OpenAM / OPENAM-618

Agent for multi-process servers fails if OpenAM is running in SSL mode with NSPR error -8023


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Agents-3.0.1, Agents-3.0.2
    • Fix Version/s: Agents-3.1.0-Xpress
    • Component/s: web agents
    • Environment: OpenAM running in SSL mode, Apache22 Agent 3.0.2
    • Sprint 3

    Description

      If the agent needs to talk SSL to OpenAM, the agent will fail with:

      "BaseService::doRequest() NSPR failure while sending to XXX, error = -8023"

      This is because NSS changed the way its crypto tokens should be initialized.

      From NSS documentation:
      "It is an error to try to use a PKCS#11 crypto module in a process before it has been initialized in that process, even if the module was initialized in the parent process. Beginning in NSS 3.12.3, Softoken will detect this error."

      Workaround:
      ===========

      Export variable 'NSS_STRICT_NOFORK' with value 'DISABLED' before starting the server.

      Example for Apache http server:

      Put the following in the apachectl script:

      NSS_STRICT_NOFORK=DISABLED
      export NSS_STRICT_NOFORK

      Either the way the agent initializes NSS has to be changed or, as NSS 3.12.9 has again changed the behaviour, this version has to be bundled instead.
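
A simplified model of the fork check that the NSS documentation quoted above describes, added here as an illustration and not taken from NSS or the agent. The `toy_*` names and the pid comparison are assumptions; only the `NSS_STRICT_NOFORK=DISABLED` setting comes from the issue.

```c
/* Simplified model of a crypto token's fork check; not NSS source code.
   The toy_* names and the pid comparison are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define TOY_OK 0
#define TOY_ERR_NOT_INITIALIZED_HERE 1

static pid_t toy_init_pid = 0;  /* pid of the process that initialized the token */

void toy_token_init(void) { toy_init_pid = getpid(); }

/* Every use first checks that the calling process did the initialization. */
int toy_token_use(const char *strict_nofork) {
    if (strict_nofork && strcmp(strict_nofork, "DISABLED") == 0)
        return TOY_OK;                        /* workaround: check skipped */
    if (toy_init_pid != getpid())
        return TOY_ERR_NOT_INITIALIZED_HERE;  /* state was inherited across fork() */
    return TOY_OK;
}

/* The parent initializes, then forks a worker as a multi-process server does.
   Returns what the worker got from toy_token_use(), or -1 if fork/wait failed. */
int toy_worker_result(int reinit_in_child, const char *strict_nofork) {
    toy_token_init();
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (reinit_in_child) toy_token_init();
        _exit(toy_token_use(strict_nofork));
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    const char *mode = getenv("NSS_STRICT_NOFORK");
    printf("inherited state: %d, re-initialized in child: %d\n",
           toy_worker_result(0, mode), toy_worker_result(1, mode));
    return 0;
}
```

With DISABLED the check is skipped and the worker keeps using state inherited from the parent; re-initializing in the child satisfies the check instead.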


            People

              mareks Mareks Malnacs
              bthalmayr Bernhard Thalmayr