (normal behaviour).
    Directly after authentication an error is displayed:
    An error has occurred
    /sps/saml20IDPxxxx/saml20/login 
    2018-11-14T14:54:36Z 
    
    Error details
    An error occurred fulfulling the current request to /sps/saml20IDPxxxx/saml20/login. 
    This error was caused by an internal/unexpected error on the invoked protocol module leading to the exception displayed below. 
    Please validate configuration of the executing protocol and environment. 
    This is not a problem with the SPS. 
    
    Stack trace
    com.tivoli.am.fim.sps.exception.DelegateRuntimeExceptionWrapperException: +Cannot get a good connection from the database.
                    com.tivoli.am.fim.sps.exception.FMProcessingException: com.tivoli.am.fim.sps.exception.DelegateRuntimeExceptionWrapperException: +Cannot get a good connection from the database.
    	at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(FederationManager.java:308)
    	at com.tivoli.am.fim.fedmgr2.proper.FederationManager.processRequest(FederationManager.java:154)
    	at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServletBase.doRequest(SSOPSServletBase.java:129)
    	at com.tivoli.am.fim.fedmgr2.servlet.SPSCommandDispatcher.invoke(SPSCommandDispatcher.java:390)
    	at com.tivoli.am.fim.war.runtime.liberty.LibertyRuntimeServlet.doGet(LibertyRuntimeServlet.java:56)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    	at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1290)
    	at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:778)
    	at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:475)
    	at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:148)
    	at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:79)
    	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:1021)
    	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1143)
    	at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:82)
    	at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:956)
    	at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:280)
    	at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:967)
    	at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:359)
    	at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:318)
    	at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:471)
    	at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:405)
    	at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:285)
    	at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:256)
    	at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:1043)
    	at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:709)
    	at com.ibm.ws.channel.ssl.internal.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:397)
    	at com.ibm.ws.channel.ssl.internal.SSLUtils.handleHandshake(SSLUtils.java:967)
    	at com.ibm.ws.channel.ssl.internal.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:88)
    	at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:504)
    	at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:574)
    	at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:929)
    	at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1018)
    	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    	at java.lang.Thread.run(Thread.java:811)
    Caused by: com.tivoli.am.fim.sps.exception.DelegateRuntimeExceptionWrapperException: +Cannot get a good connection from the database.
    	at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(FederationManager.java:307)
    	... 35 more
    Caused by: java.lang.RuntimeException: Cannot get a good connection from the database.
    	at com.tivoli.am.fim.utils.sql.DataSourceWithRetry.getConnection(DataSourceWithRetry.java:166)
    	at com.tivoli.am.fim.distributed.jdbc.JDBCDAOFactory.getTransaction(JDBCDAOFactory.java:76)
    	at com.tivoli.am.fim.distributed.jdbc.JDBCDBHelper.<init>(JDBCDBHelper.java:64)
    	at com.tivoli.am.fim.distributed.jdbc.JDBCDistributedMap.put(JDBCDistributedMap.java:241)
    	at com.tivoli.am.fim.fedmgr2.session.DistributedSession.setAttribute(DistributedSession.java:81)
    	at com.tivoli.am.fim.saml20.session.SAML20SessionManager.createUsernameSessionIndex(SAML20SessionManager.java:528)
    	at com.tivoli.am.fim.saml20.protocol.actions.slo.callback.SAML20SignOutInfoCallback.setSignOutInfo(SAML20SignOutInfoCallback.java:71)
    	at com.tivoli.am.fim.fedmgr2.callback.webseal.WebSealPocSignOutCallback.getSignOutInfo(WebSealPocSignOutCallback.java:863)
    	at com.tivoli.am.fim.fedmgr2.authservice.GenericPocSignOut.callTheSingOutInfoCallbacks(GenericPocSignOut.java:160)
    	at com.tivoli.am.fim.fedmgr2.authservice.GenericPocSignOut.getSignOutInfo(GenericPocSignOut.java:143)
    	at com.tivoli.am.fim.saml20.protocol.context.SAML20UserLoginContextImpl.getSignOutInfo(SAML20UserLoginContextImpl.java:948)
    	at com.tivoli.am.fim.saml20.protocol.delegate.SAML20HTTPDelegateProtocol.processRequest(SAML20HTTPDelegateProtocol.java:122)
    	at com.tivoli.am.fim.fedmgr2.proper.FederationManager.doInitialRequestOnDelegate(FederationManager.java:424)
    	at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(FederationManager.java:264)
    	... 35 more
    Caused by: java.sql.SQLException: Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections. DSRA0010E: SQL State = 08001, Error Code = 0
    	at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:207)
    	at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:64)
    	at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:136)
    	at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:29)
    	at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:21)
    	at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:31)
    	at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:24)
    	at org.postgresql.Driver.makeConnection(Driver.java:393)
    	at org.postgresql.Driver.connect(Driver.java:267)
    	at java.sql.DriverManager.getConnection(DriverManager.java:675)
    	at java.sql.DriverManager.getConnection(DriverManager.java:258)
    	at org.postgresql.ds.common.BaseDataSource.getConnection(BaseDataSource.java:95)
    	at org.postgresql.ds.common.BaseDataSource.getConnection(BaseDataSource.java:78)
    	at org.postgresql.ds.jdbc23.AbstractJdbc23ConnectionPoolDataSource.getPooledConnection(AbstractJdbc23ConnectionPoolDataSource.java:58)
    	at com.ibm.ws.rsadapter.impl.DatabaseHelper$1.run(DatabaseHelper.java:953)
    	at java.security.AccessController.doPrivileged(AccessController.java:696)
    	at com.ibm.ws.rsadapter.impl.DatabaseHelper.getPooledConnection(DatabaseHelper.java:962)
    	at com.ibm.ws.rsadapter.impl.WSManagedConnectionFactoryImpl.getConnection(WSManagedConnectionFactoryImpl.java:794)
    	at com.ibm.ws.rsadapter.impl.WSManagedConnectionFactoryImpl.createManagedConnection(WSManagedConnectionFactoryImpl.java:650)
    	at com.ibm.ejs.j2c.FreePool.createManagedConnectionWithMCWrapper(FreePool.java:1356)
    	at com.ibm.ejs.j2c.FreePool.createOrWaitForConnection(FreePool.java:1230)
    	at com.ibm.ejs.j2c.PoolManager.reserve(PoolManager.java:1440)
    	at com.ibm.ejs.j2c.ConnectionManager.allocateMCWrapper(ConnectionManager.java:600)
    	at com.ibm.ejs.j2c.ConnectionManager.allocateConnection(ConnectionManager.java:312)
    	at com.ibm.ws.rsadapter.jdbc.WSJdbcDataSource.getConnection(WSJdbcDataSource.java:186)
    	at com.ibm.ws.rsadapter.jdbc.WSJdbcDataSource.getConnection(WSJdbcDataSource.java:159)
    	at com.tivoli.am.fim.utils.sql.DataSourceWithRetry.getConnection(DataSourceWithRetry.java:124)
    	... 48 more
    Caused by: java.net.ConnectException: Connection refused (Connection refused)
    	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:380)
    	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:236)
    	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:218)
    	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:403)
    	at java.net.Socket.connect(Socket.java:666)
    	at java.net.Socket.connect(Socket.java:606)
    	at org.postgresql.core.PGStream.<init>(PGStream.java:60)
    	at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:101)
    	... 74 more
    


    I added tracing in my mapping rule to build the SAML response, but it seems that the mapping rule is never processed. Any idea what is going wrong here?
    Thank you!
    Best regards,

    Sander Meyfroot



    ------------------------------
    Sander Meyfroot
    ------------------------------


  • 2.  RE: SAML federation gives error unable to get a good connection to the database

    Posted Wed November 14, 2018 09:57 PM
    Hi Sander,

    From the logs it looks like there were issues connecting to the database.

    Please raise a support ticket and provide the appliance "Support Files" so that we can investigate further. You can follow the link below to generate the "Support File".
    https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.5/com.ibm.isam.doc/admin/task/alps_managing_support_files.html

    You can restart the appliance, which is likely to fix the above issue.

    ------------------------------
    Sumana Narasipur
    ------------------------------
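
Added example (not part of the original thread and not IBM tooling): a small Python triage helper that walks the "Caused by:" chain of a trace like the one in the first post and reports the innermost cause, the SQLSTATE, and the innermost application frame. The sample trace is abbreviated from that post; the function names and the choice of `com.tivoli.` as the application package prefix are assumptions made for this example.

```python
import re

# Abbreviated from the stack trace in the first post (most frames trimmed).
SAMPLE_TRACE = """\
com.tivoli.am.fim.sps.exception.FMProcessingException: com.tivoli.am.fim.sps.exception.DelegateRuntimeExceptionWrapperException: +Cannot get a good connection from the database.
    at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(FederationManager.java:308)
Caused by: java.lang.RuntimeException: Cannot get a good connection from the database.
    at com.tivoli.am.fim.utils.sql.DataSourceWithRetry.getConnection(DataSourceWithRetry.java:166)
    at com.tivoli.am.fim.distributed.jdbc.JDBCDistributedMap.put(JDBCDistributedMap.java:241)
    ... 35 more
Caused by: java.sql.SQLException: Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections. DSRA0010E: SQL State = 08001, Error Code = 0
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:207)
    ... 48 more
Caused by: java.net.ConnectException: Connection refused (Connection refused)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:380)
    ... 74 more
"""

HEADER = re.compile(r"^(?:Caused by: )?(?P<cls>[\w$]+(?:\.[\w$]+)+): (?P<msg>.*)$")
FRAME = re.compile(r"^\s+at (?P<method>[\w.$<>]+)\(")
SQLSTATE = re.compile(r"SQL State = (\w{5})")


def cause_chain(trace):
    """Return the exceptions in order, outermost first, each with its frames."""
    chain = []
    for line in trace.splitlines():
        header = HEADER.match(line)
        if header:
            chain.append({"cls": header["cls"], "msg": header["msg"], "frames": []})
            continue
        frame = FRAME.match(line)
        if frame and chain:
            chain[-1]["frames"].append(frame["method"])
    return chain


def triage(trace, app_prefix="com.tivoli."):
    """Summarise the root cause; app_prefix is an assumption for this example."""
    chain = cause_chain(trace)
    root = chain[-1]  # the last "Caused by:" is the innermost cause
    state = next((m.group(1) for c in chain if (m := SQLSTATE.search(c["msg"]))), None)
    # Innermost application frame: the component that asked for the connection.
    app = next((f for c in reversed(chain) for f in c["frames"]
                if f.startswith(app_prefix)), None)
    return {"root_class": root["cls"], "root_message": root["msg"], "sqlstate": state,
            "app_frame": app, "network_level": root["cls"] == "java.net.ConnectException"}
```

SQLSTATE class 08 is a connection exception, and a `java.net.ConnectException` at the bottom of the chain means the TCP connection itself was refused before any database authentication or query took place.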



  • 3.  RE: SAML federation gives error unable to get a good connection to the database

    Posted Thu November 15, 2018 02:26 AM
    Hi Sander,

    Set the advanced config parameter "runtime.dbLoggingEnabled" to true and see if this helps to understand what's going on. I guess the logging will appear in the trace.log - not sure though: might be a separate file too.

    Kind regards,

    Peter

    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------



  • 4.  RE: SAML federation gives error unable to get a good connection to the database

    Posted Mon November 19, 2018 03:36 AM
    Hello,

    It seems that rebooting the appliance that contains the federation component solves the issue. 
    I hope this is not a temporary fix. 

    Thank you for all the help.
    Best regards,

    Sander Meyfroot

    ------------------------------
    Sander Meyfroot
    ------------------------------