Anonymous_User Absent Member.

Accessing SSPR config when I can't authenticate

I recently had an error with my LDAP server when its certificates
expired. I resolved this, but SSPR doesn't seem to know that. Every
time I try to log onto SSPR, I get "directory unavailable." I can't
check the SSPR configuration because it won't let me get into that
component unless I authenticate. I tried 'unlock configuration', but it
still won't let me into the configuration editor -- I just get a more
verbose error message when I try to authenticate.

I am testing two SSPR servers. One is version 4.1.0.5, the other is
4.2.0.0, and they both exhibit the same behavior.

Shouldn't there be a way to edit the SSPR configuration without
authenticating against my configured LDAP server? I _thought_ 'Unlock
configuration' would do that, but no.

Thanks
Anonymous_User Absent Member.

Re: Accessing SSPR config when I can't authenticate

Update: on one of the two test servers, I chose to wipe the
configuration. It let me perform the initial guided configuration and I
am able to authenticate to the app, but I still can't launch the
configuration editor -- it just doesn't appear as an option on the
/sspr/private/admin/dashboard page.


.... is this a Monday or something?
Knowledge Partner

Re: Accessing SSPR config when I can't authenticate

Could you explain how you are trying to unlock things? You should be able
to update your SSPRConfiguration.properties (or whatever it is called) and
set it to be editable there, and then it does not require LDAP
authentication to get in. Have a backup of your file before you go too
crazy, of course.


--
Good luck.

Anonymous_User Absent Member.

Re: Accessing SSPR config when I can't authenticate

ab,

> Could you explain how you are trying to unlock things? You should be able
> to update your SSPRConfiguration.properties (or whatever it is called) and
> set it to be editable there, and then it does not require LDAP
> authentication to get in. Have a backup of your file before you go too
> crazy, of course.
>
>



Here's what I do:
Navigate to URL https://<FQDN>:9443
Provide root user credentials
Click on 'Administrative commands'
Click 'Unlock configuration'
Click "SSPR Configuration"

At that point, I expected to be able to edit the configuration *from the
GUI* without first authenticating to LDAP, but that is not the case.

I suppose I could go fishing in the appliance's file system for the
applicable configuration file to edit, but I've been expressly warned
not to do this with the SSPR appliance.

The fact that I am unable to access the config editor on the other
system (the SSPR 4.2 system, which is more or less working) would seem
to be an unrelated issue. Maybe I should have posted it separately.






Anonymous_User Absent Member.

Re: Accessing SSPR config when I can't authenticate

> Navigate to URL https://<FQDN>:9443
> Provide root user credentials
> Click on 'Administrative commands'
> Click 'Unlock configuration'
> Click "SSPR Configuration"
>
> At that point, I expected to be able to edit the configuration *from the
> GUI* without first authenticating to LDAP, but that is not the case.
>
> I suppose I could go fishing in the appliance's file system for the
> applicable configuration file to edit, but I've been expressly warned
> not to do this with the SSPR appliance.
>



I finally gave up and nuked the configuration, then recreated it from
scratch. I sure hope I don't have this issue when the system is in
production.

Knowledge Partner

Re: Accessing SSPR config when I can't authenticate

Doug;2466976 wrote:
> I recently had an error with my LDAP server when its certificates
> expired. I resolved this, but SSPR doesn't seem to know that. Every
> time I try to log onto SSPR, I get "directory unavailable." I can't
> check the SSPR configuration because it won't let me get into that
> component unless I authenticate. I tried 'unlock configuration', but it
> still won't let me into the configuration editor -- I just get a more
> verbose error message when I try to authenticate.
>
> I am testing two SSPR servers. One is version 4.1.0.5, the other is
> 4.2.0.0, and they both exhibit the same behavior.
>
> Shouldn't there be a way to edit the SSPR configuration without
> authenticating against my configured LDAP server? I _thought_ 'Unlock
> configuration would do that, but no.
>
> Thanks


Had the same issue with the 4.1 and 4.2 appliance.
There's a TID somewhere, I think, that I found and I simply edited the properties file so that I could edit the config so that I could "re-fetch" the certs and then all was well.
Knowledge Partner

Re: Accessing SSPR config when I can't authenticate

On 9/27/2017 3:16 PM, kjhurni wrote:
>
> Doug;2466976 Wrote:
>> I recently had an error with my LDAP server when its certificates
>> expired. I resolved this, but SSPR doesn't seem to know that. Every
>> time I try to log onto SSPR, I get "directory unavailable." I can't
>> check the SSPR configuration because it won't let me get into that
>> component unless I authenticate. I tried 'unlock configuration', but it
>> still won't let me into the configuration editor -- I just get a more
>> verbose error message when I try to authenticate.
>>
>> I am testing two SSPR servers. One is version 4.1.0.5, the other is
>> 4.2.0.0, and they both exhibit the same behavior.
>>
>> Shouldn't there be a way to edit the SSPR configuration without
>> authenticating against my configured LDAP server? I _thought_ 'Unlock
>> configuration would do that, but no.
>>
>> Thanks

>
> Had the same issue with the 4.1 and 4.2 appliance.
> There's a TID somewhere, I think, that I Found and I simply edited the
> properties file so that I could edit the config so that I could
> "re-fetch" the certs and then all was well.


It is near the top of the file (5th or 6th line) and is

    <property key="configIsEditable" modifyTime="2016-11-23T15:56:08Z">false</property>


Change it to true and the save should restart the SSPR instance to use it.


Anonymous_User Absent Member.

Re: Accessing SSPR config when I can't authenticate

Geoffrey Carman,
>> Had the same issue with the 4.1 and 4.2 appliance.
>> There's a TID somewhere, I think, that I Found and I simply edited the
>> properties file so that I could edit the config so that I could
>> "re-fetch" the certs and then all was well.

>
> It is near the top of the file (5th or 6th line) and is
>
>     <property key="configIsEditable" modifyTime="2016-11-23T15:56:08Z">false</property>
>
>
> Change it to true and the save should restart the SSPR instance to use it.
>
>

And the name of that file is ... ?

Thanks

tschloesser Outstanding Contributor.

Re: Accessing SSPR config when I can't authenticate

Doug;2467123 wrote:
> Geoffrey Carman,
>>> Had the same issue with the 4.1 and 4.2 appliance.
>>> There's a TID somewhere, I think, that I Found and I simply edited the
>>> properties file so that I could edit the config so that I could
>>> "re-fetch" the certs and then all was well.
>>
>> It is near the top of the file (5th or 6th line) and is
>>
>>     <property key="configIsEditable" modifyTime="2016-11-23T15:56:08Z">false</property>
>>
>>
>> Change it to true and the save should restart the SSPR instance to use it.
>>
>
> And the name of that file is ... ?
>
> Thanks


The file is named SSPRConfiguration.xml. Usually, starting with SSPR 4, it is stored under /opt/netiq/idm/apps/sspr/sspr_data, but the appliance might use a different location. Simply search for this file!

In the current version of SSPR the setting can be found close to the end of the configuration file!

BTW: If you need to fix LDAP authentication errors due to a changed server certificate, you could remove the imported old certificate from SSPRConfiguration.xml as well. In this case the LDAPS binds will work, since the new certificate provided by the LDAP server will be trusted. The only reason to import the server certificate is to implement a higher level of security, since LDAP binds will only work if the imported certificate and the certificate provided by the LDAP server match!

The LDAP certificate is stored in the following section of the SSPRConfiguration.xml file:

<setting key="ldap.serverCerts" syntax="X509CERT" profile="default" syntaxVersion="0" modifyTime="2017-05-11T12:57:41Z">
<label>LDAP Certificates</label>
<value> ... CertificateData ...</value>
</setting>

Simply delete all data between the <value> tags.

For sure make a backup of the configuration file first 😉

Kind regards,

Thorsten
0 Likes
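
The two file edits described in this thread (setting `configIsEditable` to true and emptying the `<value>` under `ldap.serverCerts`), with the backup taken first, as an added example that is not part of any post and is not NetIQ code. Only the two quoted elements come from the thread; the sample document's root element and nesting, and the names `recover` and `demo`, are assumptions.

```python
import shutil, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: only the two elements quoted in the thread are real;
# the root element and nesting are assumptions for the demo.
SAMPLE = """<SSPRConfiguration>
  <properties>
    <property key="configIsEditable" modifyTime="2016-11-23T15:56:08Z">false</property>
  </properties>
  <setting key="ldap.serverCerts" syntax="X509CERT" profile="default" syntaxVersion="0" modifyTime="2017-05-11T12:57:41Z">
    <label>LDAP Certificates</label>
    <value>CONSTRUCTED-PLACEHOLDER-NOT-A-CERT</value>
  </setting>
</SSPRConfiguration>
"""

def recover(path, editable=True, clear_pinned_certs=False):
    """Back up the config, set configIsEditable, optionally empty the pinned certs."""
    path = Path(path)
    backup = path.with_name(path.name + ".bak")
    if backup.exists():                      # never clobber an earlier known-good copy
        raise FileExistsError(f"backup already exists: {backup}")
    shutil.copy2(path, backup)
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))  # keep comments
    tree = ET.parse(path, parser)
    flags = [p for p in tree.iter("property") if p.get("key") == "configIsEditable"]
    if len(flags) != 1:                      # refuse to guess on an unexpected layout
        raise ValueError(f"expected exactly one configIsEditable, found {len(flags)}")
    previous = flags[0].text
    flags[0].text = "true" if editable else "false"
    cleared = 0
    if clear_pinned_certs:
        for setting in tree.iter("setting"):
            if setting.get("key") == "ldap.serverCerts":
                for value in setting.iter("value"):
                    if (value.text or "").strip():
                        value.text = None    # delete the data between the <value> tags
                        cleared += 1
    tree.write(path, encoding="UTF-8", xml_declaration=True)
    return {"backup": backup, "was_editable": previous, "certs_cleared": cleared}

def demo():
    """Run recover() on a temporary copy of SAMPLE; return summary, new and backup text."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "SSPRConfiguration.xml"
        cfg.write_text(SAMPLE)
        summary = recover(cfg, editable=True, clear_pinned_certs=True)
        return summary, cfg.read_text(), summary["backup"].read_text()
```

As the last post explains, the imported certificate is what makes LDAPS binds depend on a certificate match, so an emptied `ldap.serverCerts` leaves that check off until a certificate is imported again.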