Marcus Tornberg Honored Contributor.

Error when authenticating to IDM OSP from IDGov

Hi all.

I am trying to use OSP in IDM to authenticate to Identity Governance.

First off, some versions:
IDM 4.7.1
OSP 6.2.2
ID Gov: 3.0.1

The setup is that both Identity Applications (with OSP) are behind one load balancer (idmapps.domain.com), and IDGov is behind another load balancer (idgov.domain.com). There are two nodes behind each load balancer (2 Identity Application/OSP servers and 2 Identity Governance servers).

To try and simplify my troubleshooting I am currently only running Tomcat on one server for each of those nodes (one Identity Applications/OSP server and one Identity Governance server).

I have tried to configure this according to the documentation, but this customer does not allow X11 forwarding, so I am stuck with console mode on each tool on the servers, and that makes things harder to understand as the documentation is written based on GUI. 😞
https://www.netiq.com/documentation/identity-governance-30/user-guide/data/b1djgg2z.html

When I browse to ID Gov, I get the login page and if I enter invalid credentials I get an error message as expected (Login failed, please try again). When I enter valid credentials I get the error message "An error occurred while attempting to contact the authentication service."

The Identity Governance config can be found here:
https://paste.opensuse.org/view//27764905

OSP config for Identity Governance can be found here:
https://paste.opensuse.org/view//81211621

OSP log from startup until failure can be found here (trying to login with "mytestuser"):
https://justpaste.it/5ac50 (susePaste gave up!)

I cannot find any error message in the OSP log file or in any other log file either, so right now I am stuck.

Please help me.

Best Regards
Marcus
14 Replies
Micro Focus Expert

Re: Error when authenticating to IDM OSP from IDGov

On 1/31/19 10:44 AM, marcus jonsson wrote:
>
> Hi all.
>
> I am trying to use OSP in IDM to authenticate to Identity Governance.
>
> First off, some versions:
> IDM 4.7.1
> OSP 6.2.2
> ID Gov: 3.0.1
>
> The setup is that both Identity Applications (with OSP) are behind one
> load balancer (idmapps.domain.com), and IDGov is behind another load
> balancer (idgov.domain.com). There are two nodes behind each load
> balancer (2 Identity Application/OSP servers and 2 Identity Governance
> servers).
>
> To try and simplify my troubleshooting I am currently only running
> Tomcat on one server for each of those nodes (one Identity
> Applications/OSP server and one Identity Governance server).
>
> I have tried to configure this according to the documentation, but this
> customer does not allow X11 forwarding, so I am stuck with console mode
> on each tool on the servers, and that makes things harder to understand
> as the documentation is written based on GUI. 😞
> https://www.netiq.com/documentation/identity-governance-30/user-guide/data/b1djgg2z.html
>
> When I browse to ID Gov, I get the login page and if I enter invalid
> credentials I get an error message as expected (Login failed, please try
> again). When I enter valid credentials I get the error message "An error
> occurred while attempting to contact the authentication service."
>
> The Identity Governance config can be found here:
> https://paste.opensuse.org/view//27764905
>
> OSP config for Identity Governance can be found here:
> https://paste.opensuse.org/view//81211621
>
> OSP log from startup until failure can be found here (trying to login
> with "mytestuser"):
> https://justpaste.it/5ac50 (susePaste gave up!)
>
> I cannot find any error message in the OSP log file or in any other log
> file either, so right now I am stuck.
>
> Please help me.
>
> Best Regards
> Marcus
>
>

Greetings,
For the error
"An error occurred while attempting to contact the authentication service"

This normally happens because the call back from osp to idgov can not
happen.

A typical reason for this is when using https, is because the OSP
server's certificate chain is not in the ID Gov's environment.


The other reason(s) why this can fail with the above error:

a) Incorrect sso client IDs and secrets
b) Incorrect URL value (case matters)

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Marcus Tornberg Honored Contributor.

Re: Error when authenticating to IDM OSP from IDGov

Hi Steven.

I have first off verified clientID and reset client passwords; this does not make any change.

I have also verified clientURL settings and they are a case-sensitive match.

About the certificates, are you referring to the certificate chain used by each tomcat instance for web access (https)? Also, what keystore should they be placed in?

I have imported the certificate chain (CA and intermediate CA) to cacerts for the tomcat JRE on both OSP and IDGov. (of course stopping services first and then restarting).

The Identity Manager documentation on this states that one should use a wildcard certificate, we are not. Is this a requirement or a recommendation?

One thing that might cause issues is that the URL of IDGov is specified in the endpoint certificate SAN. Can this be my issue?

So far I still have the same issue. Is there more logging that can be set to help identify the cause?

Thank you!

Best regards
Marcus
Micro Focus Expert

Re: Error when authenticating to IDM OSP from IDGov

On 2/1/19 5:36 AM, marcus jonsson wrote:
>
> Hi Steven.
>
> I have first off verified clientID and reset client passwords; this does
> not make any change.
>
> I have also verified clientURL settings and they are a case-sensitive
> match.
>
> About the certificates, are you referring to the certificate chain used
> by each tomcat instance for web access (https)? Also, what keystore
> should they be placed in?
>
> I have imported the certificate chain (CA and intermediate CA) to
> cacerts for the tomcat JRE on both OSP and IDGov. (of course stopping
> services first and then restarting).
>
> The Identity Manager documentation on this states that one should use a
> wildcard certificate, we are not. Is this a requirement or a
> recommendation?
>
> One thing that might cause issues is that the URL of IDGov is specified
> in the endpoint certificate SAN. Can this be my issue?
>
> So far I still have the same issue. Is there more logging that can be
> set to help identify the cause?
>
> Thank you!
>
> Best regards
> Marcus
>
>

Greetings,

1) OSP does not "open" https communication so the OSP set-up does not
need the certificates for a remote ID Gov, or ID Reporting. So, you

*Identity Apps can be a different story*

2) A stand-alone ID Gov server will need the certificate chain of:
a) The tomcat server it is deployed on
b) The tomcat server that OSP is deployed on


3) A stand-alone ID Reporting server (set-up for ID Gov) will need the
certificate chain of:
a) The tomcat server it is deployed on
b) The tomcat server that OSP is deployed on
c) The tomcat server that ID Gov is deployed on


Now, if you are using wildcard certs for all three (3) set-ups then you
only need to install the certificate chain locally.

Since you are using ID Gov 3.0.x, you would install the certificate
chain(s) into the cacerts file of the jre that the Tomcat server is using.

If you had ID Gov 3.5 then you would add them to the
apps-truststore.pkcs12 that was created. In this set-up you either
allow the installer to add the certificates or utilize configupdate to
do it.



When I am tracking down these kinds of issues I utilize the following in
the java_opts section in the setenv of the tomcat servers:

-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
-Djava.security.debug=access:stack

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Knowledge Partner

Re: Error when authenticating to IDM OSP from IDGov

On 2/1/2019 9:02 AM, Steven Williams wrote:
> When I am tracking down these kinds of issue I utilize the following in
> the java_opts section in the setenv of the tomcat servers:
>
> -Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
> -Djava.security.debug=access:stack


Any examples of what it shows when you enable these?

This seems super duper handy for this issue if it does what I think.


Micro Focus Expert

Re: Error when authenticating to IDM OSP from IDGov

On 2/1/19 2:58 PM, Geoffrey Carman wrote:
> On 2/1/2019 9:02 AM, Steven Williams wrote:
>> When I am tracking down these kinds of issue I utilize the following
>> in the java_opts section in the setenv of the tomcat servers:
>>
>> -Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
>> -Djava.security.debug=access:stack

>
> Any examples of what it shows when you enable these?
>
> This seems super duper handy for this issue if it does what I think.
>
>

Greetings,
These are not ID Gov, OSP, or ID Apps specific. They are from java.
Been using this for a while.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Knowledge Partner

Re: Error when authenticating to IDM OSP from IDGov

On 2/1/2019 4:14 PM, Steven Williams wrote:
> On 2/1/19 2:58 PM, Geoffrey Carman wrote:
>> On 2/1/2019 9:02 AM, Steven Williams wrote:
>>> When I am tracking down these kinds of issue I utilize the following
>>> in the java_opts section in the setenv of the tomcat servers:
>>>
>>> -Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
>>> -Djava.security.debug=access:stack

>>
>> Any examples of what it shows when you enable these?
>>
>> This seems super duper handy for this issue if it does what I think.
>>
>>

> Greetings,
> These are not ID Gov, OSP, or ID Apps specific. They are from java.
> Been using this for a while.


Understood. Still super duper useful in general. Sort of thing would
be really nice as a cool solution. 🙂 For all the products using Java
and SSL/TLS. Need to try this and gather some sample error messages.


Marcus Tornberg Honored Contributor.

Re: Error when authenticating to IDM OSP from IDGov

stevewdj;2494680 wrote:
On 2/1/19 5:36 AM, marcus jonsson wrote:
Greetings,

1) OSP does not "open" https communication so the OSP set-up does not
need the certificates for a remote ID Gov, or ID Reporting. So, you

*Identity Apps can be a different story*

2) A stand alone ID Gov server will need the certificate chain of:
a) The tomcat server it is deployed on
b) The tomcat server that OSP is deployed on


3) A Stand alone ID Reporting server (set-up for ID Gov) will need the
certificate chain of:
a) The tomcat server it is deployed on
b) The tomcat server that OSP is deployed on
c) The tomcat server that ID Gov is deployed on


Now, if you are using wildcard certs for all three (3) set-ups then you
only need to install the certificate chain locally.

Since you are using ID Gov 3.0.x, you would install the certificate
chain(s) into the cacerts file of the jre that the Tomcat server is using.

If you had ID Gov 3.5 then you would add them to the
apps-truststore.pkcs12 that was created. In this set-up you either
allow the installer to add the certificates or utilize configupdate to
do it.



When I am tracking down these kinds of issues I utilize the following in
the java_opts section in the setenv of the tomcat servers:

-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
-Djava.security.debug=access:stack

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus


Hi Steven.

Thank you, enabling those two parameters in JRE produced errors at least.

However I am not able to resolve them 😞

I have reverted to certificates signed by the IDM eDirectory CA to exclude issues with SAN. So certificates are signed by the eDirectory CA at this point.

During startup I can see the following in catalina.out:

init truststore
adding as trusted cert:
Subject: O=TEST-TREE, OU=Organizational CA
Issuer: O=TEST-TREE, OU=Organizational CA
Algorithm: RSA; Serial number: 0x6620a93c6c6cad92e1a7cd34acca9c848db7daf0
Valid from Mon Sep 11 13:34:51 CEST 2017 until Sat Sep 11 13:34:51 CEST 2027

adding as trusted cert:
Subject: CN=osp.domain.com, O=TEST-TREE
Issuer: O=TEST-TREE, OU=Organizational CA
Algorithm: RSA; Serial number: 0x44444230f1299f51f9a75498cd409f1aef565c77
Valid from Mon Feb 04 10:55:00 CET 2019 until Thu Feb 04 10:55:00 CET 2021


So I guess that the certificates are loaded into the JRE as trusted certificates.

Still, when I try to login, I get:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Prior to the error I can see:

chain [0] = [
[
Version: V3
Subject: CN=osp.domain.com, O=TEST-TREE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits
modulus: 28931440711791426960186945183933703030083544373012043717663707282245438380106318968129390274864457576159326699656230157645247436703596175655461691243311674691322379902782630214054639016312468712560553796721394421918492479503341785107378163054596309092127669357596471153715028857160496204343738854707673756711690537136532907608904913173832938080791015340784109886768807485860080312503793200034172965962612033187010747666150047197720926037653686174551758958819703297653490916413192618484498153795410955712686462505268565170434473746425949546228046181258775261831089697432370098752887689691350620743276535719805456816611
public exponent: 65537
Validity: [From: Mon Feb 04 10:55:00 CET 2019,
To: Thu Feb 04 10:55:00 CET 2021]
Issuer: O=TEST-TREE, OU=Organizational CA
SerialNumber: [ 44444230 f1299f51 f9a75498 cd409f1a ef565c77]

....

chain [1] = [
[
Version: V3
Subject: O=TEST-TREE, OU=Organizational CA
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits
modulus: 27230065823419730926235075357408532416366560705812463149706900330638072409334334369087421562827268785081373603738327408411513079469300736055299163612583290521961568265941643705706774302667213869648489887068612436893477533472859295113746108193709556959950981127483580012029366895118480127113461792951341236919016599902605018084319123700834340179699936643661060815188960787662613694513281040898913582962363527919655443127491575351866539724744512006545848962076678429153504286664484703593859642537330534166672855791132325698174868070205275523969938398010211017932974122438181050818925751957202467303321581159218252808151
public exponent: 65537
Validity: [From: Mon Sep 11 13:34:51 CEST 2017,
To: Sat Sep 11 13:34:51 CEST 2027]
Issuer: O=TEST-TREE, OU=Organizational CA
SerialNumber: [ 6620a93c 6c6cad92 e1a7cd34 acca9c84 8db7daf0]


I have verified the DNS names and serial numbers, and they correspond to the ones added as trusted certs.

Full log from catalina.out is here:
https://paste.opensuse.org/view/raw/7419756

Best regards
Marcus
Marcus Tornberg Honored Contributor.

Re: Error when authenticating to IDM OSP from IDGov

In addition, I also verified connections using SSLPoke, and that works fine in all ways (OSP -> IDGov and IDGov -> OSP)
https://github.com/MichalHecko/SSLPoke

Best regards
Marcus
Marcus Tornberg Honored Contributor.

Re: Error when authenticating to IDM OSP from IDGov

marcus_jonsson;2494766 wrote:
In addition, I also verified connections using SSLPoke, and that works fine in all ways (OSP -> IDGov and IDGov -> OSP)
https://github.com/MichalHecko/SSLPoke

Best regards
Marcus


Hi.

Issue resolved. Added CA and intermediate CA to the osp.jks keystore.

Seems that tomcat/jre does not use cacerts in this process?

Best regards
Marcus
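As an added example (not code from this thread, from Micro Focus or from the SSLPoke project), here is a small Python parser for the trustmanager output that the -Djavax.net.debug setting mentioned above writes to catalina.out. It files each "adding as trusted cert:" block under the "trustStore is:" line that Java 8 prints before loading a truststore (assumed format), so a catalina.out that initialises more than one truststore, say cacerts and osp.jks, is scored store by store against the "chain [n]" the peer presented. The sample log, paths and names are constructed.

```python
import re

# Constructed sample in the layout Java 8 prints for -Djavax.net.debug=ssl:handshake:verbose:trustmanager;
# every path and name below is made up for this example, not taken from the thread.
SAMPLE_LOG = """\
trustStore is: /opt/jre/lib/security/cacerts
adding as trusted cert:
  Subject: O=TEST-TREE, OU=Organizational CA
  Issuer:  O=TEST-TREE, OU=Organizational CA
trustStore is: /opt/netiq/idm/apps/osp/osp.jks
adding as trusted cert:
  Subject: CN=osp-signing, O=TEST-TREE
  Issuer:  CN=osp-signing, O=TEST-TREE
chain [0] = [
  Subject: CN=osp.domain.com, O=TEST-TREE
  Issuer: O=TEST-TREE, OU=Organizational CA
chain [1] = [
  Subject: O=TEST-TREE, OU=Organizational CA
  Issuer: O=TEST-TREE, OU=Organizational CA
"""
STORE_RE = re.compile(r"^trustStore is:\s*(.+)$")
CHAIN_RE = re.compile(r"^chain \[\d+\] = \[")
FIELD_RE = re.compile(r"^\s*(Subject|Issuer):\s*(.+?)\s*$")

def norm(dn):
    """Normalise spacing around RDN separators so DNs compare by content, not layout."""
    return ",".join(part.strip() for part in dn.split(","))

def parse_debug_log(text):
    """Return ({truststore_path: [(subject, issuer)]}, presented chain as [(subject, issuer)]).
    Each 'adding as trusted cert:' block is filed under the latest 'trustStore is:' line."""
    stores, chain = {}, []
    store = "(truststore path not logged)"
    target = pending = None  # pending collects the Subject/Issuer of the block being read
    for line in text.splitlines():
        if m := STORE_RE.match(line):
            store = m.group(1).strip()
            stores.setdefault(store, [])
        elif line.startswith("adding as trusted cert:"):
            target, pending = stores.setdefault(store, []), {}
        elif CHAIN_RE.match(line):
            target, pending = chain, {}
        elif pending is not None and (m := FIELD_RE.match(line)):
            pending[m.group(1)] = norm(m.group(2))
            if "Subject" in pending and "Issuer" in pending:
                target.append((pending["Subject"], pending["Issuer"]))
                pending = None  # block complete; skip fields until the next header
    return stores, chain

def anchored_in(chain, trusted):
    """True when a chain member, or the issuer of one, is a subject this store trusts.
    DN-only match: a re-issued CA with the same DN but a new key passes here yet fails PKIX."""
    subjects = {s for s, _ in trusted}
    return any(s in subjects or i in subjects for s, i in chain)

def report(text):
    # Map each truststore seen in the log to whether the presented chain is anchored in it.
    stores, chain = parse_debug_log(text)
    return {path: anchored_in(chain, certs) for path, certs in stores.items()}
```

Running report() over a real catalina.out shows which of the truststores the JVM actually initialised anchors the peer's chain, which is the question behind the cacerts versus osp.jks outcome in this thread.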
Knowledge Partner

Re: Error when authenticating to IDM OSP from IDGov

On 2/5/2019 5:24 AM, marcus jonsson wrote:
>
> marcus_jonsson;2494766 Wrote:
>> In addition, I also verified connections using SSLPoke, and that works
>> fine in all ways (OSP -> IDGov and IDGov -> OSP)
>> https://github.com/MichalHecko/SSLPoke
>>
>> Best regards
>> Marcus

>
> Hi.
>
> Issue resolved. Added CA and intermediate CA to the osp.jks keystore.
>
> Seems that tomcat/jre does not use cacerts in this process?


My experience is that you should add them as well to the tomcat keystore
(or wherever your Tomcat gets its private key from) and if you are using
NAM for SSO via SAML you should add the SAML signing keys as well.

Easier to just load em all up.

Micro Focus Expert

Re: Error when authenticating to IDM OSP from IDGov

On 2/5/19 11:50 AM, Geoffrey Carman wrote:
> On 2/5/2019 5:24 AM, marcus jonsson wrote:
>>
>> marcus_jonsson;2494766 Wrote:
>>> In addition, I also verified connections using SSLPoke, and that works
>>> fine in all ways (OSP -> IDGov and IDGov -> OSP)
>>> https://github.com/MichalHecko/SSLPoke
>>>
>>> Best regards
>>> Marcus

>>
>> Hi.
>>
>> Issue resolved. Added CA and intermediate CA to the osp.jks keystore.
>>
>> Seems that tomcat/jre does not use cacerts in this process?

>
> My experience is that you should add them as well to the tomcat keystore
> (or wherever your Tomcat gets its private key from) and if you are using
> NAM for SSO via SAML you should add the SAML signing keys as well.
>
> Easier to just load em all up.
>

Greetings,
It is not normally needed to add them to the extra
truststore/keystore. I have demonstrated with 3.5 (and earlier versions)
that it is not necessary and where to add them.

For example, I have

server #1 (osp) which has a cert signed by eDir. Here OSP is using the
default certificate that was created during the install for OSP to do
its work. So there are 2 truststores (osp.jks and the truststore for Tomcat)
server #2 (ID Gov) which has a different cert signed by eDir
server #3 (ID Reporting) which has yet a different cert signed by eDir

In the above for 3.0.x the updates went into the cacerts file, for 3.5
they went into the apps-truststore.pkcs12

server #2 was updated with the signed cert from server #1, and its own.
server #3 was updated with the signed cert from server #1, server #2,
and its own.



* Note for 3.5 both the installers and configupdate have been enhanced
to make getting the right certificate into the right truststore easier *

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus