sjoerdk Frequent Contributor.

IDM 4.5.2 Identity Applications suddenly broken


I'm having problems with the 4.5.2 Identity Applications. I've added a
post to this thread but decided to create a different post due to the
fact that I have a newer version.
http://tinyurl.com/prf9ps4

Last week I installed and patched a new environment. It's on the latest
eDir version (8.8.8 patch 6) with latest IDM and Identity Application
patches (4.5.2). The whole install went fine and I left the environment
in a working state. Today I tried to access the Identity Applications
and it failed:

1. go to IPaddress/landing
2. Log in with uaadmin account
3. landing page only displays a blue line at the top and an empty white
page
4. /IDMProv fails as well. After a minute of trying to load the page it
fails with the following error on screen (browser)


Code:
--------------------

Identity Manager authentication is not correctly configured or Identity Manager to eDirectory SAML communication is not functioning correctly. Please contact an administrator to correct the problem.

--------------------


catalina.out displays the following error:

Code:
--------------------

2015-12-16 14:16:37,949 [http-bio-8080-exec-4] INFO com.novell.pwdmgt.util.PasswordHelper- [RBPM] [Login_Failure] cn=uaadmin,o=Company failed to log in.
2015-12-16 14:16:37,951 [http-bio-8080-exec-4] ERROR com.novell.common.auth.JAASManager- [RBPM] Login failed for user: cn=uaadmin,o=Company

--------------------


/RRA also displays this error after a minute or so. When browsing to
http://server:8080/osp/a/idm/auth/app?sid=2 the One SSO platform does
display a logged in uaadmin user so it really seems like a SAML
problem.

Strange thing is that I am the only one with logins to the environment.
Nothing has changed in the past few days in configuration of eDirectory
or Tomcat/Identity Applications.

I've tried the following:
- Restarts of eDir and Tomcat Identity Applications (and the servers
themselves)
- Checked date/time of both servers (equal)
- Check in iManager if NMAS login method SAML assertion is in use (it
is)
- Have the configupdate.sh recreate the RBPMSAML object via advanced
options (works fine)
- Checked the SSO clients for errors (URLs and secrets)
- Checked the password policy for users that can resolve passwords
(removed a user, observed an SSPR error and re-added the user)

I really don't know what's going on and the logging doesn't help me
either apart from the fact that I can see that the uaadmin login fails
somehow.

Can someone please point me in a direction on how to debug this?


--
Sjoerdk
------------------------------------------------------------------------
Sjoerdk's Profile: https://forums.netiq.com/member.php?userid=1135
View this thread: https://forums.netiq.com/showthread.php?t=54941

Knowledge Partner

Re: IDM 4.5.2 Identity Applications suddenly broken

On 12/16/2015 9:44 AM, Sjoerdk wrote:
>
> I'm having problems with the 4.5.2 Identity Applications. I've added a
> post to this thread but decided to create a different post due to the
> fact that i have a newer version.
> http://tinyurl.com/prf9ps4
>
> Last week I installed and patched a new environment. It's on the latest
> eDir version (8.8.8 patch 6) with latest IDM and Identity Application
> patches (4.5.2). The whole install went fine and I left the environment
> in a working state. Today i tried to access the Identity Applications
> and it failed:
>
> 1. go to IPaddress/landing
> 2. Log in with uaadmin account
> 3. landing page only displays a blue line at the top and an empty white
> page
> 4. /IDMProv fails as well. After a minute of trying to load the page it
> fails with the following error on screen (browser)
>
>
> Code:
> --------------------
>
> Identity Manager authentication is not correctly configured or Identity Manager to eDirectory SAML communication is not functioning correctly. Please contact an administrator to correct the problem.
>
> --------------------
>
>
> catalina.out displays the following error:
>
> Code:
> --------------------
>
> 2015-12-16 14:16:37,949 [http-bio-8080-exec-4] INFO com.novell.pwdmgt.util.PasswordHelper- [RBPM] [Login_Failure] cn=uaadmin,o=Company failed to log in.
> 2015-12-16 14:16:37,951 [http-bio-8080-exec-4] ERROR com.novell.common.auth.JAASManager- [RBPM] Login failed for user: cn=uaadmin,o=Company
>
> --------------------
>
>
> /RRA also displays this error after a minute or so. When browsing to
> http://server:8080/osp/a/idm/auth/app?sid=2 the One SSO platform does
> display a logged in uaadmin user so it really seems like a SAML
> problem.
>
> Strange thing is that I am the only one with logins to the environment.
> Nothing has changed in the past few days in configuration of eDirectory
> or Tomcat/Identity Applications.
>
> I've tried the following:
> - Restarts of eDir and Tomcat Identity Applications (and the servers
> themselves)
> - Checked date/time of both servers (equal)
> - Check in iManager if NMAS login method SAML assertion is in use (it
> is)
> - Have the configupdate.sh recreate the RBPMSAML object via advanced
> options (works fine)
> - Checked the SSO clients for errors (URL's and secrets)
> - Checked the password policy for users that can resolve passwords
> (removed a user, observed an SSPR error and re-added the user)
>
> I really don't know what's going on and the logging doesn't help me
> either apart from the fact that i can see that the uaadmin login fails
> somehow.
>
> Can someone please point me in a direction how to debug this?


osp.log is next. Edit tomcat/bin/envset.sh and find the property ending
in WARN and change it to TRACE or ALL. (ALL is SUPER verbose).

See what errors come up there.

PS: In Catalina, look earlier, as IDMProv.war is deployed to see if SSO
filter is working or not.


sjoerdk Frequent Contributor.

Re: IDM 4.5.2 Identity Applications suddenly broken


Ok.. my reply just went away.. Second attempt:

I have 1 error in the OSP log. None in the catalina.out apart from the
already mentioned login failed for uaadmin. OSP filter is enabled (and
always has been).

OSP log:
Error
Class: com.novell.oidp.authentication.classes.sspr.SSPRChecksClass
Text: Get status request to SSPR returned an error
Code: 5027
Message: You do not have permission to perform the requested action

Strange thing is.. I tried to go to IDMProv, and not SSPR, so I'm not
even sure if this error is related.


--
Sjoerdk

Anonymous_User Absent Member.

Re: IDM 4.5.2 Identity Applications suddenly broken


That error is unrelated to the other problem. This is OSP trying to see
if you should be forced through SSPR to change password, add password
recovery, or update profile.

Here is a thread about that
https://forums.netiq.com/showthread.php?54794-Landing-App-and-SSPR

The last post by me explains the solution.


--
schwoerb

Anonymous_User Absent Member.

Re: IDM 4.5.2 Identity Applications suddenly broken


I am seeing similar issues. I have not submitted SRs yet, but I *think*
I have found two contributing factors.

First, clearing browser cookies has seemed to clear the issue most of
the time. Don't know why or what conditions of stale sessions cause
this.

Second, is that normally in SAML communications between an IDP and SP
for SSO, there is a client involved that puts enough back-and-forth that
the time isn't an issue as much. Between the issue instant from the IDP
which gets sent to the client browser and some generated redirects, to
the point it gets to the SP, nearly a second goes by so if the IDP and
SP are off by a few hundredths of a second (even when on NTP), no big
deal. In OSP and eDirectory, OSP is generating a SAML assertion (IDP)
to use in a SASL bind to eDirectory (SP). Even though the error is
an LDAP error 49 (bad credentials) it is actually a SASL error 1642. I
am assuming that there are sloppy error return codes and that the problem
is NTP. *NOT VERIFIED* So the NTP time needs to be much more precise
between those servers. When talking to my sysadmin, we were only
syncing time every few days, and since this is running in VMware the
time would be off by 1/4 sec or more. We are now at 64 seconds, not
as much of an issue (only since Friday though).


--
schwoerb

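To make the timing argument in the post above concrete, here is an added example (my own code, not from this thread and not NetIQ's OSP or eDirectory code) that validates a constructed SAML assertion's Conditions window against the SP's own clock with a configurable skew tolerance. The IDP timestamp, the 250 ms drift, the 300-second lifetime and the 500 ms tolerance are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
# Constructed IDP clock time for the samples below (same date as the thread's log).
IDP_NOW = datetime(2015, 12, 16, 14, 16, 37, tzinfo=timezone.utc)


def build_assertion(idp_now, lifetime_s=300):
    """Constructed minimal assertion: the Conditions window opens at the IDP's clock time."""
    not_before = idp_now.strftime(TS_FMT)
    not_on_or_after = (idp_now + timedelta(seconds=lifetime_s)).strftime(TS_FMT)
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"/>'
            '</saml:Assertion>' % (not_before, not_on_or_after))


def parse_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) as aware datetimes from the Conditions element."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    to_dt = lambda s: datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)
    return to_dt(cond.get("NotBefore")), to_dt(cond.get("NotOnOrAfter"))


def check_window(assertion_xml, sp_now, skew_ms=0):
    """Validate the window against the SP's clock; skew_ms is the tolerance the SP allows."""
    not_before, not_on_or_after = parse_window(assertion_xml)
    tol = timedelta(milliseconds=skew_ms)
    if sp_now + tol < not_before:
        lag_ms = (not_before - sp_now) / timedelta(milliseconds=1)
        return False, "not yet valid: SP clock is %.0f ms behind the IDP" % lag_ms
    if sp_now - tol >= not_on_or_after:
        return False, "expired: SP clock is past NotOnOrAfter"
    return True, "ok"


def demo():
    """Three SP clocks against one assertion: behind, ahead, behind but tolerant."""
    assertion = build_assertion(IDP_NOW)
    drift = timedelta(milliseconds=250)                                # assumed VM drift
    behind = check_window(assertion, IDP_NOW - drift)                  # strict SP rejects
    ahead = check_window(assertion, IDP_NOW + timedelta(seconds=1))    # SP clock ahead: accepted
    tolerant = check_window(assertion, IDP_NOW - drift, skew_ms=500)   # SP allows skew: accepted
    return behind[0], ahead[0], tolerant[0]


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

The "behind" case is the failure mode the post describes: with no browser round trip between issuing and validating, a quarter-second lag on the SP side is enough for a strict NotBefore check to reject the assertion, while an SP clock a second ahead, or an explicit tolerance, accepts it.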
sjoerdk Frequent Contributor.

Re: IDM 4.5.2 Identity Applications suddenly broken


Cookie clearing did not work. However: refreshing the page on /landing
causes a quick red error bar at the bottom of the page to appear, but
it's only visible for like 1/10th of a second. Trying to get the error
from that now 🙂 (the page itself is still only a blue line at the top
with the rest of the page blank).


--
Sjoerdk

Anonymous_User Absent Member.

Re: IDM 4.5.2 Identity Applications suddenly broken


Try purposefully setting the time on your eDirectory server to be a bit
fast and see if the problem goes away. My sysadmin won't allow me to do
that. The idea is that you want the eDirectory server to think it is
1-2 seconds faster than the Identity apps.

The other thing is that the problem for me is not OSP but the landing,
dash and IDMProv app. I see much better errors in catalina.out from
going to /IDMProv than from /landing or /dash. SSPR has never been a
problem because that doesn't try to bind to eDirectory as the end user
(using SASL/SAML).


--
schwoerb

sjoerdk Frequent Contributor.

Re: IDM 4.5.2 Identity Applications suddenly broken


I have no way of doing that either (in an easy way). I can confirm that
SSPR is working fine. All the other endpoints eventually give the error:
Identity Manager authentication is not correctly configured or Identity
Manager to eDirectory SAML communication is not functioning correctly.
The landing page (the blue line on top with the empty space) also
eventually produces this error. So I'm quite sure at this moment that
indeed eDirectory SAML is the problem. I did a tcpdump and observed
outgoing and incoming LDAP traffic so that connection seems fine
(although I must admit that I am not a networking expert). Furthermore,
like already stated, SSPR is working fine and the OSP endpoint shows a
logged in uaadmin user.

Inspecting iMonitor with NMAS tracing on when pressing ENTER on OSP
authentication screen (after browsing to /IDMProv) produces the
following (short version):

Code:
--------------------

Begin server module 0x00000024
NMAS Audit with Audit PA not installed
NMAS Audit with XDAS not installed
Server Module 0x00000024 Read
Error -1639 from MAF_Read
SAML LSM exiting with status: -1639

--------------------


This seems to be related so I will be investigating this error further.


--
Sjoerdk

Knowledge Partner

Re: IDM 4.5.2 Identity Applications suddenly broken

On 12/17/2015 3:17 AM, Sjoerdk wrote:
>
> I have no way of doing that either (in an easy way). I can confirm that
> SSPR is working fine. All the other endpoints eventually give the error:
> Identity manager authentication is not correctly configured or Identity
> Manager to eDirecotry SAML communciation is not functioning correctly.
> The landing page (the blue line on top with the empty space) also
> eventually produces this error. So I'm quite sure at this moment that
> indeed eDirectory SAML is the problem. I did a tcpdump and observed
> outgoing and incoming LDAP traffic so that connection seems fine
> (although I must admit that I am not an networking expert). Furthermore,
> like already stated, SSPR is working fine and the OSP endpoint shows a
> loggged in uaadmin user.
>
> Inspecting iMonitor with NMAS tracing on when pressing ENTER on OSP
> authentication screen (after browsing to /IDMProv) produces the
> following (short version):
>
> Code:
> --------------------
>
> Begin server module 0x00000024
> NMAS Audit with Audit PA not installed
> NMAS Audit with XDAS not installed
> Server Module 0x00000024 Read
> Error -1639 from MAF_Read
> SAML LSM exiting with status: -1639
>
> --------------------
>
>
> This seems to be related so i will be investigating this error further.


I would contemplate deleting the NMAS method from .Security and
reimporting the schema. The actual binary code for Windows, Linux, etc
is stored as attribute values in schema! Which is kind of crazy!

sjoerdk Frequent Contributor.

Re: IDM 4.5.2 Identity Applications suddenly broken


Yes.. I've thought about that as well, but I don't want to ruin
eDirectory completely so that would be a last-resort solution for me.
Not sure what I will break deleting those objects (yeah.. NMAS of
course.. but what else).


--
Sjoerdk

sjoerdk Frequent Contributor.

Re: IDM 4.5.2 Identity Applications suddenly broken


Sjoerdk;263526 Wrote:
> Yes.. I've thought about that as well, but i don't want to ruin
> eDirectory completely so that would be a last-resort solution for me.
> Not sure what I will break deleting those objects (yeah.. NMAS of
> course.. but what else).


I managed to fix the implementation by installing the SAML methods from
IDM45-Apps-HF-3 into the tree:

Code:
--------------------

nmasinst -addmethod cn=admin.o=services TREE-NAME config.txt -h IP-ADDRESS

--------------------

After that the Identity Apps authentication worked again.


--
Sjoerdk

sjoerdk Frequent Contributor.

Re: IDM 4.5.2 Identity Applications suddenly broken


Got an extra error out of the page. When browsing to IDMProv after the
empty landing page, the following error is displayed:


Code:
--------------------

The server is unreachable. Verify your network connection and make sure that the server is running.

--------------------


Almost looks like a timeout. The Identity Applications server can reach
the LDAP server on 389, 636, 8443, 8028, 8030. Am I missing a port that
has been blocked by [someone] in the past few days?


--
Sjoerdk