NetIQ Identity Governance unable to login

Hi,

Today I'm suddenly facing an issue where I'm unable to log in with any user; neither IGadmin nor LDAP users can log in. It just refreshes the IG login page.

Below is the OSP log, where it is unable to find any user when I log in. Previously it was working fine, but I'm not sure why I'm suddenly unable to log in today.

  • 0  

    Hi,

    Is the OSP server on the same server as the IG application? Are the certificates all valid?

    If you have a look in the browser dev tools, do you see something useful? Sometimes the catalina.<date>.log file of the IG could also be useful.

    Are the OSP and IG server times in sync? (Linux command: date) -> If the times of the two servers are not in sync, it could cause an issue with the OSP tokens.

    BR

    Tobias

  • 0   in reply to   

    As Tobias suggests, check the certs to be sure that:

    1) they have not expired.

    2) they include the Subject Alternate Name (SAN) for the server in use and any load balancer/DNS aliases.

    - Tomcat cert: Should be able to see it as the page that loads the OSP login. Check in browser. Private key is in /opt/netiq/idm/apps/tomcat/conf/tomcat.ks usually.

    - OSP cert: Usually in the osp.jks file in the /opt/netiq/idm/apps/osp directory. Check the contents of the keystore to make sure that none have expired.

    - eDir cert that OSP points against for LDAP. This is in eDirectory. Use iManager to see which cert is in use. (Look at the LDAP Server object for the server running eDir, then get the cert name, then look at NetIQ Certificate Server/Server Certs.)
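
Added example, not part of the thread and not NetIQ tooling: a shell helper for the two checks listed in the reply above (expiry and SAN coverage), run against a certificate exported to PEM. It assumes OpenSSL 1.1.1 or later; `check_cert`, `make_demo_cert` and the `ig.example.com` names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes OpenSSL 1.1.1+ and a certificate
# already exported to PEM, for instance with:
#   keytool -exportcert -rfc -alias <alias> -keystore <keystore> -file cert.pem

# check_cert PEM HOST [MIN_DAYS]: print findings; return 0 if OK, 1 on a failed
# check, 2 if the file is not a readable certificate.
check_cert() {
    local pem="$1" host="$2" min_days="${3:-30}" rc=0 san end
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || {
        echo "FAIL cannot parse $pem"; return 2; }
    # Check 1: expiry. -checkend N exits non-zero if the cert expires within N s.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL expired ($end)"; rc=1
    elif ! openssl x509 -in "$pem" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL expires within $min_days days ($end)"; rc=1
    fi
    # Check 2: a SAN extension exists and covers the name clients connect to.
    # -checkhost alone is not enough here: it can fall back to the subject CN.
    san=$(openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null |
          grep -E 'DNS:|IP Address:' || true)
    if [ -z "$san" ]; then
        echo "FAIL no subjectAltName extension"; rc=1
    elif ! openssl x509 -in "$pem" -noout -checkhost "$host" 2>&1 |
            grep -q 'does match'; then
        echo "FAIL $host not covered by SAN:$san"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK $host ($end)"; fi
    return "$rc"
}

# make_demo_cert OUT DAYS [SAN]: constructed self-signed certificate for testing.
make_demo_cert() {
    local out="$1" days="$2" san="${3:-}"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days "$days" -subj "/CN=ig.example.com" \
        ${san:+-addext "subjectAltName=$san"} 2>/dev/null
}

# Usage: ./check_cert.sh cert.pem ig.example.com 30
if [ "$#" -ge 2 ]; then check_cert "$@"; fi
```

Run it once per name that clients use (server name, load balancer, DNS aliases), since each must appear in the SAN list.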

  • 0 in reply to   

    Hi TobiasR,

    Yes, OSP is installed together with the IG server.

    The OSP log doesn't really show anything.

    Yes, the time is in sync because they are installed together on 1 server.

  • 0 in reply to   

    Hi Geoffrey, 

    1. My osp-truststore.pkcs12 doesn't have any cert inside, as this truststore was created when I built the IG; it prompted me to create a cert and trust store.

    2. Under my OSP folder there are only 2 pkcs12 files.

    3. After I checked the osp.pkcs12, the cert inside is actually still valid.

    4. From the browser I'm unable to see any certificate.

    5. I can't even log in as the local text file igadmin; it also loops me back to the login page.

  • 0 in reply to 

    Under tomcat/config/, I didn't find tomcat.ks, but I found app-truststore.pkcs12, and inside the pkcs12 file the cert is expired, and I don't see it being used anywhere.

  • 0 in reply to 

    One more thing to add: I'm using HTTP on port 8080. When I log in with the wrong password, it is able to show a wrong-password error, but when I log in with the correct password it just keeps looping me back to the login page. Even the local bootstrap admin has the same issue.