In the course of installing a policy agent last week, I ran into the following error: “Access denied as Agent profile not found in Access Manager”. Although the agent profile name and password were correct, it was unable to authenticate itself to ForgeRock’s OpenAM. I’ll recap it for you and give you the solution I found. By the way, I am using OpenAM 9.5.4 and policy agent 3.0.5.
Who stole my policy agent?
Here’s a bit of background to start with. Realms in ForgeRock’s OpenAM are used to divide user populations logically and to apply the same authentication mechanisms to each population, but they can also be used to divide policies (either to limit the number of policies evaluated for a request or simply for the sake of organization) and even policy agent profiles.
If you have many policy agents, you may find it convenient to assign each policy agent to the same realm as the policies it will use. This makes no functional difference, but it does give you a mechanism for separating sets of profiles.
When you install a policy agent, you first create a profile in OpenAM, assigning a profile name and password, and then you actually install the agent (detailed guides can be found here). If you want to use a realm other than the root realm (/), be advised that the installation process offers no option for this. You can continue without this step, but you will have to make a correction before starting the agent.
Warning? There's your first clue...
After the install is completed, the agent directory (usually Agent_XYZ, where XYZ is a 3-digit number) contains a directory (config) with some configuration files. One of these, OpenSSOAgentBootstrap.properties, contains a property called com.sun.identity.agents.config.organization.name, which by default is set to /, signifying the top-level realm. If you change it to the path of the realm that holds your policy agent profile, the policy agent will be able to identify itself correctly to the OpenAM server.
Here is an example with a realm name of "secretagents":
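The following shell snippet is an added example, not the original post's screenshot of the file: it shows the property as it would read for the "secretagents" realm and wraps the edit in a small function that rejects a realm path without the leading / (the mistake that leaves the agent unable to identify itself) and reads the value back so you can confirm the change before starting the web server. It assumes the bootstrap file uses `key = value` lines, and the other properties and values in the sample file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): set and verify the realm property
# in OpenSSOAgentBootstrap.properties. Assumes "key = value" lines in the file.

PROPERTY="com.sun.identity.agents.config.organization.name"

# Print the current value of the realm property from the given bootstrap file.
current_realm() {
    # $1 = path to OpenSSOAgentBootstrap.properties
    sed -n "s/^${PROPERTY}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Set the realm property and echo the value read back from the file.
# The realm must be an absolute realm path such as /secretagents; a bare
# realm name would not match the profile's realm in OpenAM.
set_realm() {
    # $1 = path to OpenSSOAgentBootstrap.properties, $2 = realm path
    case "$2" in
        /*) ;;
        *) echo "realm path must start with /: $2" >&2; return 1 ;;
    esac
    if grep -q "^${PROPERTY}[[:space:]]*=" "$1"; then
        # Replace the existing line in place, keeping a .bak copy of the original.
        sed -i.bak "s|^${PROPERTY}[[:space:]]*=.*|${PROPERTY} = $2|" "$1"
    else
        printf '%s = %s\n' "$PROPERTY" "$2" >> "$1"
    fi
    current_realm "$1"
}

# Demonstration on a constructed bootstrap file (sample content, not a real agent's file).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
com.sun.identity.agents.app.username = Agent_001
com.sun.identity.agents.config.organization.name = /
com.sun.identity.agents.config.naming.url = http://openam.example.com:8080/openam/namingservice
EOF
    echo "before: $(current_realm "$f")"          # before: /
    echo "after:  $(set_realm "$f" /secretagents)" # after:  /secretagents
    rm -f "$f" "$f.bak"
}

demo
```

On a real agent host you would point `set_realm` at Agent_XYZ/config/OpenSSOAgentBootstrap.properties instead of the temporary file; the read-back at the end is the check worth keeping, since a stale or missing value here produces exactly the "Agent profile not found" error described above.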
Once the property is set correctly, you can start up the web server and experience the glory of a policy agent in working order. Otherwise, you will see the error quoted at the top. If you decide to organize your policy agent profiles by realm, hopefully this will help you out so you’re not stuck wondering whether you typed the name and password correctly.