IRC log for #openam, 2013-11-04

All times shown according to UTC.

Time Nick Message
01:22 m0sf3t joined #openam
07:17 tsmalmbe joined #openam
08:49 aldaris joined #openam
09:44 aldaris joined #openam
09:46 aldaris1 joined #openam
09:56 balo morning
10:06 balo what is an openam site exactly? i mean, now i can set up a site with two servers and session failover, but what does openam do exactly when a server is running as part of a site? is there any configuration synchronization maybe?
10:17 jjpp it probably influences how openam reads the configuration (some parameters might come from site configuration). and in some cases it might find that the client was served by some other node in site beforehand and do the internal redirection (or rather subrequest).
10:19 jjpp the config store should be shared in some sense as well, i believe. you would either use the same ldap server or have multiple servers with replicated configuration (of openam)
10:24 balo thanks, yeah, i think i get it now: i read the docs again: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/install-guide/index.html#add-servers-to-site
10:24 balo makes sense now :)
10:49 balo sometimes it can be annoying that I can't access AME-* issues
10:54 hos002 joined #openam
11:07 aldaris joined #openam
11:11 aldaris site is just a notion of an LB
11:12 aldaris so if you have an LB, then use the LB's URL as the site URL, and then you can assign servers to that site (that most likely are actually in the LB's pool)
11:15 balo thanks. I'm more interested, however, in what an openam instance does differently if it's part of a site.
11:19 aldaris ClientSDK will start to only talk to the site URL
11:19 aldaris it won't connect to individual AM nodes theoretically
11:27 balo i see.
11:28 aldaris and if you have 2 sites, then AM1 from site1 will contact site2 if the session sits at server3 within site2, if the session sits in the same site, then AM will contact the server directly
11:33 balo hmm
11:34 aldaris so you can get 2 request forwards in certain scenarios in case sticky LB is not enabled, first hitting site1, then site2 but the wrong server
11:35 balo so if there are two sites, how does AM1 know about the other site?
11:35 aldaris iPlanetAMPlatformService?
11:35 aldaris the servers and sites configuration is in the configstore
11:36 balo oh, ok, i get it. i forgot i can add multiple sites to the config
11:38 balo i constantly feel like i'm on a roller coaster. I look at it "oo, that's easy", then I try to understand it, then "oh wait" :D
11:48 MegaMatt joined #openam
13:21 kim__ is "ERROR: JCEEncryption:: Unsupported version: -98" a known error i could ignore?
13:24 jjpp iirc this means that you use non-sun jdk?
13:24 aldaris nah, it's always there
13:24 aldaris some strange status of the stars, but mostly harmless
13:26 kim__ i see, thanks
13:39 kim__ is it possible to import a backup xml to opensso without the encryption key?
13:39 aldaris not sure if yes
13:39 aldaris possibly all the passwords would end up as binary crap
13:41 kim__ i dont mind about the crap, as long as i could see the configuration for all other things
13:42 aldaris it would probably also mean that you can't log in, since amadmin's password would also be crap :)
13:43 kim__ that might be an issue :)
13:46 jjpp but then again, you could replace admin password with something that is encrypted with known password?
13:46 jjpp before import, that is
13:46 aldaris but then again you would have to make sure that dsameuser's password is also covered
13:53 kim__ the main issue: migrating from opensso 8 to openam 10.0.0 with an xml backup without the encryption key and not much information about the application using openam
13:55 aldaris https://bitbucket.org/ztarcsay/tools/src/ad73b0c63c56b6715973d59c08768fd0cb27f140/OpenAM?at=master
13:55 aldaris you may find this useful
13:56 aldaris it's not a full blown solution but basically it helps you visualize AM configuration, i.e. XML -> HTML
13:57 kim__ this is what the application complains about: http://pastebin.com/94QVvpGZ
13:57 kim__ thanks, should be very useful!
13:58 aldaris at the end of the config XML you can find the SHA1 hash of the password btw
13:59 aldaris if you modify that to a known SHA, then you can probably let the import finish
13:59 aldaris basically the import contains all the necessary information to generate a new set of passwords
13:59 aldaris am.encryption.pwd is used by JCEEncryption
14:00 aldaris you can set up a dummy AM, and use encode.jsp to generate passwords you'd like
14:00 aldaris the amadmin password though will be hashed on top of it with SHA1
14:01 aldaris so if you have the time you can go through the XML to find all the passwords and modify them, so upon import you can get a working instance
14:01 aldaris all passwords in AM start with AQI
14:01 aldaris so you would just search for those in the XML export
14:01 aldaris (except the amadmin/urlaccessagent password, which is hashed with SHA1)
14:02 aldaris the invalid server ID error is shown because you try to visit the instance with a token acquired at a different env. The server ID stored in the cookie is not resolvable by OpenAM, probably you should clear cookies or use private browsing
14:04 kim__ amlbcookie?
14:04 aldaris nope, not that one
14:04 aldaris amlbcookie is only used by LB
14:05 kim__ JSESSIONID, amlbcookie and iPlanetDirectoryPro are the only cookies i get
14:06 aldaris iPDP cookie contains the server ID
14:06 aldaris AMAuthCookie also does
14:10 kim__ ConfigVisualizer was very nice, might be able to find any missing configuration
14:11 aldaris as said, it doesn't display every bit of the config AFAIK
14:23 kim__ definitely more than i had :)
19:24 hos002 left #openam
20:33 aldaris joined #openam
20:35 pdurbin does "Got StatusCode urn:oasis:names:tc:SAML:2.0:status:Responder should be urn:oasis:names:tc:SAML:2.0:status:Success" mean anything to anybody?
20:46 aldaris Responder is the error code when there was an error at the Responder :p
20:46 pdurbin :)
20:46 aldaris everything alright at the IdP?
20:47 pdurbin he's looking. it's ADFS and I'm using OIOSAML: http://digitaliser.dk/forum/1075627
20:47 aldaris I need to prepare my evil laugh then :p
20:48 pdurbin interop is fun
20:48 aldaris no, event log is fun
20:48 aldaris I've never seen anyone getting useful debug data out of event logs :p
20:48 pdurbin does openam "just work" with ADFS?
20:49 aldaris hehehehehe
20:49 aldaris you're funny :p
20:49 pdurbin ?
20:49 aldaris but I think it actually does work more or less okay with it
20:49 aldaris SAML2 or WS-Fed?
20:49 pdurbin buh
20:49 aldaris there is a bug in ADFS that it generates the SAML metadata in a non XML schema compliant way
20:49 pdurbin the IdP metadata URL ends with FederationMetadata/2007-06/FederationMetadata.xml
20:50 aldaris and how does the content look like?
20:50 aldaris I think it contains both SAML and WS-Fed
20:52 pdurbin I see a lot of wsfed in the IdP metadata
20:53 pdurbin SAML:2.0:protocol stuff too
21:07 pdurbin he had the IdP stop sending assertions and now I'm seeing "org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData"
21:07 pdurbin and we're wondering about "For those of you who will get this problem, it was related to the fact that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files was not installed and it was not letting me use encryption better than AES-128. Replacing the policy files with the JCE policy files, I was able to successfully decrypt my encrypted assertion." --
21:07 pdurbin http://stackoverflow.com/questions/9422545/decrypting-encrypted-assertion-using-saml-2-0-in-java-using-opensaml/9500718#9500718
21:20 aldaris well, how is your assertion encrypted
21:23 pdurbin rsa-sha1, I think
21:24 pdurbin from looking at "SigAlg" with samltracer (firefox)
21:25 aldaris hmm, SigAlg
21:26 aldaris I wonder if Sig stands for Signature...
21:26 aldaris so how is it _encrypted_ again? :)
21:26 pdurbin :)
21:26 pdurbin aldaris: I'm looking, I'm looking
21:29 pdurbin aldaris: can you give me a hint? :)
21:29 aldaris there should be an EncryptionMethod element IIRC
21:30 aldaris should be a URI
21:34 pdurbin I'm pretty sure when his IdP is the destination I'm not sending an EncryptionMethod element
21:34 aldaris well you are not really clear on what's going on
21:34 aldaris he had the IdP stop sending assertions and now I'm seeing "org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData"
21:35 aldaris so you are seeing this error
21:35 aldaris hence you should receive something..
21:35 pdurbin I'm actually seeing the original error now but he went home. Sorry, so confusing
21:37 pdurbin when my SP is the destination I see at least one instance of this in my logs: <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
21:37 aldaris :|
21:38 aldaris I'm not even sure if AM supports that
21:39 pdurbin I'm also seeing <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
21:39 aldaris well aes256 definitely needs jurisdiction files
21:39 pdurbin the JCE thing, you mean
21:39 aldaris yepp, that is it
21:39 pdurbin ok, tomorrow I'll see if I have that
21:40 aldaris java.oracle.com and you will...
21:40 pdurbin :)
21:40 pdurbin thanks for listening. I need to go home myself
21:45 metadaddy___ joined #openam
21:56 metadaddy___ joined #openam
22:11 MegaMatt joined #openam
23:22 MegaMatt joined #openam
