
OSP certificate error

Hello everyone, I recently did a clean installation of the User Application module (version 4.7) on a RHEL server. After having some trouble making Tomcat (the User App server) use SSL, now I have problems with the OSP certificate.
First, the install of the User Application (and therefore the OSP and the SSPR), and then the configuration (I executed the configure.sh script), didn't create the osp.jks keystore (the one in the folder /opt/netiq/idm/apps/osp) (not the first time this happened), so when I executed the configupdate.sh script, I was forced to create the keystore myself, literally using this command:

/opt/netiq/idm/apps/jre/bin/keytool -genkey -keyalg RSA -keysize 2048 -keystore "/opt/netiq/idm/apps/osp/osp.jks" -storepass *password* -keypass *password* -alias osp -validity 730 -dname "cn=*IP of the server*"

using as password the common password used in the configure.sh script after installation. So now I can save the configupdate script without any trouble at all, using the same password as used in the command. I tested this by listing the content of the keystore osp.jks successfully. Now, when I start Tomcat, I get this error every time:

[image: screenshot of the Tomcat error, https://i.imgur.com/Uj6GKX5.png]

So, as I said before, the passwords are consistent in all of those places. Doing some Google searching, I reached this post: https://www.netiq.com/communities/cool-solutions/troubleshooting-osp-sspr-part-3/ (thx geoffc again). So like he said in the middle of the post, I followed the steps to create the osp.jks (using the command). Up to here, I understand the steps. Now when I need to export the certificate with alias "osp" from "osp.jks", this certificate does not exist inside that keystore (generated by me). I do not know if this is the error, but at least it's a clue. The post does not specify where I can find this certificate.
Help please? 🙂 I need to test some functionality in 4.7.2 but first I need to get 4.7 working.

On 4/16/2019 3:54 PM, gtejo wrote:
>
> Hello everyone, I recently did a clean installation of the User
> Application module (version 4.7) on a RHEL server. After having some
> trouble making Tomcat (the User App server) use SSL, now I have
> problems with the OSP certificate.
> First, the install of the User Application (and therefore the OSP and
> the SSPR), and then the configuration (I executed the configure.sh
> script), didn't create the osp.jks keystore (the one in the folder
> /opt/netiq/idm/apps/osp) (not the first time this happened), so when I
> executed the configupdate.sh script, I was forced to create the keystore
> myself, literally using this command:
>
> /opt/netiq/idm/apps/jre/bin/keytool -genkey -keyalg RSA
> -keysize 2048 -keystore "/opt/netiq/idm/apps/osp/osp.jks" -storepass
> *password* -keypass *password* -alias osp -validity 730 -dname "cn=*IP
> of the server*"


So here you have the -alias of osp. So it should have a cert in there.
-dname should be the IP name, and you should probably do a SAN of -ext
san:dns=MyServer.acme.com,ip:123.123.123.123 since now if the cert name
does not match the DNS name there are problems. (Java security change,
dang it!). If you are using a clustered install, then in the SAN add
each node's native DNS name and IP as well to be safe.

Also set validity to more than 2 years. This is JUST for SAML
federation mostly (Never customer facing) so make it 5 or 10 years to
save pain in the future.


> using as password the common password used in the configure.sh script
> after installation. So now I can save the configupdate script without
> any trouble at all, using the same password as used in the command. I
> tested this by listing the content of the keystore osp.jks successfully.
> Now, when I start Tomcat, I get this error every time:
>
> [image: screenshot of the Tomcat error, https://i.imgur.com/Uj6GKX5.png]


Test it with:
/opt/netiq/idm/apps/jre/bin/keytool -keystore /opt/netiq/idm/apps/osp/osp.jks -storepass PASSWORD -list -v | less

and look at what is in there. You can try different passwords till you
get that right.



> So, as I said before, the passwords are consistent in all of those
> places. Doing some Google searching, I reached this post:
> https://www.netiq.com/communities/cool-solutions/troubleshooting-osp-sspr-part-3/
> (thx geoffc again). So like he said in the middle of the post, I


That guy must be a jerk for leaving you hanging like this...

> followed the steps to create the osp.jks (using the command). Up to
> here, I understand the steps. Now when I need to export the certificate
> with alias "osp" from "osp.jks", this certificate does not exist inside
> that keystore (generated by me). I do not know if this is the error, but
> at least it's a clue. The post does not specify where I can find this
> certificate.


You need the public key of the signer of the private key, which in this
case, being self-signed, is the public key of the osp key. So...

/opt/netiq/idm/apps/jre/bin/keytool -keystore /opt/netiq/idm/apps/osp/osp.jks -storepass PASSWORD -export -alias osp -file /tmp/osp-pub.pem

Which you can import into the Tomcat keystore with the command

/opt/netiq/idm/apps/jre/bin/keytool -keystore /opt/netiq/idm/apps/tomcat/conf/tomcat.jks -storepass PASSWORD -import -trustcacerts -alias osp-pub -file /tmp/osp-pub.pem

Then you need Tomcat's public key in the OSP keystore. This is LIKELY
a real public cert, so you need the public keys of the CAs that sign it. They
will be in the Tomcat store, so look at that store with:

/opt/netiq/idm/apps/jre/bin/keytool -keystore /opt/netiq/idm/apps/tomcat/conf/tomcat.jks -storepass PASSWORD -list -v | less

Then build the command by removing the -list -v and adding -export
-alias ALIAS -file Some/file/name.pem

And so on.

Does that help?

Also make sure the eDir CA's public key is in osp and tomcat. If you are
doing SAML make sure the public key of the SAML cert is in OSP for sure,
tomcat to be safe as well.



> Help please? 🙂 I need to test some functionality in 4.7.2 but
> first I need to get 4.7 working.


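As an added illustration (not part of this thread, and using Go's crypto/x509 rather than keytool/JKS), here are the two checks the reply above relies on: a certificate whose only identity is the CN fails SAN-based hostname matching for both its DNS name and its IP, and a peer only verifies once the other side's self-signed certificate has been placed in its truststore (the effect of the -export / -import -trustcacerts pair). All host names, IPs and validity periods are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// NewSelfSigned stands in for `keytool -genkey ... -ext san:dns=...,ip:...`.
// Pass nil dns and ips to mimic the poster's CN-only `-dname "cn=<ip>"` keystore.
func NewSelfSigned(cn string, dns []string, ips []net.IP, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		IPAddresses:  ips,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(years, 0, 0), // -validity: 5-10 years per the reply
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MatchesHost applies SAN-only name matching (the CN is ignored, as in current Java).
func MatchesHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// TrustedBy checks that peer verifies against a truststore holding only trusted,
// i.e. the state after exporting one side's cert and importing it on the other.
func TrustedBy(trusted, peer *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```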