Error occurred while attempting to contact the authentication service

Hi

I just implemented IDM 4.5 with OSP on Tomcat and User Application on WebSphere. It was working fine until I moved OSP from port 8080 to 8443 (SSL).
Now when I access my User Application URL it is redirected to the OSP login page, but after entering credentials it gives me the error below:
An error occurred while attempting to contact the authentication service.

I know it is some certificate import issue, but I can't figure out where I need to make the changes.

Waiting for some suggestions.

Thanks,
cap
  • On 11/7/2016 8:56 AM, CAPVCC SUPPORT wrote:
    >
    > Hi
    >
    > I just implemented IDM 4.5 with OSP on Tomcat and User Application
    > on WebSphere. It was working fine until I moved OSP from port 8080 to
    > 8443 (SSL).
    > Now when I access my User Application URL it is redirected to the
    > OSP login page, but after entering credentials it gives me the error
    > below:
    > An error occurred while attempting to contact the authentication
    > service.
    >
    > I know it is some certificate import issue, but I can't figure out
    > where I need to make the changes.


    OSP is super finicky. Try reading my articles on the topic, since you
    have likely hit one of the issues I describe:

    https://www.netiq.com/communities/cool-solutions/getting-started-with-osp-part-1

    https://www.netiq.com/communities/cool-solutions/getting-started-with-osp-part-2

    https://www.netiq.com/communities/cool-solutions/getting-started-with-osp-part-3

    I.e. the OSP keystore needs the eDir and Tomcat public keys, and the OSP
    private key of course. The Tomcat keystore needs the same set. cacerts
    needs the OSP and Tomcat public keys, or the trusted roots that signed them.

  • Hi

    I have gone through the link below:
    https://www.netiq.com/communities/cool-solutions/troubleshooting-osp-sspr-part-3/

    Imported and exported many certificates, now more confused. Can you please explain the certificate part in a little more detail?

    Thanks for your support

    Thanks,
    CAP
  • On 11/7/2016 10:26 AM, CAPVCC SUPPORT wrote:
    >
    > Hi
    >
    > I have gone through the link below:
    > https://www.netiq.com/communities/cool-solutions/troubleshooting-osp-sspr-part-3/
    >
    > Imported and exported many certificates, now more confused. Can you
    > please explain the certificate part in a little more detail?


    Certificates have two parts. Private key and public key.

    Private key is what Tomcat loads so it can offer SSL services to
    incoming requests.

    However, the web client coming in should TRUST the signer of that
    certificate.

    So go to any commercial web page that uses HTTPS. Click on the lock
    icon (every browser is a bit different) and get to the cert info. Look
    at the certification chain/hierarchy.

    You will see that the signers are listed.

    Your browser ships with the 'well known' signers' public keys, built
    into its keystore to trust. It used to cost $18 million with Firefox to
    get added.

    If not, your browser says untrusted certificate or somesuch error.

    OSP and UA can both be considered web clients, making web requests to
    Tomcat and to each other back and forth.

    Thus, their (OSP, Tomcat, UA) keystores must trust the certs. How do
    you trust a cert?
    1) Trust the cert itself (import the cert's public key to a keystore with
    the -trustcacerts switch).
    2) Trust the signer of the cert (import the signer's public key the same way).
    3) If there is an intermediate CA, trust that as well. Import that as well.

    So, OSP must trust Tomcat and UA. So whoever signed the Tomcat cert (or
    maybe yours is WebSphere; whatever, the SSL cert WebSphere is using is
    what matters) needs to be trusted by the Java instance OSP and UA are
    using. So the OSP keystore needs to import those public keys.

    eDir's cert is needed for LDAP operations in OSP.

    cacerts needs to have all the same trusted Certs as well, since that is
    what UA uses.

    In WebSphere, you have yet another possible keystore you can point at,
    so do that and make sure it has all these certs in it.


  • Still the issue is not fixed.
    I have updated all the certs in the respective keystores, but I can't import the OSP certificate.
    Could you please provide some suggestions on how to import the OSP certificate? I can only see the osp.jks (keystore) file; I can't find any certificate.

    Thanks,
    CAP
  • On 11/7/2016 3:16 PM, CAPVCC SUPPORT wrote:
    >
    > Still the issue is not fixed.
    > I have updated all the certs in the respective keystores, but I can't
    > import the OSP certificate.
    > Could you please provide some suggestions on how to import the OSP
    > certificate? I can only see the osp.jks (keystore) file; I can't find
    > any certificate.


    So the problem here is that the keystore has the private key, which
    actually MUST remain secret, else we get into potential issues. (The
    problem is, if you sent me the file, I could send you back a working
    keystore in 1 minute... But I won't accept the file, due to the security
    issue).

    So let's see if I can write this freehand from memory.

    /opt/netiq/idm/apps/jre/bin/keytool \
        -keystore /opt/netiq/idm/apps/tomcat/conf/osp.jks \
        -storepass PASSWORD -list -v | less

    Use that command to be sure you have the right path and password. I will
    assume you aliased the cert as osp.

    So...
    /opt/netiq/idm/apps/jre/bin/keytool \
        -keystore /opt/netiq/idm/apps/tomcat/conf/osp.jks \
        -storepass PASSWORD -export -alias osp -file /tmp/osp.pub

    Now you need this one in cacerts. But which cacerts? If eDir and UA
    are on the same box, I would add it to both to be safe. But in theory it
    should be the same JRE I am getting keytool from.

    /opt/netiq/idm/apps/jre/bin/keytool \
        -keystore /opt/netiq/idm/apps/jre/lib/security/cacerts \
        -storepass default -import -alias osp-pub -file /tmp/osp.pub -trustcacerts

    (Yes, the password on cacerts is always "default"; it is a 'default', go
    figure.)

    To be safe, if eDir were on the same box, I would do something like:

    /opt/netiq/idm/apps/jre/bin/keytool \
        -keystore /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts \
        -storepass default -import -alias osp-pub -file /tmp/osp.pub -trustcacerts

    (I think that is pretty close to being correct).
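    The export/import steps above, and the "who has to trust whom" rules from
    the earlier reply, as one added example script. This is not from the
    original thread or from NetIQ; it wires the OSP public certificate into
    each Java trust store and then checks, by fingerprint, that the trust
    store really holds the same certificate that is in osp.jks, which is the
    check that was missing while "many certificates" were being imported.
    Assumptions: the IDM 4.5 default paths quoted in the thread (override
    with the environment variables at the top); alias osp; the Java default
    cacerts password changeit (the reply above reports the IDM-bundled JRE
    uses "default", so set TRUST_STOREPASS to whatever -list accepts on
    your box). The function names are mine. Never copy osp.jks itself to
    another host for trust purposes; -exportcert writes only the public
    certificate.

```shell
#!/bin/sh
# Added example, not from the thread: publish OSP's public certificate into
# every Java trust store that must trust it, then verify by fingerprint.
set -eu

KEYTOOL="${KEYTOOL:-/opt/netiq/idm/apps/jre/bin/keytool}"   # assumed IDM 4.5 path
OSP_JKS="${OSP_JKS:-/opt/netiq/idm/apps/tomcat/conf/osp.jks}"
OSP_STOREPASS="${OSP_STOREPASS:-}"   # pass via environment, never hard-code
OSP_ALIAS="${OSP_ALIAS:-osp}"        # assumed alias of the OSP key pair

# Trust stores named in the thread: the apps JRE cacerts (used by UA) and the
# eDirectory JRE cacerts if eDir runs on the same box. Missing ones are skipped.
TRUST_STORES="${TRUST_STORES:-/opt/netiq/idm/apps/jre/lib/security/cacerts /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts}"
TRUST_STOREPASS="${TRUST_STOREPASS:-changeit}"   # Java default; assumption

# 1. Export ONLY the public certificate (PEM). The private key stays in osp.jks.
export_osp_cert() {   # outfile
  "$KEYTOOL" -keystore "$OSP_JKS" -storepass "$OSP_STOREPASS" \
      -exportcert -rfc -alias "$OSP_ALIAS" -file "$1"
}

# 2. Import a certificate as a trusted entry, idempotently: keytool refuses to
#    import over an existing alias, so drop a stale copy first.
import_into_truststore() {   # store storepass alias certfile
  if "$KEYTOOL" -keystore "$1" -storepass "$2" -list -alias "$3" >/dev/null 2>&1; then
    "$KEYTOOL" -keystore "$1" -storepass "$2" -delete -alias "$3"
  fi
  "$KEYTOOL" -keystore "$1" -storepass "$2" -importcert -noprompt -trustcacerts \
      -alias "$3" -file "$4"
}

# 3. Fingerprint of an entry as keytool prints it ("Certificate fingerprint
#    (SHA1|SHA-256): ..."); empty if the store or alias does not exist.
fingerprint() {   # store storepass alias
  "$KEYTOOL" -keystore "$1" -storepass "$2" -list -alias "$3" 2>/dev/null \
      | sed -n 's/.*fingerprint (SHA[-0-9]*): *//p' | tr -d ' '
}

# The check: the trust store holds a cert with the same fingerprint as the
# key pair in osp.jks. Returns 0 (trusted) or 1 (not trusted / wrong cert).
truststore_trusts_osp() {   # store storepass
  want="$(fingerprint "$OSP_JKS" "$OSP_STOREPASS" "$OSP_ALIAS")"
  got="$(fingerprint "$1" "$2" "$OSP_ALIAS")"
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# 4. What a web client (UA, OSP) actually receives from Tomcat on 8443: the
#    leaf certificate's subject and issuer. The issuer must be in the stores.
show_served_chain() {   # host port
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
      | openssl x509 -noout -subject -issuer
}

main() {
  tmp="$(mktemp)"; trap 'rm -f "$tmp"' EXIT
  export_osp_cert "$tmp"
  for store in $TRUST_STORES; do
    [ -f "$store" ] || { echo "skip (not present): $store"; continue; }
    import_into_truststore "$store" "$TRUST_STOREPASS" "$OSP_ALIAS" "$tmp"
    if truststore_trusts_osp "$store" "$TRUST_STOREPASS"; then
      echo "OK: $store trusts $OSP_ALIAS"
    else
      echo "FAIL: $store does not hold the osp.jks certificate"; exit 1
    fi
  done
}

if [ "${1:-}" = "--run" ]; then main; fi
```

    Run it as `OSP_STOREPASS=... sh osp-trust.sh --run` after `keytool -list -v`
    has confirmed the alias. If the check passes on every store and the UA
    still fails, the missing trust is in the other direction: run
    `show_served_chain <ua-host> <port>` and make sure that issuer is in
    osp.jks as a trusted entry as well.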

  • Performed the above steps, but still getting the same error.
  • Hi ,

    It works now

    Thanks for help
    CAP
  • On 11/7/2016 5:26 PM, CAPVCC SUPPORT wrote:
    >
    > Hi ,
    >
    > It works now
    >
    > Thanks for help


    Any idea what change you might have made that could have fixed it? I.e.
    it is always good to understand the specific issue, instead of some magic
    that fixed it. :)


  • I have two UA servers connected in a cluster. I updated the same setting on the other server and copied the osp.jks.
    Also I changed the alias name from osp-pub to osp in all keystores.