Troubleshooting
Problem
The use of the keyword 'tivoli' as the value of the type attribute for entry elements in custom AAA style sheets can cause unexpected behaviour during AAA processing.
Symptom
After upgrading to DataPower appliance release 5.0.0, any AAA processing that uses custom style sheets might fail due to the use of the 'tivoli' keyword for Tivoli Access Manager credential processing.
Cause
The keyword 'tivoli' is used by the DataPower appliance AAA code related to the Tivoli Access Manager credential during AAA processing. The use of the 'tivoli' keyword as the value of the 'type' attribute in custom AAA style sheets conflicts with standard AAA processing. Any custom AAA style sheet should use the value 'custom' for the 'type' attribute.
Environment
AAA policies that contain custom processing style sheets, particularly during the Authentication and credential mapping phases.
Diagnosing The Problem
The DataPower appliance system logs might show the following errors:
Mapped-Credentials format is special. One or more 'entry' child elements are expected.
tivoli authorization failed with credential 'SPECIAL-FORMAT-NOT-PRINTED' for resource '/resource'
Resolving The Problem
Inspect any custom AAA style sheets for 'entry' elements that have 'type' attributes with values other than 'custom'. For example, if a custom AAA style sheet outputs the following XML entry node:
<entry type="tivoli">
change the value of the 'type' attribute to 'custom':
<entry type="custom">
The output should then resemble:
<mapped-credentials>
<entry type="custom">
</mapped-credentials>
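The inspection described above can be scripted across exported style sheets. The following is an added example, not IBM code: it parses each XSLT file and lists every 'entry' element the style sheet can emit whose 'type' is not 'custom'. The sample style sheet, the function names and the assumption that 'entry' is emitted without a namespace are all constructed for illustration; values built at run time are reported as "(computed)" for manual review.

```python
import sys
import xml.etree.ElementTree as ET

XSL = "{http://www.w3.org/1999/XSL/Transform}"
# Constructed sample style sheet (not from the technote).
SAMPLE = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <mapped-credentials>
      <entry type="tivoli"><xsl:value-of select="'user1'"/></entry>
      <entry type="custom">user2</entry>
      <xsl:element name="entry">
        <xsl:attribute name="type">tivoli</xsl:attribute>
      </xsl:element>
      <entry type="{$kind}"/>
    </mapped-credentials>
  </xsl:template>
</xsl:stylesheet>"""

def type_value(el):
    """Return the 'type' an entry is emitted with, or None if it sets none."""
    value = None if el.tag.startswith(XSL) else el.get("type")
    for child in el:  # direct <xsl:attribute name="type"> children only
        if child.tag == XSL + "attribute" and child.get("name") == "type":
            value = "(computed)" if len(child) else (child.text or "").strip()
    if value and "{" in value:  # attribute value template, e.g. type="{$kind}"
        value = "(computed)"
    return value

def audit(xslt_source):
    """List (form, type) for each emitted 'entry' whose type is not 'custom'."""
    findings = []
    for el in ET.fromstring(xslt_source).iter():
        if el.tag == "entry":  # literal result element, no namespace (assumed)
            form = "literal"
        elif el.tag == XSL + "element" and el.get("name") == "entry":
            form = "xsl:element"
        else:
            continue
        value = type_value(el)
        if value is not None and value != "custom":
            findings.append((form, value))
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:]:  # paths to exported custom AAA style sheets
        with open(path, "rb") as fh:
            for form, value in audit(fh.read()):
                print(f"{path}: {form} entry with type={value!r}")
```

Run it with the style sheet paths as arguments; no output means every statically determinable 'entry' type is already 'custom'.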
Document Information
More support for: WebSphere DataPower Integration Appliance XI52
Software version: 5.0.0, 6.0.0, 6.0.1, 7.0.0
Operating system(s): Firmware
Document number: 488909
Modified date: 15 June 2018
UID: swg21633392