IRC log for #openam, 2014-02-18

All times shown according to UTC.

Time Nick Message
00:04 aldaris joined #openam
01:51 MegaMatt joined #openam
02:49 MegaMatt joined #openam
05:16 GLHMarmot joined #openam
06:21 metadaddy|lunch joined #openam
07:27 hos001 joined #openam
08:35 kala joined #openam
09:10 aldaris joined #openam
11:02 aldaris joined #openam
12:52 aldaris joined #openam
13:03 rghose joined #openam
13:04 rghose is it possible to add an existing OpenAM deployment to a load balancer configuration?
13:05 rghose I found a thread but that was way back in 2009. currently how can this be done
13:08 MegaMatt http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/install-guide/index.html#chap-session-failover
13:14 fatbloke joined #openam
13:20 rghose pardon my ignorance but what is meant by SFO btw?
13:21 kala session fail over
13:21 rghose haha thanks
13:23 dean Hey guys, this is an OpenSSO issue but thought you might be able to help. When I try to create an idp initiated saml request I get "Error processing AuthnRequest. Null input." Looking in the debug logs I see this: AuthenticatedSharedAgents.isMember():userDN is null or invalid IdType aaron@example.comIdType :IdType: user
13:23 dean Any idea why it seems to care if my users is an AuthenticatedSharedAgent?
13:25 asyd dean: just to be sure, do you provide an authnrequest?
13:26 dean No, but I shouldn't have to if it's IdP initiated right?
13:27 asyd how you initiate it?
13:27 dean I hit this url: /opensso/idpssoinit?metaAlias=/idp&spEntityID=EntityID&binding=HTTP-POST with a valid authToken cookie.
13:28 dean Which works fine in our five other environments but seems to be failing in this one. I'm guessing there's some piece of configuration we missed somewhere.
13:28 aldaris joined #openam
13:33 aldaris dean, the null input is because either the SAML assertion, the signing private key or the assertion's ID is null
13:33 aldaris usually it's the signing key missing
13:33 rghose I am trying to install 2 instances of OpenAM on the same box, one of them runs as user a and the other as b. So is it necessary for them to share the same configuration directory? (as given https://wikis.forgerock.org/confluence/display/openam/5+Extending+to+a+Dual+Instance+Deployment)
13:33 dean Cheers, I'll check that aldaris.
13:44 fatbloke joined #openam
13:44 rghose I get this: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token. Check AMConfig.properties for the following properties com.sun.identity.agents.app.username com.iplanet.am.service.password, refer to install.log under /home/openam/openam for more information.
13:44 aldaris WebSphere?
13:44 rghose um no, tomcat
13:44 rghose I use 2 instances of tomcat
13:45 aldaris have you provided the same amadmin password for both setups?
13:45 rghose yes
13:45 aldaris and the same encryption key?
13:45 rghose where to do that?
13:45 rghose I was just installing it now
13:45 dean @aldaris: Bang on the money. I changed the certificate alias to test and everything started working!
13:45 dean Thank you so much for the help =D
13:47 rghose Reinitializing system properties.AMSetupServlet.processRequest: errorcom.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction:  FATAL ERROR: Cannot obtain Application SSO token. <--- From the log
13:48 rghose opendj replication was successful, that I can see
13:50 aldaris are you using IBM JDK?
13:50 rghose Java(TM) SE Runtime Environment  (build 1.7.0_25-b15)
13:52 rghose yes
13:52 aldaris do you like pain? :D
13:52 rghose haha, why is that?
13:53 MegaMatt The line you pasted doesn't show the vendor string
13:53 aldaris I don't know, using IBM JDK is always a good painsource
13:53 aldaris http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/install-guide/index.html#prepare-java-ibm
13:54 MegaMatt I was under the impression that IBM JVMs had different build numbers, though.. but maybe they changed that in 1.7
13:55 rghose well, the vendor string was in neither of the lines in java -version
13:55 MegaMatt Or it could just be that I'm thinking of AIX
13:55 MegaMatt Sure it is
13:55 rghose java version "1.7.0_25", Java(TM) SE Runtime Environment (build 1.7.0_25-b15), Java HotSpot(TM) 64-Bit Server VM (build 23.25-b01, mixed mode
13:55 MegaMatt Yeah, that's Oracle's JVM
13:56 MegaMatt You're right, it doesn't say specifically Oracle
13:56 rghose okay
13:56 rghose so, that is different from IBM java ?
13:56 rghose pardon my n00b qstns
13:57 rghose never knew ibm had a java of their own :P
13:57 MegaMatt They do,.. mostly for AIX .. but they also provide it on other platforms with their products to add some flavor
13:57 rghose okay.
13:57 rghose coming back to the original problem I faced
14:04 rghose I was under the impression that when I use the option "Add to existing installation" it will get the encryption keys and all from the existing deployment
14:04 aldaris yeah, that should work
14:04 aldaris afaik
14:06 rghose ok, for some strange reason it worked now; guessing it has got to do with the Xmx values I changed in tomcat
14:08 MegaMatt Yeah, make sure your container has appropriate heap sizes - including perm space
14:08 rghose thanks guys :) works nice
14:56 hos001 joined #openam
14:59 fatbloke1 joined #openam
15:23 aldaris joined #openam
15:35 dean @aldaris Definitely seems you were right about the key as changing it to test fixes the problem and I can see ERROR: Cannot recover key in the logs. But when I check the keystore the key is definitely there and the .storepass and .keypass files are correct. Any ideas as to what might cause that?
15:53 fatbloke joined #openam
16:08 aldaris dean the cannot recover key is either because you have incorrect storepass/keypass settings or simply because the keystore only contains the public cert..
16:09 rghose joined #openam
16:30 aldaris joined #openam
17:05 fatbloke joined #openam
17:06 dean Hmm it definitely seems to be the private key (keytool shows Entry type: PrivateKeyEntry). storepass and keypass appear to be right (I'd assume the test certificate would also throw an error if they weren't). And I'm fairly confident I'm looking at the right file path as I can see the debug logs updating in the same location with the errors.
17:07 aldaris have you created the pass files using encode.jsp?
18:06 dean Yep
18:07 aldaris and the config refers to the correct keystore and the correct pass files?
18:12 dean I think so. I might try just deleting the file and seeing if it still works with the test certificate selected.
18:17 dean ok so if I delete the keystore I can no longer update the sp definition as it complains it can't find the certificate. So that suggests I am working with the right key file.
18:17 dean It does beg the question though: why can it see the certificates at this point but not when signing the saml assertion?
18:18 aldaris have you selected the correct alias in the federation settings?
18:20 dean Well if I select test it works. if I select the certificate I want to then I get the "Error processing AuthnRequest. Null input." error.
18:20 dean I know the keystore is correct as I copied it from another opensso server which is working correctly.
18:21 dean (it uses the same password)
18:24 dean Well I think I'm going to give up for today and start afresh tomorrow.
18:24 dean Thanks for the help aldaris.
18:25 aldaris np
19:51 aldaris joined #openam
20:02 aldaris joined #openam
20:39 aldaris joined #openam
21:05 hos001 left #openam
22:17 aldaris joined #openam
22:58 roysjosh joined #openam
23:10 aldaris joined #openam
23:32 MegaMatt joined #openam