OPENAM-10365

JEE Agent cannot create AgentProfile using Delegated Admin privilege


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: JEEAgents-3.5.1, 12.0.0, 13.5.0
    • Fix Version/s: 12.0.0-3
    • Component/s: authentication, j2ee agents
    • Environment: OpenAM 13.5.0 and JEE351 with AMAGENT-104 patch
    • Sprint: Sprint 119 - Express, Sprint 120 - Oliver

      Description

      With JEE Agent 3.5.1 plus the AMAGENT-104 patch, agent profile creation by the J2EE Agent installer (CREATE_AGENT_PROFILE_NAME = true) does not work when AGENT_ADMINISTRATOR_NAME is a user that is a delegated admin (but not amadmin).

      The problem is that against OpenAM 13.5.0 the installer tries to authenticate the agent administrator through the Application authentication module, and that authentication fails:

      [01/11/2017 02:56:14:569 UTC] PasswordValidator : Is password valid ? true
      [01/11/2017 02:56:14:569 UTC] about to call <OPENAM>/openam/json/authenticate?authIndexType=module&authIndexValue=Application&noSession=true to validate username agent admin: agentAdmin
      [01/11/2017 02:56:14:601 UTC] Auth FAILED for agentAdmin: cannot create agent profile
      

      This worked on 13.0.0 (without the security patch) and fails on 13.5.0 to create the agent profile. The OpenAM logs indicate that the authentication with module=Application fails (even if agentAdmin has full admin rights).

      Testcase
      Either install JEE351 with the AMAGENT-104 fix (which uses the new /json/authenticate endpoint), or check whether one can authenticate to OpenAM directly as agentAdmin using /json/authenticate?authIndexType=module&authIndexValue=Application&noSession=true. (If agentAdmin, as a delegated admin, can authenticate this way and can also create a J2EE agent via JSON, it is believed that the JEEAgent installer should pass the install.)

      Cause

      • Module=Application no longer works for normal users on 13.5.0 and on security-patched 13.0.0 (even if the user is a delegated admin).

      Workaround

      • Create the agent profile beforehand, e.g. using the JSON REST API with the SSO token of an administrator session in the iplanetDirectoryPro header:
        $ curl \
         --request POST \
         --header "Content-Type: application/json" \
         --header "iplanetDirectoryPro: AQIC5w...2NzEz*" \
         --data \
         '{
            "username":"myAgent",
            "com.sun.identity.agents.config.fqdn.default":
              ["www.example.com"],
            "com.sun.identity.agents.config.repository.location":
              ["centralized"],
            "agenttype":["J2EEAgent"],
            "serverurl":["https://openam.example.com:8443/openam/"],
            "agenturl":["http://www.example.com:80/agentapp"],
            "userpassword":["password"]
         }' \
         https://openam.example.com:8443/openam/json/agents/?_action=create
        
      • Or use amadmin as the AGENT_ADMINISTRATOR_NAME
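      The test case and the workaround above, combined into one script as an added example (this is not code from the OpenAM issue or project): it first checks whether the delegated agent administrator can authenticate through the Application module the installer uses, and then creates the J2EE agent profile with an amadmin session token so the installer can be run with CREATE_AGENT_PROFILE_NAME = false. The base URL, the zero-page-login headers X-OpenAM-Username/X-OpenAM-Password, the response bodies it matches on, the sample agent values, and the environment variables it reads are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of OPENAM-10365 or the OpenAM code base.
# Assumed base URL; override with OPENAM_URL=... in the environment.
OPENAM_URL="${OPENAM_URL:-https://openam.example.com:8443/openam}"

# URL the JEE Agent installer uses to validate AGENT_ADMINISTRATOR_NAME.
# $1 = authentication module name (e.g. Application, DataStore)
auth_url() {
    printf '%s/json/authenticate?authIndexType=module&authIndexValue=%s&noSession=true' \
        "$OPENAM_URL" "$1"
}

# Classify a /json/authenticate response. $1 = HTTP status, $2 = body.
# Prints "ok" or "failed". Assumed body shapes: noSession=true yields
# "Authentication Successful", a normal login yields a "tokenId".
auth_result() {
    case "$1" in
        200) case "$2" in
                 *'"Authentication Successful"'*|*'"tokenId"'*) echo ok ;;
                 *) echo failed ;;
             esac ;;
        *) echo failed ;;
    esac
}

# Pull the SSO token out of a successful (session-creating) login body.
extract_token() {
    printf '%s' "$1" | sed -n 's/.*"tokenId":"\([^"]*\)".*/\1/p'
}

# JSON body for POST /json/agents/?_action=create, as in the workaround.
# $1 = agent name, $2 = agent password, $3 = agent URL, $4 = default FQDN
agent_profile_json() {
    printf '{"username":"%s","agenttype":["J2EEAgent"],"serverurl":["%s/"],"agenturl":["%s"],"com.sun.identity.agents.config.fqdn.default":["%s"],"com.sun.identity.agents.config.repository.location":["centralized"],"userpassword":["%s"]}' \
        "$1" "$OPENAM_URL" "$3" "$4" "$2"
}

# POST to $1 with optional extra header $2 and body $3; prints body, then status.
post_json() {
    if [ -n "$2" ]; then
        curl -s -w '\n%{http_code}' --request POST \
            --header "Content-Type: application/json" --header "$2" --data "$3" "$1"
    else
        curl -s -w '\n%{http_code}' --request POST \
            --header "Content-Type: application/json" --data "$3" "$1"
    fi
}

# Authenticate $1/$2 via module $3 (zero-page login headers); prints ok/failed.
check_module_auth() {
    resp=$(curl -s -w '\n%{http_code}' --request POST \
        --header "Content-Type: application/json" \
        --header "X-OpenAM-Username: $1" --header "X-OpenAM-Password: $2" \
        "$(auth_url "$3")")
    auth_result "$(printf '%s\n' "$resp" | tail -n 1)" "$(printf '%s\n' "$resp" | sed '$d')"
}

# Only talk to a server when credentials are supplied; otherwise the
# functions above are available for sourcing.
if [ -n "${AGENT_ADMIN_PASSWORD:-}" ] && [ -n "${AMADMIN_PASSWORD:-}" ]; then
    admin="${AGENT_ADMIN_NAME:-agentAdmin}"
    echo "Application-module auth as $admin: $(check_module_auth "$admin" "$AGENT_ADMIN_PASSWORD" Application)"

    # Workaround: log in as amadmin (default chain, session created) and
    # create the profile with that token before running the installer.
    resp=$(curl -s -w '\n%{http_code}' --request POST \
        --header "Content-Type: application/json" \
        --header "X-OpenAM-Username: amadmin" --header "X-OpenAM-Password: $AMADMIN_PASSWORD" \
        "$OPENAM_URL/json/authenticate")
    token=$(extract_token "$(printf '%s\n' "$resp" | sed '$d')")
    [ -n "$token" ] || { echo "amadmin login failed"; exit 1; }

    payload=$(agent_profile_json "${AGENT_NAME:-myAgent}" "${AGENT_PASSWORD:-password}" \
        "${AGENT_URL:-http://www.example.com:80/agentapp}" "${AGENT_FQDN:-www.example.com}")
    post_json "$OPENAM_URL/json/agents/?_action=create" "iplanetDirectoryPro: $token" "$payload"
fi
```

      Run it with AGENT_ADMIN_PASSWORD and AMADMIN_PASSWORD set (plus OPENAM_URL and the AGENT_* variables for a real deployment); with the bug present the first line prints "failed" while the profile creation with the amadmin token still succeeds, which is exactly why the workaround of pre-creating the profile sidesteps the installer's Application-module login.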

              People

              tony.bamford Tony Bamford
              chee-weng.chea C-Weng C