IG 4.2 install error for OSP

Fresh install of IG4.2 (SLES 15 SP4, tomcat, zulu jdk and activemq on the exact versions as required in the documentation).

I did the base install with the help scripts, did the TLS/SSL configuration for tomcat. It is running with no errors on port 8443, I can see the Hello World message.

I run the osp-install-linux.bin for OSP installation, it runs fine, same password for all keystores. The script ends with Installation: Successful. 520 Successes 0 Warnings 0 NonFatalErrors 0 FatalErrors.

I then stop and start the tomcat service, cleaning the temp files.

I then see a SEVERE OSP error in osp log file: Unable to obtain properties from bootstrap configuration, Unable to decrypt data because no keys have been supplied.

When I try to run configutil.sh for OSP I see all configuration blank.

Any thoughts?

  • 0  

    Greetings,

      
    1) Did you install Identity Governance?

    2) During the OSP install, there was a new question regarding Encryption.  What did you select?

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    1) No.

    2) I selected the first option: create a new encryption keystore file.

  • 0   in reply to 

    Greetings,

    1) To confirm, this was a new install on a clean system? Meaning, that there was no prior version of OSP, Identity Governance, Identity Reporting, Workflow Service or Identity Apps installed here.

    2) If yes to #1, during the OSP install, what did you select when asked where the following would be installed?
    2.a) Identity Governance
    2.b) Identity Reporting
    2.c) Workflow Service

    The possible answers for each are: Local, Remote (where you need to provide additional information), or Will not be installed.


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    Right.

    1) fresh and clean install, there were no products installed before, only the SLES 15 SP4.

    2) the answer was local to all the options

  • 0   in reply to 

    Greetings,

    1) I ran a test as you outlined and could not reproduce.  OSP started as expected.

    2) The error you are receiving is normally seen when:
    a) One creates a new Encryption key during the OSP install, it encrypted values using this new key.
    b) One creates a new Encryption key during the IG install, it replaced the one created by OSP. As a result, all the items that were encrypted by the OSP installer can no longer be decrypted because the key no longer exists.

    Since you only installed OSP then aspects to check
    A) Do the files encrypt-keys.pkcs12 and ism-sensitive.properties exist in your tomcat/conf directory?

    B) If yes,
    B.1) Does the timestamp of the files match the OSP install or were they modified?
    B.2) Do you have a Virus scanner running that would pick up the tomcat/conf directory? It could cause problems.
    B.3) What user/account did you start Tomcat with? What user/account has read access to the files?
    B.4) Did you modify the setenv.sh file in the tomcat/bin directory? If yes, what modifications were performed?
    B.5) Were any other filesystem or permission changes performed on this server after the OSP install completed?

    C) If the files do not exist then that is your issue.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • Verified Answer

    +1  

    I did a clean install last week with no issues, and I think I selected similar choices as you.

    My install was on a RHEL 8 box, and I DID make sure selinux was disabled.   I'd suggest looking at your keystores manually to confirm that they have keys in them.  Either the installer failed to populate them (which doesn't sound likely, the installer is good at throwing errors when keystore steps fail) or possibly tomcat can't read the keystores due to permissions or selinux.  My bet is on tomcat config or selinux preventing it.

    --Jim

  • 0

    Just to let you all know, I'm not sure how or why but it seems SELINUX was the issue. I tried again in a fresh RHEL 8.8 install and got the exact same error. I set SELINUX to permissive and things went fine.
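
Added example, not written by any poster in this thread: a read-only triage script for the checks discussed above (key files present and readable by the account that starts Tomcat, SELinux mode, and AVC denials that name the key files). The `/path/to/tomcat/conf` default is a placeholder and the audit records in `sample_audit` are constructed to show the record shape.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. CONF_DIR is a placeholder: the thread
# only names the directory as "tomcat/conf".
CONF_DIR="${CONF_DIR:-/path/to/tomcat/conf}"
KEY_FILES="encrypt-keys.pkcs12|ism-sensitive.properties"

# Classify a file as seen by the account running this script; run it as the
# account that starts Tomcat to answer check B.3.
file_status() {
  if   [ ! -e "$1" ]; then echo missing
  elif [ ! -r "$1" ]; then echo unreadable
  elif [ ! -s "$1" ]; then echo empty
  else echo ok
  fi
}

# SELinux mode, or "unavailable" when the SELinux tools are not installed.
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then getenforce; else echo unavailable; fi
}

# Filter audit records on stdin down to AVC denials naming one of the key files.
avc_denials_for() {
  awk -v files="$1" '/avc: +denied/ && $0 ~ ("name=\"(" files ")\"")'
}

# Constructed audit records (not from a real host) showing the record shape.
sample_audit() {
  cat <<'EOF'
type=AVC msg=audit(1700000000.101:411): avc:  denied  { read } for  pid=2201 comm="java" name="encrypt-keys.pkcs12" dev="dm-0" ino=9001 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:412): avc:  denied  { read } for  pid=2201 comm="java" name="ism-sensitive.properties" dev="dm-0" ino=9002 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:413): avc:  denied  { getattr } for  pid=3310 comm="sshd" name="motd" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
}

main() {
  local f
  for f in encrypt-keys.pkcs12 ism-sensitive.properties; do
    echo "$f: $(file_status "$CONF_DIR/$f")"
    ls -lZ "$CONF_DIR/$f" 2>/dev/null || true   # owner, mode, mtime, SELinux label
  done
  echo "SELinux: $(selinux_mode)"
  if command -v ausearch >/dev/null 2>&1; then   # needs root to read the audit log
    ausearch -m avc -ts boot 2>/dev/null | avc_denials_for "$KEY_FILES"
  fi
  return 0
}
main
```

If denials for the key files show up while SELinux is enforcing, the label printed by `ls -lZ` is the thing to compare against what the Tomcat domain is allowed to read.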

  • 0   in reply to 

    Well done, thanks for the followup.

  • 0

    hmm... same error but for /workflow-api

    [SCHWERWIEGEND] 2024-01-31 14:41:02.117 [com.netiq.iac.workflow.jee.IacWorkflowServerInitListener] Error initializing logging
    java.lang.IllegalStateException: Unable to decrypt data because no keys have been supplied.
            at com.netiq.ism.obfuscate.CryptoUtils.decrypt(CryptoUtils.java:437)
            at com.netiq.ism.obfuscate.CryptoUtils.decipher(CryptoUtils.java:403)
            at com.netiq.ism.config.impl.ConfigurationImpl.decode(ConfigurationImpl.java:835)
            at com.netiq.ism.config.impl.ConfigurationImpl.getString(ConfigurationImpl.java:417)
            at com.netiq.iac.common.logging.ArcLoggingConfigurator.getConfigString(ArcLoggingConfigurator.java:283)
            at com.netiq.iac.common.logging.ArcLoggingConfigurator.getLoggingConfigProperties(ArcLoggingConfigurator.java:237)
            at com.netiq.iac.common.logging.ArcLoggingConfigurator.getLogConfigFile(ArcLoggingConfigurator.java:184)
            at com.netiq.iac.common.logging.ArcLoggingConfigurator.initLogging(ArcLoggingConfigurator.java:105)
            at com.netiq.iac.common.j2ee.IacBaseInitListener.contextInitialized(IacBaseInitListener.java:66)
            at com.netiq.iac.workflow.jee.IacWorkflowServerInitListener.contextInitialized(IacWorkflowServerInitListener.java:55)
            at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4462)
            at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4914)
            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
            at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:683)
            at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:658)
            at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:661)
            at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1025)
            at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1919)
            at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
            at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
            at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
            at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
            at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:826)
            at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:476)
            at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1619)
            at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:318)
            at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:114)
            at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
            at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:345)
            at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:893)
            at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:794)
            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)

    Still investigating if selinux could be an issue.

  • 0   in reply to 

    Hello,
       Please start a new thread.  This thread was about OSP and has been resolved.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity