Workflow Error

Hello All,

I am working on a 2-level resource request approval workflow. When I request a resource from the User Application, the start of the workflow fails and I see the resource request status as: Pending Approval: Pending Approval Retry in the User Application.

I couldn't find any start status for the workflow in the logs. When I looked at the logs of the Role and Resource driver I was able to see the error below.

DirXML Log Event -------------------
Driver: \IDV\system\driverset1\Role and Resource Service Driver
Channel: Subscriber
Status: Error
Message: Unable to start Approval Workflow
Workflow DN: cn=AccountWF,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=driverset1,o=system
Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Note: This error is coming only for this workflow; for the rest it was not showing any error, and all the trusted root certificates are placed correctly.

Can someone suggest how to fix this issue?


Regards,
Eswar.
  • On 8/9/2017 5:44 AM, ed00491298 wrote:
    >
    > Hello All,
    >
    > I am working on 2 level resource request approval Workflow, when i
    > request for resource from user application, Start of workflow fails and
    > i was able to see resource request status as : Pending Approval: Pending
    > Approval Retry in user application.
    >
    > I couldn't find any start status of workflow in the logs, When i looked
    > at logs of Roles and resource driver i am able to see the below error.
    >
    > DirXML Log Event -------------------
    > Driver: \IDV\system\driverset1\Role and Resource Service Driver
    > Channel: Subscriber
    > Status: Error
    > Message: Unable to start Approval Workflow
    > Workflow DN:
    > cn=AccountWF,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=driverset1,o=system
    > Reason: java.lang.RuntimeException:
    > javax.net.ssl.SSLHandshakeException:
    > sun.security.validator.ValidatorException: PKIX path building failed:
    > sun.security.provider.certpath.SunCertPathBuilderException: unable to
    > find valid certification path to requested target.
    >
    > Note: This error is coming only for this workflow, for the rest it was
    > not showing any error and all the trusted root certificates are placed
    > correctly.


    The IDM server running this driver (please do this fix on all your IDM
    servers just in case as well) has a JVM in:
    /opt/novell/eDirectory/lib64/nds-modules/jvm

    and its cacerts file, in the lib/security directory, is missing the
    public key of the CA that signed the SSL cert of the UA server.

    I.e. go to your UA in, say, Firefox, click on the lock, ask to see the
    security details and the cert, look at the certification chain and export
    the parent certificates of your SSL cert.

    Then import those into the engine server's cacerts file.

    A command like this would work, once you have the cert files exported
    via your browser (and copied to the IDM server).

    /opt/novell/eDirectory/lib64/nds-modules/jvm/bin/keytool -keystore
    /opt/novell/eDirectory/lib64/nds-modules/jvm/lib/security/cacerts
    -storepass changeit -trustcacerts -import -alias UA-Parent-CA -file
    /path/to/cert/file

    Then restart eDir on the IDM server. (It MIGHT work without a
    restart, so try it first, but if not, restart IDM.)

    If there is an intermediate cert (i.e. a couple of certs above your UA
    cert) make sure to import that as well. (Change the -alias name for the
    second one.)

    If you are using OSP you need the OSP signing CA's public key as well.
    (You could think of the cert you need as the Tomcat cert's signing CA; it
    is the same thing as the UA cert, if running in Tomcat.)
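
    The procedure in the reply above (get the chain above the UA's SSL cert, import the CA certs into the engine JVM's cacerts with keytool, restart eDir), carried out as a script. This is an added example, not code from the thread or from NetIQ/Micro Focus: the JVM path, the cacerts location and the changeit password are the ones quoted in the reply; the UA host and port (ua.example.com:8443), the work-file names and the "ua-ca-<subject hash>" alias scheme are assumptions. Instead of exporting from a browser it pulls the chain the UA server actually presents during the handshake with openssl, skips the leaf (the server cert itself is never what belongs in cacerts), imports only the CA certs that are not already in the keystore so a re-run is harmless, and warns when the server does not send its root, which is the usual reason an import "did not help" and which the Firefox export route avoids because the browser shows the complete chain.

```sh
#!/bin/sh
# Added example (not from the thread). Run on the IDM engine server as root:
#   sh import-ua-ca.sh ua.example.com 8443
# Host, port and file names are assumptions; paths and "changeit" come from the thread.
set -eu

JVM_HOME="${JVM_HOME:-/opt/novell/eDirectory/lib64/nds-modules/jvm}"
CACERTS="$JVM_HOME/lib/security/cacerts"
KEYTOOL="$JVM_HOME/bin/keytool"
STOREPASS="${STOREPASS:-changeit}"   # JVM default keystore password; override if your site changed it

# split_pem_bundle BUNDLE OUTDIR
# Writes each CERTIFICATE block in BUNDLE to OUTDIR/cert-N.pem (N from 1, in the
# order the server presented them; cert-1 is therefore the leaf) and prints N.
split_pem_bundle() {
  bundle="$1"; outdir="$2"; n=0; inside=0
  mkdir -p "$outdir"
  while IFS= read -r line; do
    if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then
      n=$((n + 1)); inside=1; : > "$outdir/cert-$n.pem"
    fi
    if [ "$inside" -eq 1 ]; then
      printf '%s\n' "$line" >> "$outdir/cert-$n.pem"
    fi
    if [ "$line" = "-----END CERTIFICATE-----" ]; then
      inside=0
    fi
  done < "$bundle"
  echo "$n"
}

# is_self_signed CERT.pem: succeeds when issuer equals subject, i.e. the cert is a root.
is_self_signed() {
  s="$(openssl x509 -in "$1" -noout -subject)"; s="${s#*=}"
  i="$(openssl x509 -in "$1" -noout -issuer)";  i="${i#*=}"
  [ "$s" = "$i" ]
}

main() {
  host="$1"; port="${2:-8443}"
  work="$(mktemp -d)"

  # 1. Capture the chain the UA presents in the handshake (</dev/null ends the session).
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$work/chain.pem"
  count="$(split_pem_bundle "$work/chain.pem" "$work")"
  if [ "$count" -lt 1 ]; then
    echo "no certificates received from $host:$port" >&2; exit 1
  fi
  echo "server presented $count certificate(s); cert-1 is the leaf and is not imported"

  # 2. Import every cert above the leaf under its own alias, skipping ones already present.
  i=2
  while [ "$i" -le "$count" ]; do
    cert="$work/cert-$i.pem"
    ca_alias="ua-ca-$(openssl x509 -in "$cert" -noout -subject_hash)"
    if "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$ca_alias" >/dev/null 2>&1; then
      echo "alias $ca_alias already in cacerts, skipping"
    else
      echo "importing $(openssl x509 -in "$cert" -noout -subject) as $ca_alias"
      "$KEYTOOL" -importcert -noprompt -trustcacerts -keystore "$CACERTS" -storepass "$STOREPASS" \
        -alias "$ca_alias" -file "$cert"
    fi
    i=$((i + 1))
  done

  # 3. Without a self-signed root in the keystore PKIX still cannot build a path.
  if is_self_signed "$work/cert-$count.pem"; then
    echo "chain ends in a self-signed root; the PKIX path should now build"
  else
    echo "WARNING: the server did not send its root CA; export it (e.g. from the browser) and import it too" >&2
  fi
  rm -rf "$work"
  echo "now restart ndsd so the engine JVM re-reads cacerts"
}

# Only run the import when a host is given, so the functions can be sourced or tested alone.
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

    Two cautions. The chain you pull over the network is whatever answered on that port, so compare the subject and fingerprint of the imported CA with what the UA server's own keystore (or the browser) shows before trusting it. And cacerts belongs to the JVM: a JVM patch or upgrade replaces the file, so keep the exported CA files and re-run the import after upgrading, or the same PKIX error comes back.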


  • Hi Geoff,

    Thank you for the reply.

    I checked and found the required certificates were missing in the keystore.

    I imported the required certificates and restarted eDirectory, and it started working without any errors.


    Br,
    Eswar.
  • On 8/10/2017 7:46 AM, ed00491298 wrote:
    >
    > Hi geoff,
    >
    > Thank you for the reply.
    >
    > Checked and found the required certificates were missing in the
    > Keystore
    >
    > Import the required certificates and restarted the edirectory, it
    > started working without any errors.


    For fun, did you try before you restarted eDir?

    We know that JARs, once loaded, will not be updated (reloaded) without an
    eDir restart.

    OSP caches all the certs in memory (or at least reads them initially;
    see the OSP.log at level ALL).

    What is unclear to me is whether the engine re-reads cacerts each time, or
    caches it in memory and needs a restart of eDir.
  • On 8/10/17 9:23 AM, Geoffrey Carman wrote:
    > On 8/10/2017 7:46 AM, ed00491298 wrote:
    >>
    >> Hi geoff,
    >>
    >> Thank you for the reply.
    >>
    >> Checked and found the required certificates were missing in the
    >> Keystore
    >>
    >> Import the required certificates and restarted the edirectory, it
    >> started working without any errors.

    >
    > For fun, did you try before you restarted eDir?
    >
    > We know that JAR's if loaded, will not be updated (reloaded) without an
    > eDir restart.
    >
    > OSP caches all the certs in memory (Or at least reads them initially,
    > see the OSP.log in level ALL).
    >
    > What is unclear to me is if the engine re-reads cacerts each time, or
    > caches it in memory and needs a restart of eDir.

    Greetings Geoffrey,
    Please keep in mind that the SOAP endpoints in the User Application
    are not "protected" by OSP. The actions from IDM that call to the User
    App (start workflow, add role/resource, remove role/resource) are all
    calling to the SOAP endpoints. So, looking at OSP in these cases will
    not be of any benefit.



    --
    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    Micro Focus

  • >>> Checked and found the required certificates were missing in the
    >>> Keystore
    >>>
    >>> Import the required certificates and restarted the edirectory, it
    >>> started working without any errors.

    >>
    >> For fun, did you try before you restarted eDir?
    >>
    >> We know that JAR's if loaded, will not be updated (reloaded) without an
    >> eDir restart.
    >>
    >> OSP caches all the certs in memory (Or at least reads them initially,
    >> see the OSP.log in level ALL).
    >>
    >> What is unclear to me is if the engine re-reads cacerts each time, or
    >> caches it in memory and needs a restart of eDir.



    > Please keep in mind that the SOAP endpoints in the User Application
    > are not "protected" by OSP. The actions from IDM that call to the User
    > App (start workflow, add role/resource, remove role/resource) are all
    > calling to the SOAP endpoints. So, looking at OSP in these cases will
    > not be of any benefit.


    Fair point. I was diverging to a different thought, which was the question
    of whether the engine re-loads cacerts when needed, or caches it.
    Contrast that with OSP, which you can see loads it all at run time.
    (I cannot tell if it is cached or just loaded, and whether it is reloaded on
    demand.)


  • On 8/10/2017 10:26 AM, Geoffrey Carman wrote:
    >
    >>>> Checked and found the required certificates were missing in the
    >>>> Keystore
    >>>>
    >>>> Import the required certificates and restarted the edirectory, it
    >>>> started working without any errors.
    >>>
    >>> For fun, did you try before you restarted eDir?
    >>>
    >>> We know that JAR's if loaded, will not be updated (reloaded) without an
    >>> eDir restart.
    >>>
    >>> OSP caches all the certs in memory (Or at least reads them initially,
    >>> see the OSP.log in level ALL).
    >>>
    >>> What is unclear to me is if the engine re-reads cacerts each time, or
    >>> caches it in memory and needs a restart of eDir.

    >
    >
    >> Please keep in mind that the SOAP endpoints in the User
    >> Application are not "protected" by OSP. The actions from IDM that
    >> call to the User App (start workflow, add role/resource, remove
    >> role/resource) are all calling to the SOAP endpoints. So, looking at
    >> OSP in these cases will not be of any benefit.

    >
    > Fair point. I was diverging to a different thought, which was a question
    > of whether the Engine re-loads cacerts when needed, or caches it.
    > Contrasting that with OSP which you case see loads it all at run time.
    > (Cannot tell if it is cached or just loaded, and if it is reloaded on
    > need).
    >
    >


    From past experience, the IDM JVM inside the ndsd memory space is loaded
    when you first load IDM and stays loaded; at that point it reads and
    caches cacerts. Every time I've updated the JVM's certs I had to restart
    ndsd.
  • >>
    >> Fair point. I was diverging to a different thought, which was a
    >> question of whether the Engine re-loads cacerts when needed, or caches
    >> it. Contrasting that with OSP which you case see loads it all at run
    >> time. (Cannot tell if it is cached or just loaded, and if it is
    >> reloaded on need).
    >>
    >>

    >
    > From past experience the IDM JVM inside ndsd memory space is loaded
    > when you first load IDM and stays loaded, at that point it reads and
    > caches cacerts. Every time I've updated the JVM's certs I had to restart
    > ndsd.


    Thanks, I was wondering; good to have it confirmed either way. I could
    see it looking it up each time a check was needed, or else caching it.