Established Member..

Issue with SSO configuration on SRC9.40

Hello Expert,

We have installed HPSM 9.40 and SRC 9.40. I am trying to configure SSO for SRC and have done the setup below. After completing all the steps below, I am receiving this error in catalina.out: "org.springframework.ws.client.WebServiceIOException: I/O error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Has anyone faced the same issue? Or have I missed any steps for enabling SSO?

1). Generated below files using openssl and keytool

cacerts
smKeystore.jks
srcKeystore.jks
clientcerts.keystore
certificateAuthorityCert.pem
certificateAuthorityKey.pem
smCert.pem
smCSR.pem
srcCert.pem
srcCSR.pem

2). Copied below files to Service Manager/RUN folder

smKeystore.jks
cacerts
clientcerts.keystore

3). Copied below files to SRC installed folder

Cacerts
srcKeystore.jks

4). Updated applicationContext.properties file for SRC as below

sm.protocol=https
Port: 13443
Hostname : <fully qualified domain name>

src.trustStore=C:\\.......\\_TSO\\cacerts
src.trustStorePassword=changeit
src.keyStore=C……..\\_TSO\\srcKeystore.jks
src.keyStorePassword=changeit

src.security.mode=tso
src.security.SSOenabled=true

5). Updated the property tomcatAuthentication to false in Server.xml

<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />

Regards

Micro Focus Expert

Re: Issue with SSO configuration on SRC9.40

It is failing at the SSL Handshake. In the sm.ini file, in addition to the parameters you've already specified, what are sslConnector, ssl, ssl_reqClientAuth and trustedsignon set to? Those should look like below:

sslConnector:1
ssl:1
ssl_reqClientAuth:2
trustedsignon:1 

However, since it's failing at the handshake we should turn off the TSO part and see if you can login with just SSL active. If SSL fails then the problem could be with the generated certificates. To disable TSO, but leave SSL active you need to:

For Service Manager
A. In the sm.ini set trustedsignon to 0
B. Add this tracing parameter to sm.ini: debughttp:1

For SRC
A. In the applicationContext.properties set src.security.mode=default and src.security.SSOenabled=false

Stop and restart both SRC and SM, clear the logs for both and see if you can login. If you can, look in the sm.log for "SSL Connection Accepted". If so then you know SSL is actually working and you can work on the TSO portion knowing the problem is somewhere around there. If it fails then SSL errors will continue.
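
The following is an added example, not part of the original thread: it reproduces the condition behind "PKIX path building failed" by checking a server certificate against the CA it was signed by and against an unrelated CA. The file names certificateAuthorityCert.pem and smCert.pem follow the first post; the CN values, the second CA and smKey.pem are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every key and certificate is generated in a temp directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <prefix> <CN>: self-signed CA -> <prefix>Key.pem and <prefix>Cert.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=${2}" \
    -keyout "$WORK/${1}Key.pem" -out "$WORK/${1}Cert.pem" 2>/dev/null
}

# issue_cert <ca-prefix> <name> <CN>: <name>CSR.pem signed into <name>Cert.pem
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=${3}" \
    -keyout "$WORK/${2}Key.pem" -out "$WORK/${2}CSR.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/${2}CSR.pem" -days 30 -CAcreateserial \
    -CA "$WORK/${1}Cert.pem" -CAkey "$WORK/${1}Key.pem" \
    -out "$WORK/${2}Cert.pem" 2>/dev/null
}

# chains_to <ca-cert> <cert>: succeeds only if <cert> validates against <ca-cert>.
# Matching on ": OK" avoids relying on the exit code of older openssl builds.
chains_to() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

make_ca certificateAuthority "Demo CA (constructed)"
make_ca otherAuthority "Unrelated CA (constructed)"
issue_cert certificateAuthority sm "sm.example.test"

# Show who signed the server certificate, then test it against each CA.
openssl x509 -noout -issuer -in "$WORK/smCert.pem"
for ca in certificateAuthority otherAuthority; do
  if chains_to "$WORK/${ca}Cert.pem" "$WORK/smCert.pem"; then
    echo "${ca}Cert.pem: smCert.pem validates, handshake can proceed"
  else
    echo "${ca}Cert.pem: no path to smCert.pem (Java reports PKIX path building failed)"
  fi
done
```

On the real hosts the same check is `openssl verify -CAfile certificateAuthorityCert.pem smCert.pem`, and `keytool -list -keystore cacerts` shows whether that CA is present in the trust store SRC loads.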

Established Member..

Re: Issue with SSO configuration on SRC9.40

Hi Brett,

Thanks for your response.

I do not have the trustedsignon parameter in SM.ini, but I have specified it in the SM.CFG file with all the required parameters for SSL.

Attached are my SM.ini and SM.cfg files for your reference.

I tried the option you suggested to disable TSO and test only with SSL. I am still receiving the same error. That means the issue is with SSL.

Should I regenerate all the certificates? Or am I missing any steps for configuring SSL?

Regards,

Avinash

Micro Focus Expert

Re: Issue with SSO configuration on SRC9.40


Do the following to the line you're using in the sm.cfg:

1. Set trustedsignon:0
2. Add these to the line -JVMOption0:-Djavax.net.debug=ssl and debughttp:1
3. The line should now look like this:

sm -httpPort:13090 -httpsPort:13443 -sslConnector:1 -ssl:1 -ssl_reqClientAuth:2 -trustedsignon:0 -debugnode:1 -debughttp:1 -JVMOption0:-Djavax.net.debug=ssl -log:../logs/mSRCwebservicedebug.log

4. Stop Service Manager
5. Clear out all sm logs
6. Start Service Manager
7. Attempt to login via SRC
8. If it fails attach the sm.log, the mSRCwebservicedebug.log and the sm_<PID>stdouterr.log (there may be more than one so send in all of those sm_<PID>stdouterr.log files)

Established Member..

Re: Issue with SSO configuration on SRC9.40

Hi Brett,

I made the changes to SM.CFG as you suggested, and also made the changes below to the SRC parameters in ApplicationContext.properties.

src.security.mode=default
src.security.SSOenabled=false

There is no information recorded in mSRCwebservice.log because SRC is not starting. Also, there are many sm_pid_stdouterr.logs, but none of them has any data.

There is some information recorded in the logs in the Tomcat folder. I am attaching both the Tomcat and SM logs here.

Regards,

Established Member..

Re: Issue with SSO configuration on SRC9.40

Do we need to make any changes to the ...\src-9.40\WEB-INF\classes\lwssofmconf.properties file?

Micro Focus Expert

Re: Issue with SSO configuration on SRC9.40

If you have lwsso configured then disable it. We only want to test SSL when a user logs into SRC.
