Workflow Error

Hello All,

I am working on a 2-level resource request approval workflow. When I request a resource from the User Application, the start of the workflow fails and I am able to see the resource request status as: Pending Approval: Pending Approval Retry in the User Application.

I couldn't find any start status of the workflow in the logs. When I looked at the logs of the Roles and Resource driver I am able to see the below error.

DirXML Log Event -------------------
Driver: \IDV\system\driverset1\Role and Resource Service Driver
Channel: Subscriber
Status: Error
Message: Unable to start Approval Workflow
Workflow DN: cn=AccountWF,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=driverset1,o=system
Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Note: This error is coming only for this workflow; for the rest it was not showing any error, and all the trusted root certificates are placed correctly.

Can someone suggest to me how to fix this issue?


Regards,
Eswar.
  • ed00491298;2463783 wrote:


    DirXML Log Event -------------------
    Driver: \IDV\system\driverset1\Role and Resource Service Driver
    Channel: Subscriber
    Status: Error
    Message: Unable to start Approval Workflow
    Workflow DN: cn=AccountWF,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=driverset1,o=system
    Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

    Note: This error is coming only for this workflow; for the rest it was not showing any error, and all the trusted root certificates are placed correctly.


    Dear Eswar,

    Did we recently import an https/ssl certificate for Identity Applications, or upgrade to https from http? Kindly ensure those application/server certificates are in place (keystore to check: /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts).

    Also kindly refer to another forum thread which had a similar issue and got it working: https://forums.novell.com/showthread.php/504485-Unable-to-start-Approval-Workflow-SSLHandshakeException?p=2461767#post2461767
  • Hi Siva,

    Thank you for the quick response.

    All the application/server certificates are in place, and other workflows are working as expected and there are no errors.

    Why does it show the error only for the workflow which I am working on?

    If any of the certificates were missing it should show the same error for the remaining workflows as well, but it didn't.

    Br,
    Eswar.
  • ed00491298;2463803 wrote:


    All the application/server certificates are in place, and other workflows are working as expected and there are no errors.

    Why does it show the error only for the workflow which I am working on?

    If any of the certificates were missing it should show the same error for the remaining workflows as well, but it didn't.


    Dear Eswar,

    Strange; from your error trace I could infer there is an 'SSLHandshakeException', so I have suggested double-checking your server/apps SSL certificates from the keystore path.

    Curious to know, does the suspected workflow contain any approvers (which is different from other workflows)?
  • Hi,

    It doesn't have any special approvers; it has the user's manager as first approver and a hard-coded user email id as 2nd approver.

    Can those approvers be the reason?
  • Dear Eswar,

    In my view, yes, as part of the workflow would trigger a request to the approver (user's manager here).

    1) Does it work if you've imported the right certificates in the keystore path?

    2) I hope this would work if you manually remove the first and second approvers here (just for a double-check).

    3) How about other working workflows in our environment (which don't contain any approvers)?
  • On 8/9/2017 9:04 AM, ed00491298 wrote:
    >
    > Hi Siva,
    >
    > Thank you for the quick response.
    >
    > All the application/server certificates are in place and other workflows
    > are working as expected and there are no errors.
    >
    > Why it shows the error only for the workflow which i am working on.
    >
    > If any of the certificates are missing it should show the same error for
    > remaining workflows as well but didn't.


    If that is the case, could you please show a trace of the
    Do-Start-Workflow call for a working example and a not-working example.
    (I would ask that you obfuscate the URL, but in fact that is what I want
    to see, the URL, so if you do change it, please do it as a search and
    replace to acme.com so that it shows any difference in the URL.)

  • Hi Siva,

    Thank you for the Response.

    I went and double-checked the certificates in the keystore and found the required certificates were missing.

    I imported the required certificates and restarted eDirectory, and it started working without any errors.

    Thank you so much :)

    Br,
    Eswar.
  • ed00491298;2463885 wrote:

    Thank you for the Response.

    I went and double-checked the certificates in the keystore and found the required certificates were missing.

    I imported the required certificates and restarted eDirectory, and it started working without any errors.



    Glad, and thank you Eswar for your double confirmation on this. I hope this information could be added/updated in our documentation section; we'd take care of the same for other customers. [Had sent a note to my appropriate team on this request]
  • On 8/10/2017 7:44 AM, ed00491298 wrote:
    >
    > Hi Siva,
    >
    > Thank you for the Response.
    >
    > I went and double checked the Certificates in the Keystore and found the
    > required certificates were missing.
    >
    > Import the required certificates and restarted the edirectory, it
    > started working without any errors.


    Which is interesting, given that the other Start Workflow calls worked...
    Perhaps those were hitting the http interface instead? (That is why I
    was asking for a trace of a working and a failing example, to see.)

  • On 8/10/2017 8:04 AM, SPSivasubramanian wrote:
    >
    > ed00491298;2463885 Wrote:
    >>
    >> Thank you for the Response.
    >>
    >> I went and double checked the Certificates in the Keystore and found the
    >> required certificates were missing.
    >>
    >> Import the required certificates and restarted the edirectory, it
    >> started working without any errors.
    >>
    >>

    >
    > Glad and Thank you Eswar for your double-confirmation on this. I hope,
    > this information could be added/updated in our Documentation section -
    > we'd take care of the same for other customers.[Had sent note to my
    > appropriate team on this request]


    Honestly, I think the docs need a troubleshooting OSP/UA section that
    starts with listing the certs needed, sample keytool commands to
    export/import them, and is just very clear on that. Right now it is
    there, but not consolidated in one place that is obvious what to do, once.

    Also remember (I embarrassingly forgot once; my defense was I was
    troubleshooting on the phone with a coworker while I bicycled home from
    work) to mention that if using SAML, the OSP keystore also needs the NAM/IDP
    cert.
  • geoffc;2463894 wrote:
    On 8/10/2017 8:04 AM, SPSivasubramanian wrote:
    >
    > ed00491298;2463885 Wrote:
    >>
    >> Thank you for the Response.
    >>
    >> I went and double checked the Certificates in the Keystore and found the
    >> required certificates were missing.
    >>
    >> Import the required certificates and restarted the edirectory, it
    >> started working without any errors.
    >>
    >>

    >
    > Glad and Thank you Eswar for your double-confirmation on this. I hope,
    > this information could be added/updated in our Documentation section -
    > we'd take care of the same for other customers.[Had sent note to my
    > appropriate team on this request]


    Honestly, I think the docs need a troubleshooting OSP/UA section that
    starts with listing the certs needed, sample keytool commands to
    export/import them, and is just very clear on that. Right now it is
    there, but not consolidated in one place that is obvious what to do, once.

    Also remember (I embarrassingly forgot once; my defense was I was
    troubleshooting on the phone with a coworker while I bicycled home from
    work) to mention that if using SAML, the OSP keystore also needs the NAM/IDP
    cert.


    Dear Geoffrey,

    Thanks very much once again. We are listening to your valuable suggestions online and offline; in the same way we are going to incorporate the comments in good form.
  • On 8/10/17 9:22 AM, Geoffrey Carman wrote:
    > On 8/10/2017 8:04 AM, SPSivasubramanian wrote:
    >>
    >> ed00491298;2463885 Wrote:
    >>>
    >>> Thank you for the Response.
    >>>
    >>> I went and double checked the Certificates in the Keystore and found the
    >>> required certificates were missing.
    >>>
    >>> Import the required certificates and restarted the edirectory, it
    >>> started working without any errors.
    >>>
    >>>

    >>
    >> Glad and Thank you Eswar for your double-confirmation on this. I hope,
    >> this information could be added/updated in our Documentation section -
    >> we'd take care of the same for other customers.[Had sent note to my
    >> appropriate team on this request]

    >
    > Honestly, I think the docs need a troubleshooting OSP/UA section that
    > starts with listing the certs needed, sample keytool commands to
    > export/import them, and is just very clear on that. Right now it is
    > there, but not consolidated in one place that is obvious what to do, once.
    >
    > Also remember (I embarrassingly forgot once; my defense was I was
    > troubleshooting on the phone with a coworker while I bicycled home from
    > work) to mention that if using SAML, the OSP keystore also needs the NAM/IDP
    > cert.

    Greetings Geoffrey,
    The SOAP endpoints of the User Application are not "protected" by
    OSP.

    --
    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    Micro Focus

  • > The SOAP endpoints of the User Application are not "protected" by
    > OSP.


    Is that another way of saying you use Basic Auth to connect to SOAP? I
    had noticed. So in this very specific case, where the issue was the Engine
    calling Do Start Workflow and getting a cert error, it is just the
    Tomcat server cert not being trusted.

    In the more general case, once we discuss docs, it is worth calling out
    ALL the certs that potentially can be in play.

    But a good point, thanks.
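
The check that resolves this thread, scripted. This is an added example written for this page; it is not code from the thread, from Micro Focus, or from the IDM documentation. It does what Siva suggested and what Eswar eventually did by hand, and what Geoffrey asked the docs to spell out: export the trust anchors from the cacerts keystore that eDirectory's embedded JRE uses (the path Siva quoted), fetch the certificate chain the User Application's Tomcat actually presents, and run the same kind of path validation the driver's JVM runs before the Do-Start-Workflow SOAP call. If the path cannot be built, which is exactly the "unable to find valid certification path to requested target" condition in the log, the script imports the issuer and reminds you to restart eDirectory so the driver JVM reloads the keystore. The hostname, port, keystore password ("changeit", the JDK default) and alias are assumptions, not values from the thread; override them through the environment.

```shell
#!/bin/sh
# Added example (not from the thread or the Micro Focus docs): check whether
# the HTTPS endpoint the Role and Resource Service Driver calls for
# Do-Start-Workflow chains to a trust anchor in the cacerts keystore of the
# JRE embedded in eDirectory, and import the issuing cert if it does not.
#
# Assumed values (not from the thread): UA_HOST/UA_PORT, the JDK default
# keystore password "changeit", and the alias "ua-tomcat". CACERTS is the
# path Siva quoted in the thread.
set -u

UA_HOST="${UA_HOST:-userapp.acme.com}"
UA_PORT="${UA_PORT:-8443}"
CACERTS="${CACERTS:-/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"
ALIAS="${ALIAS:-ua-tomcat}"

# Number of certificates in a PEM bundle (text only; no openssl/keytool).
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Print the Nth certificate (1-based) of a PEM bundle, BEGIN..END inclusive.
pem_nth() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----$/ && n == want { exit }
    ' "$1"
}

# 1. Capture the chain Tomcat presents. -servername matters when the server
#    selects its certificate by SNI; -showcerts prints intermediates too.
fetch_chain() {
    openssl s_client -connect "$UA_HOST:$UA_PORT" -servername "$UA_HOST" \
        -showcerts </dev/null 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# 2. Dump every trusted cert in the JRE keystore as PEM. keytool -list -rfc
#    emits PEM blocks between its own header lines, which sed drops.
export_trust_anchors() {
    keytool -list -rfc -keystore "$CACERTS" -storepass "$STOREPASS" \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# 3. Rebuild the path the JVM's PKIX validator would build: leaf against the
#    exported anchors, the rest of the presented chain as untrusted
#    intermediates. -partial_chain mirrors Java, which accepts a non-root
#    entry in cacerts as a trust anchor. Returns 0 if trusted, 1 if a cert
#    had to be imported, 2 on a fetch error.
verify_against_cacerts() {
    tmp=$(mktemp -d) || return 2
    fetch_chain > "$tmp/chain.pem"
    if [ "$(pem_count "$tmp/chain.pem")" -lt 1 ]; then
        echo "no certificate received from $UA_HOST:$UA_PORT" >&2
        rm -rf "$tmp"
        return 2
    fi
    pem_nth "$tmp/chain.pem" 1 > "$tmp/leaf.pem"
    export_trust_anchors > "$tmp/anchors.pem"
    if openssl verify -partial_chain -CAfile "$tmp/anchors.pem" \
            -untrusted "$tmp/chain.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
        echo "OK: $UA_HOST:$UA_PORT chains to a trust anchor in $CACERTS"
        rc=0
    else
        echo "MISSING: $UA_HOST:$UA_PORT does not chain to anything in $CACERTS" >&2
        # Import the last cert Tomcat sent (its highest issuer); when Tomcat
        # sends only a self-signed leaf, that is the leaf itself.
        last=$(pem_count "$tmp/chain.pem")
        pem_nth "$tmp/chain.pem" "$last" > "$tmp/import.pem"
        keytool -importcert -trustcacerts -noprompt -alias "$ALIAS" \
            -file "$tmp/import.pem" -keystore "$CACERTS" -storepass "$STOREPASS"
        echo "imported as alias $ALIAS; restart eDirectory (e.g. ndsmanage restartall)"
        echo "so the driver JVM reloads $CACERTS, then retry the resource request"
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Only run the live check when invoked with "check"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "check" ]; then
    verify_against_cacerts
fi
```

Run it on the eDirectory host as the user that owns the keystore, e.g. `UA_HOST=ua.example.com UA_PORT=8443 sh check_ua_trust.sh check`. Two caveats follow from the thread itself: the check targets the keystore of the JRE the driver runs in, not the Tomcat or OSP keystores, so the NAM/IDP certificate Geoffrey mentions for SAML still has to go into the OSP keystore separately; and because the engine reaches the SOAP endpoint with Basic Auth rather than through OSP, a missing anchor here is purely a server-certificate trust problem, which is why only the HTTPS-bound start-workflow call failed while workflows reached over http did not.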