Invalid Credential when Add to Existing Deployment - Part IV

I have blogged quite a lot on this topic (see here and here) and I have also find out the Configurator is only expected to work for a particular setup (see here).

It will fail if customers happen to arrange the Organization and Administrator Authentication configurations in a way that was described in my previous posting.

Today, I am again setting up a pair of OpenAM for internal testing for a customer of mine. This time round, there is no customization at all. Just a plain vanilla setup.

And of course, the Configurator works like a charm as long as the First instance of OpenAM server is alive and running.

The Configurator will "contact" the 1st instance and grab all the configured parameters over. What's more, it will suggest the next best port numbers to use (since the default port numbers have already been used by the 1st instance).

Nice right? Only if the Organization and Administrator Authentication configurations are arranged in a way the Configurator likes.

.

ForgeRock Product Release Levels

I must say ForgeRock is getting more and more organized in terms of their product releases.


ForgeRock defines Major, Minor, and Maintenance product release levels. The release level is reflected in the version number. The release level tells you what sort of compatibility changes to expect.

Read more here .... There's another link which is also important to note: Stability of Product Interfaces .

Good job!

.

OpenAM Policy Agent for Apache HTTPD server

My customer has this weird problem with OpenAM Policy Agent for Apache HTTPD server which I can't explain yet.

We know if we want immediate policy/configuration update from OpenAM, we can restart the Apache HTTPD server and the new configuration will be fetched from OpenAM server.

Well, he did restarted the Apache HTTPD server as what I had instructed him to do. But whenever he did it himself, it'll not work. There's no change to the new configuration. However, if I helped him to perform the restart, it'll work 100% of the time!

Very strange!

I found out the difference later.

HE: $./apachectl restart

ME: $./apachectl stop; ./apachectl start


Why? I seriously do not know why. My main concentration last week was on another task. So I didn't spend the time debugging why.

Seriously very strange!

.

Invalid Credential when Add to Existing Deployment - Part III

In my previous post, I talked about encountering the same Failed to create new Authentication Context: null error even though I have followed the instruction to change to "adminconsoleservice" login.

org.apache.jasper.JasperException: An exception occurred processing JSP page /getServerInfo.jsp at line 76 

73: 
74: AuthContext lc = new AuthContext("/"); 
75: //AZLABS lc.login(); 
76: lc.login(AuthContext.IndexType.SERVICE, "adminconsoleservice"); 
77: while (lc.hasMoreRequirements()) { 
78: Callback[] callbacks = lc.getRequirements(); 
79: ArrayList missing = new ArrayList(); 


So, I spent some time yesterday to investigate why.


First, I started by manually testing via the UI using .../openam/UI/Login?service=adminconsoleservice.

Bingo!

It's very obvious why the Authentication Context is null. The administrative account "amadmin" is used during configuration, thus by showing a Active Directory Authentication module, the "amadmin" user is never ever going to be able to login.

So, this has to be fixed. 

With the same URL .../openam/UI/Login?service=adminconsoleservice, the following UI has to be shown in order for the amended code to work.

However, I do not know what has gone wrong with the initial configuration at first. It took me quite a while to discover. It has got to do with how the Organization and Administrator Authentication configurations are arranged.


In fact, I have not made any change to it. It comes by default.

What I have changed, however, is the ldapService in Authentication Chaining.

I have toggled the default DataStore instance to AZAD instance. This is to allow all users to authenticate via Microsoft Active Directory by default. For administrator, he/she has to manually append the module=DataStore to the URL - .../openam/UI/Login?module=DataStore.

I found out that this is the root cause!

What's the workaround?

Step 1: Create a new Authentication service - azService.

Step 2: Choose AZAD as the default instance.

Step 3: Toggle back to DataStore instance for Authentication service - ldapService.

Step 4: Now, this is the important step. Change Organization Authentication Configuration from ldapService to azService.

Test accessing the URL .../openam/UI/Login?service=adminconsoleservice again. Now the UI is what I am expecting!

And of course, the OpenAM Configurator wizard is no longer complaining now. Happy!


.

Invalid Credential when Add to Existing Deployment - Part II

With the release of OpenAM 10.1 Xpress, I was keen to find out whether or not a previous issue I encountered while configuring a 2nd instance of OpenAM via the wizard has been solved.

Too bad.. not resolved yet. In fact, as pointed out, there is a bugster raised for this issue. (See here for more info)

Sad thing is when I go to the Tomcat webapp for OpenAM 10.1-Xpress, the source code in getServerInfo.jsp has not been modified at all.

The catalina.out showed the following trace stack:

org.apache.jasper.JasperException: An exception occurred processing JSP page /getServerInfo.jsp at line 75 72: } 

73: 
74: AuthContext lc = new AuthContext("/"); 
75: lc.login(); 
76: while (lc.hasMoreRequirements()) { 
77: Callback[] callbacks = lc.getRequirements(); 
78: ArrayList missing = new ArrayList(); 

Stacktrace: at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:568) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:455) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334) at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:99) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1780) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) at java.lang.Thread.run(Thread.java:662) Caused by: javax.servlet.ServletException: com.sun.identity.authentication.spi.AuthLoginException: Failed to create new Authentication Context: null


I took a look at the Fisheye and discovered the fix. So I went ahead to change the source code in getServerInfo.jsp.

No luck also.

org.apache.jasper.JasperException: An exception occurred processing JSP page /getServerInfo.jsp at line 76 

73: 
74: AuthContext lc = new AuthContext("/"); 
75: //AZLABS lc.login(); 
76: lc.login(AuthContext.IndexType.SERVICE, "adminconsoleservice"); 
77: while (lc.hasMoreRequirements()) { 
78: Callback[] callbacks = lc.getRequirements(); 
79: ArrayList missing = new ArrayList(); 

 Stacktrace: at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:568) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:455) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334) at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:99) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1780) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) at java.lang.Thread.run(Thread.java:662) Caused by: javax.servlet.ServletException: com.sun.identity.authentication.spi.AuthLoginException: Failed to create new Authentication Context: null


Hopefully I have some time to play with the source code tomorrow.


.

Cross Domain Single Sign On - What's it?

The concept of why a cookie created specifically for a particular domain cannot be accessed by another domain has been explained repeatedly year over year.

A lot of articles tried to explain, but in words, which can get a little complicating. (ok, maybe to me :>)

The following diagram explains it all. (yes, OpenSSO articles is still the to-go place for reading-up concepts)

Clear and precise. Why talk so much when a simple diagram can do the job? (maybe technical writers just like to write, but doesn't like to draw)


To introduce CDSSO, each SSO product implement its proprietary mechanism to support single sign-on across multiple domains. 


OpenAM / OpenSSO introduced Cross-Domain Controller Servlet (CDCServlet) to handle CDSSO.

SiteMinder introduced Cookie Provider to handle the same scenario.

.

OpenAM HMAC-based One Time Password

There are many Authentication modules available out-of-the-box from ForgeRock OpenAM. One of them is HOTP - HMAC-based One Time Password.

Fairly easy to configure and integrate with the default LDAP module. So, the user will be first prompted with a user name and password fields to key in. Once successful, he/she will be redirect to the HOTP page to key in the OTP.

The previous implementation of HOTP in OpenAM was a little cumbersome such that user has to manually click on "Send OTP" button in order to fire the sending of the OTP to the user's email and/or SMS.

This feature has been enhanced in the latest release of OpenAM 10.1. (I'm not too sure of 10.0.1, but I'm pretty sure 9.5.x doesn't have this feature). The latest enhancement is to "Auto Send OTP Code".

Simple enhancement, yet it makes the user experience so much better!

.

Federation: Redirect POST vs POST Artifact

I attended an Identity course last week and Federation was covered (of course).

We covered Redirect-POST and POST-Artifact and made some comparison.

Well, whenever I need diagrams on Federation, I always go to PingIdentity. Their document is tip-top - my #1! So, here's the link ...


I should say Redirect-POST is the most commonly deployed.

Most activities revolves around redirection via the user's browser. Easily achievable.


When it comes to POST-Artifact, the problem lies in the highlighted red box.

Usually, when different organizations choose Federation for integration, they would most likely not like to expose their backend identity infrastructure as much as possible. However, POST-Artifact requires the Federation Servers in the SP side and the IdP side to communicate to each other.

Adoption rate will be definitely low, as one can easily predicate. 

.

Fix for the famous Configuration Options page

I just saw a new fix for OpenAM (OPENAM-2230 - Users should not be redirected to config/options.htm if OpenAM has already been configured but the config store is unavailable).

This fix is to resolve the famous Configuration Options page which I have blogged about here and here some time back.

And the solution is exactly what I have suggested way back in 2011!

Stay tuned, the fix will be incorporated in the next release of OpenAM - 10.2!

Cool!

.

Cross Domain Single Sign-On

In an environment where there are multiple domains and single sign-on across the domains is required, CDSSO (Cross Domain SSO) shall be utilized. This is a good article to kick-start.

When using CA SiteMinder, the same can be achieved via Cookie Provider. The concept is pretty similar to that in OpenAM.

OpenAM uses iPlanetDirectoryPro as its cookie name; SiteMinder uses SMSession.

.

OpenAM 10.1 Session Failover Mechanism Part II

I talked more about the new Session Failover mechanism in OpenAM 10.1 in my previous blog. The use of  Open Message Queue and Berkeley DB Java Edition has been dropped in favor of the embedded OpenDJ that ships with each OpenAM release.

So how does it work with the embedded OpenDJ?

A new ou is created - ou=tokens. Whenever a user logs in and a session is created, an entry will be created in the OpenDJ under ou=famrecords,ou=openam-session,ou=tokens,dc=xxx,dc=xx.

And if you have multi instances of OpenAM, the multi-master replication (MMR) in the embedded OpenDJ kicks in to take care of session replication from nodes to nodes.

As simple as that. Neat!

.

OpenAM 10.1 Session Failover Mechanism

In my previous blog, I mentioned that there is a new implementation of the Session Failover in OpenAM 10.1.

This new implementation is important to me as all my customers are using Session Failover in their production environment. So I need to evaluate it in order to advise them.

Well, if one install OpenAM 10.1 via the GUI (i seldom use GUI though), this is how easy one can turn on Session Failover. You just need to check on "Enable Session HA Persistence and Failover". Yes, that's it!

Now, let's assume session failover is not enabled during installation and configuration, it is equally easy to turn on Session Failover post-configuration.

Navigate to Configuration > Global > Session. Click on New.

Do nothing. Click on Add.

That's it? Yes, that's it!

Gone are the days when one has to install AMSFO utilities which include the Open Message Queue and Berkeley DB Java Edition. And then to instruct OpenAM to store user sessions into the appropriate message queue via the Database Url. 

The bad news for Systems Integrator is that we have lesser man-days to quote for professional services. *sigh* Thanks to OpenAM 10.1!

.

OpenAM 10.1.0 Release Notes

It's great news that OpenAM 10.1.0 Xpress has been released late last week.

With this new release, the session failover mechanism has been changed. It used to be utilizing Open Message Queue and Berkeley DB Java Edition.

The current implementation makes use of the embedded OpenDJ server to store user sessions. The best thing about it is this implementation can be used to make sessions persist across restart for single OpenAM servers.

However, do take note: "When session failover is configured to use external OpenDJ directory servers, OpenAM must access those directory servers through an LDAP load balancer that can fail over connections from OpenAM whenever a directory server goes offline. Otherwise, sessions could continue to persist after users logout of OpenAM."


There are 2 other limitations which I think worth mentioning.

1. Do not run different versions of OpenAM together in the same OpenAM site.

==> This has not been possible before. But I really hope it can happen in the future. This will make migration really easy. Just a wish, no harm wishing. :)


2. Not all features of OpenAM work with IPv6.

==> IPv6 is pretty hot these days and the IT governing body in Singapore has even dictated that all software be compliant with IPv6 in all the ministries. This makes life difficult for Systems Integrators like us. If a software does not fully support IPv6, what can we do? It takes time for all software (especially matured software) to slowly conform to IPv6.

.

OpenDJ Utilities

The following links are helpful if you want to extract useful information from OpenDJ logs:

Github - ludomp/opendj-utils
Github - chrisridd/opendj-utils


.

OpenAM Lineage

I have told customers multi-times - OpenAM is not a new product, even though ForgeRock is only 2. In fact, OpenAM is around 13 years old now. The history of OpenAM dates back to early 2000 when Sun Microsystems started this as a Directory Server Access Management Edition (DSAME).

Interestingly, after Oracle took over Sun OpenSSO, the product was "chopped" into several non-compatiable products - each sold differently :).

.

ForgeRock Open Source Advantage

The following slide sums up what my customers have been asking for the past 1-2 years regarding ForgeRock Open Source Advantage.

Great job!

.

ForgeRock Global Partner Network

Azimuth Labs is in ForgeRock Global Partner Network!

.

Architecture Definition

It is always hard to balance between the Problem space and Solution space when architecting solutions for customers. 

An art indeed.

.

Invalid Credential when Add to Existing Deployment - Part II

Last week, I posted this - Invalid Credential when Add to Existing Deployment where I attempted to install and configure a 2nd instance of OpenAM server via the Configuration Wizard UI.

Not successful if the default ldapService is not switched to DataStore.

Out of curiosity, I install a 3rd instance of OpenAM server in our test labs. However, I choose to configure via SSO Configurator Tool this time round.

Went through smoothly like a breeze!


[azlabs@idp config]$ java -jar configurator.jar -f am3config
Checking configuration directory /home/azlabs/var/am3....Success.
Installing OpenAM configuration store...Success RSA/ECB/OAEPWithSHA1AndMGF1Padding.
Extracting OpenDJ, please wait...Complete
Running OpenDJ setupSetup command: --cli --adminConnectorPort 7888 --baseDN dc=azlabs,dc=sg --rootUserDN cn=Directory Manager --ldapPort 52389 --skipPortCheck --rootUserPassword xxxxxxx --jmxPort 3689 --no-prompt --configFile /home/azlabs/var/am3/opends/config/config.ldif --doNotStart --hostname am3.azlabs.sg %0AOpenDJ+2.4.5%0APlease+wait+while+the+setup+program+initializes...%0A%0ASee+%2Fhome%2Fazlabs%2Fopt%2Ftomcat-7.0.34-am3%2Ftemp%2Fopends-setup-6235062839150188850.log+for+a+detailed+log+of+this+operation.%0A%0AConfiguring+Directory+Server+.....+Done.%0A%0ATo+see+basic+server+configuration+status+and+configuration+you+can+launch+%2Fhome%2Fazlabs%2Fvar%2Fam3%2Fopends%2Fbin%2Fstatus%0A...Success.
...Success
Installing OpenAM configuration store in /home/azlabs/var/am3/opends...Success.
:
:
:

...Success.
Reinitializing system properties....Done
Configuring server instance....Done
Setting up monitoring authentication file.
Configuration complete!


Strange indeed.


.

OpenIDM Architecture

A picture says a thousand words.

Honestly, it's still not ready for today's enterprises after talking to customers. But we shall see in a year or 2... I'm optimistic about this product! :)

.