4 replies Latest Post - ‏2014-06-11T02:51:31Z by nickdunlop
nickdunlop

AAAPolicy config problem upgrading from v4 to v5

‏2014-06-09T02:26:12Z |

Hi

We have encountered an issue while upgrading the firmware of our XI52 from 4.0.2.3 to 5.0.0.13.

The upgrade itself appears to have been successful and our deployed applications seem to be functioning correctly.

The issue is with deploying our apps.

An export zip file from the development environment is imported to the new application domain, then a SOMA call is executed to apply a modify-config XML document to the new domain to overwrite the relevant bits of config with new environment-specific values.

The SOMA call is failing with the standard DataPower "Internal Error (from client)" message being returned.

Some trial and error of attempting to apply the config in parts showed that it is the AAA Policy in particular that is breaking (all other config applies ok when tested in isolation). If I enable internal logging I see the following in the default domain log:

 

xmlfirewall (xml-mgmt): Execution of '' aborted: https://datapower1-xmldr:443/service/mgmt/current: cvc-particle 3.1: in element {http://www.datapower.com/schemas/management}modify-config of type {http://www.datapower.com/schemas/management}AnyModifyElement, found <AAAPolicy> (in namespace http://www.datapower.com/schemas/management), but next item should be any of [AAAPolicy, Domain, LDAPSearchParameters, ProcessingMetadata, RADIUSSettings, RBMSettings, SAMLAttributes, SOAPHeaderDisposition, TAM, TFIMEndpoint, XACMLPDP, AccessControlList, AppSecurityPolicy, CompactFlash, CompileOptionsPolicy, ConfigDeploymentPolicy, ConformancePolicy, CertMonitor, CRLFetch, CryptoCertificate, CryptoFWCred, CryptoIdentCred, CryptoKerberosKDC, CryptoKerberosKeytab, CryptoKey, CryptoProfile, CryptoSSKey, CryptoValCred, OAuthSupportedClient, OAuthSupportedClientGroup, SSHClientProfile, SSLProxyProfile, ErrorReportSettings, SystemSettings, TimeSettings, SchemaExceptionMap, DocumentCryptoMap, XPathRoutingMap, LogTarget, FormsLoginPolicy, FTPQuoteCommands, MultiProtocolGateway,

 

The log message is truncated in the log. But essentially, it appears to be telling us that it found an AAAPolicy element where it was expecting an AAAPolicy element - not very helpful.

We noticed that in the move from v4 to v5 the AAAPolicy schema expanded but I believe we have captured all the new tags in our XML file. For some reason AAAPolicy needs everything specified whether you use it or not (other objects - e.g. MPGW -  are happy with just the values that have changed).

I'm wondering if this relates to the namespaces somehow? or the endpoint I'm posting to?

 

I've attached my modify-config XML (with some values changed to protect the innocent) to this post.

I'm posting it to https://mydatapower:port/service/mgmt/current

 

Can anyone shed some light on what I might be doing wrong here?

Thanks

Nick

 


Updated on 2014-06-09T21:30:04Z at 2014-06-09T21:30:04Z by nickdunlop
  • HermannSW

    Re: AAAPolicy config problem upgrading from v4 to v5

    ‏2014-06-09T07:28:21Z  in response to nickdunlop

    Your posting is broken.

    Please attach a demonstration SOMA file showing the effect here.


    Hermann.

    • nickdunlop

      Re: AAAPolicy config problem upgrading from v4 to v5

      ‏2014-06-09T21:28:52Z  in response to HermannSW

      Thanks Hermann

      Fixed the post. Had to attach the file rather than include it in the text.

      • HermannSW

        Re: AAAPolicy config problem upgrading from v4 to v5

        ‏2014-06-10T07:49:42Z  in response to nickdunlop

        Hi Nick,

        I doubt that the script worked on 4.0.2.3.

        The attached service export does a validate action (Body) of the payload against store:///xml-mgmt.ops.xsd.
        It reports the same error on 4.0.2.15 as on 4.0.2.3 after downgrading the box:

        $ curl --data-binary @my-aaa-modify-config.xml http://dp-wsc.boeblingen.de.ibm.com:5011; echo
        <?xml version="1.0" encoding="UTF-8"?>
        <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><env:Fault><faultcode>env:Client</faultcode><faultstring>SOAP envelope/body validation error. (from client)</faultstring></env:Fault></env:Body></env:Envelope>
        $
        

         

        The error you reported in your initial posting is pretty clear:

        "found <AAAPolicy> (in namespace http://www.datapower.com/schemas/management),"

        says that <AAAPolicy> is in the DataPower management namespace.
        This is because you set the default namespace to it.


        "but next item should be any of [AAAPolicy, ..."

        says that it expects <AAAPolicy> in no namespace.


        After correcting the namespaces, some other errors are left; you need to fix them one after the other.


        Hermann

        • nickdunlop

          Re: AAAPolicy config problem upgrading from v4 to v5

          ‏2014-06-11T02:51:31Z  in response to HermannSW

          Thanks for your help Hermann. I've got it working now.

           

          Main problem was a missing xmlns="" to null out the prior default namespace declaration.
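
The namespace inheritance diagnosed in this thread can be checked before a request is posted. The following is an added example, not part of any post and not the poster's attached file: it parses a constructed SOMA request and lists every element under modify-config that has inherited a namespace from an ancestor's default declaration. It assumes that the properties inside a config object are expected in no namespace, like the object itself; the domain and policy names are placeholders.

```python
import xml.etree.ElementTree as ET

# Management namespace, as quoted in the log message in the thread.
MGMT_NS = "http://www.datapower.com/schemas/management"

# Constructed sample: the default namespace declared on <request> is
# inherited by <modify-config> (wanted) and by <AAAPolicy> (not wanted).
BROKEN = """<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <request xmlns="http://www.datapower.com/schemas/management" domain="example-domain">
      <modify-config>
        <AAAPolicy name="example-policy">
          <mAdminState>enabled</mAdminState>
        </AAAPolicy>
      </modify-config>
    </request>
  </env:Body>
</env:Envelope>"""

# Same sample with xmlns="" on the config object, which undeclares the
# default namespace for that element and everything below it.
FIXED = BROKEN.replace("<AAAPolicy name", '<AAAPolicy xmlns="" name')


def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def namespaced_config_elements(soma_xml):
    """Return (path, namespace) for each element below modify-config
    that is in any namespace instead of no namespace."""
    problems = []

    def walk(elem, path):
        for child in elem:
            ns, local = split_tag(child.tag)
            child_path = path + "/" + local
            if ns:
                problems.append((child_path, ns))
            walk(child, child_path)

    root = ET.fromstring(soma_xml)
    for modify in root.iter("{%s}modify-config" % MGMT_NS):
        walk(modify, "modify-config")
    return problems
```

An empty list for a request means no config element picked up a default namespace; any entry names the element to which xmlns="" (or a prefixed rather than default management namespace) needs to be applied.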