Error trying to contact with authentication service

Hello Everyone,

I am having some trouble with a 3.7.0 service that is not correctly starting up. When I try to log in with igadmin it throws

OSP integration is configured locally in the same machine as IG. The OSP is integrated with Active Directory but the bootstrap admin is configured as a file. The bootstrap admin was created during the installation and used to work perfectly.

At first, I found this error in the OSP log

Preamble: [OSP]
Priority Level: SEVERE
Java: internal.osp.framework.servlet.OSPServletContext.<init>() [115] thread=main
Time: 2024-09-04T18:28:34.003-0400
Log Data: Configuration load failed. An empty configuration will be used.: internal.atlaslite.jcce.exception.CoreExceptionWithOutcome: Loading system configuration named 'current' failed. Reason: Loading bootstrap properties.
=>internal.atlaslite.jcce.validation.ValidationException: java.lang.NoClassDefFoundError: Could not initialize class com.netiq.ism.config.ConfigurationFactory
Validation messages (2):
1) Error:

java.lang.NoClassDefFoundError: Could not initialize class com.netiq.ism.config.ConfigurationFactory
2) Error:

Unable to obtain properties from bootstrap configuration.

But after stopping the service, moving every folder in Webapps to a backup folder, the same for the work/catalina/localhost folder, and deleting the temp folder content before finally starting the service again, it is not throwing the java.lang.NoClassDefFoundError but the OSP log has a lot of warnings:

Preamble: [OIDP]
Priority Level: WARNING
Java: internal.osp.oidp.service.configuration.ConfigurationManager.initialize() [332] thread=main
Elapsed time: 657.753 microseconds
Time: 2024-10-14T11:25:16.139-0300
Log Data: Validation of authentication service configuration resulted in one or more warnings:
      Validation messages (14):
         1) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication
               The default contract decorator value "defaultContract" is deprecated and support for the value will be removed. Use instead "default" as the decorator value.
         2) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication
               The default contract decorator value "defaultContractNP" is deprecated and support for the value will be removed. Use instead "Password" as the decorator value.
         3) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/AuthContract[User Name/Password Login (id=np-contract)]
               Unrecognized attribute 'showExpiredPwdUI'
         4) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/AuthContract[OAuth2 Resource Owner Credentials Login (id=ro-np-contract)]
               Unrecognized attribute 'showExpiredPwdUI'
         5) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=formbuilder,uri=https://igqa.bice.cl:8443/formbuilder/oauth.html]
               This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
         6) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=rptw,uri=https://igqa.bice.cl:8443/IDMRPT/oauth.html]
               This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
         7) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=cx,uri=https://igqa.bice.cl:8443/cx/oauth.html]
               This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
         8) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=ig,uri=https://igqa.bice.cl:8443/oauth.html]
               This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
         9) Information:
               AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]/Server[SRVADCQA1.BICEQA.LOCAL:636]
               The LDAP data store configured LDAP bind timeout value will be used.
         10) Information:
               AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]/Server[SRVADCQA1.BICEQA.LOCAL:636]
               The LDAP data store configured read timeout value will be used.
         11) Information:
               AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]
               The OSP system LDAP bind timeout value will be used.
         12) Information:
               AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]
               The OSP system LDAP read timeout value will be used.
         13) Information:
               AuthenticationService[OSP Configuration (id=auth)]/FileDataSource[CSV File Data Source (id=firstFile)]
               No filename specified; assuming path specifies both path and filename.
         14) Information:
               AuthenticationService[OSP Configuration (id=auth)]/JDBCIDataSource[File User Instance Datasource (id=ds-file-instance-data)]
               No JNDI environment context name; JNDI datasource name specifies both context and name.

Preamble: [OIDP]
Priority Level: WARNING
Java: internal.osp.oidp.service.source.AuthPluginManager.autoConfigure() [338] thread=main
Time: 2024-10-14T11:25:16.262-0300
Log Data: Unable to auto configure authentication plugins for 'Authentication Source for File Users' Instance Data(id=as-file-instance-data)' because no suitable authentication plugins were found.

The line that says "Unable to auto configure authentication plugins for 'Authentication Source for File Users' Instance Data(id=as-file-instance-data)' because no suitable authentication plugins were found." really calls my attention but I don't know what else to check out.

Have you ever encountered this error? Any ideas?

  • Suggested Answer

    I have seen the second log quite a bit. Those warnings are "normal" and should not impede login.

    In the first error, that No Class Def Found error is a good indicator that Java can't find the jar files needed to run the program. In this case you cleared /temp and /work folders in Tomcat, and it looks like that resolved that issue. Tomcat will expand the contents of wars in webapps into work, and it will use the temp folder as well during normal operation. Anytime you change the content of the webapps folder is a good time to remove the work and temp directories. Upon restart, Tomcat will rebuild those - no need to back those two up.

    After the second log are you still seeing the same issue in the interface? You will want to ensure your connection from OSP to AD is functional. I would focus there. If you run configupdate, make sure you can browse to the OU where your user search base is. Browsing will exercise the connection and your credentials, and if you can browse, you are past several errors. Also, in configutil, you will need to make an update to the attributes you use to identify the user. This is listed in the documentation for when you are working with AD as the authentication source. It's a small tweak.

    --Jim

  • 0 in reply to   

    Thanks for your insight. We changed the strategy and found out the problem was related to expired SSL certificates. Once that was fixed, IG worked just fine.
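
Added example, not part of the original thread and not vendor code: the root cause reported in the last reply (expired SSL certificates) can be checked for directly by attempting a verified TLS handshake against each endpoint the authentication service depends on, such as the HTTPS listener and the LDAPS server. The thread does not say which certificate had expired, so the endpoints are passed on the command line; the 30-day warning threshold and the function names are assumptions of this sketch.

```python
import socket
import ssl
import sys
import time


def days_left(not_after, now=None):
    """Whole days until a certificate 'notAfter' string; negative if expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(not_after, now=None, warn_days=30):
    """Map a 'notAfter' value to EXPIRED / EXPIRING / OK (threshold is an assumption)."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    return "EXPIRING" if remaining < warn_days else "OK"


def check_endpoint(host, port, cafile=None, timeout=5.0):
    """Do a verified TLS handshake and return (status, detail).

    An already expired or untrusted certificate fails the handshake, so the
    verifier's own reason (e.g. "certificate has expired") is returned instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                return classify(not_after), "notAfter=" + not_after
    except ssl.SSLCertVerificationError as exc:
        return "VERIFY_FAILED", exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return "UNREACHABLE", str(exc)


if __name__ == "__main__":
    # Usage: python check_certs.py host:port [host:port ...]
    for target in sys.argv[1:]:
        host, _, port = target.rpartition(":")
        status, detail = check_endpoint(host, int(port))
        print(f"{target}: {status} ({detail})")
```

This script verifies against the operating system's CA store by default, not the Java truststore the service itself uses; for a certificate issued by an internal CA, pass that CA's PEM file as `cafile` so that a trust failure is not mistaken for an expiry.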