amAdmin Login New Setup Issues

I am setting up a new AM configuration (for validation / testing purposes), but when going through the new server setup / completing everything, I cannot log in as amAdmin post setup. I validated the connection to the external directory (Oracle) and the configuration / data is loaded, but I still cannot log in. I am getting the below error in the Session log on trying to log in…

ERROR: Unable to persist session to data store, check documentation for CTS configuration to ensure reads and writes may occur, and all appropriate virtual attributes are enabled.
org.forgerock.am.cts.exceptions.CoreTokenException:
[CONTINUED]CTS: Unable to retrieve the etag from the token
[CONTINUED] at org.forgerock.openam.session.cts.SessionPersistenceStore.lambda$noEtagException$0(SessionPersistenceStore.java:122)
[CONTINUED] at java.base/java.util.Optional.orElseThrow(Optional.java:408)
[CONTINUED] at org.forgerock.openam.session.cts.SessionPersistenceStore.create(SessionPersistenceStore.java:118)
[CONTINUED] at org.forgerock.openam.session.cts.CtsSessionPersistenceStore.store(CtsSessionPersistenceStore.java:52)
[CONTINUED] at org.forgerock.openam.session.cts.CtsSessionStoreChain$ChainIterator.store(CtsSessionStoreChain.java:62)
[CONTINUED] at org.forgerock.openam.session.cts.DsameSessionInterceptorStep.store(DsameSessionInterceptorStep.java:56)
[CONTINUED] at org.forgerock.openam.session.cts.CtsSessionStoreChain$ChainIterator.store(CtsSessionStoreChain.java:60)
[CONTINUED] at org.forgerock.openam.session.cts.InMemoryCtsSessionCacheStep.store(InMemoryCtsSessionCacheStep.java:129)
[CONTINUED] at org.forgerock.openam.session.cts.CtsSessionStoreChain$ChainIterator.store(CtsSessionStoreChain.java:60)
[CONTINUED] at org.forgerock.openam.session.cts.AbstractCtsSessionStoreStep.store(AbstractCtsSessionStoreStep.java:27)
[CONTINUED] at org.forgerock.openam.session.cts.CtsSessionStoreChain$ChainIterator.store(CtsSessionStoreChain.java:60)
[CONTINUED] at org.forgerock.openam.session.cts.CtsSessionStoreChain.store(CtsSessionStoreChain.java:36)
[CONTINUED] at org.forgerock.openam.session.cts.CtsSessionAccessManager.persistCtsSession(CtsSessionAccessManager.java:152)
[CONTINUED] at org.forgerock.openam.session.cts.CtsSessionBuilder.build(CtsSessionBuilder.java:118)
[CONTINUED] at com.iplanet.dpro.session.monitoring.MonitoredBuilder.build(MonitoredBuilder.java:99)
[CONTINUED] at org.forgerock.openam.session.listeners.SessionListeningBuilder.build(SessionListeningBuilder.java:98)
[CONTINUED] at com.sun.identity.authentication.service.LoginState.produceSessionFromState(LoginState.java:1147)
[CONTINUED] at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:608)
[CONTINUED] at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:591)
[CONTINUED] at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:108)
[CONTINUED] at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:169)
[CONTINUED] at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:540)
[CONTINUED] at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:266)
[CONTINUED] at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:157)
[CONTINUED] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[CONTINUED] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[CONTINUED] at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[CONTINUED] at java.base/java.lang.reflect.Method.invoke(Method.java:566)
[CONTINUED] at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:81)
[CONTINUED] at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:77)

Funny part is, I can see the session tokens being added to the directory for this traffic, so I know it is working at least, but I still cannot log in post initial configuration.

Nick

Greetings,

I require a little more information in order to successfully assist you.
Is this the only error you receive? Can you give me an indication of your installed environment?
Thanks.

Hello

This is a new AM install on tomcat 9.0.65 on RHEL 8. I can get the configuration to complete with the external DS (Oracle DS) then get this error trying to login as amAdmin.

Thanks
Nick

I will need a little more (technical and architectural) information than that.
Are you aware of “Directory server requirements :: AM 7.2.0”?

Yes, I did do the directory server setup / prep for the schema changes. I tried to use the embedded DS as a test but when trying to use that, I get a permission denied error on the trust store for the ssl certificate for the custom trust store I added.

What version of AM are you using? The error “Unable to retrieve the etag from the token” is because either the etag attribute is disabled in your DS or your user does not have proper ACIs to access the attribute. The etag check has been added since AM 7.1 and should not be disabled.

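One way to check both causes named in the reply above, as an added example that is not part of the original thread: request the `etag` attribute on a few CTS token entries while bound as the account AM uses for CTS, and flag entries that come back without it. The host, bind DN and base DN are placeholders, the LDIF is constructed, and `frCoreToken` / `coreTokenId` are AM CTS schema names that the thread itself does not mention.

```shell
#!/bin/sh
# Added example, not from the thread. Reads LDIF on stdin and prints
# "OK <dn>" or "MISSING <dn>" depending on whether an etag value came back.
etag_report() {
    awk '
        function emit() {
            if (dn == "") return
            status = seen ? "OK" : "MISSING"
            print status, dn
        }
        /^dn: /                    { emit(); dn = substr($0, 5); seen = 0; next }
        tolower($0) ~ /^etag::? ./ { seen = 1 }
        END                        { emit() }
    '
}

# Constructed LDIF standing in for ldapsearch output: the first entry
# returned an etag, the second did not (attribute disabled or hidden by ACI).
sample_ldif() {
    cat <<'EOF'
dn: coreTokenId=constructed-token-1,ou=placeholder-cts-base
coreTokenId: constructed-token-1
etag: 000000001a2b3c4d

dn: coreTokenId=constructed-token-2,ou=placeholder-cts-base
coreTokenId: constructed-token-2
EOF
}

# Live use (placeholders in <>): bind as the CTS account AM itself uses,
# because a directory administrator typically bypasses the ACIs under test.
#   ldapsearch -LLL -o ldif-wrap=no -H ldaps://<ds-host>:<port> \
#     -D "<CTS bind DN>" -W -b "<CTS token base DN>" -z 5 \
#     "(objectClass=frCoreToken)" coreTokenId etag | etag_report

sample_ldif | etag_report
```

If the same search returns `etag` for an administrative bind but not for the CTS account, the attribute is enabled and the ACIs are the gap.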

Are you using a real/FQDN for the AM server? Just checking as it’s somewhat common for testing to try to use localhost which isn’t going to work with cookies.

Also, that error above should have a transaction ID. When troubleshooting, it may help to find the login failure in the Audit logs, then take that transaction ID to search the logs.

This helps you ensure the error is the cause of the failure.

Also, if you can’t log in, you can set message level debug on the container with these steps.

This may give you more details on what led to the failure, over just the error level.

For your truststore issue see this area on how to configure that. Again this could also be due to Hostnames, as hostname validation is enabled for security.

https://backstage.forgerock.com/docs/am/7.2/install-guide/prepare-trust-store.html

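The audit-to-debug correlation described in the reply above, as an added example that is not part of the original thread: pull the transaction IDs of failed logins from the authentication audit log, then list the debug lines that carry them. It assumes AM's JSON audit handler (one compact JSON object per line) and the `AM-LOGIN-COMPLETED` / `AM-TREE-LOGIN-COMPLETED` event names; the sample IDs, timestamps and debug line layout are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes AM's JSON audit handler layout:
# one compact JSON object per line with transactionId, eventName and result.

# stdin: authentication audit log; stdout: transaction IDs of failed logins.
failed_login_txids() {
    grep -E '"eventName":"AM-(TREE-)?LOGIN-COMPLETED"' |
        grep -F '"result":"FAILED"' |
        sed -n 's/.*"transactionId":"\([^"]*\)".*/\1/p' | sort -u
}

# $1: audit log file, $2: debug log file.
# Prints every debug line carrying the transaction ID of a failed login.
debug_lines_for_failed_logins() {
    failed_login_txids < "$1" | while IFS= read -r txid; do
        grep -F -- "$txid" "$2" || true
    done
}

# Constructed sample data; IDs, timestamps and debug layout are illustrative.
make_samples() {
    cat > "$1" <<'EOF'
{"_id":"constructed-1","timestamp":"2022-09-01T10:15:02.101Z","eventName":"AM-LOGIN-COMPLETED","transactionId":"tx-constructed-0001","result":"SUCCESSFUL","component":"Authentication"}
{"_id":"constructed-2","timestamp":"2022-09-01T10:15:07.329Z","eventName":"AM-LOGIN-COMPLETED","transactionId":"tx-constructed-0002","result":"FAILED","component":"Authentication"}
EOF
    cat > "$2" <<'EOF'
2022-09-01T10:15:02.100Z INFO tx-constructed-0001 Authentication: login completed
2022-09-01T10:15:07.327Z ERROR tx-constructed-0002 Session: Unable to persist session to data store
2022-09-01T10:15:07.328Z ERROR tx-constructed-0002 Session: CTS: Unable to retrieve the etag from the token
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp/authentication.audit.json" "$tmp/debug.log"
debug_lines_for_failed_logins "$tmp/authentication.audit.json" "$tmp/debug.log"
rm -rf "$tmp"
```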