Ravi4

error occurred while to contact the authentication service

Hi

I just implemented IDM 4.5 with OSP on Tomcat and User Application on WebSphere. It was working fine until I moved OSP from port 8080 to 8443 (SSL).
Now when I am accessing my User Application URL it is redirected to the OSP login page, but after entering credentials it gives me the below error:
An error occurred while attempting to contact the authentication service.

I know it is some certificate import issue, but can't figure out where I need to make the changes.

Waiting for some suggestions

Thanks,
cap
9 Replies
Knowledge Partner

Re: error occurred while to contact the authentication service

On 11/7/2016 8:56 AM, CAPVCC SUPPORT wrote:
>
> Hi
>
> I just implemented IDM 4.5 with OSP on Tomcat and User Application on
> WebSphere. It was working fine until I moved OSP from port 8080 to 8443
> (SSL).
> Now when I am accessing my User Application URL it is redirected to the
> OSP login page, but after entering credentials it gives me the below
> error:
> An error occurred while attempting to contact the authentication
> service.
>
> I know it is some certificate import issue, but can't figure out where I
> need to make the changes.


OSP is super finicky. Try reading my articles on the topic, since you
have likely hit one of the issues I describe:

https://www.netiq.com/communities/cool-solutions/getting-started-with-osp-part-1

https://www.netiq.com/communities/cool-solutions/getting-started-with-osp-part-2

https://www.netiq.com/communities/cool-solutions/getting-started-with-osp-part-3

I.e. the OSP keystore needs the eDir and Tomcat public keys, and the OSP private key of
course. The Tomcat keystore needs the same set. cacerts needs the OSP and Tomcat
public keys, or the trusted roots that signed them.

Ravi4

Re: error occurred while to contact the authentication service

Hi

I have gone through the below link:
https://www.netiq.com/communities/cool-solutions/troubleshooting-osp-sspr-part-3/

Imported and exported many certificates, now more confused. Can you please explain the certificate part in a little more detail?

Thanks for your support

Thanks,
CAP
Knowledge Partner

Re: error occurred while to contact the authentication service

On 11/7/2016 10:26 AM, CAPVCC SUPPORT wrote:
>
> Hi
>
> I have gone through the below link:
> https://www.netiq.com/communities/cool-solutions/troubleshooting-osp-sspr-part-3/
>
> Imported and exported many certificates, now more confused. Can you
> please explain the certificate part in a little more detail?


Certificates have two parts: a private key and a public key.

The private key is what Tomcat loads so it can offer SSL services to
incoming requests.

However, the web client coming in should TRUST the signer of that
certificate.

So go to any commercial web page that uses HTTPS. Click on the lock
icon (every browser is a bit different) and get to the cert info. Look
at the certification chain/hierarchy.

You will see that the signers are listed.

Your browser ships with the 'well known' signers' public keys built into
its keystore to trust. It used to cost $18 million with Firefox to get
added.

If not, your browser says untrusted certificate or somesuch error.

OSP and UA can both be considered web clients, making web requests to
Tomcat and to each other back and forth.

Thus, their (OSP, Tomcat, UA) keystores must trust the certs. How do
you trust a cert?
1) Trust the cert itself (import the cert's public key to a keystore with
the -trustcacerts switch).
2) Trust the signer of the cert (import the signer's public key the same way).
3) If there is an intermediate CA, trust that as well. Import that as well.

So, OSP must trust Tomcat and UA. So whoever signed the Tomcat cert (or
maybe you were on WebSphere, whatever; the SSL cert WebSphere is using is
what matters) needs to be trusted by the Java instance OSP and UA are
using. So the OSP keystore needs to import those public keys.

eDir's cert is needed for LDAP operations in OSP.

cacerts needs to have all the same trusted Certs as well, since that is
what UA uses.

In WebSphere, you have yet another possible keystore you can point at,
so do that and make sure it has all these certs in it.
Ravi4

Re: error occurred while to contact the authentication service

Still the issue is not fixed.
I have updated all the certs in the respective keystores, but I can't import the OSP certificate.
Could you please provide some suggestions on how to import the OSP certificate? I can only see the osp.jks (keystore) file, can't find any certificate.

Thanks,
CAP
Knowledge Partner

Re: error occurred while to contact the authentication service

On 11/7/2016 3:16 PM, CAPVCC SUPPORT wrote:
>
> Still the issue is not fixed.
> I have updated all the certs in the respective keystores, but I can't import
> the OSP certificate.
> Could you please provide some suggestions on how to import the OSP
> certificate? I can only see the osp.jks (keystore) file, can't find any
> certificate.


So the problem here is that the keystore has the private key, which
actually MUST remain secret, else we get into potential issues. (The
problem is, if you sent me the file, I could send you back a working
keystore in 1 minute... But I won't accept the file, due to the security
issue).

So let's see if I can write this freehand from memory.

/opt/netiq/idm/apps/jre/bin/keytool -keystore /opt/netiq/idm/apps/tomcat/conf/osp.jks -storepass PASSWORD -list -v | less

Use that command to be sure you have the right path and password. I will
assume you aliased the cert as osp.

So...
/opt/netiq/idm/apps/jre/bin/keytool -keystore /opt/netiq/idm/apps/tomcat/conf/osp.jks -storepass PASSWORD -export -alias osp -file /tmp/osp.pub

Now you need this one in cacerts. But which cacerts? If eDir and UA
are on the same box, I would add it to both to be safe. But in theory it
should be the same JRE I am getting keytool from.

/opt/netiq/idm/apps/jre/bin/keytool -keystore /opt/netiq/idm/apps/jre/lib/security/cacerts -storepass default -import -alias osp-pub -file /tmp/osp.pub -trustcacerts

(Yes, the password on cacerts is always "default"; it is a 'default', go
figure.)

To be safe, if eDir were the I would do something like:

/opt/netiq/idm/apps/jre/bin/keytool -keystore /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts -storepass default -import -alias osp-pub -file /tmp/osp.pub -trustcacerts

(I think that is pretty close to being correct.)
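The three ways of trusting a cert described earlier in this thread (the cert itself, its signer, or an intermediate CA) and the export/import steps above can be verified without guessing: the small Java program below is an added example, not from the thread or from NetIQ, and it asks a truststore such as cacerts or osp.jks whether it trusts a certificate (or chain) file the way Tomcat, OSP and UA will at runtime. The class name TrustCheck, the JKS store type, and taking the store path, store password and certificate file as arguments are assumptions; revocation checking is switched off because the thread does not cover CRLs or OCSP.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not part of OSP/UA: does this truststore trust this cert chain?
public class TrustCheck {
    static String check(String storePath, char[] storePass, String certPath) throws Exception {
        // cacerts and osp.jks in the thread are JKS files; path and password are arguments.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) { ks.load(in, storePass); }
        // The file may hold just the leaf (as written by keytool -export, DER or -rfc PEM)
        // or the whole chain the server presents, leaf first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(certPath)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) return "NO CERTS: " + certPath + " holds no certificates";
        // Case 1 from the thread: the leaf itself was imported as a trusted entry.
        String alias = ks.getCertificateAlias(chain.get(0));
        if (alias != null) return "TRUSTED directly (alias '" + alias + "')";
        // Cases 2 and 3: the signer or an intermediate CA is trusted. Cut the path at the
        // first cert already in the store, since PKIX wants the anchor outside the path.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (ks.getCertificateAlias(c) != null) break;
            path.add(c);
        }
        PKIXParameters params = new PKIXParameters(ks); // anchors = the store's trusted entries
        params.setRevocationEnabled(false);             // offline check; CRL/OCSP not covered
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            return "TRUSTED via anchor " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            return "NOT TRUSTED: " + e.getMessage()
                 + " (import the cert, its signer or the intermediate CA with -trustcacerts)";
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TrustCheck <truststore.jks> <storepass> <cert-or-chain>");
            return;
        }
        System.out.println(check(args[0], args[1].toCharArray(), args[2]));
    }
}
```

Run it once per JRE (the Tomcat/OSP one and, if eDir is on the same box, the eDirectory one) against /tmp/osp.pub from the export step; a "NOT TRUSTED" result tells you which keystore still lacks the import.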
Ravi4

Re: error occurred while to contact the authentication service

Performed the above steps, but still getting the same error.
Ravi4

Re: error occurred while to contact the authentication service

Hi,

It works now.

Thanks for the help
CAP
Knowledge Partner

Re: error occurred while to contact the authentication service

On 11/7/2016 5:26 PM, CAPVCC SUPPORT wrote:
>
> Hi,
>
> It works now.
>
> Thanks for the help


Any idea what change you might have made that could have fixed it? I.e.,
it is always good to understand the specific issue, instead of some magic
having fixed it. 🙂
Ravi4

Re: error occurred while to contact the authentication service

I have two UA servers connected in a cluster. I updated the same setting on the other server and copied the osp.jks.
Also, I changed the alias name from osp-pub to osp in all keystores.