Friday, February 25, 2011

Unexpected LDAP error - ssoadm

The project I am currently on requires High Availability for Single Sign-On in the production environment. A site is configured for this purpose having 2 nodes.

Today, I was debugging something, shut down Node 2, and used ssoadm.jsp to update a service (update-svc) which I had previously created.





When I tried to save, I got an "Unexpected LDAP error" on the UI.

I found out why when I saw the following in the Configuration log file:

ERROR: SMSLdapObject.modify(): Error in modifying entry: ou=1.0,ou=sunAMAuthXXXAuthService,ou=services,o=XXX,c=sg
By Principal: id=amadmin,ou=user,o=XXX,c=sg
com.sun.identity.shared.ldap.LDAPException: error result (53); The Replication is configured for suffix  o=Ministry of Education,c=SG but was not able to connect to any Replication Server
        at com.sun.identity.shared.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4875)
        at com.sun.identity.shared.ldap.LDAPConnection.modify(LDAPConnection.java:3163)
        at com.sun.identity.shared.ldap.LDAPConnection.modify(LDAPConnection.java:3102)
        at com.sun.identity.shared.ldap.LDAPConnection.modify(LDAPConnection.java:3111)
        at com.sun.identity.shared.ldap.LDAPConnection.modify(LDAPConnection.java:3077)
        at com.sun.identity.sm.ldap.SMSLdapObject.modify(SMSLdapObject.java:435)



Hmm... any configuration change requires both nodes in the site to be up! Is this by design? I need to find out more ...
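To make this kind of failure easier to spot in the Configuration log, here is an added parser (my own code, not part of the post or OpenSSO) that pulls the failing config DN, the principal, the LDAP result code and the replication suffix out of an SMSLdapObject.modify() error block. The sample log is constructed from the entry above with placeholder DNs; the result-code names follow RFC 4511.

```python
import re

# Constructed sample modelled on the Configuration log entry quoted in the post
# (DNs are placeholders, not real values).
SAMPLE_LOG = """\
ERROR: SMSLdapObject.modify(): Error in modifying entry: ou=1.0,ou=sunAMAuthXXXAuthService,ou=services,o=XXX,c=sg
By Principal: id=amadmin,ou=user,o=XXX,c=sg
com.sun.identity.shared.ldap.LDAPException: error result (53); The Replication is configured for suffix  o=XXX,c=sg but was not able to connect to any Replication Server
        at com.sun.identity.shared.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4875)
        at com.sun.identity.sm.ldap.SMSLdapObject.modify(SMSLdapObject.java:435)
"""

# Standard LDAP result codes (RFC 4511) relevant to config-store write failures.
LDAP_RESULT_NAMES = {
    32: "noSuchObject",
    50: "insufficientAccessRights",
    51: "busy",
    52: "unavailable",
    53: "unwillingToPerform",
}

ENTRY_RE = re.compile(r"Error in modifying entry: (?P<dn>.+)$", re.M)
PRINCIPAL_RE = re.compile(r"^By Principal: (?P<principal>.+)$", re.M)
RESULT_RE = re.compile(r"LDAPException: error result \((?P<code>\d+)\); (?P<msg>.+)$", re.M)
SUFFIX_RE = re.compile(r"configured for suffix\s+(?P<suffix>.+?) but was not able to connect")

def parse_sms_ldap_error(log_text):
    """Extract DN, principal and LDAP result from an SMSLdapObject.modify() error block.
    Returns None when the text contains no such error."""
    entry = ENTRY_RE.search(log_text)
    result = RESULT_RE.search(log_text)
    if not entry or not result:
        return None
    principal = PRINCIPAL_RE.search(log_text)
    code = int(result.group("code"))
    msg = result.group("msg").strip()
    suffix = SUFFIX_RE.search(msg)
    return {
        "dn": entry.group("dn").strip(),
        "principal": principal.group("principal").strip() if principal else None,
        "result_code": code,
        "result_name": LDAP_RESULT_NAMES.get(code, "unknown"),
        "message": msg,
        # Only set for the replication-server failure described in the post.
        "replication_suffix": suffix.group("suffix").strip() if suffix else None,
        "replication_unreachable": "not able to connect to any Replication Server" in msg,
    }

if __name__ == "__main__":
    print(parse_sms_ldap_error(SAMPLE_LOG))
```

A result code of 53 (unwillingToPerform) together with replication_unreachable tells you the directory refused the write because its replication peer was down, not because the admin principal lacked rights.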



Model must not be null in CCPropertySheet()

The project I am currently on requires High Availability for Single Sign-On in the production environment (we have 2 nodes). The Authentication module is customized, as we have special business logic to handle during users' login process.

So plugging in a new Authentication module is easy:
1. Deploy the jar
2. Dump the properties file in the classes directory
3. Add the XML file in the config/auth/default directory
4. Create the new service
5. Register the authentication module

All went well with Node 1. However, I kept getting the "Model must not be null in CCPropertySheet()" error on Node 2. I restarted Node 2 more than once. Strange!


So what really happened?

I had forgotten to apply Steps 1 - 3 on Node 2. Ha!

(Note: Steps 4 - 5 are only done once, via the ssoadm.jsp UI.)
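Steps 1 - 3 are per-node file drops, so a half-deployed node is easy to miss. Here is an added checker (my own code, not from the post or OpenSSO) that compares the artifacts of those three steps across the nodes of a site; the directory layout it assumes (jar under WEB-INF/lib, properties under WEB-INF/classes, callback XML under <config>/config/auth/default) is my assumption, and demo() reconstructs the post's situation with constructed empty files.

```python
import os
import tempfile

# Assumed OpenSSO layout (not stated in the post): jar -> WEB-INF/lib,
# properties -> WEB-INF/classes, callback XML -> <config dir>/config/auth/default.
STEP_PATHS = {
    "1. jar": ("webapp", "WEB-INF", "lib", "{m}.jar"),
    "2. properties": ("webapp", "WEB-INF", "classes", "{m}.properties"),
    "3. auth xml": ("config", "config", "auth", "default", "{m}.xml"),
}

def artifact_path(node_root, step, module_name):
    """node_root contains that node's 'webapp' and 'config' directories."""
    parts = [p.format(m=module_name) for p in STEP_PATHS[step]]
    return os.path.join(node_root, *parts)

def missing_steps(node_root, module_name):
    """Steps 1-3 whose artifact is absent on this node (steps 4-5 live in the shared config store)."""
    return [s for s in STEP_PATHS if not os.path.isfile(artifact_path(node_root, s, module_name))]

def compare_nodes(node_roots, module_name):
    """{node: [missing steps]} across the site, so a half-deployed node stands out."""
    return {name: missing_steps(root, module_name) for name, root in node_roots.items()}

def deploy(node_root, module_name, steps):
    """Create empty placeholder artifacts for the given steps (constructed test data)."""
    for s in steps:
        p = artifact_path(node_root, s, module_name)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()

def demo(module_name="MyCustomAuth"):
    """Reproduce the post: node1 fully deployed, node2 only received the properties file."""
    site = tempfile.mkdtemp()
    roots = {"node1": os.path.join(site, "node1"), "node2": os.path.join(site, "node2")}
    deploy(roots["node1"], module_name, STEP_PATHS)
    deploy(roots["node2"], module_name, ["2. properties"])
    return compare_nodes(roots, module_name)

if __name__ == "__main__":
    print(demo())  # {'node1': [], 'node2': ['1. jar', '3. auth xml']}
```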



Monday, February 21, 2011

Problems Solved By OpenSSO

I was reading the newly released OpenAM book by Indira Thangasamy and came across this diagram in the overview section.


Great stuff! I always salute those who can illustrate the capability of their products in a diagram.

This diagram shows the 4 types of problems that OpenSSO/OpenAM is built for:

1. Access management
2. Federation
3. Securing web services
4. Entitlements


Wednesday, February 16, 2011

How to decode CSR?


After generating a CSR (Certificate Signing Request) and before submitting it to a CA to generate a server certificate, it is good to double-check what has been generated.

If OpenSSL is installed, the following command can be used:
openssl req -in mycsr.csr -noout -text

I'm lazy. :) Thanks to SSLShopper. Here's the link.



Monday, February 14, 2011

Failed to establish chain from reply


If your server certificate (end-entity certificate) is signed by an Intermediate CA, it is important to import both the Root CA and the Intermediate CA certificates into your keystore (certificate store) before importing the server certificate.




Importing only the Root CA certificate into the keystore is not sufficient. If you import the server certificate without the Intermediate CA certificate, you'll get the following error: "Failed to establish chain from reply".





Thursday, February 10, 2011

Active Directory Primary Server Configuration for Multiple OpenSSO Servers


In a large-scale IAMS infrastructure setup, it would be better if each OpenSSO server is configured to authenticate against a dedicated authentication source (in my case, Microsoft Active Directory).

Is this feature available in OpenSSO 8.0 U2? Yes, as far as the OpenSSO Admin Console is concerned (see diagram below).



However, you first need to figure out what "local server name" means.

I had a hard time figuring out what this really means. In the end, I had to read the source code of OpenAM 9.5 (forgerock.com) to figure it out. The code takes "local server name" to be AM_SERVER_HOST:

private static final String localDsameServer = SystemPropertiesManager.get(
        Constants.AM_SERVER_HOST); 


OK, AM_SERVER_HOST should then be the FQDN of the OpenSSO server.

Server Name is protocol://FQDN:port/opensso-uri

So, I'm up and running. I have the following in my Active Directory Primary Server:
osso1.xxx.xxx.xxx.sg|ad1.xxx.xxx.sg:636
osso2.xxx.xxx.xxx.sg|ad2.xxx.xxx.sg:636

I configured the reverse for my Active Directory Secondary Server:

osso1.xxx.xxx.xxx.sg|ad2.xxx.xxx.sg:636
osso2.xxx.xxx.xxx.sg|ad1.xxx.xxx.sg:636

Theoretically, this will definitely work. I was wrong! There is a bug in OpenSSO 8.0 U2.

The method getServerMapAttr() in the CollectionHelper class is not able to detect that there are multiple entries. What's worse, it is not able to parse the String on the "|" to return the appropriate Active Directory server.


The code simply takes the first entry without any parsing and tries to connect. And of course, "Unknown host" is thrown.

Luckily, the code for this method in OpenAM 9.5 looks good. I copied it and finally fixed the issue.

Thank you, OpenAM!
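To make the expected behaviour concrete, here is an added re-implementation in Python (my own code, not OpenAM's CollectionHelper) of the per-server lookup the post needs: each attribute value is either a global "host:port" or "server|host:port", and the entry whose prefix matches the local server name (AM_SERVER_HOST) wins, with the global value as fallback. The PRIMARY and SECONDARY lists are constructed from the post's configuration; buggy_first_entry() mirrors the 8.0 U2 behaviour described above.

```python
def resolve_server_map_attr(values, local_server):
    """values: attribute values, each either 'host:port' (applies to every
    OpenSSO server) or 'server|host:port' (applies to that server only).
    Returns the target for local_server, else the global entry, else None.
    Hostname comparison is case-insensitive (my choice, not OpenAM's)."""
    global_default = None
    for raw in values:
        value = raw.strip()
        if not value:
            continue
        if "|" in value:
            server, target = value.split("|", 1)
            if server.strip().lower() == local_server.strip().lower():
                return target.strip()
        elif global_default is None:
            global_default = value
    return global_default

def ad_servers_for(local_server, primary_values, secondary_values):
    """Pair the primary and secondary AD targets for one OpenSSO node."""
    return (resolve_server_map_attr(primary_values, local_server),
            resolve_server_map_attr(secondary_values, local_server))

def buggy_first_entry(values):
    """What the post describes the 8.0 U2 code doing: take the first raw value
    unparsed. Used as a hostname, 'osso1...|ad1...:636' yields 'Unknown host'."""
    return values[0]

# Constructed copy of the post's configuration (primary and secondary swapped per node).
PRIMARY = ["osso1.xxx.xxx.xxx.sg|ad1.xxx.xxx.sg:636", "osso2.xxx.xxx.xxx.sg|ad2.xxx.xxx.sg:636"]
SECONDARY = ["osso1.xxx.xxx.xxx.sg|ad2.xxx.xxx.sg:636", "osso2.xxx.xxx.xxx.sg|ad1.xxx.xxx.sg:636"]

if __name__ == "__main__":
    for node in ("osso1.xxx.xxx.xxx.sg", "osso2.xxx.xxx.xxx.sg"):
        print(node, "->", ad_servers_for(node, PRIMARY, SECONDARY))
    print("8.0 U2 would try to connect to:", buggy_first_entry(PRIMARY))
```

Note that the prefix must match AM_SERVER_HOST exactly as the server sees it, so a node whose AM_SERVER_HOST is a short hostname rather than the FQDN in the attribute will silently fall through to the global entry (or to None).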








Wednesday, February 9, 2011

An internal authentication error has occurred


I am near the final milestone of this IAMS project: deploying the Production environment.

We have a custom Authentication Module for this enterprise Single Sign-On infrastructure. I have done it many times in the development and staging environments and it worked!

However, I keep getting "An internal authentication error has occurred" when this custom Authentication module is turned on.



No choice. I needed to turn on verbose logging, and this is what was captured in the Authentication debug log: "unable to find LoginModule class".




OK, I must have made a mistake during the registration of the auth module via ssoadm.jsp. I think I must have keyed in only the Java class name without the full package path.



So I went ahead with ssoadm.jsp again to register it with the fully qualified Java class name.


I restarted the OpenSSO server just to be safe. No luck!

Hmmm.... I recalled that in the days of Sun Access Manager 6.x and 7.x, there was no such thing as registering an authentication module via ssoadm.jsp. We did it manually, and one of the steps was to add the Pluggable Authentication Module Classes in Configuration > Core.

So I went ahead to verify the entries. Jackpot!


Removing the last entry resolved the issue.

