Unable to register the WAM UI for Siteminder R12 on RHEL5.

Document ID : KB000051340
Last Modified Date : 14/02/2018
Description

The default install of Red Hat Enterprise Linux 5 enables the iptables firewall, which restricts traffic on ports 44441-44443. This causes problems with registration of the WAM UI with Siteminder R12. With Siteminder R6, the problem becomes noticeable when trying to register web agents with the policy server.

As a temporary fix, disabling the iptables service:

     /etc/init.d/iptables stop

will enable registration to proceed as normal.

Solution

The default install of Red Hat Enterprise Linux 5 enables the iptables firewall, which restricts traffic on ports 44441-44443.

In a default Siteminder R12 install, this will first cause a problem when trying to register the WAM UI with the policy server.

The entry in the WAM UI log is not very informative:
09:42:34,619 INFO [UIAgent] Bootstrap UIAgent is shutdown 
09:42:34,636 ERROR [EventExecuteStateException] Execution of event: CreateUIConnectionEvent failed. Exception encountered: Agent API failure 
09:42:34,637 ERROR [IMSEventController] Error during event execution [60dd2228-64dc45e0-00ff22ed-69cf726c] CreateUIConnectionEvent 
09:42:34,809 WARN [eventlistener] EvtIMTaskEvent:d3dc62a4-bb78d9ed-4d80ad90-acf805d is invalid. 
09:42:35,826 DEBUG [UIComponentTag] Entered encodeBegin for client-Id: headContents 
 

And there are no entries in the policy server log.

A quick test using telnet to try to access the policy server via:

$ telnet policyserver 44443

will time out without making a connection, indicating there is a problem with establishing the connection.

There are a number of other issues that can occur during registration, but in this case it was the iptables firewall that was blocking connections on the standard Siteminder ports 44441-44443.

Disabling the iptables service temporarily on the policy server:

/etc/init.d/iptables stop

will then enable registration of the WAM UI to proceed.

But as indicated, there are other reasons that your WAM UI registration may not succeed; for instance, there is a timeout period for the registration credentials. If this does not fix your problem, you should look for other reasons the network connection cannot be made.

For a more permanent solution, you will need to disable the iptables service for the normal runlevels of Linux, which can be done as follows:

$ chkconfig --levels 345 iptables off

Alternatively, you can use the Red Hat GUI firewall configuration tool to allow connections to the policy server on ports 44441-44443.
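
For the option of allowing only ports 44441-44443 rather than switching the firewall off, the following added example (not part of the original article or any vendor tooling) checks `iptables-save` style output for whether those ports are accepted ahead of the catch-all rule, and shows a single rule that opens only them. The chain name `RH-Firewall-1-INPUT`, the constructed sample ruleset and the function names are assumptions made for the illustration.

```shell
# Added example. Assumes the RHEL 5 default chain RH-Firewall-1-INPUT; only
# "-p tcp --dport" matches and unconditional rules are evaluated.
# Constructed sample: abridged default ruleset with no Siteminder rule.
SAMPLE_DEFAULT='*filter
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Rule that opens only the policy server ports named in the article.
SM_RULE='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 44441:44443 -j ACCEPT'

# The sample with SM_RULE placed ahead of the catch-all REJECT.
fixed_ruleset() {
  printf '%s\n' "$SAMPLE_DEFAULT" | awk -v r="$SM_RULE" '/-j REJECT/ { print r } { print }'
}

# port_allowed PORT < ruleset; exit 0 = accepted, 1 = blocked, 2 = no decision
port_allowed() {
  awk -v port="$1" -v chain="RH-Firewall-1-INPUT" '
    BEGIN { verdict = 2 }
    $1 != "-A" || $2 != chain { next }
    {
      target = ""; dport = ""; proto = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-j") target = $(i + 1)
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
      }
      blocks = (target == "REJECT" || target == "DROP")
      n = split(dport, r, ":"); lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
      # A rule decides if it is unconditional or its tcp port range covers PORT.
      covers = (dport == "") ? ($3 == "-j") : (proto == "tcp" && port + 0 >= lo && port + 0 <= hi)
      if (covers && (blocks || target == "ACCEPT")) { verdict = blocks; exit }
    }
    END { exit verdict }'
}

# Report on the three Siteminder ports for a ruleset read from stdin.
check_siteminder_ports() {
  rules=$(cat); status=0
  for p in 44441 44442 44443; do
    if printf '%s\n' "$rules" | port_allowed "$p"; then echo "tcp/$p accepted"
    else echo "tcp/$p NOT accepted"; status=1; fi
  done
  return "$status"
}

printf '%s\n' "$SAMPLE_DEFAULT" | check_siteminder_ports || true
fixed_ruleset | check_siteminder_ports
```

On a live policy server, piping the output of `iptables-save` (run as root) into `check_siteminder_ports` evaluates the active ruleset instead of the sample.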

Note: If iptables is enabled on a Siteminder R6 Policy Server, that will also cause problems, but for R6 the first problem encountered will be when trying to do a trusted host registration from the web agent to the policy server.