  1. OpenAM
  2. OPENAM-7072

OpenAM keeps sending notifications to WPA when notifications are disabled

    Details

      Description

      Considering a simple WPA deployment (one WS, one agent, one OpenAM instance, where the WS can be either Apache or IIS):
      A. Disable notifications (sso and policies) using OpenAM console, i.e. with:

      Enable Notifications:
      Enabled
      The notifications help in maintaining agent's sso, policy and configuration caches. (property name: com.sun.identity.agents.config.notification.enable) 
      Hot-swap: No
      

      B. Restart both OpenAM and the WPA (same issue with the Httpd or IIS agent)

      C. Run a typical load:
      1. Login
      2. Request a Resource
      3. Logout

      => We observe an unexpectedly high number of sockets in TIME_WAIT state.

      Looking for the messages sent by OpenAM to Agent (using ngrep) we see:

      T 172.16.204.193:56285 -> 172.16.203.169:80 [AP]
      POST /UpdateAgentCacheServlet?shortcircuit=false HTTP/1.1.
      Content-Type: text/xml;charset=UTF-8.
      Cache-Control: no-cache.
      Pragma: no-cache.
      User-Agent: Java/1.7.0_67.
      Host: iis.internal.forgerock.com.
      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2.
      Connection: keep-alive.
      Content-Length: 2208.
      .
      
      
      T 172.16.204.193:56285 -> 172.16.203.169:80 [A]
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <NotificationSet vers="1.0" svcid="session" notid="187210">
      <Notification><![CDATA[<SessionNotification vers="1.0" notid="372685">
      <Session sid="AQIC5wM2LY4Sfcw5uTjcfECQRLjQlwgsjpCTXgbo1iCQZoI.*AAJTSQACMDEAAlNLABI4OTcwNjA3NTA4OTY3MzE2MTM.*" stype="user" cid="uid=user.207,ou=People,dc=com" cdomain="o=myrealm,ou=services,dc=com" maxtime="120" maxidle="30" maxcaching="3" timeidle="1801" timeleft="5399" state="destroyed">
      <Property name="CharSet" value="UTF-8"></Property>
      <Property name="UserId" value="user.207"></Property>
      <Property name="FullLoginURL" value="/openam/UI/Login?realm=%2Fmyrealm"></Property>
      <Property name="successURL" value="/openam/console"></Property>
      <Property name="cookieSupport" value="true"></Property>
      <Property name="AuthLevel" value="0"></Property>
      <Property name="SessionHandle" value="shandle:AQIC5wM2LY4Sfcyh4AMXuAY8jd6FEkOJsBy2tknHfoKkLLY.*AAJTSQACMDEAAlNLABE0NTc5NTk3MzAwNjA2MTIxMQ..*"></Property>
      <Property name="UserToken" value="user.207"></Property>
      <Property name="loginURL" value="/openam/UI/Login"></Property>
      <Property name="Principals" value="uid=user.207,ou=People,dc=com"></Property>
      <Property name="Service" value="ldapService"></Property>
      <Property name="sun.am.UniversalIdentifier" value="id=user.207,ou=user,o=myrealm,ou=services,dc=com"></Property>
      <Property name="amlbcookie" value="01"></Property>
      <Property name="Organization" value="o=my
      
      T 172.16.204.193:56285 -> 172.16.203.169:80 [AP]
      realm,ou=services,dc=com"></Property>
      <Property name="Locale" value="en_US"></Property>
      <Property name="HostName" value="172.16.204.193"></Property>
      <Property name="AuthType" value="LDAP"></Property>
      <Property name="Host" value="172.16.204.193"></Property>
      <Property name="UserProfile" value="Create"></Property>
      <Property name="clientType" value="genericHTML"></Property>
      <Property name="AMCtxId" value="56a3388de2082d0f01"></Property>
      <Property name="SessionTimedOut" value="1444140691"></Property>
      <Property name="authInstant" value="2015-10-06T13:41:31Z"></Property>
      <Property name="Principal" value="uid=user.207,ou=People,dc=com"></Property>
      </Session>
      <Type>5</Type>
      <Time>1444140692077</Time>
      </SessionNotification>]]></Notification>
      </NotificationSet>
      
      T 172.16.203.169:80 -> 172.16.204.193:56285 [AP]
      HTTP/1.1 302 Redirect.
      Content-Type: text/html; charset=UTF-8.
      Location: http://tomme.internal.forgerock.com:8082/openam/UI/Login?realm=/myrealm&goto=http%3A%2F%2Fiis.internal.forgerock.com%3A80%2FUpdateAgentCacheServlet%3Fshortcircuit%3Dfalse.
      Server: Microsoft-IIS/7.5.
      Date: Tue, 06 Oct 2015 14:11:14 GMT.
      Content-Length: 297.
      .
      <head><title>Document Moved</title></head>
      <body><h1>Object Moved</h1>This document may be found <a HREF="http://tomme.internal.forgerock.com:8082/openam/UI/Login?realm=/myrealm&amp;goto=http%3A%2F%2Fiis.internal.forgerock.com%3A80%2FUpdateAgentCacheServlet%3Fshortcircuit%3Dfalse">here</a></body>
      

      => It looks like OpenAM is still unexpectedly sending notifications to the WPA.
      Then, the agent does not take into account notification.url anymore and redirects to the OpenAM Login Page.

      That behaviour is obviously not clean and might have a significant impact on the overall performance.
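
One way to quantify the symptom from an ngrep capture like the one above, as an added example that is not part of the original report or of OpenAM: it counts POSTs to /UpdateAgentCacheServlet per flow and how many of them the agent answered with a 302 to the login page. The sample capture is constructed (payload shortened, placeholder OpenAM host name) and the function name `summarize` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample in ngrep's text format, modelled on the capture above
# (payload shortened; the OpenAM host name in Location is a placeholder).
SAMPLE = """\
T 172.16.204.193:56285 -> 172.16.203.169:80 [AP]
POST /UpdateAgentCacheServlet?shortcircuit=false HTTP/1.1.
Host: iis.internal.forgerock.com.
.
T 172.16.204.193:56285 -> 172.16.203.169:80 [A]
<NotificationSet vers="1.0" svcid="session" notid="187210">
T 172.16.203.169:80 -> 172.16.204.193:56285 [AP]
HTTP/1.1 302 Redirect.
Location: http://openam.example.com:8082/openam/UI/Login?realm=/myrealm.
.
T 172.16.204.193:56290 -> 172.16.203.169:80 [AP]
GET /index.html HTTP/1.1.
"""

# ngrep packet header: "T <src> -> <dst> [<tcp flags>]"
HEADER = re.compile(r"^T (\S+) -> (\S+) \[\w+\]$")

def summarize(capture):
    """Count notification POSTs per flow and those bounced to the login page."""
    posts = Counter()    # (openam, agent) -> POSTs to UpdateAgentCacheServlet
    svcids = Counter()   # svcid of each NotificationSet (e.g. "session")
    bounced = Counter()  # (openam, agent) -> 302-to-login replies from the agent
    flow, status = None, None
    for raw in capture.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:                       # new packet: remember its direction
            flow, status = (m.group(1), m.group(2)), None
        elif flow is None:
            continue
        elif line.startswith("POST /UpdateAgentCacheServlet"):
            posts[flow] += 1
        elif line.startswith("<NotificationSet"):
            s = re.search(r'svcid="([^"]+)"', line)
            if s:
                svcids[s.group(1)] += 1
        elif line.startswith("HTTP/1.1 302"):
            status = 302
        elif status == 302 and line.startswith("Location:") and "/UI/Login" in line:
            reverse = (flow[1], flow[0])   # reply travels agent -> OpenAM
            if posts[reverse]:             # only count replies to a notification
                bounced[reverse] += 1
    return posts, svcids, bounced
```

With notifications disabled, every counter should be empty for a capture taken during the load run; non-zero `posts` reproduces the behaviour reported here.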

            People

            • Assignee:
              nick.james Nicholas James
              Reporter:
              sberthol Sebastien Bertholet [X] (Inactive)
              QA Assignee:
              Richard Hruza