Known issues and solutions
Use the solutions to troubleshoot issues that we might encounter.
The known issues are:
- Fix for the Sweet32 Birthday vulnerability does not disable DES ciphers
- Enable Compatibility View in Internet Explorer 9 returns the Browser not Supported message
- Help page content does not display
- On Windows operating systems, we cannot use basic authentication for WebSEAL from IBM Security Verify Access for Web
- Database rolls back with an error when you attempt to remove a large quantity of records from a DB2 runtime database
- A cluster configuration update fails to deploy and generates a timeout error message
- Database Maintenance panel returns a retrieval error
- Cannot export and import a template page file in the same session
- Kerberos Configuration is reset to the default values on the appliance
Fix for the Sweet32 Birthday vulnerability does not disable DES ciphers
To address the vulnerabilities exploited by the SWEET32 Birthday attack (CVE-2016-2183), Verify Access GSKIT implemented a limit on the amount of data that can be downloaded over a single connection (32GB). Support for the DES ciphers is NOT affected. This means that a scan tool which only checks whether these ciphers are enabled can report a false positive for this issue.
To disable the DES ciphers, see: http://www-01.ibm.com/support/docview.wss?uid=swg21698249
After the 32GB limit is reached, the connection will be broken and an error will be logged such as:
2017-05-05-12:10:01.647+10:00I----- 0x38AD5425 webseald ERROR wiv socket WsSslListener.cpp 1867 0x7f88fc161700 -- DPWIV1061E Could not write to socket (445)
445 is GSK_ERROR_BYTECOUNT_EXHAUSTED.
If requests or applications are negatively affected by the GSK_ERROR_BYTECOUNT_EXHAUSTED (445) error, the best solution is to disable the Sweet32 ciphers, either in the application logging the error (recommended if possible in the environment) or, if that is not possible, in the other application sharing this connection.
For example, if WebSEAL is logging the error: http://www-01.ibm.com/support/docview.wss?uid=swg21698249
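A log check for the error described above, added here as an example (not IBM's code): it counts DPWIV1061E entries that carry return code 445 per hour and keeps them apart from other socket write failures, which shows how often connections actually reach the 32GB limit. The line layout is taken from the sample entry on this page; the function name, the second and third sample lines and the return code 406 are constructed for the example.

```python
import re
from collections import Counter

# Return code the page identifies as GSK_ERROR_BYTECOUNT_EXHAUSTED.
GSK_ERROR_BYTECOUNT_EXHAUSTED = 445

# Layout of the sample entry on this page: timestamp with UTC offset and
# severity flag, message id, process, level, source details, "--", message text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2})\S*\s+"
    r"0x[0-9A-Fa-f]+\s+(?P<proc>\S+)\s+(?P<level>\S+)\s+.*?--\s+"
    r"DPWIV1061E\s+(?P<text>.*?)\s*\((?P<rc>\d+)\)\s*$"
)

# First line is the page's sample entry; the rest are constructed test input.
SAMPLE_LOG = """\
2017-05-05-12:10:01.647+10:00I----- 0x38AD5425 webseald ERROR wiv socket WsSslListener.cpp 1867 0x7f88fc161700 -- DPWIV1061E Could not write to socket (445)
2017-05-05-12:48:13.020+10:00I----- 0x38AD5425 webseald ERROR wiv socket WsSslListener.cpp 1867 0x7f88fc161700 -- DPWIV1061E Could not write to socket (445)
2017-05-05-13:02:44.311+10:00I----- 0x38AD5425 webseald ERROR wiv socket WsSslListener.cpp 1867 0x7f88fc161700 -- DPWIV1061E Could not write to socket (406)
constructed unrelated line that the parser must skip
"""


def byte_limit_events(lines):
    """Return (445 events per hour, other DPWIV1061E return codes) as Counters."""
    per_hour = Counter()
    other_rcs = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DPWIV1061E socket write error
        rc = int(m.group("rc"))
        if rc == GSK_ERROR_BYTECOUNT_EXHAUSTED:
            # Bucket by "YYYY-MM-DD-HH" so bursts of limit hits stand out.
            per_hour[m.group("ts")[:13]] += 1
        else:
            other_rcs[rc] += 1
    return per_hour, other_rcs


if __name__ == "__main__":
    hits, others = byte_limit_events(SAMPLE_LOG.splitlines())
    for hour, count in sorted(hits.items()):
        print(f"{hour}: {count} connection(s) closed at the byte-count limit")
    print("other socket write return codes:", dict(others))
```

Hours with repeated hits point to long-lived connections that still negotiate a Sweet32 cipher and are candidates for the cipher change described above.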
Enable Compatibility View in Internet Explorer 9 returns the Browser not Supported message
The ISAM appliance does not support the browser operating in this mode. The following message is displayed in the local management interface:
Browser not Supported. The ISAM appliance does not support this browser. The following browsers are currently supported:
- Internet Explorer 9 or later
- Firefox 17.0 or later
- Google Chrome 27.0 or later
Solution:
The appliance does not support Internet Explorer if the Compatibility View is turned on. Ensure the Compatibility View in Internet Explorer is turned off. The Compatibility View option is under the Tools menu in the Internet Explorer browser.
Help page content does not display
When you click the Help link from the appliance user interface while using Microsoft Internet Explorer version 9.0 or later, the topic content might not display.
Solution:
Ensure the Compatibility View in Internet Explorer is turned on. The Compatibility View option is under the Tools menu in the Internet Explorer browser. The Help System supports compatibility mode.
On Windows operating systems, we cannot use basic authentication for WebSEAL from IBM Security Verify Access for Web
WebSEAL does not start properly if your configuration meets all of these conditions:
- Windows operating system
- WebSEAL from IBM Security Verify Access for Web 7.0.0.1
- Basic authentication configured in the WebSEAL configuration file with basic-auth-user and basic-auth-passwd entries in the [rtss-cluster:cluster1] stanza
Solution:
To work around this issue, configure certificate authentication for WebSEAL. See the WebSEAL administration information in the Knowledge Center.
If we are using the isamcfg tool to configure WebSEAL, be sure to select certificate authentication for the authentication method response.
Database rolls back with an error when you attempt to remove a large quantity of records from a DB2 runtime database
When you try to delete many device fingerprints or user session data records from an external DB2 runtime database, the following error might occur:
Error occurred. The database was rolled back to the previous version. The transaction log for the database is full. SQLCODE=-964, SQLSTATE=57011
Solution:
Increase the log capacity by completing the following actions:
- Increase the number of primary and secondary transaction log files.
- Increase the size of each transaction log.
For information about the available transaction log configuration parameters, see the DB2 documentation.
A cluster configuration update fails to deploy and generates a timeout error message
An update to the cluster configuration, such as the External Reference Entity IP address or First Port value, might fail to deploy in the allotted time. The following error message is printed in the event log:
WGASY0007E The pending changes failed to deploy within the allotted time.
Solution:
Increase the wga.cmd.timeout value. In the local management interface, select System > System Settings > Advanced Tuning Parameters. Add a parameter called wga.cmd.timeout and set the timeout value in seconds. Default is 300 seconds.
Database Maintenance panel returns a retrieval error
The following error message returns in the Database Maintenance panel after the location of the runtime database is changed:
System Error FBTRBA091E The retrieval failed because the resource cannot be found.
This error message returns after the location of the runtime database is changed from Local to the cluster to Remote to the cluster under the Database tab in the Cluster Configuration panel.
Solution:
Complete the following steps to restart the local management interface:
- Use an ssh session to access the local management interface.
- Log in as the administrator.
- Type lmi, and press Enter.
- Type restart, and press Enter.
- Type exit, and press Enter.
Cannot export and import a template page file in the same session
If you export a template page file and immediately try to import a file, no action occurs, and the file is not imported.
Solution: After you export a file, refresh the browser before you try to import a file.
Kerberos Configuration is reset to the default values on the appliance
After saving and deploying the Kerberos Configuration settings, we might find the values of these Kerberos settings are reset to the defaults. For example default_realm is set back to tbd.
In a clustered Security Verify Access environment, when configuring the Kerberos settings on a node appliance, the values you modified are set back to the default values. Or, the settings are overwritten by the values set on the primary master of the cluster. This happens after some time.
Specifically, propagation of the values happens once one of the following conditions is met:
- The Replicate with Cluster option is toggled on from the local management interface runtime component panel, and the settings are changed on the master.
- Sufficient time has elapsed since the last propagation (approximately 15 minutes).
The resetting of these values is evident on the Defaults, Realms, Domains, and CA Paths tabs, but not on the Keyfiles tab.
In general, when we choose to replicate the runtime environment with the cluster, these values are synchronized from the primary master. Therefore, if you change these values on a node other than the primary master, they are overwritten with the values from the primary master during the next synchronization operation.
Solution: When your configuration is set to replicate the runtime environment with the cluster, always update the Kerberos Configuration settings on the primary master of the cluster, instead of on a node. We must also import the keytab file on each node that is using the Kerberos Configuration settings.