Honored Contributor.

IG 3.6 login issues


Hi,

We have installed IG 3.6 without any errors. After launching the URL, the application is getting logged in without asking for any username and password. The below errors were found in catalina. Please help.

[WARNING] 2019-12-30 18:34:20 com.netiq.iac.server.common.security.TlsProbeTask run - [IG-SERVER] Identity Governance server is not configured for Transport Layer Security (TLS)
[FINE] 2019-12-30 18:34:20 com.netiq.iac.common.config.IacConfigurationUtil getExceptionLogLevel - [IG-SERVER] Exception log level: DEBUG
[SEVERE] 2019-12-30 18:34:20 com.netiq.iac.server.common.security.TlsProbeTask run - [IG-SERVER] Unexpected error probing container TLS: connect timed out

Thanks

Sivaram T

Accepted Solutions
Micro Focus Expert

Re: IG 3.6 login issues


Greetings,
I have been told that you opened a Service Request with Support. At this point, all communications and assistance will be via the Support team and not in this thread.

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus

Knowledge Partner

Re: IG 3.6 login issues


With OSP there are several common concerns.

1) Certificates - the signer of the private key (NOT the public key of the cert, but the public key of the signer, the entire chain if there is more than one CA) for OSP, Tomcat, NAM, eDir needs to be in the various keystores. (Now to confuse the issue, OSP is usually self-signed, so in that case it would be the public key of the cert itself as the exception).

2) The SSL certs you need to create for OSP and Tomcat all need to have a Subject Alternative Name of the DNS name of the URL people type into the address bar.

3) The URL you type into the address bar must exactly match the configured URL. To the point that if you use 443, the tools make you configure IDG as https://myhost.com:443/ but your browser will rewrite that without the :443, which will then not match and fail.

Micro Focus Expert

Re: IG 3.6 login issues


Greetings,

"We have installed IG 3.6 without any errors. After launching the URL application is getting logged in without asking for any username and password"

You cannot get into ID Gov without logging in somewhere (NAM, OSP, ADFS, etc.) unless you are set up for Kerberos. So your above statement is not true.

1) Did you set-up for HTTPS during the install?

2) What is in the OSP logs?

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus

Honored Contributor.

Re: IG 3.6 login issues


Yes, we set up HTTPS.

I can see the below warnings in the OSP log.

Preamble: [OIDP]
Priority Level: WARNING
Java: internal.osp.oidp.service.configuration.ConfigurationManager.initialize() [324] thread=main
Time: 2019-12-31T00:32:56.836+0100
Log Data: AuthenticationService[OSP Configuration (id=auth)] configuration validation resulted in warnings:
Validation messages (9):
1) Warning: AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=rptw,uri=https://ABCAPP1060.idmadprep.ABC.dk:8443/IDMRPT/oauth.html]
This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
2) Warning: AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=cx,uri=https://ABCAPP1060.idmadprep.ABC.dk:8443/cx/oauth.html]
This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
3) Warning: AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=ig,uri=https://ABCAPP1060.idmadprep.ABC.dk:8443/oauth.html]
This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
4) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]/Server[ABCAPP1060.idmadprep.ABC.dk:636]
The LDAP data store configured LDAP bind timeout value will be used.
5) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]/Server[ABCAPP1060.idmadprep.ABC.dk:636]
The LDAP data store configured read timeout value will be used.
6) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]
The OSP system LDAP bind timeout value will be used.
7) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]
The OSP system LDAP read timeout value will be used.
8) Information: AuthenticationService[OSP Configuration (id=auth)]/FileDataSource[CSV File Data Source (id=firstFile)]
No filename specified; assuming path specifies both path and filename.
9) Information: AuthenticationService[OSP Configuration (id=auth)]/JDBCIDataSource[File User Instance Datasource (id=ds-file-instance-data)]
No JNDI environment context name; JNDI datasource name specifies both context and name.

Preamble: [OIDP]
Priority Level: WARNING
Java: internal.osp.oidp.service.source.AuthPluginManager.autoConfigure() [337] thread=main
Time: 2019-12-31T00:32:57.429+0100
Log Data: Unable to auto configure authentication plugins for 'Authentication Source for File Users' Instance Data(id=as-file-instance-data)' because no suitable authentication plugins were found.

Preamble: [Tenant]
Priority Level: SEVERE
Java: internal.osp.framework.OSPTenant$ProbeTlsTask.run() [2673] thread=osp-common-thread-4
Time: 2019-12-31T00:32:57.928+0100
Log Data: Unexpected error probing container TLS: java.net.SocketTimeoutException: connect timed out
java.net.DualStackPlainSocketImpl: DualStackPlainSocketImpl.java: waitForConnect: -2

Thanks

Sivaram T

Honored Contributor.

Re: IG 3.6 login issues

Hi Steve,
Can you please check the above logs and let me know what is wrong. The login page is not asking for credentials, but the landing page appears as a blank blue page without any content.
Thanks
Siva ram T
Micro Focus Expert

Re: IG 3.6 login issues

Greetings,

1) During the install, did you really specify "ABCAPP1060.idmadprep.ABC.dk", specifically with the server name in capitals, 'ABCAPP1060' (or the value that you used)? If yes, then that will never work. You have registered the URL with some capital letters that the browser will always change to lower case. Per the OAuth spec there is to be an exact case match between the URL registered and the one being utilized. So:

ABCAPP1060.idmadprep.ABC.dk
will not equal
abcapp1060.idmadprep.abc.dk

2) During the OSP install, did you provide the correct connection information for the ID Gov's igops database?

3) During the OSP install, did you specify whether the bootstrap admin would be coming from the filesystem or from the vault?

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
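Added example (not OSP or Identity Governance code, and not written by anyone in this thread) that checks the two exact-match rules raised above and in the earlier Knowledge Partner reply: the registered redirect URI must equal, byte for byte, the URL the browser actually sends (host lower-cased, a default :443 dropped), and the certificate SAN must cover the hostname that is typed. Sample hostnames are constructed from the ones in this thread; the wildcard handling goes slightly beyond the thread by applying the left-most-label rule.

```python
"""Pre-flight check for OSP/IG redirect-URI and certificate-SAN mismatches.
Constructed sample data below; this is an illustration, not product code."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def browser_normalize(url: str) -> str:
    """Return the URL as a browser will present it to the server:
    scheme and host lower-cased, an explicit default port (:443 / :80)
    dropped, and an empty path turned into '/'."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()          # hostname is already lower-cased
    if p.port is not None and p.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{p.port}"              # keep a non-default port such as 8443
    return urlunsplit((scheme, host, p.path or "/", p.query, p.fragment))


def redirect_uri_matches(registered: str, typed: str) -> bool:
    """OAuth compares the redirect URI by exact string match against the
    registered value, so the registered value must already be in the
    form the browser will send (lower-case host, no default port)."""
    return registered == browser_normalize(typed)


def san_matches(san_names, host: str) -> bool:
    """Does any dNSName SAN entry cover `host`?  Matching is
    case-insensitive and a wildcard covers only the left-most label."""
    host = host.lower()
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            same_depth = host.count(".") == name.count(".")
            if same_depth and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


if __name__ == "__main__":
    # Constructed values modelled on the hostnames discussed in the thread.
    registered = "https://ABCAPP1060.idmadprep.ABC.dk:8443/oauth.html"
    typed = "https://ABCAPP1060.idmadprep.ABC.dk:8443/oauth.html"
    print("browser sends:", browser_normalize(typed))
    print("redirect URI matches:", redirect_uri_matches(registered, typed))
    print("443 example matches:", redirect_uri_matches("https://myhost.com:443/",
                                                       "https://myhost.com:443/"))
    print("SAN covers host:", san_matches(["*.idmadprep.abc.dk"],
                                          "abcapp1060.idmadprep.abc.dk"))
```

The fix the thread recommends, registering the lower-case form, is what makes the first check pass.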
Honored Contributor.

Re: IG 3.6 login issues


Hi Steve,

Please find the below answers.

1) I got it, but now how do I correct the same? I have already updated the full DNS name of the server in the ismconfiguration file.

2) Yes, I provided the correct database details.

3) Filesystem

Micro Focus Expert

Re: IG 3.6 login issues


Greetings,

Part I.

1) Stop tomcat

2) You need to utilize both configupdate and configutil to correct every place there is a URL to 'ABCAPP1060.idmadprep.ABC.dk' and change it to 'abcapp1060.idmadprep.abc.dk', then save and close. I would suggest using configupdate first and then using configutil in GUI mode.

3) Delete the localhost folder in the tomcat/work/Catalina directory

4) Delete all of the files and folders in the tomcat/temp directory

5) Move out all of the logs from the tomcat/logs directory

6) Start Tomcat


**updating the ism-configuration.properties manually can cause problems. This file should only be manually updated when specifically outlined.**


Part II.

Did you specify 'ABCAPP1060.idmadprep.ABC.dk' during the install of OSP as the value that OSP would be accessed as? If yes then there could be issues with the certificates that were created.


Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus

Honored Contributor.

Re: IG 3.6 login issues


Part 2) Yes, I gave it in capital letters. How do I regenerate the certificates, or is re-installing the only way?

Another doubt: I have mentioned port 8444 for OSP and 8443 for IG; both are running on the same server. Is this correct?

Micro Focus Expert

Re: IG 3.6 login issues


Greetings,

1) It does not make sense to have one (1) Tomcat listening on both port 8443 and port 8444. If you specified the incorrect port number 8444, then you need to fix that as well in both configupdate and possibly in configutil. It all depends upon which application you were installing when you specified the incorrect port number. That would need to be fixed, and then follow the same steps I had outlined earlier for restarting.

2) As it pertains to the OSP certificates, we generate multiple certificates for OSP 6.3.6 when it is part of ID Gov 3.6 or ID Reporting 6.6. Therefore, it is not as straightforward as it used to be to manually re-generate the necessary.

I would suggest fixing all of the URL redirects (lower case) and port numbers to the correct values. Follow the steps I provided earlier related to the localhost folder, temp directory, and logs. Then test.

If it is not working, I would need to see the full catalina.out, catalina.%date%.log, and OSP logs as well as a HAR file. If you are at this point, then open a Service Request with Support so that this information can be provided (it should not be posted on the Public Community).

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus

Honored Contributor.

Re: IG 3.6 login issues


Hi Steve,

I have re-installed IG 3.6 again with the DNS name in lower case instead of the capitalised hostname, and imported the organization certificates into cacerts; no errors were found in the catalina date log. But the application is still launching without prompting for username and password, with a blue title. Below is the OSP log.

Preamble: [OIDP]
Priority Level: WARNING
Java: internal.osp.oidp.service.configuration.ConfigurationManager.initialize() [324] thread=main
Time: 2020-01-02T18:39:18.616+0100
Log Data: AuthenticationService[OSP Configuration (id=auth)] configuration validation resulted in warnings:
Validation messages (9):
1) Warning: AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=rptw,uri=https://ig-prep.abc.com:8443/IDMRPT/oauth.html]
This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
2) Warning: AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=cx,uri=https://ig-prep.abc.com:8443/cx/oauth.html]
This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
3) Warning: AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=ig,uri=https://ig-prep.abc.com:8443/oauth.html]
This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
4) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]/Server[abcAPP1060.idmadprep.abc.com:636]
The LDAP data store configured LDAP bind timeout value will be used.
5) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]/Server[abcAPP1060.idmadprep.abc.com:636]
The LDAP data store configured read timeout value will be used.
6) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]
The OSP system LDAP bind timeout value will be used.
7) Information: AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]
The OSP system LDAP read timeout value will be used.
8) Information: AuthenticationService[OSP Configuration (id=auth)]/FileDataSource[CSV File Data Source (id=firstFile)]
No filename specified; assuming path specifies both path and filename.
9) Information: AuthenticationService[OSP Configuration (id=auth)]/JDBCIDataSource[File User Instance Datasource (id=ds-file-instance-data)]
No JNDI environment context name; JNDI datasource name specifies both context and name.

Preamble: [OIDP]
Priority Level: WARNING
Java: internal.osp.oidp.service.source.AuthPluginManager.autoConfigure() [337] thread=main
Time: 2020-01-02T18:39:19.350+0100
Log Data: Unable to auto configure authentication plugins for 'Authentication Source for File Users' Instance Data(id=as-file-instance-data)' because no suitable authentication plugins were found.

Preamble: [Tenant]
Priority Level: WARNING
Java: internal.osp.framework.OSPTenant$ProbeTlsTask.run() [2659] thread=osp-common-thread-4
Time: 2020-01-02T18:39:35.101+0100
Elapsed time: 814.781 microseconds
Log Data: One or more weak TLS protocols are enabled:
Interface: ABCAPP1060.idmadprep.abc.com
Port: 8443
Protocol(s): TLSv1

Thanks

Siva ram T
