Description
The default install of Red Hat Enterprise Linux 5 enables the iptables firewall, which restricts traffic on ports 44441-44443. This causes problems with registration of the WAM UI with Siteminder R12; with Siteminder R6 it becomes noticeable when trying to register web agents with the policy server.
As a temporary fix, disabling the iptables service:
/etc/init.d/iptables stop
will enable registration to proceed as normal.
Solution
The default install of Red Hat Enterprise Linux 5 enables the iptables firewall, which restricts traffic on ports 44441-44443.
In a default Siteminder R12 install this will first cause a problem when trying to register the WAM UI with the policy server.
The entry in the WAM UI log is not very informative:
09:42:34,619 INFO [UIAgent] Bootstrap UIAgent is shutdown
09:42:34,636 ERROR [EventExecuteStateException] Execution of event: CreateUIConnectionEvent failed. Exception encountered: Agent API failure
09:42:34,637 ERROR [IMSEventController] Error during event execution [60dd2228-64dc45e0-00ff22ed-69cf726c] CreateUIConnectionEvent
09:42:34,809 WARN [eventlistener] EvtIMTaskEvent:d3dc62a4-bb78d9ed-4d80ad90-acf805d is invalid.
09:42:35,826 DEBUG [UIComponentTag] Entered encodeBegin for client-Id: headContents
And there are no entries in the policy server log.
A quick test using telnet to try and access the policy server via:
$ telnet policyserver 44443
will time out without making a connection, indicating there is a problem with establishing the connection.
There are a number of other issues that can occur during registration, but in this case it was the iptables firewall that was blocking connections on the standard Siteminder ports 44441-44443.
Disabling the iptables service temporarily on the policy server:
/etc/init.d/iptables stop
will then enable registration of the WAM UI to proceed.
As indicated, there are other reasons that your WAM UI registration may not succeed; for instance, there is a timeout period for the registration credentials. If stopping iptables does not fix your problem, look for other reasons the network connection cannot be made.
For a more permanent solution you will need to disable the iptables service for the normal run levels of Linux, which can be done as follows:
$ chkconfig --level 345 iptables off
or you can use the Red Hat GUI firewall configuration tool to allow connections to the policy server on ports 44441-44443.
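The option of allowing only ports 44441-44443, rather than switching the firewall off, can also be checked and applied from the command line. The script below is an added example, not part of the original article: it reads a ruleset in iptables-save format, reports which of the three ports are still blocked, and prints a single allow rule. The sample ruleset is constructed, the RH-Firewall-1-INPUT chain name assumes the RHEL 5 default layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): report which Siteminder ports
# a ruleset in iptables-save format still blocks, and print a narrow allow rule.
SM_PORTS="44441 44442 44443"

# Constructed sample modelled on a RHEL 5 default /etc/sysconfig/iptables.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Reads rules on stdin; prints the ports with no tcp ACCEPT rule ahead of the
# first catch-all REJECT/DROP (heuristic: a REJECT/DROP rule without --dport),
# or under an INPUT policy of DROP. Prints nothing if no deny applies.
blocked_ports() {
  awk -v ports="$SM_PORTS" '
    BEGIN { n = split(ports, want, " ") }
    /^:INPUT DROP/ { deny = 1 }
    /^-A / && !done {
      if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /--dport/) { done = 1; deny = 1; next }
      if ($0 ~ /-p tcp/ && $0 ~ /-j ACCEPT/ && match($0, /--dport [0-9]+(:[0-9]+)?/)) {
        split(substr($0, RSTART + 8, RLENGTH - 8), r, ":")
        lo = r[1] + 0; hi = (r[2] == "" ? lo : r[2] + 0)
        for (i = 1; i <= n; i++) if (want[i] + 0 >= lo && want[i] + 0 <= hi) ok[want[i]] = 1
      }
    }
    END {
      if (!deny) exit
      for (i = 1; i <= n; i++) if (!(want[i] in ok)) s = s (s == "" ? "" : " ") want[i]
      print s
    }'
}

# Rule to insert at the top of the RHEL 5 default chain (assumed chain name).
allow_rule() {
  echo "iptables -I RH-Firewall-1-INPUT -p tcp -m tcp --dport 44441:44443 -m state --state NEW -j ACCEPT"
}

blocked=$(sample_rules | blocked_ports)
if [ -n "$blocked" ]; then echo "blocked: $blocked"; allow_rule; fi
```

On the policy server itself, run blocked_ports < /etc/sysconfig/iptables as root; after inserting the printed rule, service iptables save makes it persist across restarts.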
Note: If iptables is enabled on a Siteminder R6 Policy Server, that will also cause problems, but for R6 the first problem encountered will be when trying to do a trusted host registration from the web agent to the policy server.