
IRC log for #openam, 2014-04-29


All times shown according to UTC.

Time Nick Message
00:21 pdurbin oh, did I miss the announcement?
00:23 aldaris pretty much
00:23 pdurbin a security fix? that's it?
00:23 aldaris and 11.0.1 being released along with 3.3.1 agents
00:25 pdurbin hmm. ok. thanks
00:38 MegaMatt joined #openam
06:03 pfreixes joined #openam
06:22 rghose joined #openam
06:52 aldaris joined #openam
07:51 jjpp joined #openam
08:10 aldaris joined #openam
09:17 aldaris joined #openam
10:22 aldaris joined #openam
11:06 MegaMatt joined #openam
12:42 aldaris joined #openam
12:46 fatbloke joined #openam
13:27 rghose joined #openam
13:28 rghose is there any way to implement single sign out with OpenAM ?
13:28 rghose for Oauth2 based clients
13:49 fatbloke joined #openam
14:04 fatbloke1 joined #openam
14:49 failshell joined #openam
14:50 rghose aah, stupid me
14:51 rghose btw, anybody have any tips for the OAuth authorization page ? Save Consent does not seem to work
14:58 fatbloke joined #openam
15:11 failshell MegaMatt: ping
15:12 fatbloke joined #openam
15:23 MegaMatt Pong?
15:24 MegaMatt failshell: delayed Pong? that is ;)
15:29 failshell so i progressed since yesterday
15:29 failshell i can do a default install, and a custom install without SSL
15:29 failshell i tried what you said, i exported the OpenDJ SSL and imported it into the Tomcat keystore
15:29 MegaMatt That’s good news.. I think I know where you’re headed next though
15:29 failshell but that's still a no go
15:30 failshell i dunno how you want to proceed next also, we have a contract support. do you prefer if i open a ticket? or we do this here?
15:30 MegaMatt I’ll admit, I’m not the best when it comes to SSL certificates ..
15:31 failshell is there a log somewhere for the configurator? something that could point me in the right direction?
15:32 MegaMatt I think you can turn on a log, but I’m not sure at how helpful it is
15:33 MegaMatt But at least now it looks like it is a certificate / trust issue
15:33 MegaMatt and not something else
15:33 failshell yes
15:36 MegaMatt can you list the certificate from the keystore on the openam jvm?
15:36 MegaMatt Because OpenDJ has a few certificates iirc
15:36 MegaMatt So you have to be sure you imported the right one
15:37 MegaMatt There’s an admin port certificate as well as the LDAPS connector .. I believe
15:37 MegaMatt Maybe you imported one of the other certificates from OpenDJ?
15:38 MegaMatt (And we probably should open a ticket at some point, just to have all this documented - especially if we find a solution)
15:39 failshell ok, so i'll open a ticket now
15:39 MegaMatt Take a look at http://opendj.forgerock.org/opendj-server/doc/admin-guide/index/chap-change-certs.html
15:39 failshell it'll be easier to track
15:39 MegaMatt You can see all the certificates
15:40 MegaMatt Just make sure you imported the right one
15:40 failshell the one i should have is the server-cert right?
15:41 MegaMatt oh, I’m thinking about this backwards I think, openam is making the connection and has to trust openDJ’s cert .. not the reverse….
15:42 failshell yes. i imported opendj's server-cert into tomcat's keystore
15:43 MegaMatt I need to read Chapter 17 of the OpenAM documentation again then.. So I make sure I’ve got it right in my head.
15:45 failshell ok
15:45 failshell going to revert to my snapshot to attempt SSL this time
15:47 MegaMatt I’m thinking you should be able to test the trust from that JVM that you installed the cert into
15:47 MegaMatt Without tomcat/openam doing it … but trying to think of the easiest way to test the JVM connection to the OpenDJ server
15:48 MegaMatt To see if you trust the cert or not
15:48 MegaMatt I know you can do java  -Djavax.net.debug=all  to see what it’s doing
15:48 MegaMatt maybe adding that to your tomcat would be sufficient
15:49 MegaMatt And you can use http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html as a guide to the output
15:49 failshell what i don't get though, is that during step 3 of the configurator, it seems the JVM is able to talk to OpenDJ
15:49 failshell as i can move forward to step 4
15:50 failshell why does it then fail on step 4?
15:51 fatbloke joined #openam
15:51 MegaMatt I’m not sure.. yeah,.. hmm
15:51 MegaMatt But without SSL it all works ;)
15:52 failshell yeah well, who'd want to use an authentication service without SSL?
15:52 failshell i don't understand how devs can even allow something like that
15:52 MegaMatt I hear yah - I’m just saying maybe we can see why the SSL is failing with the debug turned on for the JVM
15:52 MegaMatt Or maybe it will show that SSL isn’t failing
15:55 failshell hmmm
15:55 failshell ill import all the keystores from opendj into tomcat's
15:55 MegaMatt Ok, then start tomcat with the javax.net.debug=all
15:55 failshell yeah
15:56 MegaMatt (And watch it work)
15:56 * MegaMatt crosses fingers
16:02 failshell ok keystores imported, tomcat running with debug
16:03 MegaMatt Ok, I’ll say the magic prayer
16:04 failshell well, now tomcat can't start on 8443
16:07 MegaMatt … that’s .. odd..
16:07 MegaMatt What does it complain about?
16:08 failshell LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.IOException: Cannot recover key
16:08 failshell from what i can find, the configured keystore password is invalid
16:08 failshell but i just listed the certs with it ...
16:10 MegaMatt keystorePass="changeit" is the default
16:12 failshell sure, but i imported it into tomcat's
16:12 failshell so that shouldn't change the keystore's password
16:12 MegaMatt no, .. it should be changeit still…
16:12 MegaMatt unless you changed it
16:13 fatbloke joined #openam
16:13 aldaris failshell, use portecle for managing keystores
16:14 failshell its not changeit
16:14 failshell LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.IOException: Keystore was tampered with, or password was incorrect
16:14 aldaris if in doubt specify the necessary JVM properties for the tomcat process so it uses a different keystore/truststore than the JDK's
16:14 failshell its pointing to the right one
16:14 failshell and the one i imported the certs to
16:15 failshell its lunch time here, so ill go eat and come back later
16:15 failshell debugging on a full stomach will be better :)
16:47 aldaris joined #openam
17:03 failshell that's too verbose to be helpful
17:04 MegaMatt It is verbose...
17:04 MegaMatt But it should be helpful too
17:04 MegaMatt It should have something like
17:04 MegaMatt Found trusted certificate:
17:05 MegaMatt What did you do to fix the startup error?
17:05 failshell i only imported one cert
17:05 failshell the server-cert generated by opendj
17:06 MegaMatt The URL I posted above from oracle should walk through the important bits from the debug output
17:07 MegaMatt The stuff highlighted in red on that URL
17:07 MegaMatt Is the stuff to look for
17:07 failshell look for that in catalina.out?
17:07 MegaMatt yep
17:09 failshell well nothing matches those strings
17:09 failshell so openam must not be logging it
17:09 MegaMatt But you see SSL debugging information in the catalina.out now, right?
17:10 failshell i do
17:10 failshell but i doubt it's for LDAPS
17:10 failshell that seems more like me to tomcat's https
17:11 failshell its all HTTP calls
17:12 MegaMatt Is there any ClientHello ?
17:12 failshell yes
17:13 MegaMatt So then there should be a Certificate chain too
17:13 failshell its only tracing HTTP calls
17:13 failshell not LDAP
17:13 failshell so
17:14 failshell and im going to circle back to this once more: it works in step 3, why not in step 4?
17:14 failshell what's different?
17:14 failshell its the same config, same cert
17:14 failshell same server
17:14 failshell same java version
17:14 failshell its all on the same machine
17:16 MegaMatt Yeah, I don’t know.
17:16 MegaMatt You’ve got me stumped…
17:16 failshell well, at this point, im going to open an official ticket, as we pay for support and we need a resolution
17:16 MegaMatt Fair enough, we can have more eyes on it
17:17 failshell im hoping we're not the only ones trying to use encryption with your softwares ...
17:17 aldaris there was an issue where it was problematic when the ip address was not pingable
17:17 aldaris and that was only for one of the steps
17:18 MegaMatt Well, I would hope 127.0.0.1 is pingable :/
17:18 aldaris you never know :D
17:19 MegaMatt I think maybe a workaround would be to install, and then switch to ssl afterwards
17:23 failshell how do you do that?
17:27 MegaMatt Just add a new datastore?
17:28 MegaMatt You’re trying to set up an external datastore, right?
17:28 MegaMatt one of the checkboxes is for ssl/tls
17:28 failshell i think so, step 3 and 4 of the configurator
17:28 failshell those are ticked
17:28 MegaMatt I’d have to go through the configurator again, I’m not sure which screens are “3” and “4” ..
17:29 MegaMatt But why not just set it up without SSL first.. then once everything is installed — move it over to SSL?
17:29 failshell why provide the option in the configurator at all then?
17:29 MegaMatt Well, because I believe it typically works ;)
17:30 MegaMatt I can try it myself again, if you want...
17:30 MegaMatt I’ll grab 11.0.1
17:30 MegaMatt And do it fresh
17:30 failshell its fine, we'll open a ticket and then you guys will have to fix it for us
17:30 MegaMatt I’m going to try it now anyhow
17:31 MegaMatt Your external OpenDJ is 2.6.0?
17:31 failshell what's more, on step 3, sometimes i have to put the hostname, and then sometimes the fqdn
17:31 MegaMatt Or 2.6.1?
17:31 failshell hilarious
17:31 failshell 2.6.0
17:31 MegaMatt you should always use the fqdn
17:31 MegaMatt even in the URL that you are accessing the GUI from
17:31 failshell well it doesn't accept it
17:31 MegaMatt The browser URL has to be FQDN’d
17:31 failshell that's what i use
17:33 MegaMatt Ok
17:33 MegaMatt I’m moving 11.0.1 to my local machine now
17:33 MegaMatt I’ll see if I can reproduce
17:33 MegaMatt I should probably make a clean 2.6.0 too, while I’m here
17:33 MegaMatt And set it up for SSL too
17:34 MegaMatt Are you on CentOS?
17:34 failshell RHEL
17:34 balo left #openam
17:34 failshell 6.5
17:34 MegaMatt Ok, close enough :D
17:35 MegaMatt (I hope ..) .. Going to spin up another CentOS since it’s easier to copy that image
17:46 MegaMatt Enable SSL on LDAP Port 1636
17:46 MegaMatt Create a new Self-Signed Certificate
17:48 fatbloke joined #openam
17:49 MegaMatt ok
17:49 MegaMatt So step 3 is your config store
17:49 MegaMatt and step 4 is your user store
17:51 MegaMatt So on step 3, I’m putting .. ssl checked.. fqdn of my machine.. and port 1636
17:51 MegaMatt and step 3 allowed me to continue
17:51 MegaMatt step 4, I’m going to select OpenDJ
17:51 MegaMatt SSL
17:51 MegaMatt fqdn
17:51 MegaMatt 1636 again
17:53 MegaMatt I see.. it’s saying “could not connect to server” on step 4
17:56 failshell that's what I get
17:56 MegaMatt 29/Apr/2014:13:54:47 -0400] DISCONNECT conn=96 reason="I/O Error" msg="An IO error occurred while reading a request from the client: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown"
17:56 failshell ive opened 3345
17:56 MegaMatt I see it
17:56 MegaMatt So now I have to add the certificate, I believe
17:57 MegaMatt Do you have that same message in your ldap access log?
17:57 failshell i dont get that error
17:57 MegaMatt what does your ldap access log say?
17:57 MegaMatt I’m going to address that and see if I can move past step 4
17:57 failshell what file has that error?
17:57 failshell i dont have it in catalina.out
17:57 failshell but i removed debugging
17:58 MegaMatt No, I’m looking at my ldap server
17:58 MegaMatt because the connection is trying to be made to that
17:58 MegaMatt so in my openDJ access logs
17:58 MegaMatt I see when it’s trying to connect it gives certificate_unknown error
17:58 failshell ok i have the same error
17:59 failshell so, it would be tomcat's cert that we need to add to opendj's keystore then?
17:59 MegaMatt Yep, looks like it
18:07 MegaMatt I’m going to try and export from OpenDJ now and put it into my cacerts for tomcat
18:07 MegaMatt and see if that works for me
18:08 failshell can't we just disable cert validation in opendj?
18:09 MegaMatt I think it’s the AM side still, I haven’t imported my cert yet
18:09 MegaMatt So I want to check that first
18:10 failshell ok
18:10 MegaMatt you said you imported yours - so I need to do the same
18:10 failshell true
18:10 failshell i had the same result with it imported or not
18:11 MegaMatt Ok, but we gotta make sure it’s in the right trust store that’s in your server.xml
18:11 MegaMatt Or we could create a new keystore with keytool, set it up as a trust store in server.xml and import the cert to that
18:12 MegaMatt my tomcat installation is a bit funky
18:13 MegaMatt I might go the -Djavax.net.ssl.trustStore= route
18:13 MegaMatt just to make it easier
18:22 failshell once we figure this out, i need to put all that in Chef
18:23 MegaMatt exporting my certificate is not behaving for me
18:23 MegaMatt keytool always hates me :)
18:23 failshell im becoming an expert with it today
18:29 MegaMatt ok, I finally got it to list my keystore file on DJ .. I had a character missing from my pw
18:29 MegaMatt keystore.pin didn’t copy right
18:30 MegaMatt and exported
18:30 MegaMatt now to import to tomcat
18:36 MegaMatt I think you didn’t import to the cacerts
18:36 MegaMatt keytool -importcert -alias openam.example.com -file openam.crt
18:36 MegaMatt -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts
18:37 MegaMatt the cacerts is the truststore
18:39 failshell does it work for you after?
18:40 MegaMatt starting it up now
18:43 MegaMatt hmm no, but now at least it’s failing at step 3 ;)
18:44 failshell so adding it once configured initially over LDAP wouldn't work either
18:44 failshell if it can't trust the cert
18:45 failshell switching to LDAPs i mean
18:46 MegaMatt yeah, it doesn’t like my trustStore either at the moment
18:49 MegaMatt Hmm
18:49 MegaMatt I’m getting a different error now though
18:49 MegaMatt on step 3
18:49 MegaMatt So I messed something else up
18:51 MegaMatt keytool -import -keystore cacerts -file ~/opendj/config/dj.crt -alias dj
18:52 MegaMatt did that and now it works
18:52 MegaMatt where cacerts is my javahome cacerts for the JVM that tomcat is using
18:52 MegaMatt it went through this time
18:52 failshell ok lemme try that
18:54 failshell which cert did you export in opendj? the one from the keystore? admin-keystore? ads-trustore?
18:54 MegaMatt the keystore
18:54 MegaMatt using keystore.pin
18:54 MegaMatt as the password
18:54 MegaMatt keytool -export -keystore keystore -alias server-cert -file dj.crt
18:55 MegaMatt but
18:55 MegaMatt I checked my listener first
18:55 MegaMatt in opendj to make sure that was the cert for the ldaps listener
18:55 MegaMatt I checked it using dsconfig
18:56 MegaMatt I think it was option 38
18:56 MegaMatt no, it was option 18
18:56 MegaMatt 18)  Key Manager Provider
18:57 MegaMatt 3)  View and edit an existing Key Manager Provider -> 2)  JKS
18:57 MegaMatt 2)  key-store-file                      config/keystore
18:57 MegaMatt make sure yours isn’t somewhere else ;)
18:58 failshell how do you find the cacerts password?
18:58 MegaMatt cacerts should be changeit
18:58 MegaMatt if it’s the default jvm
19:02 failshell here we go
19:03 failshell now to automate all that with Chef
19:03 MegaMatt Oh nice, so it worked? ;)
19:04 failshell yes
19:04 MegaMatt Btw, my colleague just told me where this is all documented
19:04 MegaMatt http://marginnotes2.wordpress.com/2012/08/09/openam-connecting-to-opendj-over-ssl/
19:04 MegaMatt heh
19:04 MegaMatt In that one they use an external truststore
19:04 failshell well, that should be in the official documentation, not sure random person's blog ;p
19:05 failshell if it is already in the official doc, i couldn't find it
19:05 MegaMatt Heh.. not really a random person ;)
19:05 MegaMatt That’s Mark’s blog
19:05 MegaMatt but yes, the docs could probably be a bit more clear
19:05 MegaMatt the problem is that each container can handle things differently
19:05 MegaMatt I’ll update your ticket btw
19:06 failshell thanks
19:06 failshell the important thing is, we got it to run
19:06 MegaMatt Agreed :)
19:06 failshell now, to reflect all that with Chef
19:09 MegaMatt I put your ticket in pending
19:09 MegaMatt just to be sure you want to close it now :)
19:09 MegaMatt Feel free to add any notes you want to it, just to make things clear for others who might find it in the future ;)
19:12 failshell is there an api to configure openam?
19:12 failshell like adding a circle of trust, data store, etc
19:12 MegaMatt you mean like using ssoadm?
19:13 failshell i dunno, supporting openam just landed on my plate
19:13 failshell i'm tasked with making it redundant and automated
19:13 failshell so im learning as i go :)
19:13 MegaMatt Yes, use ssoadm to do stuff from command line
19:14 failshell like what we just did
19:14 failshell im guessing that's configuring all that into some XML file
19:14 MegaMatt You want to do the configuration via scripts, or configure after installation?
19:14 MegaMatt It puts it into your config store
19:15 MegaMatt Which is either internal dj , or some other config store you put up
19:15 failshell so the web configurator, is it possible to do the same and configure from CLI?
19:15 failshell kinda like what i did with opendj?
19:16 MegaMatt yeah, you can use configurator.jar I believe it’s called to do the initial setup non GUI
19:17 MegaMatt look in your extracted files
19:17 MegaMatt should be a jar file
19:25 aldaris joined #openam
19:31 failshell can't find that jar on my system
19:31 MegaMatt it’s got a fuller name
19:31 MegaMatt should be where you unzipped your files
19:31 failshell the openam war?
19:32 MegaMatt Yeah, SSOConfiguratorTools-11.0.1.zip
19:32 MegaMatt open that guy up
19:32 failshell oh i didnt download that
19:32 MegaMatt and you get openam-configurator-tool-11.0.1.jar
19:32 MegaMatt It should be in the .zip file for 11.0.1
19:33 MegaMatt ClientSDK-11.0.1.jar
19:33 MegaMatt ExampleClientSDK-CLI-11.0.1.zip
19:33 MegaMatt ExampleClientSDK-WAR-11.0.1.war
19:33 MegaMatt Fedlet-11.0.1.zip
19:33 MegaMatt IDPDiscovery-11.0.1.war
19:33 MegaMatt ldif
19:33 MegaMatt legal-notices
19:33 MegaMatt OpenAM-11.0.1.war
19:33 MegaMatt OpenAM-DistAuth-11.0.1.war
19:33 MegaMatt OpenAM-ServerOnly-11.0.1.war
19:33 MegaMatt SSOAdminTools-11.0.1.zip
19:33 MegaMatt SSOConfiguratorTools-11.0.1
19:33 MegaMatt SSOConfiguratorTools-11.0.1.zip
19:33 failshell i downloaded only the .war
19:33 failshell fetching the other one
19:33 MegaMatt ah ok
19:35 pfreixes joined #openam
19:42 failshell so that configurator, you run it once the war is deployed right?
19:42 MegaMatt Yes, silent install after it’s deployed
19:43 MegaMatt http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/reference/index/man-configurator-jar-1.html
19:43 failshell that's definitely what i was looking for
19:43 failshell and ill look into ssoadmin after, to generate CoTs and the likes
19:44 MegaMatt If you want to really automate everything, it might be better to create another keystore that you just use the option in tomcat for
19:44 MegaMatt if you’re using self signed certs
19:44 MegaMatt like in the blog post above
19:44 MegaMatt so you don’t have to mess with the JVM - you can just copy the other store
19:44 MegaMatt and use the argument when tomcat starts
19:45 MegaMatt or even better, use real certs
19:45 MegaMatt instead of selfsigned ;)
19:45 aldaris I don't think this IRC was ever so busy than now :)
19:45 aldaris s/than/as
19:45 failshell we'll be using real certs
19:45 MegaMatt It’s been pent up, I hate not using IRC :D
19:45 MegaMatt Now the flood gates are unleashed.. ..
19:45 failshell fancy youngsters and their web 2.0
20:34 aldaris joined #openam
20:56 aldaris joined #openam
21:11 aldaris joined #openam
22:00 jfroot How important is the security patch that just came out?
22:03 aldaris it includes critical fixes
22:03 aldaris so QUITE important
23:25 MegaMatt joined #openam
23:53 MegaMatt joined #openam
