Respected Contributor.

IGA-3.6 Installation, Config utility, using TLS, URI is misconfigured

Hi all,

I am trying to integrate Identity Governance (IGA) with the Identity Manager applications (IDM & RBPM). I opted to install a new IGA setup to use HTTPS, even though I had a functional IGA operating on HTTP, but attempts to integrate it with RBPM (4.8.1 on https) were futile.
IGA version: 3.6.1
IDM version: 4.8.1
IGA OS: SLES 15 SP1
IDM OS : SLES 12 SP3

I installed the DB (Postgres-11.8), OSP and IGA on the same machine. IDM is on a separate machine and RBPM on another separate machine, all within the same network.

The installation of Postgres, Tomcat and Azul was successful, based on the instructions from the IGA-3.6/3.6.1 Linux-Helper-Script-Readme.txt and Installing-PostgreSQL.txt.

One of the OSP installation logs shows success with 657 success, and 0 warnings, while a second log shows some error (please see attached log files).

The IGA installation was successful.
The FIRST problem I am facing is that when I try to run the configupdate.sh utility, after making any changes, it presents a nagging error popup with the message:
com.netiq.internal.installer.idm.ldap.UserNotifierBase log
SEVERE: [CFG] Unable to connect to the following servers:

192.168.75.131:8443  (or FQDN:8443)
This indicates that either a URI is misconfigured or that the server hosting the URI is not running.

Correct the problem and re-run the configuration utility.

Tweaking the ism-configuration.properties file has not helped the situation (file attached).
I also tweaked the tomcat/conf/server.xml file.

I noticed some similarities to the issue experienced in https://community.microfocus.com/t5/IGA-User-Discussions/IG-3-0-start-error/td-p/2255270
I have implemented the suggestions of @stevewdj and @geoffc; see ndstrace.log, also attached.
I have also checked the IDM LDAP aspect in line with https://support.microfocus.com/kb/doc.php?id=7013279


The cert from IDM has been added to tomcat/conf/apps-trustore.pkcs12, osp.pkcs12 and osp-truststore.pkcs12, as well as jre/security/cacerts.
I also created a cert request in IGA, did the relevant steps involved in using a self-signed CA with IDM, and imported it back into the IGA keystore.

I started with the FQDN approach (as required by the MF documentation), and also tried using the IP address, yet no luck.
An attempt to open (IP address or the FQDN:8443) in a browser suggests the page cannot be found, BUT
using http://IP:8080 or http://FQDN:8080 shows IG at the top of the browser, but no content.

Any clues, pointers or ideas on what I am missing, or how to go about this issue would be greatly appreciated.


Accepted Solutions
Knowledge Partner

Re: IGA-3.6 Installation, Config utility, using TLS, URI is misconfigured

Lots of little questions.

1) First off, in the server.xml I do not see an active connector for SSL?

The one that looks likely is XML commented out. So not active. Am I missing something?

2) Also you wrote: "cert from IDM has been added to the tomcat/conf/apps-trustore.pkcs12; osp.pkcs12; osp-truststore.pkcs12, as well as jre/security/cacerts."

Did you mean public or private key? Should be public key.

3) Also, any signing certs, intermediates, CAs etc. in the chain of ANY of the certs need to be there.

4) Try F12 in your browser, sometimes the error is shown there but not on screen.

5) I see this in your OSP trace. (Edit the tomcat\bin\setenv.sh; there is an OSP log level variable in 3.61, and set it higher. I say ALL, Steve gets annoyed at me, but for troubleshooting I am not certain there is a better option. Turn it back when working.)

Preamble: [OIDP]
Priority Level: WARNING
Java: internal.osp.oidp.service.configuration.ConfigurationManager.initialize() [324] thread=main
Time: 2020-06-21T18:51:25.789+0300
Log Data: AuthenticationService[OSP Configuration (id=auth)] configuration validation resulted in warnings:
Validation messages (8):
   1) Warning: AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=cx,uri=https://labig36demo.xxxx.fi:8443/cx/oauth.html]
         This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
   2) Warning: AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=ig,uri=https://labig36demo.xxxx.xx:8443/oauth.html]
         This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
   3) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]/Server[192.168.75.114:636]
         The LDAP data store configured LDAP bind timeout value will be used.
   4) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]/Server[192.168.75.114:636]
         The LDAP data store configured read timeout value will be used.
   5) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]
         The OSP system LDAP bind timeout value will be used.
   6) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]
         The OSP system LDAP read timeout value will be used.
   7) Information: AuthenticationService[OSP Configuration (id=auth)]/FileDataSource[CSV File Data Source (id=firstFile)]
         No filename specified; assuming path specifies both path and filename.
   8) Information: AuthenticationService[OSP Configuration (id=auth)]/JDBCIDataSource[File User Instance Datasource (id=ds-file-instance-data)]
         No JNDI environment context name; JNDI datasource name specifies both context and name.

Preamble: [OIDP]
Priority Level: WARNING
Java: internal.osp.oidp.service.source.AuthPluginManager.autoConfigure() [337] thread=main
Time: 2020-06-21T18:51:26.107+0300
Log Data: Unable to auto configure authentication plugins for 'Authentication Source for File Users' Instance Data(id=as-file-instance-data)' because no suitable authentication plugins were found.

Preamble: [Tenant]
Priority Level: SEVERE
Java: internal.osp.framework.OSPTenant$ProbeTlsTask.run() [2673] thread=osp-common-thread-1
Time: 2020-06-21T18:51:26.279+0300
Log Data: Unexpected error probing container TLS: java.net.ConnectException: Connection refused (Connection refused)
      java.net.PlainSocketImpl: PlainSocketImpl.java: socketConnect: -2

So Java is failing to make an LDAP(S?) connection. More logging might offer more hints.

6) Ports are open from here to there?

Honored Contributor.

Re: IGA-3.6 Installation, Config utility, using TLS, URI is misconfigured

Hi.

Is Tomcat even listening on 8443? Assuming Linux, try with "ss -tulpn | grep 8443".

Any firewall on the server that needs to be opened?

Trying basic stuff here, but if you are unable to connect using the web browser, I would suggest checking the above pointers first. I think a certificate issue with a non-trusted CA/intermediate CA would still load the page in a web browser, even if it appears without content (as on 8080).

Best regards

Marcus

Respected Contributor.

Re: IGA-3.6 Installation, Config utility, using TLS, URI is misconfigured

Hi,
Thanks @Marcus, @geoffc and @stevewdj for your observations and recommendations.
I ensured there was no firewall restriction, made peace with Java and Tomcat, and sorted out the SSL (HTTPS) connector aspect of Tomcat.
Re-created and replaced the keystore (PKCS) in /conf, created a request, and re-imported the relevant public key (@geoffc). The OSP trace is restored to "WARN" :).

The setup is now functional, and integration with IDM and RBPM is OK.
Identities have been collected, and all seems OK.

Thanks a million @Marcus, @geoffc and @stevewdj for your time & support.
Micro Focus Expert

Re: IGA-3.6 Installation, Config utility, using TLS, URI is misconfigured

Greetings,

1) Per the OAuth and OpenID Connect specs, one can only utilize one (1) protocol [http or https], and an IP address is not to be utilized, only a full DNS name.

2) From the logs and installation, I can see that you did not actually configure Tomcat for HTTPS. Tomcat is still at the default of using HTTP on port 8080.


19-Jun-2020 19:12:33.694 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]


The ID Gov install will not configure Tomcat for HTTPS. One must do the necessary work either before the install of ID Gov or after. If you have configured Tomcat for HTTPS and have it running when you launch the ID Gov install, and indicate the use of HTTPS during the installation process just before the Summary screen (GUI or Console mode of install), you will be prompted to accept the certificates and the installer will add them to the correct store. After you accept the certs, stop Tomcat so that the install completes successfully.

If you are setting up HTTPS post-install, then launch configupdate with Tomcat running, update the necessary settings, and after pressing OK to save and close you will be prompted to accept the certificates. It will be necessary to restart Tomcat after this for it to work correctly.

3) From the server log that was provided, I only see that OSP is being deployed on this Tomcat server. I was under the impression from your write-up that OSP and ID Gov were installed on the same Tomcat server. Is that correct?

4) The errors in the OSP log are because of #2 above. During the install, you indicated that Tomcat would be utilizing HTTPS and port 8443. However, that is not the current situation: Tomcat is utilizing HTTP and port 8080.

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
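The three checks the replies converge on can be scripted: Marcus asks whether anything listens on 8443, @geoffc's point 1 is that the SSL connector in server.xml is XML-commented out, and Steven's point 2 reads the "Initializing ProtocolHandler" log line to show Tomcat still started HTTP on 8080 only. The script below is an added example, not code from this thread or from Micro Focus. It assumes the stock Tomcat server.xml layout and catalina log format; the two server.xml variants, the log lines and the PLACEHOLDER keystore path are constructed samples written to a temporary directory so the script runs offline.

```shell
# Added example (not from the thread or Micro Focus): is a TLS connector ACTIVE
# in server.xml (not inside an XML comment) and did the Tomcat log start a
# ProtocolHandler on that port? Real paths: tomcat/conf/server.xml and
# tomcat/logs/catalina.out; everything written below is a constructed sample.

# Drop XML comments so a commented-out <Connector> no longer counts.
# Simplification: a multi-line comment that starts mid-line loses its whole
# first and last lines; stock server.xml keeps the markers on their own lines.
strip_xml_comments() {
    sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1"
}

# Print the port of every remaining connector that has SSLEnabled="true".
active_tls_ports() {
    strip_xml_comments "$1" |
        tr '\n' ' ' |
        grep -o '<Connector[^>]*>' |
        grep 'SSLEnabled="true"' |
        grep -o 'port="[0-9]*"' |
        sed 's/[^0-9]//g'
}

# Exit 0 if a TLS connector is active on the port (default 8443).
has_active_tls_port() {
    active_tls_ports "$1" | grep -qx "${2:-8443}"
}

# Print the ProtocolHandler names Tomcat logged at start-up, e.g.
# http-nio-8080 for plain HTTP, https-jsse-nio-8443 for a TLS connector.
log_protocol_handlers() {
    grep -o 'Initializing ProtocolHandler \["[^"]*"\]' "$1" |
        sed 's/.*\["\(.*\)"\]/\1/'
}

# Exit 0 only when the port is active in server.xml AND present in the log.
diagnose() {
    xml="$1"; log="$2"; port="${3:-8443}"; ok=0
    if has_active_tls_port "$xml" "$port"; then
        echo "server.xml: TLS connector on $port is active"
    else
        echo "server.xml: no active TLS connector on $port (missing or commented out)"
        ok=1
    fi
    if log_protocol_handlers "$log" | grep -q -e "-$port\$"; then
        echo "log: a ProtocolHandler on $port was initialised"
    else
        echo "log: handlers started: $(log_protocol_handlers "$log" | tr '\n' ' ')"
        ok=1
    fi
    return $ok
}

SAMPLE_DIR="${TMPDIR:-/tmp}/iga-tls-check.$$"
mkdir -p "$SAMPLE_DIR"
# Constructed: stock layout, TLS connector still inside an XML comment.
cat > "$SAMPLE_DIR/server-default.xml" <<'EOF'
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  <!--
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
    </SSLHostConfig>
  </Connector>
  -->
</Service>
EOF
# Constructed: the connector uncommented, pointing at a placeholder keystore.
cat > "$SAMPLE_DIR/server-tls.xml" <<'EOF'
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.pkcs12"
                   certificateKeystoreType="PKCS12" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service>
EOF
# Constructed log lines in the shape quoted above: HTTP only, then HTTP + TLS.
cat > "$SAMPLE_DIR/catalina-http.out" <<'EOF'
19-Jun-2020 19:12:33.694 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
EOF
cat > "$SAMPLE_DIR/catalina-tls.out" <<'EOF'
21-Jun-2020 18:50:01.112 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
21-Jun-2020 18:50:01.240 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
EOF

if diagnose "$SAMPLE_DIR/server-default.xml" "$SAMPLE_DIR/catalina-http.out" 8443; then
    echo "RESULT: HTTPS on 8443 is configured and running"
else
    echo "RESULT: HTTPS on 8443 not in effect; fix server.xml, restart Tomcat, re-run configupdate"
fi
```

On a real server, point `diagnose` at tomcat/conf/server.xml and tomcat/logs/catalina.out. The server.xml check catches the commented-out connector before Tomcat is restarted; the log check confirms what actually started, which is the same evidence Steven read from the quoted "http-nio-8080" line. A listener that does start on 8443 can still fail the configupdate probe on certificate trust, so a passing result here only rules out the "nothing is listening" half of the error message.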
