EKantyshev Frequent Contributor.

Authentication error [UA 4.7.2]

Hello!

After updating UA from 4.7 to 4.7.2 I can't log in to the UA portal. I get the following error after entering the login/password and pressing the 'Next' button on the login page:

[image: https://c.radikal.ru/c13/1902/fa/23a4a771a15e.png]
In catalina.out I see a bunch of 'An error occurred while attempting to authenticate.' errors:

[image: https://d.radikal.ru/d33/1902/9d/f2934101e873.png]
I assume this may be related to some certificate issue, but I did nothing with certificates during the update. And it worked fine before the update.

What can be the reason for this error? What should I check and do to fix it?
Knowledge Partner

Re: Authentication error [UA 4.7.2]

On 2/22/2019 7:24 AM, EKantyshev wrote:
>
> Hello!
>
> After updating UA from 4.7 to 4.7.2 I can't login to the UA portal. I
> get the following error after entering the login/password and press the
> 'Next' button on the login page:
>
> [image: https://c.radikal.ru/c13/1902/fa/23a4a771a15e.png]
>
> In catalina.out I see a bunch of 'An error occurred while attempting to
> authenticate.' errors:
>
> [image: https://d.radikal.ru/d33/1902/9d/f2934101e873.png]
>
> I assume this may be related to some certificate issue, but I did
> nothing with certificates during the update. And it works fine before
> the update.
>
> What can be the reason for this error? What should I check and do to fix
> it?


One quick thing to consider: in JVM 1.8 at some rev (which IDG35 and
IDM 472 move to, I believe) the Subject name of the Cert must match the
DNS name of the URL used in Identity Apps.

Check your private key (for Tomcat front end) subject name.
CN=myid.acme.com if your IA are at https://myid.acme.com

I think you can get away with Subject Alternate Names. And you can turn
this validation off, I have the Java opt somewhere if you need it.
(Better to fix the cert really).

EKantyshev Frequent Contributor.

Re: Authentication error [UA 4.7.2]

Hi Geoffrey!

I've created a new keystore file in my .../tomcat/conf directory. During creation, for first and last name I specified the fully qualified name of the server (let's say myid.acme.com). After that, I generated a certificate request and issued a new self-signed certificate using iManager. I imported this new cert into the keystore I created earlier with the alias "uaportal". I see this certificate with the following parameters:
Alias name: uaportal
Entry type: PrivateKeyEntry
Owner: CN=myid.acme.com
Issuer: O=MY_TREE, OU=OrganizationalCA
....

Also I imported this cert into /opt/netiq/common/jre/lib/security/cacerts

After that I exported the CA certificate and imported it into my keystore with the -trustcacerts key.
I see the CA cert with the following parameters:
Alias name: trustedcert
Entry type: trustedCertEntry
Owner: O=MY_TREE, OU=OrganizationalCA
Issuer: O=MY_TREE, OU=OrganizationalCA
....

At the end I ran configupdate.sh, went to the Authentication tab and under Authentication Server parameters specified my new keystore and password for it. Restarted netiq-tomcat and netiq-activemq.

So, I open my browser, clear the cache, enter https://myid.acme.com:8543/idmdash and get the same result as above - Error. And in the browser I see that https://myid.acme.com uses my new certificate with CN=myid.acme.com
The problem is still here - any ideas?
Knowledge Partner

Re: Authentication error [UA 4.7.2]

On 2/25/2019 6:44 AM, EKantyshev wrote:
>
> Hi Geoffrey!
>
> I've created a new keystore file at my .../tomcat/conf directory. During
> creation for first and last name I specified the fully qualified name of
> the server (lets say myid.acme.com). Afer that, I generated a
> certificate request and issued a new self-signed certificate using
> iManager. Import this new cert to the keystore I've created earlier with
> the alias "uaportal". I see this certificate with following parameters:
> Alias name: uaportal
> Entry type: PrivateKeyEntry
> Owner: CN=myid.acme.com
> Issuer: O=MY_TREE, OU=OrganizationalCA
> ....
>
> Also I imported this cert to the
> /opt/netiq/common/jre/lib/security/cacerts
>
> After that I exported CA certificate and import it to my keystore with
> -trustcacerts key.
> I see CA cert with following parameters:
> Alias name: trustedcert
> Entry type: trustedCertEntry
> Owner: O=MY_TREE, OU=OrganizationalCA
> Issuer: O=MY_TREE, OU=OrganizationalCA
> ....
>
> At the end I ran configupdate.sh, went to the Authentication tab and
> under Authentication Server parameters specified my new keystore and
> password for it. Restarted netiq-tomcat and netiq-activemq.
>
> So, I open my browser, clear cache, enter
> https://myid.acme.com:8543/idmdash and get the same result as abowe -
> Error. And in browser I see that https://myid.acme.com uses my new
> certificate with CN=myid.acme.com
> The problem is still here - any ideas?


Ok, great work on proving this is NOT the issue. And thank you for the
detailed write up for the next person who runs into it.

So before we move off this issue, there are two keystores in use: Tomcat
and OSP. Tomcat's is specified in the server.xml and OSP's in the
ism-configuration.properties (which is managed via the GUI
Configupdate.sh).

Make sure all three (osp, tomcat, cacerts) trust each other. That is,
for any private key (osp/tomcat) the public key should be trusted in
the other two keystores.

What cert (private key) is OSP using? Make sure the same is true. Now
the OSP one is MOSTLY used when you SAML federate it, but still.

EKantyshev Frequent Contributor.

Re: Authentication error [UA 4.7.2]

There was only one cert in my osp.jks keystore. The IP address of my IDV server was specified as Issuer and Owner there. I don't know when this cert was generated (I assume it was generated automatically during the Identity Application installation).

So, what I did now:

I have:
- cert.der - CA certificate I export from iManager
- IDMcertrequest.der - UA portal certificate issued by CA

0. Stop netiq-tomcat and netiq-activemq:
systemctl stop netiq-tomcat
systemctl stop netiq-activemq

1. Create a new osp.jks:
keytool -genkey -keyalg RSA -keysize 2048 -keystore osp.jks -storepass PASS -keypass PASS -alias osp -validity 1800 -dname "cn=UA_HOST.acme.com"

2. Export the public key from osp.jks:
keytool -keystore osp.jks -storepass PASS -export -alias osp -file osp.pub

3. Import osp.pub into the cacerts and tomcat.ks keystores:
keytool -keystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -storepass PASS -import -alias osp -file osp.pub -trustcacerts
keytool -keystore /opt/netiq/common/jre/lib/security/cacerts -storepass PASS -import -alias osp -file osp.pub -trustcacerts

4. Export the public key from tomcat.ks:
keytool -keystore tomcat.ks -storepass PASS -export -alias uaportal -file uaportal.pub

5. Import uaportal.pub into the cacerts and osp.jks keystores:
keytool -keystore /opt/netiq/common/jre/lib/security/cacerts -storepass PASS -import -alias uaportal -file uaportal.pub -trustcacerts
keytool -keystore /opt/netiq/idm/apps/osp/osp.jks -storepass PASS -import -alias uaportal -file uaportal.pub -trustcacerts

6. Export cert.der to cacerts, osp.jks and tomcat.ks:
keytool -import -trustcacerts -alias trustedcert -keystore /opt/netiq/common/jre/lib/security/cacerts -file cert.der
keytool -import -trustcacerts -alias trustedcert -keystore /opt/netiq/idm/apps/osp/osp.jks -file cert.der
keytool -import -trustcacerts -alias trustedcert -keystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -file cert.der

7. Run configupdate.sh and specify Authentication Keys:
Keystore file: /opt/netiq/idm/apps/osp/osp.jks
Keystore type: JKS
Keystore password: PASS
Pub/Priv key pair alias: osp
Pub/Priv key pair password: PASS

8. Start netiq-tomcat and netiq-activemq:
systemctl start netiq-tomcat
systemctl start netiq-activemq

9. Open the browser, clear the cache, enter the URL https://myid.acme.com:8543/idmdash

And get the same error...

What's wrong? Maybe I did something wrong with osp.jks when I created it? Let's say, is it correct to use the host DN as CN, or must I use the URL for my UA portal?
EKantyshev Frequent Contributor.

Re: Authentication error [UA 4.7.2]

Hi Geoffrey.

It seems I've found what the issue is in my case. As described here (https://forums.novell.com/showthread.php/511116-Unable-to-log-onto-UserApp-after-updating-to-4-7-2?p=2495047#post2495047), the URLs for OSP in my ism-configuration.properties file differ from the ones present at https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration.

In the ism-configuration.properties file I have:
com.netiq.idm.osp.url.host = https://myid.acme.com:8543

But at https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration I see the following:
{
"issuer":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2",
"authorization_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/auth",
"token_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/token",
"userinfo_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/userinfo",
"jwks_uri":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/jwks",
"revocation_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/revoke",
"introspection_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/introspect",
.....

And I want my ism-configuration.properties to be like: com.netiq.idm.osp.url.host = https://myid.acme.com:8543 and at https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration I want to see:

{
"issuer":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2",
"authorization_endpoint":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/auth",
"token_endpoint":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/token",
"userinfo_endpoint":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/userinfo",
"jwks_uri":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/jwks",
"revocation_endpoint":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/revoke",
"introspection_endpoint":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/introspect",
.....

Because the certificate I have for the UA portal is issued for myid.acme.com and not for UA_HOST.acme.com.

Can you please tell me when these "issuer", "authorization_endpoint", etc. values are generated? Is it possible to change them?
AGroome Absent Member.

Re: Authentication error [UA 4.7.2]

EKantyshev;2496336 wrote:
Hi Geoffrey.

It seems I've found what the issue is in my case. As described here (https://forums.novell.com/showthread.php/511116-Unable-to-log-onto-UserApp-after-updating-to-4-7-2?p=2495047#post2495047), the URLs for OSP in my ism-configuration.properties file differ from the ones present at https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration.

In the ism-configuration.properties file I have:
com.netiq.idm.osp.url.host = https://myid.acme.com:8543

But at https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration I see the following:
{
"issuer":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2",
"authorization_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/auth",
"token_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/token",
"userinfo_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/userinfo",
"jwks_uri":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/jwks",
"revocation_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/revoke",
"introspection_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/introspect",
.....

And I want my ism-configuration.properties to be like: com.netiq.idm.osp.url.host = https://myid.acme.com:8543 and at https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration I want to see:

{
"issuer":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2",
"authorization_endpoint":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/auth",
"token_endpoint":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/token",
"userinfo_endpoint":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/userinfo",
"jwks_uri":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/jwks",
"revocation_endpoint":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/revoke",
"introspection_endpoint":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/introspect",
.....

Because the certificate I have for the UA portal is issued for myid.acme.com and not for UA_HOST.acme.com.

Can you please tell me when these "issuer", "authorization_endpoint", etc. values are generated? Is it possible to change them?

One of our 4.7.2 UserApplication servers is having the same problem as above.
After changing all the required keystores and ism-configuration.properties values, the open-id configuration still shows the UA_HOST instead of the new domain listed for the certificate.
We have multiple UAs in multiple environments where this process worked fine (and the open-id configuration updated appropriately), however this single node has not.

Does anyone know where the open-id configuration gets the server information from?
Knowledge Partner
</gr_replreplace>
<gr_replace lines="379-380" cat="clarify" orig="It is supposed to get it">
It is supposed to get it from the config file. However, sometimes it
seems like it gets it wrong. There is an override parameter in OSP 6.3.x:

Re: Authentication error [UA 4.7.2]

On 5/8/2019 9:44 PM, AGroome wrote:
>
> EKantyshev;2496336 Wrote:
>> Hi Geoffrey.
>>
>> It's seemed I've found what's the issue in my case. As it is described
>> here
>> (https://forums.novell.com/showthread.php/511116-Unable-to-log-onto-UserApp-after-updating-to-4-7-2?p=2495047#post2495047)
>> I have different URLs for OSP in my ism.configuration.properties file
>> and the ones that are present at
>> https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration.
>>
>> In ism.configuration.properties file I have:
>> com.netiq.idm.osp.url.host = https://*myid.acme.com*:8543
>>
>> But at
>> https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration
>> I see the following:
>> {
>> "issuer":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2",
>>
>> "authorization_endpoint":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/auth",
>>
>> "token_endpoint":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/token",
>>
>> "userinfo_endpoint":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/userinfo",
>>
>> "jwks_uri":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/jwks",
>>
>> "revocation_endpoint":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/revoke",
>>
>> "introspection_endpoint":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/introspect",
>> .....
>>
>> And I want my ism.configuration.properties be like:
>> com.netiq.idm.osp.url.host = https://*myid.acme.com*:8543 and at
>> https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration
>> I want to see:
>>
>> {
>> "issuer":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2",
>>
>> "authorization_endpoint":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/auth",
>>
>> "token_endpoint":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/token",
>>
>> "userinfo_endpoint":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/userinfo",
>> "jwks_uri":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/jwks",
>>
>> "revocation_endpoint":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/revoke",
>>
>> "introspection_endpoint":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/introspect",
>> .....
>>
>> Because the certificate I have for UA portal is issued for myid.acme.com
>> and not for UA_HOST.acme.com
>>
>> Tell me please when these "issuer", "authorization_endpoint", etc.
>> tokens are generated? Is it possible to change it?

>
>
>
> One of our 4.7.2 UserApplication servers is having the same problem as
> above.
> After changing all the required keystores and
> ism-configuration.properties values, the open-id configuration still
> shows the UA_HOST instead of the new domain listed for the certificate.
> We have multiple UAs in multiple environments where this process worked
> fine (and the open-id configuration updated appropriately), however this
> single node has not.
>
> Does anyone know where the open-id configuration gets the server
> information from?


It is supposed to get it from the config file. However sometimes it
seems like it gets it wrong. There is an override parameter in OSP 6.3.x

com.netiq.idm.osp.tenant.http-interfaces = myid.acme.com


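A check for the mismatch EKantyshev found above (the host in com.netiq.idm.osp.url.host versus the hosts advertised in OSP's openid-configuration), written here as an added example; it is not code from the thread or from the NetIQ product. It parses the properties file with a minimal reader, compares the host:port of every discovery URL against the configured one, and reports whether the com.netiq.idm.osp.tenant.http-interfaces override Geoffrey mentions is present at all; the sample properties and discovery JSON are constructed from the values quoted in the thread.

```python
"""Compare OSP's OpenID discovery document against ism-configuration.properties.

Added example (not part of the forum thread or the NetIQ product).
Sample inputs below are constructed from the values quoted in the thread.
"""
import json
from urllib.parse import urlparse

OSP_HOST_KEY = "com.netiq.idm.osp.url.host"
# Override key quoted in the thread; this check only reports its presence.
OVERRIDE_KEY = "com.netiq.idm.osp.tenant.http-interfaces"
URL_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
            "userinfo_endpoint", "jwks_uri", "revocation_endpoint",
            "introspection_endpoint")


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:  # Java also allows 'key: value'
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def discovery_mismatches(props, discovery):
    """Return (expected_netloc, [(key, actual_netloc), ...], override_present).

    expected_netloc is host:port taken from com.netiq.idm.osp.url.host.
    Any discovery URL whose host:port differs is reported: the browser then
    validates a TLS certificate for one name while OSP redirects and issues
    tokens for another, which is the login failure seen in this thread.
    """
    expected = urlparse(props[OSP_HOST_KEY]).netloc.lower()
    bad = []
    for key in URL_KEYS:
        url = discovery.get(key)
        if url is None:
            continue  # truncated or partial document: skip silently
        actual = urlparse(url).netloc.lower()
        if actual != expected:
            bad.append((key, actual))
    return expected, bad, OVERRIDE_KEY in props


# Constructed sample input, modelled on the thread's quoted values.
SAMPLE_PROPS = "com.netiq.idm.osp.url.host = https://myid.acme.com:8543\n"
SAMPLE_DISCOVERY = json.loads("""{
 "issuer":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2",
 "authorization_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/auth",
 "token_endpoint":"https://UA_HOST.acme.com:8543/osp/a/idm/auth/oauth2/token",
 "jwks_uri":"https://myid.acme.com:8543/osp/a/idm/auth/oauth2/jwks"
}""")


def check_sample():
    return discovery_mismatches(parse_properties(SAMPLE_PROPS), SAMPLE_DISCOVERY)


if __name__ == "__main__":
    expected, bad, override = check_sample()
    print("configured host:", expected, "| override key present:", override)
    for key, actual in bad:
        print(f"MISMATCH {key}: advertises {actual}")
```

On a live server, feed it the real ism-configuration.properties and the JSON fetched from /osp/a/idm/auth/oauth2/.well-known/openid-configuration instead of the samples.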
AGroome Absent Member.

Re: Authentication error [UA 4.7.2]

geoffc;2499450 wrote:
On 5/8/2019 9:44 PM, AGroome wrote:
>
> EKantyshev;2496336 Wrote:
>> Hi Geoffrey.
>>
>> It's seemed I've found what's the issue in my case. As it is described
>> here
>> (https://forums.novell.com/showthread.php/511116-Unable-to-log-onto-UserApp-after-updating-to-4-7-2?p=2495047#post2495047)
>> I have different URLs for OSP in my ism.configuration.properties file
>> and the ones that are present at
>> https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration.
>>
>> In ism.configuration.properties file I have:
>> com.netiq.idm.osp.url.host = https://*myid.acme.com*:8543
>>
>> But at
>> https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration
>> I see the following:
>> {
>> "issuer":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2",
>>
>> "authorization_endpoint":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/auth",
>>
>> "token_endpoint":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/token",
>>
>> "userinfo_endpoint":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/userinfo",
>>
>> "jwks_uri":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/jwks",
>>
>> "revocation_endpoint":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/revoke",
>>
>> "introspection_endpoint":"https://*UA_HOST.acme.com*:8543/osp/a/idm/auth/oauth2/introspect",
>> .....
>>
>> And I want my ism.configuration.properties be like:
>> com.netiq.idm.osp.url.host = https://*myid.acme.com*:8543 and at
>> https://myid.acme.com:8543/osp/a/idm/auth/oauth2/.well-known/openid-configuration
>> I want to see:
>>
>> {
>> "issuer":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2",
>>
>> "authorization_endpoint":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/auth",
>>
>> "token_endpoint":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/token",
>>
>> "userinfo_endpoint":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/userinfo",
>> "jwks_uri":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/jwks",
>>
>> "revocation_endpoint":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/revoke",
>>
>> "introspection_endpoint":"https://*myid.acme.com*:8543/osp/a/idm/auth/oauth2/introspect",
>> .....
>>
>> Because the certificate I have for UA portal is issued for myid.acme.com
>> and not for UA_HOST.acme.com
>>
>> Tell me please when these "issuer", "authorization_endpoint", etc.
>> tokens are generated? Is it possible to change it?

>
>
>
> One of our 4.7.2 UserApplication servers is having the same problem as
> above.
> After changing all the required keystores and
> ism-configuration.properties values, the open-id configuration still
> shows the UA_HOST instead of the new domain listed for the certificate.
> We have multiple UAs in multiple environments where this process worked
> fine (and the open-id configuration updated appropriately), however this
> single node has not.
>
> Does anyone know where the open-id configuration gets the server
> information from?


It is supposed to get it from the config file. However sometimes it
seems like it gets it wrong. There is an override parameter in OSP 6.3.x

com.netiq.idm.osp.tenant.http-interfaces = myid.acme.com



Thanks Geoff, that was indeed missing in the ism-config for that node.
Knowledge Partner

Re: Authentication error [UA 4.7.2]

>>> Does anyone know where the open-id configuration gets the server
>>> information from?

>>
>> It is supposed to get it from the config file. However sometimes it
>> seems like it gets it wrong. There is an override parameter in OSP
>> 6.3.x
>>
>> com.netiq.idm.osp.tenant.http-interfaces = myid.acme.com

>
>
> Thanks Geoff, that was indeed missing in the ism-config for that node.


Supposedly next OSP release will provide this for everyone. There are
tons of settings not exposed that OSP supports. This came up in the
Identity Governance forum, which also uses OSP and is pushing OSP
feature development forward.

pieperen Absent Member.

Re: Authentication error [UA 4.7.2]

We encountered the same error.

Our solution was adding the option -Dcom.sun.security.enableCRLDP=true to CATALINA_OPTS in setenv.sh.
Could you try this? Hopefully it helps in your environment too.

Kind regards

Peter van Ieperen