NetIQ IDM Applications User App: The requested service may have been disabled or not configured properly

I have installed a POC with IDM + Identity Apps 4.8.6 (4.8 -> 4.8.6) to work with the FormBuilder feature, but when I try to create a new request
and look for the permission (PRD) created with Designer, it doesn't retrieve any result.
In the Chrome Developer Tools I see an error like
suseidmapps:8543/.../permissions
401 Unauthorized

and in the catalina log I only have a message like
INFO com.netiq.idm.auth.oauth.OAuthRestFilter - [RBPM] SSO Header issued by SSO Filter oauth for User cn=uaadmin,ou=sa,o=data.

If I try to access the URL

suseidmapps:8543/osp/a/idm/auth/oauth2/grant?response_type=token&redirect_uri=suseidmapps:8543/.../oauth.html&client_id=ualanding&state=spiffystate0.7645864660083901

It gives me an error like
Error: The requested service may have been disabled or not configured properly. Please contact your system administrator. (The requested OAuth2 application was not recognized.)

I have tested several workarounds I found in the NetIQ forum but nothing works, and I don't know what more to test.
Could someone help me, please?


  • 0  

    OSP (and OAuth providers in general) are super sensitive to the EXACT URL that the request comes from.

    By SUPER sensitive, I mean case sensitive, which normally is not a thing in a domain name.  So your servers susesidapps vs SuSeidmapps would be an issue.  And the ports.  Now you are using 8543 so you are OK, but 443 causes problems since the browser says "I am clever" and removes the 443, since it is implied by default for https.  But that is not your case.

    So next Q: I said it is super sensitive.  So what is it comparing it to?  Initially it was only the URL you specified in ism-configuration.properties in the Tomcat conf directory.  Later JVMs added new security features such that the certificate for SSL has to have an extension, Subject Alternative Name, where the specific URL you are using is included (not the port, thankfully, just DNS name and IP address).

    Then, just to be ludicrous, if DNS returned more than one DNS name for the IP, it used to use either the longer or the shorter of the two, I forget which.  Anyway, make sure there is only one name returned via DNS to avoid this.  (Imagine you had susidmapps1.acme.com and idm.acme.com for the same IP; that would trigger this issue.)
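
The three failure modes described in this reply (a case difference in the host, the browser dropping a default port before the request is sent, and an IP that resolves to more than one name) can be checked offline before touching OSP. The script below is an added example and is not code from the thread, from NetIQ or from OSP; it models the comparison as an exact string match, which is what the reply describes, and the hostnames, the `/app/oauth.html` path and the sample hosts-file content are constructed for illustration. The registered URL you feed it should be the one you put in ism-configuration.properties.

```python
# Added example (not from the forum thread, NetIQ or OSP). Models the exact
# string comparison of an OAuth2 redirect_uri against the registered URL and
# explains why two URLs that look "the same" fail it. Hostnames, the path
# /app/oauth.html and the hosts-file sample are constructed assumptions.
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def split_netloc(netloc):
    """Split 'host:port' keeping the host's original case (urlsplit().hostname
    would lowercase it, which hides exactly the problem we want to see)."""
    if ":" in netloc:
        host, port = netloc.rsplit(":", 1)
        return host, int(port)
    return netloc, None


def browser_normalize(url):
    """Return the URL as a browser actually sends it: the default port for the
    scheme (443 for https, 80 for http) is stripped, any other port is kept."""
    p = urlsplit(url)
    host, port = split_netloc(p.netloc)
    netloc = host if port in (None, DEFAULT_PORTS.get(p.scheme)) else f"{host}:{port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def registered_uri_matches(request_uri, registered_uri):
    """The provider-side check as described in the reply: exact, case-sensitive."""
    return request_uri == registered_uri


def explain_mismatch(request_uri, registered_uri):
    """List the reasons an exact match fails, naming the two silent ones."""
    reasons = []
    a, b = urlsplit(request_uri), urlsplit(registered_uri)
    ha, pa = split_netloc(a.netloc)
    hb, pb = split_netloc(b.netloc)
    if a.scheme != b.scheme:
        reasons.append("scheme")
    if ha != hb:
        reasons.append("host case" if ha.lower() == hb.lower() else "host")
    if pa != pb:
        if None in (pa, pb) and DEFAULT_PORTS.get(a.scheme) in (pa, pb):
            reasons.append("default port stripped by browser")
        else:
            reasons.append("port")
    if a.path != b.path:
        reasons.append("path")
    return reasons


# Constructed /etc/hosts content: one IP deliberately carries two names.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.56.101  suseedir
192.168.56.113  suseidmapps suseidmapps.acme.example   # two names for one IP
"""


def names_per_ip(hosts_text):
    """Map each IP in hosts-file text to every name listed for it."""
    table = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        table.setdefault(ip, []).extend(names)
    return table


def ambiguous_ips(hosts_text):
    """IPs that resolve to more than one name: the reverse-lookup trap."""
    return {ip: n for ip, n in names_per_ip(hosts_text).items() if len(n) > 1}


if __name__ == "__main__":
    registered = "https://suseidmapps:443/app/oauth.html"
    sent = browser_normalize(registered)
    print(sent, registered_uri_matches(sent, registered), explain_mismatch(sent, registered))
    print(explain_mismatch("https://SuSeidmapps:8543/app/oauth.html",
                           "https://suseidmapps:8543/app/oauth.html"))
    print(ambiguous_ips(SAMPLE_HOSTS))
```

With port 8543 the browser leaves the URL alone, so the only two things left to compare are the host spelling and, on a real resolver, `getent hosts <ip>` returning a single name; the hosts-file parser covers the /etc/hosts case, not a DNS PTR lookup.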

  • 0 in reply to   

    Hi Geoffrey, thanks for your help.

    All the installations I have done use lowercase, and I don't have a DNS; IP resolution is done using /etc/hosts:

    192.168.56.101 suseedir
    192.168.56.105 suseacdi
    192.168.56.113 suseidmapps
    192.168.56.108 ssprapp

    suseidmapps:# hostname -f
    suseidmapps

    Anyway, I'll use this Christmas to reinstall User Apps using IPs instead of server names.

    I have checked in some customers' environments, and regarding OSP they have the same error.

    I think the problem I'm having is that uaadmin doesn't have rights to work with roles and request objects, at least that is what catalina says, which sounds weird to me.

  • 0   in reply to 

    Do not forget that the SSL cert used with the Tomcat private key for https needs to have both the IP and the DNS name in the Subject Alternative Name extension.

    When you ran configupdate.sh, did you specify one User App Admin user with all the roles, or did you make separate ones?  When you do the install, make sure you do it all as one user and then delegate rights afterwards.

    This level of permissioning is done via the Roles assignment.
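
To verify the certificate point in this reply (and the Subject Alternative Name requirement raised earlier in the thread) without guessing, dump the SAN extension from the Tomcat certificate and check it against every URL the browser will use, by name and by IP. The script below is an added example, not code from the thread or from NetIQ; the SAN text it parses is constructed in the shape that `openssl x509 -in tomcat.pem -noout -ext subjectAltName` prints (export the certificate from the Tomcat keystore first with `keytool -exportcert -rfc -alias <alias> -keystore <keystore> -file tomcat.pem`), and the hostnames are illustrative. It does exact name matching only; wildcard SAN entries are not handled.

```python
# Added example (not from the forum thread or NetIQ). Parses the SAN dump
# produced by `openssl x509 -noout -ext subjectAltName` and checks that each
# URL the browser will hit is covered by a DNS or IP entry. Sample text and
# hostnames are constructed for illustration.
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of openssl's subjectAltName output for a Tomcat cert
# that carries both the short host name and the server's IP address.
SAMPLE_SAN_OUTPUT = """\
X509v3 Subject Alternative Name: 
    DNS:suseidmapps, IP Address:192.168.56.113
"""


def parse_san(openssl_text):
    """Return (dns_names, ip_addresses) from the openssl SAN dump."""
    dns = set(re.findall(r"DNS:([^,\s]+)", openssl_text))
    ips = set(re.findall(r"IP Address:([^,\s]+)", openssl_text))
    return dns, ips


def san_covers(url, openssl_text):
    """True if the URL's host is present in the SAN: an IP literal must match an
    IP Address entry, a name must match a DNS entry (names compared
    case-insensitively, as TLS host checking does; the port is not involved)."""
    host = urlsplit(url).hostname or ""
    dns, ips = parse_san(openssl_text)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() in {d.lower() for d in dns}
    return any(ip == ipaddress.ip_address(i) for i in ips)


def missing_san_entries(urls, openssl_text):
    """The URLs that would fail the JVM's certificate host check."""
    return [u for u in urls if not san_covers(u, openssl_text)]


if __name__ == "__main__":
    # Check every form of the address that a browser or Tomcat itself may use.
    candidates = [
        "https://suseidmapps:8543/osp/",
        "https://192.168.56.113:8543/osp/",
        "https://suseidmapps.acme.example:8543/osp/",  # constructed FQDN, not in the SAN
    ]
    print(parse_san(SAMPLE_SAN_OUTPUT))
    print(missing_san_entries(candidates, SAMPLE_SAN_OUTPUT))
```

If the FQDN you intend to use is reported as missing, reissue the certificate with every name and IP in the SAN rather than switching the URL to whichever one happens to be present; the SAN check and the exact-URL comparison in ism-configuration.properties must both pass.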