TLS/SSL New install - client_id is null

Howdy, 

I've just completed a new install.  I used dependency versions that match what's in the helper scripts.  I generated my own self-signed certificate for tomcat, and placed it in the appropriate spot and enabled a connector (non AJP, I'm using NIO).  I installed OSP, and I can hit the login page over 8443 successfully.  I've got a hosts file and hostname all set.  I'm friends with DNS.

I installed IG, no issues reported.  I looked at configupdate and configutil, as a matter of habit.

When I attempt to login, I get an OSP error page that it doesn't identify my application. 

Error: The requested service may have been disabled or not configured properly. Please contact your system administrator. (The requested OAuth2 application was not recognized.) 

When I look at the URL I notice that the client_id is equal to null, and I know that doesn't fly for OAuth.

I've compared this setup to another system with 8080, and I can't find what I might be missing from a config standpoint.

It certainly looks like I've got the client id for ig (and all other services) set in configupdate and in configutil.   I've exported my configutil config and looked at that too, and don't see any keys with values missing (although without a value, why would they be there?)

Any thoughts on why my IG instance refuses to call itself by its one true name - client_id=ig?

--Jim

  • 0  

    Do you have a clientID defined in ism-configuration.properties for OSP?  The client is defined at both ends of the connection.  OSP's is ism-config, and IGA's is configutil.  Can you find the matching config for client of ig in the export of configutil?

    Perhaps posting both would be of value.

  • 0   in reply to   

    In 4.2 I think ism-configuration is split now between ism-configuration.properties and global.properties?   In my global properties I've got a com.netiq.iac.ig-web.clientID = ig, and in my configutil I have the same ig client id set in the OAuth SSO Client page.  This same config is exposed in the configutil export for the same property name.

    With all that in place, when I make a login request, the URL is still missing the client_id value??

    Hrm, I might put the client id property in the ism-config to see if that just makes it work.

    --Jim

  • 0   in reply to   

    Adding that com.netiq.iac.ig-web.clientID = ig property in the ism-config didn't change the URL over to OSP coming from IG.  Disappointed

  • 0   in reply to   

    It has been a while.  But I read through the install scripts, and what it did was make some changes to the global.properties file (the installer) which then imported it into the DB via configutil. 

    So the global.properties was 'usually' going into the DB.

    But it is more than just the one line.  There are 4 or 5 related attributes usually grouped around it.  Here is an example with DTP from an older IGA install.

    com.netiq.iac.dtp_server.clientID = iac-dtp
    com.netiq.iac.dtp_server.clientPass._attr_obscurity = ENCRYPT
    com.netiq.iac.dtp_server.clientPass = p4IXy4ApOzJoy43sCg==:nxIt++wbImVrPLml2vw==:02MQUm01wAV4oPw==
    com.netiq.iac.dtp_server.response-types = client_credentials

    So you get the ID, the password format, the password, and then the response type.  (I broke the password severely in pasting it).

  • 0   in reply to   

    I'm pretty sure ig is the first one used when logging in, because in a working non-ssl environment, it's the first client_id passed in.

    In my non-tls (working) and tls (non-working) environments I have 3 attributes:

    com.netiq.iac.ig-web.response-types=code
    com.netiq.iac.ig-web.redirect.url=testig.example.com:8443/oauth.html
    com.netiq.iac.ig-web.clientID=ig
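
    As an added example (not from the thread or from the product), a small Python check that parses a global.properties / configutil-style export and reports, for each com.netiq.iac.<client> group, which of the attributes named in this thread (clientID, response-types, redirect.url, or the clientPass pair) are missing or left empty; the sample properties are constructed from the ones quoted above, with a placeholder in place of the encrypted password.

```python
from collections import defaultdict

# Constructed sample modelled on the thread's properties; clientPass is a placeholder.
SAMPLE = """
com.netiq.iac.dtp_server.clientID = iac-dtp
com.netiq.iac.dtp_server.clientPass._attr_obscurity = ENCRYPT
com.netiq.iac.dtp_server.clientPass = PLACEHOLDER_ENCRYPTED_VALUE
com.netiq.iac.dtp_server.response-types = client_credentials
com.netiq.iac.ig-web.response-types=code
com.netiq.iac.ig-web.redirect.url=testig.example.com:8443/oauth.html
com.netiq.iac.ig-web.clientID=ig
com.netiq.iac.broken.clientID=
com.netiq.iac.broken.response-types=code
"""
PREFIX = "com.netiq.iac."
# Attributes each response type needs, per the grouped properties shown in the thread.
REQUIRED = {
    "code": ("clientID", "response-types", "redirect.url"),
    "client_credentials": ("clientID", "response-types",
                           "clientPass._attr_obscurity", "clientPass"),
}
OAUTH_ATTRS = {a for attrs in REQUIRED.values() for a in attrs}

def parse_properties(text):  # minimal key=value reader; '#' and '!' start comments
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def group_clients(props):  # OAuth attributes per com.netiq.iac.<client> group
    clients = defaultdict(dict)
    for key, value in props.items():
        if key.startswith(PREFIX):
            name, _, attr = key[len(PREFIX):].partition(".")
            if attr in OAUTH_ATTRS:
                clients[name][attr] = value
    return dict(clients)

def check_clients(clients):  # attributes each client lacks or leaves empty
    findings = {}
    for name, attrs in clients.items():
        required = REQUIRED.get(attrs.get("response-types"), ("clientID", "response-types"))
        problems = [("missing " if a not in attrs else "empty ") + a
                    for a in required if not attrs.get(a)]
        if problems:
            findings[name] = problems
    return findings
```

    Point it at a real export by replacing SAMPLE with the file contents; an empty clientID is reported separately from an absent one, which is the distinction Jim raised about keys without values.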

  • 0   in reply to   
    But I read through the install scripts, and what it did was make some changes to the global.properties file (the installer) which then imported it into the DB via configutil. 

    That's sneaky, but a good bit of trivia.

  • 0   in reply to   

    Hello,
    You could have found the same information in the documentation without looking at the installer.  We outline this in different areas like:

    Section 5.10 Creating the Schema for Each Database

    and

    Section 12.2 Manually Generating the Database Schema after the Installation

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0   in reply to   

    Alas, my TLS Tomcat still won't pass in a client_id when I'm logging in.   Any other thoughts?   The config* tools look good, the database properties appear to be there.  I'm not sure where else config could live.

  • Verified Answer

    +1   in reply to   

    Well, I tried using a private browser for some reason this AM, and sure enough, it logged right in!   I cleared cache on the non-private window, and then it let me in as well.