Error when trying to use ssoadm

I am trying to change the minimum required password length in OpenAM. I am trying to use ssoadm to change the sunIdRepoAttributeValidator attribute as stated on this page: https://backstage.forgerock.com/knowledge/kb/article/a45087000
However, it sends me the following error:

Logging configuration class “com.sun.identity.log.s1is.LogConfigReader” failed
com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.

I have already tried to configure com.iplanet.am.naming.map.site.to.server with my high availability scheme but it still doesn’t work. Does anyone know what I can do?

That failure is generally an issue with trying to get an SSO token.

There’s a KB that covers many of the reasons why this can occur.

https://backstage.forgerock.com/knowledge/kb/article/a47263800

Are you able to run a simple ssoadm command like the following, or is this what you’re testing with?

/ssoadm list-servers --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org --password-file ./pwd.txt

You could enable ssoadm debug and review if there’s more to the error, but this error can be vague and may require looking at AM’s logs as well. I would want to know more about the exact command you are trying first, to understand if you’re specifying amadmin correctly.

2 Likes

This appears when you run it:

Logging configuration class “com.sun.identity.log.s1is.LogConfigReader” failed
com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.

That’s the point friend, I already tried everything on the internet to fix that error and I can’t, that’s why I posted this here

What are you running though? What is the specific command?

What that KB outlines is that the general issue is that AMadmin or your login fails to log in. So first, how and as what user are you trying to log in?

Additionally, this can be because when you log in you need a cookie and a proper cookie domain. I’ve also provided that you can get AM server debug to review, which would be the next step, as you will need to see why the user fails to log in.

I am running this:
/ssoadm list-servers --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org --password-file ./pwd.txt

But with my data, and I am entering the credentials of my amadmin

Thanks, have you enabled Message debug on AM and checked for failures for AMadmin logging in?

Have you also checked that AMadmin in your environment is in that OU? That is what is created by default, but if you made your directory with, say, Acme instead of forgerock, you need to change this. Again, looking at Message debug for AMadmin will tell you more about what is happening.

What should be occurring is ssoadm tries to log you in to am, and that’s failing.

If you look at audit logs (/openam/var/audit) this should show you something like:

{"_id":"754a8e5e-6ddb-4447-9186-9da59d28295a-615528","timestamp":"2022-09-23T17:05:47.649Z","eventName":"AM-LOGIN-COMPLETED","transactionId":"307e2765-c758-4dab-95f0-96d59c3172a1-0","trackingIds":["754a8e5e-6ddb-4447-9186-9da59d28295a-615443"],"userId":"uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org","principal":["uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org"],"result":"SUCCESSFUL","component":"ssoadm"}

But you’ll see it fails. Then take the Transaction ID and search in your Message debug to see more about why it fails. If you are not seeing that at all, then there could be more of an issue with how you specify the server (which should be just looking at your config directory/bootstrap and the site to server mapping).

Can you share what you put for com.iplanet.am.naming.map.site.to.server ?
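The audit-to-debug correlation described in the post above, as an added example that is not part of the original thread and is not ForgeRock code: it reads audit lines in the JSON shape quoted above, reports whether an ssoadm login was recorded at all, and for each non-successful login collects the debug lines carrying the same transaction ID. The sample lines, the `FAILED` value, the debug line layout and the function names are constructed assumptions.

```python
import json

def audit_line(tx, result, component="ssoadm"):
    """Build a constructed audit line using the field names from the thread's event."""
    return json.dumps({
        "eventName": "AM-LOGIN-COMPLETED", "transactionId": tx, "result": result,
        "userId": "uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org",
        "component": component})

# Constructed sample data; "FAILED" and the debug line layout are assumptions.
SAMPLE_AUDIT = [
    audit_line("tx-aaaa-0", "SUCCESSFUL", component="other-client"),
    audit_line("tx-bbbb-0", "FAILED"),
    '{"eventName":"AM-LOGIN-COMP',  # truncated line, e.g. read during rotation
]
SAMPLE_DEBUG = [
    "constructed debug line tx-bbbb-0: credentials rejected for amAdmin",
    "constructed debug line tx-cccc-0: unrelated request",
]

def ssoadm_logins(audit_lines, component="ssoadm"):
    """Yield parsed AM-LOGIN-COMPLETED events for one component, skipping bad lines."""
    for line in audit_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        if event.get("eventName") == "AM-LOGIN-COMPLETED" and event.get("component") == component:
            yield event

def triage(audit_lines, debug_lines):
    """Return a verdict plus, per failed login, the debug lines sharing its transaction ID."""
    events = list(ssoadm_logins(audit_lines))
    if not events:
        # Nothing logged for ssoadm: the request probably never reached this AM server.
        return {"verdict": "no-request", "failures": []}
    failures = []
    for event in events:
        if event.get("result") != "SUCCESSFUL":
            tx = event.get("transactionId")
            hits = [d.rstrip() for d in debug_lines if tx and tx in d]
            failures.append({"transactionId": tx, "userId": event.get("userId"), "debug": hits})
    return {"verdict": "login-failed" if failures else "login-ok", "failures": failures}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT, SAMPLE_DEBUG), indent=2))
```

A `no-request` verdict points at the server and site mapping rather than at the credentials; `login-failed` gives the transaction IDs to read in the Message-level debug output.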

Yes, I am changing the data to preserve anonymity but I am substituting my data with the real ones, this is what I put:

-D"com.iplanet.am.naming.map.site.to.server=http://my.ha.nginx:8001/openam=http://my.first.openam:8080/openam"

The path /openam/var/audit does not exist in my directory, I can’t find it.

This is the error I get when I put --debug:

Logging configuration class “com.sun.identity.log.s1is.LogConfigReader” failed
com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
CommandManager.
com.sun.identity.cli.CLIException: com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
at com.sun.identity.cli.LogWriter.log(LogWriter.java:156)
at com.sun.identity.cli.Authenticator.ldapLogin(Authenticator.java:167)
at com.sun.identity.cli.AuthenticatedCommand.ldapLogin(AuthenticatedCommand.java:106)
at com.sun.identity.cli.serverconfig.ListServers.handleRequest(ListServers.java:60)
at com.sun.identity.cli.SubCommand.execute(SubCommand.java:296)
at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:217)
at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:139)
at com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:661)
at com.sun.identity.cli.CommandManager.<init>(CommandManager.java:243)
at com.sun.identity.cli.CommandManager.main(CommandManager.java:174)
Caused by: com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:281)
at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:76)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at com.sun.identity.cli.LogWriter.log(LogWriter.java:142)
… 9 more

com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.

Var is where audit logs are in AM7; for the other locations see:
https://backstage.forgerock.com/knowledge/kb/article/a10623594

Are you normally able to log in using HTTP and not HTTPS? If you are using secure cookies, HTTP will fail. Including can you login to the using the site hostname?

I would recommend, as before, debugging this on the AM; ssoadm will just tell you “I can’t login”. You will need to look at audit and debug logs on AM to see:

  1. Does the request reach AM
  2. Does authentication fail and how does it fail?
  3. Is the amadmin username correct?

Hi @BlackNight,

Welcome to the community!

Unfortunately, the verbose error shown from ssoadm --debug output alone does not provide enough detail to identify the possible cause. As William mentioned, there are a few general issues that can cause this error message, as documented in the KB article.

The next step would be to enable AM in “Message” level debug mode and examine the log entries that William has referenced. However, I see you cannot find the path to the logs. Depending upon what version you are running, you can find the Audit and Debug logs in the path where you installed AM. The following KB article might help, as it provides the default log locations for all ForgeRock product versions:

https://backstage.forgerock.com/knowledge/kb/article/a10623594