IRC log for #openam, 2014-05-01

All times shown according to UTC.

Time Nick Message
02:50 BATHORY joined #openam
02:50 BATHORY Hi someone can help me?
03:35 BATHORY joined #openam
04:10 m0sf3t joined #openam
07:47 aldaris joined #openam
07:49 aldaris hey BATHORY
08:16 fatbloke joined #openam
10:07 aldaris joined #openam
10:45 palt joined #openam
10:54 palt joined #openam
11:00 palt joined #openam
11:06 aldaris joined #openam
11:21 MegaMatt joined #openam
13:12 aldaris joined #openam
14:02 fatbloke joined #openam
14:08 aldaris1 joined #openam
14:11 fatbloke joined #openam
14:29 failshell joined #openam
14:36 failshell javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching foo.example.com found
14:36 failshell i want to bypass that error on the CLI
14:36 aldaris yeah, probably you won't be able to
14:37 failshell hmmm
14:37 asyd you can use /etc/hosts or equiv
14:37 failshell Apache's serving the load-balancer certificate
14:38 failshell so the hostname in the certificate doesn't match the fqdn
14:38 asyd using ssoadm?
14:38 failshell openam-configurator.jar
14:38 aldaris why are you accessing AM through LB for configuration?
14:38 failshell not the LB
14:38 aldaris LB/RP
14:38 failshell im local on the machine
14:43 aldaris joined #openam
14:44 aldaris1 joined #openam
14:46 MegaMatt I don’t think that’s a problem with configurator.jar
14:46 MegaMatt It’s more certs/hosts/java/anything else
14:46 aldaris1 it sounds more like a problem with env/config file
14:46 failshell yeah
14:47 aldaris1 is this SSL passthrough then or what exactly are you doing?
14:48 failshell I just added apache's vhost
14:49 aldaris so why is an apache instance for a given node presenting the LB URL's cert?
14:49 failshell because that's how load balancing works
14:50 aldaris I suppose you know that Apache is not an LB
14:50 MegaMatt so wait, you’re pointing the configurator.jar not at the tomcat instance, but at an apache LB?
14:51 failshell apache's not a LB
14:51 failshell it's just ready to serve data behind the LB
14:51 failshell hence why it's serving the LB's url
14:51 failshell you also said i can't configure openam to point to localhost
14:51 MegaMatt What are you pointing the configurator at?
14:51 failshell whatever's in the config file
14:52 failshell openam's only going to run on localhost
14:53 aldaris so do you have an Apache RP in front of each AM?
14:53 aldaris and an LB in front of all the RPs?
14:53 aldaris next reasonable step would be for you to attach a deployment diagram as so far this doesn't really add up
14:55 failshell forget the load balancer
14:55 failshell its really simple
14:55 failshell openam is served by tomcat on localhost, apache's RP to tomcat to expose the service
14:56 failshell the service is exposed as the LB url at the end of the config file
14:56 failshell as we'll have more than one machine eventually
14:56 aldaris so this is a one server only setup?
14:56 failshell until i get the configurator running yes
14:57 failshell then ill cluster opendj and have 2 nodes of openam
14:58 aldaris so what is the added value of running Tomcat on loopback and putting an Apache in front of it?
14:58 aldaris do you want to use that single Apache in front of ALL the AM instances you plan to have?
14:58 failshell no one per machine
14:58 aldaris right
14:58 failshell ProxyPass /sso https://localhost:8443/sso
14:59 aldaris then surely the LB URL shouldn't point to your first Apache RP protecting your first AM
14:59 failshell dont worry about the LB
14:59 failshell i mean, this is a standard setup we use with all our java stacks
14:59 failshell its very simple and standard
14:59 MegaMatt Java is the one complaining about the cert ;)
15:00 aldaris It doesn't necessarily make it a good setup :)
15:00 aldaris on each box set up an AM and the Apache RP, each box will have its own FQDN
15:01 aldaris in the configurator you'll provide the box's FQDN for configuration and you provide the LB URL as the site URL
15:01 failshell that's already the case
15:01 aldaris now normally you would put an LB in front of all the Apache instances then
15:02 aldaris so you can decide whether you want to do SSL passthrough, SSL offload or SSL reencryption
15:03 MegaMatt So the certificate that’s rejected by configurator.jar is the cert from the site URL , is what you’re saying?
15:03 failshell yes
15:04 aldaris yeah, seems like the RPs are using the LB URL and not their own
15:04 aldaris which suggests SSL passthrough
15:05 aldaris the configurator won't be able to access the RP over SSL if the cert only contains the LB URL
15:06 aldaris and even after a successful configuration it will cause you problems (as AM servers contact each other directly resulting in the same SSLHandshakeExceptions)
15:09 MegaMatt I think the cert will need the multiple host names
15:09 failshell that's problematic
15:10 failshell that means we need to pay for a new cert
15:10 aldaris or you'll need reencryption (I suppose offloading is not an option)
15:10 MegaMatt Or give everything the same hostname, I guess.. since it’s all the same machine.. heh
15:11 failshell i managed to get the configurator to run
15:11 failshell but it says it fails
15:12 failshell how can i know why?
15:13 failshell and by the way, it works when i do it with the webui
15:13 MegaMatt I think the configurator.jar also uses -Dcom.iplanet.services.debug.level=message
15:13 MegaMatt -Dcom.iplanet.services.debug.directory="/path/to/write/dir"
15:13 aldaris yes, because the webapp obviously does not try to connect to itself
15:14 aldaris @MegaMatt it doesn't and if it would, it wouldn't matter
15:14 MegaMatt Bummer
15:14 aldaris the configurator just sends a POST request to AM
15:14 aldaris you have the logs at AM
15:16 MegaMatt Yeah, I mean you can use those options on the server, not the configurator.jar… the container jvm
15:17 aldaris yepp, that is helpful
15:18 aldaris but the CLI install fails since the POST can't be sent (SSL issue), the GUI install works because it doesn't connect to itself
15:18 aldaris but all in all once you have two servers this setup will not properly work as AM2 will be unable to get a session from AM1
15:19 failshell ill change tomcat to run on the server's ip then
15:19 failshell and firewall the ports our security team wants restricted
15:20 aldaris then you'll need to access the GUI configurator on the tomcat port (unprotected) and then all the AM instances should be able to access each other through that
16:19 aldaris1 joined #openam
16:38 aldaris joined #openam
16:40 aldaris1 joined #openam
16:51 aldaris joined #openam
17:21 BATHORY joined #openam
21:07 aldaris joined #openam
22:21 aldaris joined #openam
22:40 jfroot aldaris: in case you are curious.. we finally got our SAML thing working!
22:40 aldaris congratz
22:45 aldaris jfroot: how?
22:47 jfroot well two things were at play.. I had to uncheck a few things from the IDP side of the SAML2 setup.. (I was only unchecking them on the SP side in there at first). specifically about signing the request. And.. the other end needed the certificate in a very specific format.. I had to dig into the library they were using which was onelogin/python-saml on github
22:47 jfroot They actually needed the cert ASCII header chunk.. the ---- BEGIN CERT --- shit.. why god why.
22:48 aldaris that is pretty much quite common
23:22 aldaris joined #openam
23:30 aldaris joined #openam
23:54 MegaMatt joined #openam