dvandermaas1 Absent Member.
1649 views

OSP stopped working with latest version


Can somebody help me out here .... pretty please.

We have an IDM45 (latest SP) infrastructure with most IDM Applications
set up.
So UserApp/HPD with SP5, JVM 1.8.121, SSPR 4.0.0.2 and OSP 6HF5 running on
SLES servers.

We started off with everything running non-secure, IP based => That
worked.
We changed every setting according to the documentation and Geoffrey's
coolsolutions to DNS name based => That worked.
We did all the certificate stuff using signed certificates from an
external CA (Comodo) and moved to https => That worked.
We did use hosts files for the DNS names, which were pointing towards a NAM
setup, but everything went ok including the OAuth authentication.
So every setting in configupdate and SSPR was with
hostname:8443/whatever

As last step we removed the port or changed it to 443 and have the
Access Manager in place including the SAML federation.

Now first, what I noticed is that any of the changes made in
configupdate do NOT end up in
/opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties, which
they should, in my opinion (?).
Secondly, the documentation lacks a lot of information. On the
certificate stuff, but more importantly on the configuration! I needed
to revert my changes a couple of times because SSPR was unreachable, so
I needed to make the changes there first. Learning all the time ......


Every system involved uses the same wildcard, externally signed
certificate
At one point we started to get this on the browser.
{"Fault":{"Code":{"Value":"Sender","Subcode":{"Value":"XDAS_OUT_POLICY_VIOLATION"}},"Reason":{"Text":"Unrecognized interface. Invalid Host Header Name or Request URL Domain Name."}}}

We checked, changed and tried every setting regarding host names,
redirect URLs etc. We reverted the SAML federation but the error did not
go away.
In the OSP logging it shows:

[OSP] 2017-03-29T06:18:17.359+0200
Level: WARN
Code: com.novell.osp.servlet.OSPServlet.auditFailedRequest() [531]
thread=http-bio-8443-exec-3
Message: InternalError

[OSP] 2017-03-29T06:17:20.087+0200
Level: ERROR
Code: com.novell.osp.servlet.OSPServlet.errorResponse() [312]
thread=localhost-startStop-1
Message:
Level: ERROR
Code: com.netiq.osp.exception.OSPAuthenticationException.<init>()
[40]
Thread: http-bio-8443-exec-3
Correlation Id: 764d662f-21f6-4bdd-9cf9-8b0fbda8610a
Text: Unrecognized interface. Invalid Host Header Name or Request URL
Domain Name.

In the local_access log we stumbled upon this:

10.3.0.29 - - [29/Mar/2017:06:18:16 +0200] "GET /landing/ HTTP/1.1" 200 7931
10.3.0.29 - - [29/Mar/2017:06:18:16 +0200] "GET /landing/com.netiq.ualanding.index/jquery.min.js HTTP/1.1" 304 -
10.3.0.29 - - [29/Mar/2017:06:18:16 +0200] "GET /landing/com.netiq.ualanding.index/com.netiq.ualanding.index.nocache.js HTTP/1.1" 304 -
10.3.0.29 - - [29/Mar/2017:06:18:16 +0200] "GET /landing/js/lib/masonry.pkgd.min.netiq.js HTTP/1.1" 304 -
10.3.0.29 - - [29/Mar/2017:06:18:16 +0200] "GET /landing/landing.min.js HTTP/1.1" 304 -
10.3.0.29 - - [29/Mar/2017:06:18:16 +0200] "GET /landing/js/lib/jquery.ui.touch-punch.js HTTP/1.1" 304 -
10.3.0.29 - - [29/Mar/2017:06:18:16 +0200] "GET /landing/js/lib/i18n/jquery.ui.datepicker.js HTTP/1.1" 302 -
10.3.0.29 - - [29/Mar/2017:06:18:16 +0200] "GET /landing/js/lib/i18n/date HTTP/1.1" 302 -
10.3.0.29 - - [29/Mar/2017:06:18:16 +0200] "GET /landing/js/lib/i18n/jquery.ui.datepicker-en-US.js HTTP/1.1" 304 -
10.3.0.29 - - [29/Mar/2017:06:18:16 +0200] "GET /landing/js/lib/i18n/date-en-US.js HTTP/1.1" 304 -
10.3.0.29 - - [29/Mar/2017:06:18:17 +0200] "GET /landing/com.netiq.ualanding.index/spiffyui.min.css HTTP/1.1" 304 -
10.3.0.29 - - [29/Mar/2017:06:18:17 +0200] "GET /landing/com.netiq.ualanding.index/NovellGWTLib.css HTTP/1.1" 304 -
10.3.0.29 - - [29/Mar/2017:06:18:17 +0200] "GET /landing/custom/custom.css HTTP/1.1" 200 -
10.3.0.29 - - [29/Mar/2017:06:18:17 +0200] "GET /landing/images/favicon.png HTTP/1.1" 304 -
10.3.0.29 - - [29/Mar/2017:06:18:17 +0200] "GET /landing/com.netiq.ualanding.index/9143734E2C6233432D7F467966BBB924.cache.html HTTP/1.1" 200 262953
10.3.0.29 - - [29/Mar/2017:06:18:17 +0200] "GET /landing/SpiffyUi.min.css HTTP/1.1" 304 -
10.3.0.29 - - [29/Mar/2017:06:18:17 +0200] "GET /IDMProv/rest/access/users/fullName HTTP/1.1" 401 -
10.3.0.29 - - [29/Mar/2017:06:18:17 +0200] "GET /osp/a/idm/auth/oauth2/grant?response_type=token&redirect_uri=https://xxxxxxxxxxxx.xxxxxxxxxxxxx.xx/landing/com.netiq.ualanding.index/oauth.html&client_id=ualanding&state=spiffystate0.29279431547721113 HTTP/1.1" 403 193

The IP address is a gateway; there is no rewriter, authN policy or
anything else in place. It is a protected resource and the hostnames are
internally the same as from the outside.
Looking at the trace I see an HTTP 401 and a 403 (193), unauthorized and
forbidden, but I really don't know why.

What are we doing wrong here?? Thanks in advance for any answer .....
(BTW, it did work when we used the 4.5 stock version)


--
dvandermaas
------------------------------------------------------------------------
dvandermaas's Profile: https://forums.netiq.com/member.php?userid=1956
View this thread: https://forums.netiq.com/showthread.php?t=57711


The Network lives on patches, re-configurations and caffeine. One Net, One Engineer, One Coffee Brand.
10 Replies
Knowledge Partner

Re: OSP stopped working with latest version

Removing the port (say 443) entirely has been problematic for others. Didn't
Steve say it wasn't really supported by configupdate?
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
dvandermaas1 Absent Member.

Re: OSP stopped working with latest version


Ok, that is understandable, but what should I use, because a browser
will remove the 443 and from what I have read in an earlier post OSP is
very sensitive to that.
I put the 443 back in but it still renders the same.
I have ismconfig.properties backed up; will it work to put that back and
start from there?


Knowledge Partner

Re: OSP stopped working with latest version

On 3/29/2017 8:24 AM, dvandermaas wrote:
>
> Ok, that is understandable, but what should I use, because a browser
> will remove the 443 and from what I have read in an earlier post OSP is
> very sensitive to that.
> I put the 443 back in but it still renders the same.
> I have ismconfig.properties backed up; will it work to put that back and
> start from there?


As far as I can tell, as of 4.5.5 (not checked in 4.6, nor in AR's), the
main things Configupdate does that are mostly NOT in the configupdate file are:
NMAS SAML method install.
Change the WAR name (Context?).
Regrant the Admin Roles.
Switch SSPR or Legacy Password provider.

For the most part, everything else you do, specifically in the space you
are working with, is read straight out of ism-configuration.properties,
so edit away.

PS: Also you mentioned that the file was not updated after some changes?
Make sure you run the configupdate from User App, not the stripped down
version OSP comes with for SSPR. Different paths.

dvandermaas1 Absent Member.

Re: OSP stopped working with latest version


Ok, this is ehhh somewhat strange behaviour then... Well, as long as I am
aware of it. I am going to reset the ism-configuration and work from
there.
Thx!
(I knew about the other configupdate, it even breaks the UserApp ;-( )


Knowledge Partner

Re: OSP stopped working with latest version

> We changed every setting according to the documentation and Geoffrey's
> coolsolutions to DNS name based => That worked.


Finally you did something correct and read what I wrote! (Hey David!)

> So every setting in configupdate and sspr was with
> hostname:8443/whatever
>
> As last step we removed the port or changed it to 443 and have the
> Access Manager in place including the SAML federation.


Ok, so this is the key issue. Configupdate has a strange limitation.
Ask Tim Edmonds about this one; he is working an open bug on this.
Basically you CANNOT do http://ipaddress without a :port/ at the end.
You MUST have a port.

However, OSP is kinda goofy, and requires that the URL the browser sent
match 100% exactly and perfectly the values configured in OSP.

So go to https://www.mysite.com:443/ and all browsers that I know about
rewrite that and send it as: https://www.mysite.com/

Those are semantically identical; however, to OSP one of these things is
not like the other. That is, from OSP's view:
https://www.mysite.com:443 != https://www.mysite.com

So... To work around a bug in Configupdate.sh, what you do is, every
time you use it, enter some crazy number, and then edit
ism-configuration.properties after to remove that crazy number.



dvandermaas1 Absent Member.

Re: OSP stopped working with latest version


Haha, I always follow your guidelines 😉 don't I ......... well you know
me .. but the coolsolutions provide a lot of good background
information.
I will reset the properties and see what it does; good idea to use
goofy numbers, easy to replace ...


Knowledge Partner

Re: OSP stopped working with latest version

On 3/29/2017 10:44 AM, dvandermaas wrote:
>
> Haha, I always follow your guidelines 😉 don't I ......... well you know
> me .. but the coolsolutions provide a lot of good background
> information.
> I will reset the properties and see what it does; good idea to use
> goofy numbers, easy to replace ...


Ya, I think that adding extra stuff that is not 100% directly relevant
is still helpful, since a lot of this is hard to understand based on
just the docs. You need some extra info, tidbits, and so on.

Mishra Contributor.

Re: OSP stopped working with latest version

Hi Team,

I am also facing the same problem in Identity Governance 3.0.
Can you provide any solution for this issue?
When I go to the page it shows:
{"Fault":{"Code":{"Value":"Sender","Subcode":{"Value":"XDAS_OUT_POLICY_VIOLATION"}},"Reason":{"Text":"Unrecognized interface. Invalid Host Header Name or Request URL Domain Name."}}}
Knowledge Partner

Re: OSP stopped working with latest version

Generally that error (though not that specific one) means that the URL you typed to get to the web page does not perfectly match the value in the ism-configuration.properties file.


This most commonly breaks when using HTTPS over 443. 

You would think, in configupdate.sh set it to myhost.domain.com and port 443.

Then try https://myhost.domain.com:443/idmdash

But your browser is smarter than you are and rewrites that to:

https://myhost.domain.com/idmdash

and it removes the :443

Well guess what?  That counts as different! ARGH!

Problem: the configupdate.sh GUI and console require a port value. You cannot leave it blank and properly save.

Solution: Enter 443 in the GUI, then save. Edit the ism-configuration.properties file and remove the :443 from the references.


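The two Knowledge Partner replies above describe the same workaround twice: let configupdate.sh write a port into ism-configuration.properties, then strip the `:443` by hand so the stored URL matches what the browser actually sends. The script below is an added example, not code from the thread or from NetIQ, that does that comparison and rewrite mechanically. It normalizes each URL the way a browser does (default port dropped, scheme and host lowercased, a non-default port such as 8443 kept) and reports every property that would fail OSP's exact-match check before rewriting. The property keys in the embedded sample are constructed placeholders, not real OSP or User Application keys, and the URL matcher is deliberately loose; run it on a copy of the file and diff the result against your backup before putting it in place.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Ports a browser drops from the request line and Host header because they
# are the default for the scheme.
DEFAULT_PORTS = {"https": 443, "http": 80}

# Loose matcher for URL-shaped values inside a Java properties file.
URL_RE = re.compile(r"https?://[^\s,;\"']+")

# Constructed sample; the key names are placeholders, not real OSP/UserApp keys.
SAMPLE_PROPERTIES = """\
# constructed sample
example.osp.url=https://Idm.Example.com:443/osp/
example.landing.redirect=https://idm.example.com:443/landing/com.netiq.ualanding.index/oauth.html
example.sspr.url=https://idm.example.com:8443/sspr/
example.plain.url=http://idm.example.com:80/
"""


def browser_normalize(url):
    """Return `url` as a browser would actually transmit it: scheme and host
    lowercased and the scheme's default port removed. A non-default port
    (e.g. :8443) is kept, and anything that is not an absolute URL, or has a
    malformed port, is returned untouched."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port: leave it alone
        return url
    if not parts.scheme or not parts.hostname:
        return url
    scheme = parts.scheme.lower()
    netloc = parts.hostname.lower()
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        netloc = f"{netloc}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def find_mismatches(properties_text):
    """Return (key, configured_url, browser_form) for every non-comment
    property whose URL differs from what the browser would send. Each entry
    is a value OSP would compare byte-for-byte against the request and
    reject with the 'Unrecognized interface' fault from the thread."""
    mismatches = []
    for line in properties_text.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        for url in URL_RE.findall(value):
            normalized = browser_normalize(url)
            if normalized != url:
                mismatches.append((key.strip(), url, normalized))
    return mismatches


def rewrite_properties(properties_text):
    """Return the file text with every URL replaced by its browser form,
    i.e. the manual ':443' removal from the reply done for every reference."""
    return URL_RE.sub(lambda m: browser_normalize(m.group(0)), properties_text)


if __name__ == "__main__":
    for key, before, after in find_mismatches(SAMPLE_PROPERTIES):
        print(f"{key}: {before} -> {after}")
    print(rewrite_properties(SAMPLE_PROPERTIES))
```

Note what the sample shows: the `:8443` entry is left alone, because a browser sends that port and OSP will see it, while both `:443` entries and the `:80` entry are flagged. That is exactly why the earlier setup on port 8443 worked and the move to 443 broke.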
Knowledge Partner

Re: OSP stopped working with latest version

One other possibility... Does DNS return 2 names for the IP of the server?

For some reason OSP uses the shorter or longer of the two (I forget which), which invariably ends up being the wrong one. There is a parameter for ism-configuration.properties to override that silliness and push it to a specific DNS name.

If you have 2 or more aliases for this IP then I can go dig up the config value.
