Nihii Respected Contributor.

SSPR Private URL Issue

Hello,

We are currently running on IDM 4.7.2, eDir - 9.1.2, SSPR - 4.3.0.4, OSP - 6.3.1 on RHEL 7.6. SSPR public URLs work fine, but trying to access SSPR private URLs brings up a blank screen in the browser.
When I observed the OSP logs, the character F is not being removed from the sspr/public/oauth URL. I checked the ism-configuration file and the SSPRConfiguration.xml file.

OSP Log:


Preamble: [OIDP]
Priority Level: SEVERE
Java: internal.osp.oidp.service.oauth2.handler.RequestHandler.respondWithPageError() [582] thread=https-jsse-nio-8443-exec-11
Time: 2019-05-14T14:31:36.678-0400
Log Data: Code: internal.osp.oidp.service.oauth2.handler.HandlerException.<init>() [183]
Text: Client-supplied redirect URI is not registered: https://www.inet.jnet.beta.pa.govFsspr/public/oauth

Catalina:

2019-05-14T14:29:35Z, TRACE, http.PwmRequest, {210} GET request for: /sspr/private/setup-responses (no params) requestID=157 [172.18.87.134]
2019-05-14T14:29:35Z, TRACE, oauth.OAuthMachine, {210} preparing to redirect user to oauth authentication service, setting nextUrl to /sspr/private/setup-responses [172.18.87.134]
2019-05-14T14:29:35Z, TRACE, oauth.OAuthMachine, {210} issuing oauth state id=10 with the next destination URL set to /sspr/private/setup-responses [172.18.87.134]
2019-05-14T14:29:35Z, TRACE, oauth.OAuthMachine, calculated oauth self end point URI as 'https://www.inet.jnet.beta.pa.gov/sspr/public/oauth' using method SiteURL Setting
2019-05-14T14:29:35Z, TRACE, state.CryptoCookieLoginImpl, {210} wrote LoginInfoBean={"a":false,"p":"*hidden*","t":"UNAUTHENTICATED","af":[],"rq":"2019-05-14T18:29:35Z","g":"jve4ovbtdyiDkhyBEhIas0t5XHPyiq12ScfTzglCUKhTAGYN1BaKxV0jHXHWMQHbEHtAeZ3A","c":0,"lf":[]} [172.18.87.134]
2019-05-14T14:29:35Z, TRACE, http.PwmResponse, {210} sending 302 redirect to https://www.inet.jnet.beta.pa.gov:443/osp/a/idm/auth/oauth2/grant?client_id=sspr&response_type=code&state=H4sIAAAAAAAAAAGwAE__UFdNLkdDTTEQ1a7sebIB9j82VL6hjFpUGmvupUOLb4LvpgLiOP_CEuvz8LBwzusF6IunMGTAcJ5vSkN9BI2uLy7I03ttTouF6zpm97gKTWYoecL08q9i7V9ogFqAVf7TlanN5FgRMnzmJVp5Jdrn0QT5ysV5YcWoWBBzosSaGx1V4h2Hi_io998tV4lIW-pvpIKaUFAKRCeYmOivzTX9HS2PL0lWO9MMA2_i42KtpihYji3MsAAAAA%3D%3D&redirect_uri=https%3A%2F%2Fwww.inet.jnet.beta.pa.gov%2Fsspr%2Fpublic%2Foauth [172.18.87.134]
2019-05-14T14:29:35Z, DEBUG, oauth.OAuthMachine, {210} redirecting user to oauth id server, url: https://www.inet.jnet.beta.pa.gov:443/osp/a/idm/auth/oauth2/grant?client_id=sspr&response_type=code&state=H4sIAAAAAAAAAAGwAE__UFdNLkdDTTEQ1a7sebIB9j82VL6hjFpUGmvupUOLb4LvpgLiOP_CEuvz8LBwzusF6IunMGTAcJ5vSkN9BI2uLy7I03ttTouF6zpm97gKTWYoecL08q9i7V9ogFqAVf7TlanN5FgRMnzmJVp5Jdrn0QT5ysV5YcWoWBBzosSaGx1V4h2Hi_io998tV4lIW-pvpIKaUFAKRCeYmOivzTX9HS2PL0lWO9MMA2_i42KtpihYji3MsAAAAA%3D%3D&redirect_uri=https%3A%2F%2Fwww.inet.jnet.beta.pa.gov%2Fsspr%2Fpublic%2Foauth [172.18.87.134]

Any advice on how to get this fixed?

Thanks
Nihith
Knowledge Partner

Re: SSPR Private URL Issue

On 5/15/2019 10:14 AM, ngujjula wrote:
>
> Hello,
>
> We are currently running on IDM 4.7.2, eDir - 9.1.2, SSPR - 4.3.0.4, OSP
> - 6.3.1 on RHEL 7.6. SSPR public URLs work fine, but trying to
> access SSPR private URLs brings up a blank screen in the browser.
> When I observed the OSP logs, the character F is not being removed from
> the sspr/public/oauth URL. I checked the ism-configuration file and
> the SSPRConfiguration.xml file.


Hey Nihith, tell KP I say hi if he is still there!

> OSP Log:
>
>
> Preamble: [OIDP]
> Priority Level: SEVERE
> Java:
> internal.osp.oidp.service.oauth2.handler.RequestHandler.respondWithPageError()
> [582] thread=https-jsse-nio-8443-exec-11
> Time: 2019-05-14T14:31:36.678-0400
> Log Data: Code:
> internal.osp.oidp.service.oauth2.handler.HandlerException.<init>()
> [183]
> Text: Client-supplied redirect URI is not registered:
> https://www.inet.jnet.beta.pa.govFsspr/public/oauth



OSP follows the standard, which requires that the URL exactly match the
configured URL. (It is even annoyingly case sensitive!)

So in your ism-configuration.properties file, on the OSP server and on
the SSPR server, what are the values for the osp hosts? Does it match
this exact name?

If you have a /etc/hosts file on either of those boxes that resolves the
IP to the above DNS name, make sure it is in the format of:
10.1.1.0 longname.acme.com longname

and not:
10.1.1.0 longname longname.acme.com

Did you set the OSP log level to above INFO/WARN, in the
tomcat/bin/setenv.sh file (Look at the last line for a logging level)
and restart the Tomcat instance? (I like ALL, but I am a sadist and
like reading ALL. It is good for troubleshooting).




Nihii Respected Contributor.

Re: SSPR Private URL Issue

Hi Geoff, I did say hi to KP on your behalf 😉

The OSP and SSPR host values match in the ism-configuration file.

Followed this format, 10.1.1.0 longname.acme.com longname, to resolve IPs to DNS.

Enabled ALL logging on OSP.

OSP tail -f logs for this issue:

Priority Level: FINER
Java: internal.osp.common.logging.HttpResponseLogger.log() [138] thread=https-jsse-nio-8443-exec-54
Time: 2019-05-16T09:44:00.653-0400
Log Data: HttpServletResponse (Number 4088)
Duration (seconds): 0.17
Content type: text/html;charset=UTF-8
Character encoding: UTF-8
Locale: en
Buffer size: 8192

Preamble: [OSP]
Priority Level: FINER
Java: internal.osp.common.logging.HttpRequestLogger.log() [340] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.946-0400
Log Data: HttpServletRequest (Number 4089)
Method: GET
Request URL: /osp/a/idm/auth/oauth2/grant
Query String: ?client_id=sspr&response_type=code&state=H4sIAAAAAAAAAAGwAE__UFdNLkdDTTEQvdPQJ6AzF8MK3YuhG_-pHE4YnNKWtAGOB2xTMm5Dqg5gM3gskSvtm9lEcPaRB-AJuceJqO--n0_5v_xmtPM39H-DnRQrxXb3kvMVm8gC6d6V54ImlXemCMdi2_fm6jzcZ2fk-7zY8U_AMG1RCQqcvFmXnSM1v3ymsNAXiCDCUMLcbFgZGDoy2TDo_GbzHdB1UzAeJF7wY8MnsZ36F2febkqF5xz7CgllRNRUsAAAAA%3D%3D&redirect_uri=https%3A//www.inet.jnet.beta.pa.govFsspr/public/oauth
Scheme: https
Context Path: /osp
Servlet Path: /a
Path Info: /idm/auth/oauth2/grant
Server Name: www.inet.jnet.beta.pa.gov
Server Port: 443
Locale: en_US
Host IP Address: 164.156.19.129
Remote Client IP Address: 10.182.69.11
Cookies
(1 of 1): AAAA03ecd25d59=AQAAAAAAAACPk2PJwRrKXwPo5MWVpNb8
Headers
host=www.inet.jnet.beta.pa.gov
user-agent=Mozilla/5.0 (Windows NT 10.0; WOW64; rv:66.0) Gecko/20100101 Firefox/66.0
accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language=en-US,en;q=0.5
accept-encoding=gzip, br
referer=https://www.inet.jnet.beta.pa.gov/nidp/idff/sso?sid=0&sid=0
dnt=1
cookie=(see above)
upgrade-insecure-requests=1
via=1.1 www.inet.jnet.beta.pa.gov (Access Gateway-ag-32F7159943D603E7-140622)
x-forwarded-for=172.18.87.134
x-forwarded-host=www.inet.jnet.beta.pa.gov
x-forwarded-server=www.inet.jnet.beta.pa.gov
connection=Keep-Alive
Session
Id: F000652880D3B769D841739A1B9C978B
Last Accessed Time: 2019-05-16T09:49:29.946-0400 (1558014569946)
Parameters
client_id
response_type
state
redirect_uri
Attributes
org.apache.tomcat.util.net.secure_protocol_version
javax.servlet.request.key_size
javax.servlet.request.ssl_session_mgr
javax.servlet.request.cipher_suite
javax.servlet.request.ssl_session_id
OSPRequestContext

Preamble: [OSP]
Priority Level: FINEST
Java: internal.osp.framework.servlet.OSPServlet.process() [198] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.946-0400
Log Data:
Class: OSPRequestContext
HttpServletResponse exists.
Http request type: GET
Request number: 4089
Tenant: For IDM and IG
Service: For IDM and IG(id=auth)
Path element count: 2
Element: oauth2
Element: grant
Override locale: en_US

Preamble: [OIDP]
Priority Level: FINEST
Java: internal.osp.oidp.service.servlets.handler.AuthenticationServiceRequestHandler.resolveHandler() [199] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.946-0400
Log Data: IDP oauth2 handler to process request received for grant

Preamble: [OIDP]
Priority Level: FINER
Java: internal.osp.oidp.service.oauth2.handler.Grant.getCommand() [204] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.947-0400
Elapsed time: 23.262 microseconds
Log Data: Parse OAuth 2.0 response_type or grant_type:
response_type: code
Maps to: Authorization Code Grant profile

Preamble: [OIDP]
Priority Level: FINER
Java: internal.osp.oidp.service.session.NIDPSession.<init>() [344] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.947-0400
Elapsed time: 48.225 microseconds
Log Data: Creating new session:
Identifier: 6d787ab077e111e9b4650050569f3287-84ede0e9a9e5f1f0ec-CX
Type: PERSISTANT
Tracking identifier: bXh6sXfhEem0ZQBQVp8yhw

Preamble: [OIDP]
Priority Level: FINER
Java: internal.osp.oidp.service.cluster.ClusterCookieContext.resolveSession() [147] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.947-0400
Elapsed time: 265.641 microseconds
Log Data: Session was created for this user request because no cookie accompanied the request: 6d787ab077e111e9b4650050569f3287-84ede0e9a9e5f1f0ec
Session cached:
Class: NIDPSession
Identifier: 6d787ab077e111e9b4650050569f3287-84ede0e9a9e5f1f0ec-CX
Sub-identifier: 0
Auth tracking identifier: bXh6sXfhEem0ZQBQVp8yhw
Type: PERSISTANT
Create time: 2019-05-16T09:49:29.947-0400 (1558014569947), elapsed: 0 (0)
Authenticated time: 1969-12-31T18:59:59.999-0500 (-1), elapsed: 18032d 13h 49m 29.948s (1558014569948)
Last used time: 2019-05-16T09:49:29.947-0400 (1558014569947), elapsed: 0 (0)
Main JSP: main
Set activity: true
Storage cache: <none>
Logout flag: 0
Show logout: false

Preamble: [OIDP]
Priority Level: FINEST
Java: internal.osp.oidp.service.session.NIDPSession.checkAuthenticated() [2711] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.948-0400
Elapsed time: 13.5 microseconds
Log Data: Session authenticated?
Identifier: 6d787ab077e111e9b4650050569f3287-84ede0e9a9e5f1f0ec
Zero consumed authentications.
Authenticated: false

Preamble: [OIDP]
Priority Level: FINER
Java: internal.osp.oidp.service.session.NIDPSession.getSessionData() [811] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.948-0400
Elapsed time: 10.456 microseconds
Log Data: Get session data based on request:
Creating new session data; id: 1

Preamble: [OIDP]
Priority Level: SEVERE
Java: internal.osp.oidp.service.oauth2.handler.RequestHandler.respondWithPageError() [582] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.948-0400
Log Data: Code: internal.osp.oidp.service.oauth2.handler.HandlerException.<init>() [183]
Text: Client-supplied redirect URI is not registered: https://www.inet.jnet.beta.pa.govFsspr/public/oauth

Preamble: [OIDP]
Priority Level: FINEST
Java: internal.osp.oidp.service.oauth2.handler.BrowserHandlerBase.handleError() [1113] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.948-0400
Elapsed time: 532.46 microseconds
Log Data: Send user to error page: Client-supplied redirect URI is not registered: https://www.inet.jnet.beta.pa.govFsspr/public/oauth

Preamble: [OIDP]
Priority Level: INFO
Java: internal.osp.oidp.service.oauth2.handler.TokenRequestHandlerBase.auditTokenCreation() [392] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.949-0400
Log Data: IssueOAuthCode

Preamble: [OIDP]
Priority Level: FINER
Java: internal.osp.oidp.service.servlets.handler.AuthenticationServiceRequestHandler.commit() [569] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.949-0400
Elapsed time: 9.468 milliseconds
Log Data: Persisting session: 6d787ab077e111e9b4650050569f3287-84ede0e9a9e5f1f0ec-CX
Session to cookie: true

Preamble: [OIDP]
Priority Level: FINER
Java: internal.osp.framework.UIResponder$Response.setResponse() [1424] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.959-0400
Elapsed time: 3.871 milliseconds
Log Data: Set response:
Forwarding:
Page: /idm/jsp/err.jsp

Preamble: [OSP]
Priority Level: FINER
Java: internal.osp.common.logging.HttpResponseLogger.log() [138] thread=https-jsse-nio-8443-exec-48
Time: 2019-05-16T09:49:29.963-0400
Log Data: HttpServletResponse (Number 4089)
Duration (seconds): 0.18
Content type: text/html;charset=UTF-8
Character encoding: UTF-8
Locale: en
Buffer size: 8192
Knowledge Partner

Re: SSPR Private URL Issue

On 5/16/2019 10:54 AM, ngujjula wrote:
>
> Hi Geoff, I did say hi to KP on your behalf 😉


Was not sure if he was still there. 🙂 Hope all is well there. Remind
the bosses we are still around if they have some work they need done. 🙂

> The OSP and SSPR host values match in the ism-configuration file.
>
> Followed this format, 10.1.1.0 longname.acme.com longname, to resolve IPs
> to DNS.
>
> Enabled ALL logging on OSP.
>
> OSP tail -f logs for this issue:


Come now, we do not use tail. We use less, then F to turn it into tail,
Ctrl-c to break out. Then you can search within the tailing logs.

Regardless, this problem seems to be coming up lately, and there is a
setting for ism-configuration.properties that seems to help. (Since
Identity Governance and Identity Apps also use OSP the answers are in
that forum.)

You can try this to see if OSP thinks it has the right URLs:

%host%:%port%/osp/a/idm/auth/oauth2/.well-known/openid-configuration

The line for the ism config file would be:

com.netiq.idm.osp.tenant.http-interfaces = ${com.netiq.idm.osp.url.host}

I.e. Explicitly add this value. Which should be there already, which is
kind of odd.



Nihii Respected Contributor.

Re: SSPR Private URL Issue


>Was not sure if he was still there. 🙂 Hope all is well there. Remind
>the bosses we are still around if they have some work they need done. 🙂

Sure. Will do



> The OSP and SSPR host values match in the ism-configuration file.
>
> Followed this format, 10.1.1.0 longname.acme.com longname, to resolve IPs
> to DNS.
>
> Enabled ALL logging on OSP.
>
> OSP tail -f logs for this issue
> Come now, we do not use tail. We use less, then F to turn it into tail,
> Ctrl-c to break out. Then you can search within the tailing logs.
>
> Regardless, this problem seems to be coming up lately, and there is a
> setting for ism-configuration.properties that seems to help. (Since
> Identity Governance and Identity Apps also use OSP the answers are in
> that forum.)
>
> You can try this to see if OSP thinks it has the right URLs:
>
> %host%:%port%/osp/a/idm/auth/oauth2/.well-known/openid-configuration
>
> The line for the ism config file would be:
>
> com.netiq.idm.osp.tenant.http-interfaces = ${com.netiq.idm.osp.url.host}
>
> I.e. Explicitly add this value. Which should be there already, which is
> kind of odd.


Tried adding above line, still same issue.
Nihii Respected Contributor.

Re: SSPR Private URL Issue

Actually, in Catalina, I have the following error:

2019-05-20T13:59:45Z, ERROR, oauth.OAuthConsumerServlet, 5071 ERROR_OAUTH_ERROR (unexpected error communicating with oauth server: password.pwm.error.PwmUnrecoverableException: 5071 ERROR_OAUTH_ERROR (unexpected HTTP status code (401) during oauth code resolver request to https://%host%:443/osp/a/idm/auth/oauth2/authcoderesolve))
Nihii Respected Contributor.

Re: SSPR Private URL Issue

Solved!!!

The issue is in the NAM Web Server configuration. The issue was resolved when I changed the Host Header to Forward Received Host Name.

Thanks

Nihii

Micro Focus Expert

Re: SSPR Private URL Issue

On 2019-05-15 16:14, ngujjula wrote:
>
> Hello,
>
> We are currently running on IDM 4.7.2, eDir - 9.1.2, SSPR - 4.3.0.4, OSP
> - 6.3.1 on RHEL 7.6. SSPR public URLs work fine, but trying to
> access SSPR private URLs brings up a blank screen in the browser.
> When I observed the OSP logs, the character F is not being removed from
> the sspr/public/oauth URL.
> Text: Client-supplied redirect URI is not registered:
> https://www.inet.jnet.beta.pa.govFsspr/public/oauth



> &redirect_uri=https%3A%2F%2Fwww.inet.jnet.beta.pa.gov%2Fsspr%2Fpublic%2Foauth


This does URL-decode properly to your registered URI.

Look into the network tab on the development tools in your browser: What
requests are actually sent to OSP?

--
Norbert
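
The comparison suggested above can be done offline from the two logs already posted. This is an added example, not part of the original thread and not OSP or SSPR code: it decodes the `redirect_uri` SSPR put in its 302 (Catalina log) and the one OSP logged in its request Query String, then checks each against the registered value with an exact string match. The function names are hypothetical, the long `state` value is replaced by the placeholder `STATE`, and the registered URI is taken to be the one the thread shows.

```python
import re
from urllib.parse import urlsplit, unquote

# Values copied from the Catalina and OSP logs in this thread; the long
# state value is replaced by the constructed placeholder "STATE".
SENT_BY_SSPR = (
    "https://www.inet.jnet.beta.pa.gov:443/osp/a/idm/auth/oauth2/grant"
    "?client_id=sspr&response_type=code&state=STATE"
    "&redirect_uri=https%3A%2F%2Fwww.inet.jnet.beta.pa.gov%2Fsspr%2Fpublic%2Foauth"
)
RECEIVED_BY_OSP = (
    "?client_id=sspr&response_type=code&state=STATE"
    "&redirect_uri=https%3A//www.inet.jnet.beta.pa.govFsspr/public/oauth"
)
# Assumption: the registered redirect URI is the one shown in the thread.
REGISTERED_URI = "https://www.inet.jnet.beta.pa.gov/sspr/public/oauth"

ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def raw_param(query, name):
    """Return the still-encoded value of one query parameter."""
    for pair in query.lstrip("?").split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    raise ValueError(f"parameter {name!r} not present")


def first_difference(a, b):
    """Return (index, char_in_a, char_in_b) at the first mismatch, or None."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i, x, y
    if len(a) != len(b):
        n = min(len(a), len(b))
        return n, a[n:n + 1], b[n:n + 1]
    return None


def diagnose(sent_url, received_query, registered):
    """Compare what the client sent with what the OAuth server logged."""
    sent_raw = raw_param(urlsplit(sent_url).query, "redirect_uri")
    recv_raw = raw_param(received_query, "redirect_uri")
    sent, recv = unquote(sent_raw), unquote(recv_raw)
    return {
        "sent_decoded": sent,
        "received_decoded": recv,
        # Exact, case-sensitive comparison, as described earlier in the thread.
        "sent_registered": sent == registered,
        "received_registered": recv == registered,
        # Differing raw values mean something between the two rewrote the URL.
        "altered_in_transit": sent_raw != recv_raw,
        "escapes_sent": len(ESCAPE.findall(sent_raw)),
        "escapes_received": len(ESCAPE.findall(recv_raw)),
        "first_difference": first_difference(sent, recv),
    }


if __name__ == "__main__":
    for key, value in diagnose(SENT_BY_SSPR, RECEIVED_BY_OSP, REGISTERED_URI).items():
        print(f"{key}: {value}")
```

A result with `sent_registered` true, `received_registered` false and `altered_in_transit` true places the change between the browser and OSP rather than in the SSPR or OSP configuration.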
Nihii Respected Contributor.

Re: SSPR Private URL Issue

The request URL to OSP is being sent out without any illegal character (F).