Issue with SSO configuration on SRC9.40

Hello Expert,

We have installed HPSM 9.40 and SRC 9.40. I am trying to configure SSO for SRC and have done the below setup for the same. After completing all the below steps I am receiving this error in catalina.out: "org.springframework.ws.client.WebServiceIOException: I/O error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Has anyone faced the same issue? Or have I missed any steps for enabling SSO?

1). Generated below files using openssl and keytool

cacerts

smKeystore.jks

srcKeystore.jks

clientcerts.keystore

certificateAuthorityCert.pem

certificateAuthorityKey.pem

smCert.pem

smCSR.pem

srcCert.pem

srcCSR.pem

 

2). Copied below files to Service Manager/RUN folder

smKeystore.jks

cacerts

clientcerts.keystore

 

3). Copied below files to SRC installed folder

cacerts

srcKeystore.jks

 

4). Updated applicationContext.properties file for SRC as below

sm.protocol=https

Port: 13443

Hostname : <fully qualified domain name>

 

src.trustStore=C:\\.......\\_TSO\\cacerts

src.trustStorePassword=changeit

src.keyStore=C……..\\_TSO\\srcKeystore.jks

src.keyStorePassword=changeit

 

src.security.mode=tso

src.security.SSOenabled=true

 

5). Updated the property tomcatAuthentication to false in Server.xml

 

<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />

 Regards
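The exception in the post means one specific thing: the JVM that runs SRC was shown SM's server certificate and could not build a path from it to any CA certificate in the truststore it is using (the file named by src.trustStore, or the JRE's own lib/security/cacerts if that setting is not picked up). The script below is an added example, not part of the original post or of the HP SM/SRC product: it recreates step 1 of the post with openssl alone (a CA, an SM certificate signed by it, and an unrelated second CA standing in for a truststore that is missing the real CA) and then asks the same question the PKIX path builder asks. The names Lab Root CA, sm.example.internal, labrootca and the temporary directory are made up for the example; the keytool step is only run if keytool is on PATH.

```shell
#!/bin/sh
# Added example (not from the post): rebuild the post's step 1 with openssl and
# check whether smCert.pem chains to the CA that is in the trust store.
# All names below (Lab Root CA, sm.example.internal, labrootca) are hypothetical.
set -eu

WORK=$(mktemp -d)

# Mini PKI: one CA, one SM server certificate signed by it, and an unrelated
# second CA that stands in for "a truststore that does not contain the real CA".
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/certificateAuthorityKey.pem" -out "$WORK/certificateAuthorityCert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sm.example.internal" \
    -keyout "$WORK/smKey.pem" -out "$WORK/smCSR.pem" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/smCSR.pem" \
    -CA "$WORK/certificateAuthorityCert.pem" -CAkey "$WORK/certificateAuthorityKey.pem" \
    -CAcreateserial -out "$WORK/smCert.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/otherKey.pem" -out "$WORK/otherCert.pem" >/dev/null 2>&1
}

# chain_ok TRUST_BUNDLE CERT: exit 0 when CERT chains to a CA in TRUST_BUNDLE.
# This is the same question the JVM's PKIX path builder asks during the handshake.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Optional JKS step, mirroring the post's keytool usage: import the CA into a
# truststore named cacerts and confirm the alias is really listed in it.
# Skipped (exit 0) when keytool is not installed.
truststore_has_ca() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping JKS check"; return 0; }
  keytool -importcert -noprompt -storetype JKS -alias labrootca \
    -file "$WORK/certificateAuthorityCert.pem" -keystore "$WORK/cacerts" -storepass changeit >/dev/null 2>&1
  keytool -list -storetype JKS -alias labrootca -keystore "$WORK/cacerts" -storepass changeit >/dev/null 2>&1
}

make_pki
if chain_ok "$WORK/certificateAuthorityCert.pem" "$WORK/smCert.pem"; then
  echo "smCert.pem chains to certificateAuthorityCert.pem: the handshake can succeed"
fi
if ! chain_ok "$WORK/otherCert.pem" "$WORK/smCert.pem"; then
  echo "smCert.pem does not chain to otherCert.pem: this is what the PKIX error reports"
fi
truststore_has_ca
```

Run it against the real files by pointing chain_ok at the CA bundle and smCert.pem that were actually generated, and run keytool -list against the exact path given in src.trustStore. Because sm.cfg sets ssl_reqClientAuth:2, the same check applies in the other direction: srcCert.pem must chain to a CA present in the clientcerts.keystore that SM loads, or SM will reject SRC's client certificate.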

  • It is failing at the SSL handshake. In the sm.ini file, in addition to the parameters you've already specified, what are sslConnector, ssl, ssl_reqClientAuth and trustedsignon set to? Those should look like below:

    sslConnector:1
    ssl:1
    ssl_reqClientAuth:2
    trustedsignon:1 

    However, since it's failing at the handshake we should turn off the TSO part and see if you can login with just SSL active. If SSL fails then the problem could be with the generated certificates. To disable TSO, but leave SSL active you need to:

    For Service Manager
    A. In the sm.ini set trustedsignon to 0
    B. Add this tracing parameter to sm.ini: debughttp:1

    For SRC
    A. In the applicationContext.properties set src.security.mode=default and src.security.SSOenabled=false

    Stop and restart both SRC and SM, clear the logs for both and see if you can login. If you can, look in the sm.log for SSL Connection Accepted. If so then you know SSL is actually working and you can work on the TSO portion knowing the problem is somewhere around there. If it fails then SSL errors will continue.

  • Hi Brett,

    I do not have trustedsignon parameter on SM.ini but I have mentioned it in SM.CFG file with all the required parameters for SSL.

    Attached are my SM.ini and SM.cfg files for your reference.

    I tried with the option you suggested to disable TSO and test only with SSL. I am still receiving the same error. That means the issue is with SSL.

    Should I regenerate all the certificates? Or am I missing any steps for configuring SSL?

    Regards,

    Avinash

    sm.zip

  • Do the following to the line you're using in the sm.cfg:

    1. Set trustedsignon:0
    2. Add these to the line: -JVMOption0:-Djavax.net.debug=ssl and -debughttp:1
    3. The line should now look like this:

    sm -httpPort:13090 -httpsPort:13443 -sslConnector:1 -ssl:1 -ssl_reqClientAuth:2 -trustedsignon:0 -debugnode:1 -debughttp:1 -JVMOption0:-Djavax.net.debug=ssl -log:../logs/mSRCwebservicedebug.log

    4. Stop Service Manager
    5. Clear out all sm logs
    6. Start Service Manager
    7. Attempt to login via SRC
    8. If it fails attach the sm.log, the mSRCwebservicedebug.log and the sm_<PID>stdouterr.log (there may be more than one so send in all of those sm_<PID>stdouterr.log files)

  • Hi Brett,

    I made the changes to SM.CFG as you suggested, also did below changes to SRC parameters in ApplicationContext.properties.

    src.security.mode=default

    src.security.SSOenabled=false

    There is no information recorded in mSRCwebservice.log because SRC is not starting. Also there are many sm_pid_stdouterr.logs but none of them has data.

    There is some information recorded in the logs in the Tomcat folder. I am attaching both the Tomcat and SM logs here.

    Regards,

    Logs.zip

  • Do we need to make any changes to ...\src-9.40\WEB-INF\classes\lwssofmconf.properties file?

  • If you have lwsso configured then disable it. We only want to test SSL when a user logs into SRC.