Identity Governance Login Issue with http port 8080, LDAP user

Hi, I'm facing an issue after setting up IG with OSP together, installed on 1 server using port 8080. Initially it was able to work, but randomly, sometimes it is suddenly unable to login anymore with LDAP users (tested 2 builds, both with eDir and AD users). It seems very unstable and inconsistent; suddenly I'm unable to login with the user. It just keeps looping me at the login page, and I'm not sure what I can do anymore.

Attached are the catalina log and OSP log.

catalina.2024-10-15.log 

Preamble: [OIDP idm]
Priority Level: WARNING
Java: internal.osp.oidp.service.configuration.ConfigurationManager.initialize() [446] thread=main
Elapsed time: 1.604 milliseconds
Time: 2024-10-15T00:07:11.650+0800
Log Data: Validation of authentication service configuration resulted in one or more warnings:
      Validation messages (8):
         1) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=formbuilder,uri=https://demoig99:8443/formbuilder/oauth.html]
               This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
         2) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=rptw,uri=http://demoig99:8080/IDMRPT/oauth.html]
               This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
         3) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=cx,uri=https://demoig99:8443/cx/oauth.html]
               This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
         4) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=ig,uri=https://demoig99:8443/oauth.html]
               This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
         5) Information:
               AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]/Server[Server1.demo.com:389]
               The OSP-system-specified bind timeout value will be used.
         6) Information:
               AuthenticationService[OSP Configuration (id=auth)]/LDAPDataSource[LDAP Directory Data Source (id=idm_idv)]/Server[Server1.demo.com:389]
               The OSP-system-specified read timeout value will be used.
         7) Information:
               AuthenticationService[OSP Configuration (id=auth)]/FileDataSource[CSV File Data Source (id=firstFile)]
               No filename specified; assuming path specifies both path and filename.
         8) Information:
               AuthenticationService[OSP Configuration (id=auth)]/JDBCIDataSource[File User Instance Datasource (id=ds-file-instance-data)]
               No JNDI environment context name; JNDI datasource name specifies both context and name.

Preamble: [OIDP idm]
Priority Level: WARNING
Java: internal.osp.oidp.service.source.AuthPluginManager.autoConfigure() [338] thread=main
Time: 2024-10-15T00:07:12.206+0800
Log Data: Unable to auto configure authentication plugins for 'Authentication Source for File Users' Instance Data(id=as-file-instance-data)' because no suitable authentication plugins were found.

Preamble: [Tenant idm]
Priority Level: WARNING
Java: internal.osp.framework.OSPTenant$ProbeTlsTask.run() [3912] thread=osp-common-thread-1-3
Time: 2024-10-15T00:07:13.750+0800
Log Data: Server is not configured for Transport Layer Security (TLS)

Preamble: [OIDP idm]
Txn: j7p_UYpHEe-UTAAMKcZRjw
Priority Level: WARNING
Java: internal.osp.oidp.service.source.ldap.LDAPSource.search() [734] thread=http-nio-8080-exec-8
Elapsed time: 133.936 milliseconds
Time: 2024-10-15T00:15:43.115+0800
Log Data:          Admin search:
         Admin search:

Preamble: [OIDP idm]
Txn: kjGZ0YpHEe-UTAAMKcZRjw
Priority Level: WARNING
Java: internal.osp.oidp.service.source.ldap.LDAPSource.search() [734] thread=http-nio-8080-exec-10
Elapsed time: 356.86 milliseconds
Time: 2024-10-15T00:15:47.184+0800
Log Data:          Admin search:
         Admin search:

I've tried to set it up using HTTPS with port 8443, but it still doesn't work either.

I'm accessing C:\netiq\idm\apps\idgov\bin\configutil.cmd to change to HTTPS using the guide below.

https://www.microfocus.com/documentation/identity-governance/4.3/install-guide/t4aewza6ye7r.html

configutil.cmd

server.xml

Certificate is self-signed and still valid.
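As an added triage aid (not part of the original post, and not OSP or IG product code), the following Python parses records in the "Key: value" layout of the catalina log above and pulls out the entries a practitioner would look at first for a login loop: the "not configured for TLS" probe result, and each OAuth2 public client flagged under RFC 6819 section 5.2.3.2 together with the scheme and host of its redirect URI (the log shows one client on http://demoig99:8080 and the others on https://demoig99:8443, all on the short host name). The sample text is a constructed, abbreviated copy of three records from the log above; the finding labels are my own names, not OSP terms.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: an abbreviated copy of three records from the catalina log
# in the post above, in the same "Key: value" layout (Log Data may span lines).
SAMPLE_LOG = """\
Preamble: [OIDP idm]
Priority Level: WARNING
Java: internal.osp.oidp.service.configuration.ConfigurationManager.initialize() [446] thread=main
Time: 2024-10-15T00:07:11.650+0800
Log Data: Validation of authentication service configuration resulted in one or more warnings:
      Validation messages (2):
         1) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=rptw,uri=http://demoig99:8080/IDMRPT/oauth.html]
               This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.
         2) Warning:
               AuthenticationService[OSP Configuration (id=auth)]/Authentication/Protocols/OAuth2Protocol/OAuth2Clients/Client[id=ig,uri=https://demoig99:8443/oauth.html]
               This public client is set to allow non-user-interactive authorization grants. This is not recommended by RFC 6819 section 5.2.3.2.

Preamble: [Tenant idm]
Priority Level: WARNING
Java: internal.osp.framework.OSPTenant$ProbeTlsTask.run() [3912] thread=osp-common-thread-1-3
Time: 2024-10-15T00:07:13.750+0800
Log Data: Server is not configured for Transport Layer Security (TLS)

Preamble: [OIDP idm]
Txn: j7p_UYpHEe-UTAAMKcZRjw
Priority Level: WARNING
Java: internal.osp.oidp.service.source.ldap.LDAPSource.search() [734] thread=http-nio-8080-exec-8
Elapsed time: 133.936 milliseconds
Time: 2024-10-15T00:15:43.115+0800
Log Data:          Admin search:
         Admin search:
"""

KNOWN_KEYS = ("Preamble", "Txn", "Priority Level", "Java", "Elapsed time", "Time", "Log Data")
KEY_RE = re.compile(r"^(%s):\s*(.*)$" % "|".join(re.escape(k) for k in KNOWN_KEYS))
CLIENT_RE = re.compile(r"Client\[id=([^,\]]+),uri=([^\]]+)\]")
RFC6819_TEXT = "non-user-interactive authorization grants"
TLS_TEXT = "not configured for Transport Layer Security"


def parse_records(text):
    """Split the log into blank-line separated records of key -> value.
    Indented continuation lines are folded into the open Log Data field."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = KEY_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif "Log Data" in current:
            current["Log Data"] += "\n" + line.strip()
    if current:
        records.append(current)
    return records


@dataclass(frozen=True)
class Finding:
    kind: str    # label assigned here for triage, not an OSP term
    detail: str
    time: str


def triage(text):
    """Return the findings worth checking first for a login loop."""
    findings = []
    for rec in parse_records(text):
        data, when = rec.get("Log Data", ""), rec.get("Time", "?")
        if TLS_TEXT in data:
            findings.append(Finding("tls_disabled", rec.get("Java", ""), when))
        # Validation output is a list of "n) Warning:" items; look at each one alone
        for item in re.split(r"\n\d+\) ", data):
            if RFC6819_TEXT not in item:
                continue
            for client_id, uri in CLIENT_RE.findall(item):
                parts = urlsplit(uri)
                findings.append(Finding("public_client_non_interactive_grant",
                                        f"{client_id} -> {uri}", when))
                if parts.scheme == "http":
                    findings.append(Finding("redirect_uri_plaintext",
                                            f"{client_id} -> {uri}", when))
                if parts.hostname and "." not in parts.hostname:
                    findings.append(Finding("redirect_uri_short_hostname",
                                            f"{client_id} -> {parts.hostname}", when))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.time}  {f.kind:36} {f.detail}")
```

Run it against the full attached log instead of the sample to get the list of every client URI, its scheme and host; a mix of http and https bases, or a short host name that differs from what users type in the browser, is what the replies below ask about.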

  • 0  

    Hello,

    1) As for HTTP, there was an update recently for Firefox that blocked http access from working.  You will need to make a change in your Firefox browser to get it to work again.

    2) If you are switching to HTTPS post install, you have to "install" the certificate that Tomcat is running with in the app-truststore file in the tomcat/conf directory.  If you are not familiar with how to export certs and import them, you can:

    start Tomcat, launch configupdate, and then press OK to close it; you will be prompted to accept the cert. configupdate will perform the necessary actions. After accepting the certificate, a restart of Tomcat is required.

    3) Make sure you have extended the schema in Active Directory as outlined in the documentation.

    4) If your eDirectory server is a Vault server (IDM & eDirectory) then the schema was extended when you installed IDM.  If it is just an eDirectory server, then you will need to extend the schema as outlined in the documentation.

    5) I see that you are utilizing a short dns value of demoig99.  If this value is shorter than the full DNS value, you will have issues accessing.


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    Hi Steven,

    For 2, I've tried to use configupdate but it didn't prompt for accepting the certificate. Do I just need to import into app-truststore? Is there any other store I need to import into as well?

    For 3, I've extended the schema of AD.

    For 5, if I'm changing to the long DNS name, do I just need to update it in the configupdate util?

    1 more thing to confirm: I see there are 2 config utilities, 1 is configupdate and another 1 is configutil. Which one should I be using to change to HTTPS?

  • 0   in reply to 

    Use keytool.

    Open the web page over SSL so you can click the lock icon in the browser URL bar and view the cert.  Export it from there.

    /opt/netiq/common/jre/bin/keytool -keystore /path/to/app-truststore -storepass default -import -file /path/to/exported/cert -alias ig-server

    One thing Steve did not mention to double check is, did you make a SAN (Subject Alternate Name) for each possible DNS name for the server?  The URL base has to match one of the cert's values in the SAN.

    Configutil.sh manages config data in the database where most of the IG config resides.

    Configupdate.sh manages OSP and other server file side settings (Usually in the ism-configuration.properties file).

    Sometimes it is confusing which tool fixes which issues.
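The SAN check described in the reply above, written out as an added Python example (it is not the reply's code and not part of the product): it parses the text printed by `openssl x509 -in cert.pem -noout -ext subjectAltName`, then tests whether the host in the configured URL base matches one of the certificate's DNS or IP Address SAN entries, with RFC 6125 style wildcard handling (one leftmost label only). The SAN output below is a constructed sample and the host names in it are assumptions; the short-name case mirrors the demoig99 point raised earlier in the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of `openssl x509 -in cert.pem -noout -ext subjectAltName` output.
# The names are assumptions for illustration, not the poster's real certificate.
SAMPLE_SAN_OUTPUT = """\
X509v3 Subject Alternative Name: 
    DNS:demoig99.demo.com, DNS:*.lab.demo.com, IP Address:10.0.0.5
"""


def parse_san(openssl_output):
    """Return (dns_names, ip_addresses) listed in the SAN extension text."""
    dns, ips = [], []
    for line in openssl_output.splitlines():
        for entry in line.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                dns.append(entry[len("DNS:"):].strip().lower())
            elif entry.startswith("IP Address:"):
                ips.append(ipaddress.ip_address(entry[len("IP Address:"):].strip()))
    return dns, ips


def dns_name_matches(pattern, host):
    """RFC 6125 matching: case-insensitive; a wildcard is allowed only as the
    whole leftmost label, matches exactly one label, and a bare `*.tld` is rejected."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def url_base_matches_san(url_base, openssl_output):
    """Check the host of the configured URL base against the cert's SAN.
    Returns (ok, reason); reason names the matching entry or says why none did."""
    host = urlsplit(url_base).hostname
    if not host:
        return False, "URL base has no host"
    dns, ips = parse_san(openssl_output)
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        # An IP literal in the URL must appear as an IP Address SAN; DNS entries do not count
        ok = literal in ips
        return ok, f"IP Address:{literal} {'present' if ok else 'missing'} in SAN"
    for name in dns:
        if dns_name_matches(name, host):
            return True, f"matched DNS:{name}"
    hint = ""
    if "." not in host:
        hint = (" (short name: if the SAN holds only FQDNs, put the full DNS name in the"
                " URL base or reissue the cert with the short name as a SAN entry)")
    return False, f"no SAN entry matches {host}{hint}"


if __name__ == "__main__":
    for base in ("https://demoig99.demo.com:8443", "https://demoig99:8443",
                 "https://ig1.lab.demo.com:8443", "https://10.0.0.5:8443"):
        print(base, "->", url_base_matches_san(base, SAMPLE_SAN_OUTPUT))
```

Run the check once per URL base the clients actually use (the posted log lists both https://demoig99:8443 and http://demoig99:8080 as client URIs); only after every base matches is it worth importing the certificate into app-truststore with the keytool command from the reply above, and then restarting Tomcat.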

  • 0  

    I'll suggest making HTTP work properly and consistently before you add TLS/certs.   If you are having intermittent issues with HTTP, you should try to fix that first.

    --Jim