Issue with SSO configuration on SRC9.40
We have installed HPSM 9.40 and SRC 9.40. I am trying to configure SSO for SRC and have done the setup below for the same. After completing all the steps below I am receiving an error in catalina.out: "org.springframework.ws.client.WebServiceIOException: I/O error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Has anyone faced the same issue? Or have I missed any steps for enabling SSO?
1). Generated below files using openssl and keytool
2). Copied below files to Service Manager/RUN folder
3). Copied below files to SRC installed folder
4). Updated applicationContext.properties file for SRC as below
Hostname : <fully qualified domain name>
5). Updated the property tomcatAuthentication to false in Server.xml
<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />
It is failing at the SSL handshake. In the sm.ini file, in addition to the parameters you've already specified, what are sslConnector, ssl, ssl_reqClientAuth and trustedsignon set to? Those should look like below:
However, since it's failing at the handshake we should turn off the TSO part and see if you can log in with just SSL active. If SSL fails then the problem could be with the generated certificates. To disable TSO but leave SSL active, you need to:
For Service Manager
A. In the sm.ini set trustedsignon to 0
B. Add this tracing parameter to sm.ini: debughttp:1
A. In the applicationContext.properties set src.security.mode=default and src.security.SSOenabled=false
Stop and restart both SRC and SM, clear the logs for both and see if you can log in. If you can, look in the sm.log for SSL Connection Accepted. If so, then you know SSL is actually working and you can work on the TSO portion knowing the problem is somewhere around there. If it fails then SSL errors will continue.
Thanks for your response.
I do not have trustedsignon parameter on SM.ini but I have mentioned it in SM.CFG file with all the required parameters for SSL.
Attached are my SM.ini and SM.cfg files for your reference.
I tried the option you suggested to disable TSO and test only with SSL. I am still receiving the same error. That means the issue is with SSL.
Should I regenerate all the certificates? Or am I missing any steps for configuring SSL?
Do the following to the line you're using in the sm.cfg:
1. Set trustedsignon:0
2. Add these to the line -JVMOption0:-Djavax.net.debug=ssl and debughttp:1
3. The line should now look like this:
sm -httpPort:13090 -httpsPort:13443 -sslConnector:1 -ssl:1 -ssl_reqClientAuth:2 -trustedsignon:0 -debugnode:1 -debughttp:1 -JVMOption0:-Djavax.net.debug=ssl -log:../logs/mSRCwebservicedebug.log
4. Stop Service Manager
5. Clear out all sm logs
6. Start Service Manager
7. Attempt to login via SRC
8. If it fails attach the sm.log, the mSRCwebservicedebug.log and the sm_<PID>stdouterr.log (there may be more than one so send in all of those sm_<PID>stdouterr.log files)
I made the changes to SM.CFG as you suggested, and also made the below changes to the SRC parameters in ApplicationContext.properties.
There is no information recorded in mSRCwebservice.log because SRC is not starting. Also there are many sm_pid_stdouterr.logs but none of them has any data.
There is some information recorded in the logs in the Tomcat folder. I am attaching here both Tomcat and SM logs.
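An added example, not part of the thread: "PKIX path building failed" means the Java client could not build a chain from the certificate the server presented to any CA in its truststore. The script below reproduces that condition with `openssl verify` standing in for the Java check; the CA names, the `sm-server` subject and all file names are constructed for the demo and are not the files from this installation.

```shell
#!/usr/bin/env bash
# Constructed demo: CA names, subjects and file names are invented for illustration.
set -eu

# make_ca DIR NAME: create a self-signed root CA (NAME.key / NAME.pem) in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA NAME: create a key and a certificate NAME.pem signed by CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# check_trust CAFILE CERT: print "trusted" if CERT chains to a CA in CAFILE,
# otherwise "untrusted" (the case Java reports as "PKIX path building failed").
check_trust() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ca "$work" issuing-ca
make_ca "$work" other-ca
issue_cert "$work" issuing-ca sm-server
echo "trust file holds the issuing CA: $(check_trust "$work/issuing-ca.pem" "$work/sm-server.pem")"
echo "trust file holds another CA:     $(check_trust "$work/other-ca.pem" "$work/sm-server.pem")"
```

On a real installation the equivalent check is to compare the issuer of the certificate Service Manager presents with the CA entries listed by `keytool -list -v -keystore <truststore>` for the truststore that SRC's JVM actually loads.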