mjg2xw
New Member.

The global configuration for your server was not found...

Hi

Running a new installation of IG 3.5 on Windows Server 2016, MSSQL

Login/OSP integration to IDM 4.7.1 AE. All the auth/OSP in IDM UserApp/Portal/Reporting is working fine = SSO

Governance OSP is configured to use the OSP in the IDM

When trying to log in to Governance, I get this error.

The global configuration for your server was not found. Check to make sure your ism-configuration.properties file is available


Our internal DNS domain prefix is "intern.ucl.dk", but we use the DNS Prefix "ucl.dk" for all the WWW. The certificate for the brugerportal.ucl.dk is a Star certificate = *.ucl.dk

Catalina log....

[SEVERE] 2019-04-24 17:40:36 com.netiq.iac.client.filter.RESTPathFilter doFilter - Identity Governance is not configured correctly: internal.atlaslite.jcce.oauth2.discovery.WrongIssuerException: Invalid issuer. Expected: 'https://brugerportal.ucl.dk:8443/osp/a/idm/auth/oauth2; actual: 'https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2'.

Best regards
Michael
Micro Focus Expert

Re: The global configuration for your server was not found...

On 4/24/19 11:54 AM, mJg2XW wrote:
>
> Hi
>
> Running a new installation of IG 3.5 on Windows Server 2016, MSSQL
>
> Login/OSP integration to IDM 4.7.1 AE. All the auth/OSP in IDM
> UserApp/Portal/Reporting is working fine = SSO
>
> Governance OSP is configured to use the OSP in the IDM
>
> When trying to log in to Governance, I get this error.
>
> -The global configuration for your server was not found. Check to make
> sure your ism-configuration.properties file is available-
>
>
> Our internal DNS domain prefix is "intern.ucl.dk", but we use the DNS
> Prefix "ucl.dk" for all the WWW. The certificate for the
> brugerportal.ucl.dk is a Star certificate = *.ucl.dk
>
> Catalina log....
>
> [SEVERE] 2019-04-24 17:40:36 com.netiq.iac.client.filter.RESTPathFilter
> doFilter - Identity Governance is not configured correctly:
> internal.atlaslite.jcce.oauth2.discovery.WrongIssuerException: Invalid
> issuer. Expected:
> 'https://brugerportal.ucl.dk:8443/osp/a/idm/auth/oauth2; actual:
> 'https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2'.
>
> Best regards
> Michael
>
>

Greetings,

1) The error about
"
The global configuration for your server was not found. Check to make
sure your ism-configuration.properties file is available
"
- Could be because the redirect URLs are not correct in the OSP server
as compared to ID Gov's value
- Could be the SSO secrets are not matching between the two
- The certificate chains for the server(s) are not installed in the
necessary locations for the WAR to WAR communications


2) Please be aware that per the OAuth spec server URLs are compared on
exact case. So you will have an issue with the value of
"IDM47Userapp.intern.ucl.dk"

Because if you put that in a browser it will lowercase everything before
the port in a URL. Which means it will be:

idm47userapp.intern.ucl.dk

Since "idm47userapp.intern.ucl.dk" will not equal
"IDM47Userapp.intern.ucl.dk"

That will cause a problem.


3) You also have to review what DNS names are returned from the IP of your
server. As part of OpenID Connect there is an additional lookup and
other DNS names may come back from the IP lookup and could cause some
issues.






--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
mjg2xw
New Member.

Re: The global configuration for your server was not found..

Hi

All the URLs are set up with "brugerportal.ucl.dk", have checked the IDM AE and the Governance twice :). Gone through all the "...properties" files that I can find on the two servers.

The internal DNS / prefix is = intern.ucl.dk. If I do an nslookup on brugerportal.ucl.dk I get back the IP address 10.0.0.35, if I do an nslookup on 10.0.0.35 I get back idm47userapp.intern.ucl.dk

Best regards
Michael
Micro Focus Expert

Re: The global configuration for your server was not found...

On 4/24/19 12:44 PM, mJg2XW wrote:
>
> Hi
>
> All the URLs are set up with "brugerportal.ucl.dk", have checked the IDM AE
> and the Governance twice :). Gone through all the "...properties" files that
> I can find on the two servers.
>
> The internal DNS / prefix is = intern.ucl.dk. If I do an nslookup on
> *brugerportal.ucl.dk* I get back the IP address *10.0.0.35*, if I do an
> nslookup on *10.0.0.35* I get back *idm47userapp.intern.ucl.dk*
>
> Best regards
> Michael
>
>

Greetings,

1) What are the results for the 7 URLs at the top of the page when you go to:

%host%:%port%/osp/a/idm/auth/oauth2/.well-known/openid-configuration


2) What is the exact version of OSP that you are using? Since you
outlined you have IDM 4.7.1 and that is where OSP is, did you install
the OSP 6.3.1 patch on this IDM server?

Please check the version of the WAR and the osp-conf jar.




*Note: OSP 6.3.1 is the min required version of OSP for ID Gov 3.5.x.
Any earlier version of OSP will not work.



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
mjg2xw
New Member.

Re: The global configuration for your server was not found..

Hi

Ahhhhhhhhhhhhh:)

I have totally missed the OSP version part..

1.) Output..
issuer "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2"
authorization_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/grant"
token_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/grant"
userinfo_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/userinfo"
jwks_uri "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/jwks"
revocation_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/revoke"
introspection_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/introspect"

2.) OSP Version
The OSP version on the IDM 4.7.1 is 6.2.2

Question. Can I just install the OSP 6.3.1 patch on the IDM 4.7.1 or do I need to upgrade IDM to version 4.7.2?

Best regards
Michael
Micro Focus Expert

Re: The global configuration for your server was not found...

On 4/25/19 3:14 AM, mJg2XW wrote:
>
> Hi
>
> Ahhhhhhhhhhhhh:)
>
> I have totally missed the OSP version part..
>
> 1.) Output..
> issuer "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2"
> authorization_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/grant"
> token_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/grant"
> userinfo_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/userinfo"
> jwks_uri "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/jwks"
> revocation_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/revoke"
> introspection_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/introspect"
>
> 2.) OSP Version
> The OSP version on the IDM 4.7.1 is 6.2.2
>
> Question. Can I just install the OSP 6.3.1 patch on the IDM 4.7.1 or do
> I need to upgrade IDM to version 4.7.2?
>
> Best regards
> Michael
>
>

Greetings,
You can install just the OSP 6.3.1 patch that was released for IDM
4.7.1. You should look to upgrade to 4.7.2 as soon as you can.



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
mjg2xw
New Member.

Re: The global configuration for your server was not found..

Hi

The OSP on IDM 4.7.1 is now updated to version 6.3.1

Unfortunately the problem is still the same:(

Catalina log from the IG server

[SEVERE] 2019-04-25 18:21:10 com.netiq.iac.client.filter.RESTPathFilter doFilter - Identity Governance is not configured correctly: internal.atlaslite.jcce.oauth2.discovery.WrongIssuerException: Invalid issuer. Expected: 'https://brugerportal.ucl.dk:8443/osp/a/idm/auth/oauth2; actual: 'https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2'.





The output from the command "%host%:%port%/osp/a/idm/auth/oauth2/.well-known/openid-configuration"...


issuer "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2"
authorization_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/grant"
token_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/grant"
userinfo_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/userinfo"
jwks_uri "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/jwks"
revocation_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/revoke"
introspection_endpoint "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/introspect"

WEB UI for the Governance

The global configuration for your server was not found. Check to make sure your ism-configuration.properties file is available.
Best regards
Michael
Micro Focus Expert

Re: The global configuration for your server was not found...

On 4/25/19 12:34 PM, mJg2XW wrote:
>
> Hi
>
> The OSP on IDM 4.7.1 is now updated to version 6.3.1
>
> Unfortunately the problem is still the same:(
>
> *Catalina log from the IG server*
>
> [SEVERE] 2019-04-25 18:21:10 com.netiq.iac.client.filter.RESTPathFilter
> doFilter - Identity Governance is not configured correctly:
> internal.atlaslite.jcce.oauth2.discovery.WrongIssuerException: Invalid
> issuer. Expected:
> 'https://brugerportal.ucl.dk:8443/osp/a/idm/auth/oauth2; actual:
> 'https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2'.
>
>
>
>
> *
> The output from the command
> "%host%:%port%/osp/a/idm/auth/oauth2/.well-known/openid-configuration"...*
>
> issuer "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2"
> authorization_endpoint
> "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/grant"
> token_endpoint
> "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/grant"
> userinfo_endpoint
> "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/userinfo"
> jwks_uri
> "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/jwks"
> revocation_endpoint
> "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/revoke"
> introspection_endpoint
> "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/introspect"
>
> *WEB UI for the Governance*
>
> The global configuration for your server was not found. Check to make
> sure your ism-configuration.properties file is available.
> Best regards
> Michael
>
>

Greetings,
What is the value in the ism-configuration.properties file (vi
configupdate) on the ID Gov server for the redirects? Similarly, what are
the values seen in configutil? What are the values seen in the
ism-configuration.properties file on the OSP server?

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
mjg2xw
New Member.

Re: The global configuration for your server was not found..

Hi

All entries/URLs in the "ism-configuration.properties" files or the Config GUI are brugerportal.ucl.dk or governance.ucl.dk. There is no reference to the URL=IDM47Userapp.intern.ucl.dk anywhere.

The "IDM47Userapp.intern.ucl.dk" is the internal AD DNS name/Domain EQ IP address 10.0.0.35. If I do an nslookup 10.0.0.35 it will give me back IDM47Userapp.intern.ucl.dk.

Does the (OSP)/Governance do some reverse IP lookup??

IDM47Userapp.intern.ucl.dk and brugerportal.ucl.dk are the same thing, the same Windows Server and the same IP address: 10.0.0.35

Best regards
Michael
Micro Focus Expert

Re: The global configuration for your server was not found...

On 2019-04-25 19:44, mJg2XW wrote:
> Does the (OSP)/Governance do some reverse IP lookup??


Yes. You can explicitly set origin to be used by adding

com.netiq.idm.osp.tenant.http-interfaces = ${com.netiq.idm.osp.url.host}

to the ism-configuration.properties

--
Norbert
mjg2xw
New Member.

Re: The global configuration for your server was not found..

HI

The problem is still the same..:(

[SEVERE] 2019-04-26 08:41:07 com.netiq.iac.client.filter.RESTPathFilter doFilter - Identity Governance is not configured correctly: internal.atlaslite.jcce.oauth2.discovery.WrongIssuerException: Invalid issuer. Expected: 'https://brugerportal.ucl.dk:8443/osp/a/idm/auth/oauth2; actual: 'https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2'.

I have done the "com.netiq.idm.osp.tenant.http-interfaces = brugerportal.ucl.dk" in the "ism-configuration.property" on the Governance Server, is this correct???

Best regards
Michael
Micro Focus Expert

Re: The global configuration for your server was not found...

On 2019-04-26 08:54, mJg2XW wrote:
>
> HI
>
> The problem is still the same..:(
>
> [SEVERE] 2019-04-26 08:41:07 com.netiq.iac.client.filter.RESTPathFilter
> doFilter - Identity Governance is not configured correctly:
> internal.atlaslite.jcce.oauth2.discovery.WrongIssuerException: Invalid
> issuer. Expected:
> 'https://brugerportal.ucl.dk:8443/osp/a/idm/auth/oauth2; actual:
> 'https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2'.
>
> I have done the "com.netiq.idm.osp.tenant.http-interfaces =
> brugerportal.ucl.dk" in the "ism-configuration.property" on the
> Governance Server, is this correct???


It should be the full origin, i.e. if you haven't defined the property
com.netiq.idm.osp.url.host you should set it as:
com.netiq.idm.osp.tenant.http-interfaces = https://brugerportal.ucl.dk:8443


--
Norbert
Micro Focus Expert

Re: The global configuration for your server was not found...

On 4/25/19 1:44 PM, mJg2XW wrote:
>
> Hi
>
> All entries/URLs in the "ism-configuration.properties" files or the Config
> GUI are brugerportal.ucl.dk or governance.ucl.dk. There is no
> reference to the URL=IDM47Userapp.intern.ucl.dk anywhere.
>
> The "IDM47Userapp.intern.ucl.dk" is the internal AD DNS name/Domain EQ
> IP address 10.0.0.35. If I do an nslookup 10.0.0.35 it will give me back
> IDM47Userapp.intern.ucl.dk.
>
> Does the (OSP)/Governance do some reverse IP lookup??
>
> IDM47Userapp.intern.ucl.dk and brugerportal.ucl.dk are the same thing,
> the same Windows Server and the same IP address: 10.0.0.35
>
> Best regards
> Michael
>
>

Greetings,
Yes, it is a part of the work done with the OAuth and OpenID Connect.
One can adjust so that the look-up will return the "correct" values or
you can update the ism-configuration.property files with

com.netiq.idm.osp.tenant.http-interfaces = %The-value-for-OSP%

In your case it should be:

com.netiq.idm.osp.tenant.http-interfaces = brugerportal.ucl.dk

based upon your posts. Once updated, a restart of the tomcat servers is
required.



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Micro Focus Expert

Re: The global configuration for your server was not found...

On 4/25/19 8:40 PM, Steven Williams wrote:
> On 4/25/19 1:44 PM, mJg2XW wrote:
>>
>> Hi
>>
>> All entries/URLs in the "ism-configuration.properties" files or the Config
>> GUI are brugerportal.ucl.dk or governance.ucl.dk. There is no
>> reference to the URL=IDM47Userapp.intern.ucl.dk anywhere.
>>
>> The "IDM47Userapp.intern.ucl.dk" is the internal AD DNS name/Domain EQ
>> IP address 10.0.0.35. If I do an nslookup 10.0.0.35 it will give me back
>> IDM47Userapp.intern.ucl.dk.
>>
>> Does the (OSP)/Governance do some reverse IP lookup??
>>
>> IDM47Userapp.intern.ucl.dk and brugerportal.ucl.dk are the same thing,
>> the same Windows Server and the same IP address: 10.0.0.35
>>
>> Best regards
>> Michael
>>
>>

> Greetings,
>    Yes, it is a part of the work done with the OAuth and OpenID Connect.
>  One can adjust so that the look-up will return the "correct" values or
> you can update the ism-configuration.property files with
>
> com.netiq.idm.osp.tenant.http-interfaces = %The-value-for-OSP%
>
> In your case it should be:
>
> com.netiq.idm.osp.tenant.http-interfaces = brugerportal.ucl.dk
>
> based upon your posts.  Once updated, a restart of the tomcat servers is
> required.
>
>
>

Greetings,
Please be advised that in the next full release of ID Gov we will
provide a configuration setting for this kind of situation.



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
mjg2xw
New Member.

Re: The global configuration for your server was not found..

Hi

An update/solution :)

When we/I updated the "ism-configuration.property" on the OSP Server, and not on the Governance Server, then it works

Added to the .property file...
com.netiq.idm.osp.tenant.http-interfaces = brugerportal.ucl.dk

Thanks to all for the help
Michael
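
The issuer check behind the WrongIssuerException in this thread, as an added example (not part of the thread and not OSP or Identity Governance code): it compares the expected issuer with the one in the discovery document as exact, case-sensitive strings and names the URL component that differs. The function names are hypothetical, and the sample document is constructed from the values posted above.

```python
from urllib.parse import urlsplit

# Constructed sample input: two of the seven discovery values posted in the thread.
DISCOVERY = {
    "issuer": "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2",
    "jwks_uri": "https://IDM47Userapp.intern.ucl.dk:8443/osp/a/idm/auth/oauth2/jwks",
}
# The issuer the Identity Governance side expects, taken from the Catalina log line.
EXPECTED_ISSUER = "https://brugerportal.ucl.dk:8443/osp/a/idm/auth/oauth2"


def diagnose_issuer(expected, discovery):
    """Return a list of findings; an empty list means the issuer check passes."""
    actual = discovery.get("issuer")
    if actual is None:
        return ["discovery document has no 'issuer' member"]
    if actual == expected:  # exact, case-sensitive string comparison
        return []
    exp, act = urlsplit(expected), urlsplit(actual)
    findings = []
    if exp.scheme != act.scheme:
        findings.append(f"scheme: expected {exp.scheme!r}, got {act.scheme!r}")
    if exp.hostname != act.hostname:  # .hostname is already lower-cased
        findings.append(f"host name: expected {exp.hostname!r}, got {act.hostname!r}")
    elif exp.netloc.rsplit(":", 1)[0] != act.netloc.rsplit(":", 1)[0]:
        findings.append("host name differs only in letter case")
    if exp.port != act.port:
        findings.append(f"port: expected {exp.port}, got {act.port}")
    if exp.path != act.path:
        findings.append(f"path: expected {exp.path!r}, got {act.path!r}")
    return findings or ["strings differ outside scheme/host/port/path"]


def endpoints_outside_issuer(expected, discovery):
    """Names of advertised URLs that do not sit under the expected issuer."""
    return sorted(
        key for key, value in discovery.items()
        if isinstance(value, str) and value.startswith("http")
        and not (value == expected or value.startswith(expected + "/"))
    )


if __name__ == "__main__":
    for finding in diagnose_issuer(EXPECTED_ISSUER, DISCOVERY):
        print("issuer mismatch:", finding)
    print("URLs still on another origin:",
          endpoints_outside_issuer(EXPECTED_ISSUER, DISCOVERY))
```

Running the same two functions against the live discovery document after the OSP-side property change and Tomcat restart should give an empty finding list and no URLs on another origin.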