Comment: Published by Scroll Versions from space IDS and version 8.4

...

Invalid CSV file contents


When:

What:

  • Authentication succeeds and a CSV file is returned, but it is empty or contains an error message, although each CSV file should have at least a header row
  • Error example:

    <html>
      <head>
        <title>404 Not Found</title>
      </head>
      <body>
        <div>
          <h2>404 Not Found</h2>
        </div>
      </body>
    </html>

Why:

  • Accounting Service uses its own API to provide the actual result, but accessing the API through the public address fails

How to fix:

Empty CSV file contents because Accounting certificate not in place


When:

What:

  • Authentication succeeds and a CSV file is returned, but it is empty, although each CSV file should have at least a header row
  • The following kind of error message appears in the Accounting Service application log:

    2019-11-08 14:26:27.719 ERROR 24737 --- [http-nio-8442-exec-4] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
    
    javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1329)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1224)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1271)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:505)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:444)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:283)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1421)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:794)
        at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:382)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:416)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:331)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
        at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1499)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1513)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1397)
        ... 21 common frames omitted
    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching accounting.ids-centos7.localdomain found.
        at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:462)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:428)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:261)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
        ... 30 common frames omitted
    
    
    

Why:

  • Accounting Service uses its own API to provide the actual result, but accessing the API through the public address fails because a certificate with the Accounting DNS name is not present: "No subject alternative DNS name matching accounting.ids-centos7.localdomain found"
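
The host name check that fails in the log above, as an added Python example (not code from the product or the original page): the client accepts the certificate only if one of its subject alternative DNS names matches the public host name it connects to. The matching rules are a simplified RFC 6125 form, and the three SAN lists are constructed for illustration.

```python
# Added illustration of the DNS-name check behind the CertificateException above.
# Simplified RFC 6125 rules; the SAN lists are constructed, not read from a real certificate.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against the host name the client connects to."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # a wildcard covers exactly one label
    if p[0] == "*":
        # Conservative: the wildcard must be the whole left-most label and
        # at least two fixed labels must follow it.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def check_san(hostname: str, san_dns_names: list) -> tuple:
    """Return (ok, message); the failure message mirrors the one in the log."""
    for name in san_dns_names:
        if dns_name_matches(name, hostname):
            return True, f"{hostname} matched SAN entry {name}"
    listed = ", ".join(san_dns_names) or "none"
    return False, (f"No subject alternative DNS name matching {hostname} found "
                   f"(certificate lists: {listed})")


PUBLIC_NAME = "accounting.ids-centos7.localdomain"   # name from the log above

# Constructed SAN lists for three hypothetical certificates.
HOST_ONLY_CERT = ["ids-centos7.localdomain", "localhost"]
FIXED_CERT = ["ids-centos7.localdomain", PUBLIC_NAME]
WILDCARD_CERT = ["*.ids-centos7.localdomain"]

if __name__ == "__main__":
    for label, sans in [("host-only", HOST_ONLY_CERT), ("fixed", FIXED_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        print(label, check_san(PUBLIC_NAME, sans))
```

The SAN entries of a real certificate can be listed with `openssl x509 -noout -text` and passed to `check_san` as a list.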

How to fix:


Refreshing secret key fails

When:

  • Accounting Service tries to initialise the secret key for pseudonymisation by reading it from the given location during the first 15 minutes of each month

What:

  • Refreshing the secret key (HMAC key) fails, with the following kind of error messages in the Accounting Service application log:

    2019-08-01 00:00:00.242 ERROR 416 --- [scheduling-1] c.u.i.a.collector.DataProtector          : 
    HMAC key could not be read from the key file and events cannot be stored. Service is not stopped but the system setup and 
    key file in location: <secret key location> should be checked and fixed. 
    java.nio.file.NoSuchFileException: <secret key file name>
    
    
    2019-08-01 00:00:00.691 ERROR 416 --- [scheduling-1] c.u.i.a.collector.DataProtector          : 
    Invalid HMAC key in the key file and events cannot be stored. Service is not stopped but the key file in 
    location: <secret key location> should be checked and fixed.
    java.lang.IllegalArgumentException: Empty key

Why:

  • The Accounting Service would not have started if the key location or contents had been faulty after the installation

  • You have accidentally either prevented access to the network resource or file, removed the file in the given location, or corrupted (emptied) its contents later, which is reported when the service tries to read the key again at the turn of the month

How to fix:

  • If the configured accounting.secret-key-location-uri is correct, make the location available and have a random key present

  • The system will use the previous valid key until the next time slot in which it tries to refresh the key

  • If you realise that accounting.secret-key-location-uri should be changed, fix the setting in the win32.config/unix.config file

  • In the normal case the job writes to the application log:

    2019-08-01 00:00:01.684  INFO 416 --- [scheduling-1] c.u.i.a.collector.DataProtector          : 
    Successfully initialised MAC provider with algorithm: HmacSHA256 and key of length: 32.
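
A pre-flight check for the key file that can be run before the monthly refresh, as an added Python example (not part of the product or the original page). It reproduces the two failure modes logged above and adds a file permission check; it assumes the location is a local file holding the raw key bytes and takes the expected length of 32 from the success log line.

```python
import hashlib
import hmac
import os
import stat

EXPECTED_KEY_LEN = 32   # assumption: from the "key of length: 32" success log line


def check_hmac_key_file(path: str) -> tuple:
    """Return (usable, findings). Key bytes are never returned or printed."""
    try:
        mode = os.stat(path).st_mode
        with open(path, "rb") as fh:
            key = fh.read()        # assumption: the file holds the raw key bytes
    except FileNotFoundError:
        return False, ["key file missing: service would log NoSuchFileException"]
    except OSError as exc:
        return False, [f"key file cannot be read: {exc.strerror}"]
    if not key:
        return False, ["key file is empty: service would log 'Empty key'"]

    findings = []
    if len(key) != EXPECTED_KEY_LEN:
        findings.append(f"key length is {len(key)}, expected {EXPECTED_KEY_LEN}")
    if len(set(key)) == 1:
        findings.append("every key byte is identical: not a random key")
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key file is accessible to group/other: restrict it "
                        "to the service account")
    # Self-test: the key can drive HMAC-SHA256 (Java's HmacSHA256).
    tag = hmac.new(key, b"self-test", hashlib.sha256).digest()
    return len(tag) == 32, findings


if __name__ == "__main__":
    import sys
    # "hmac.key" is a hypothetical default path used when no argument is given.
    target = sys.argv[1] if len(sys.argv) > 1 else "hmac.key"
    usable, notes = check_hmac_key_file(target)
    print("usable" if usable else "NOT usable", *notes, sep="\n  ")
```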

...

  1. Check the diagnostics logs for warnings or errors, in particular the following ones. If you have followed the installation / upgrade process, the broker URL host name should always be localhost and the port number should match the one configured on the Accounting Service side.

    2019-05-03 16:48:18,707 init WARN Error in opening Accounting Service JMS connection in SSO startup. Accounting Service is a required component of SSO that needs to be functioning when running SSO.
    javax.jms.JMSException: Could not connect to broker URL: tcp://localhost:61616?connectionTimeout=10. Reason: java.net.SocketTimeoutException: connect timed out
    
    2019-05-03 17:00:08,112 tech WARN Error in opening Accounting Service JMS connection, event cannot be sent. Accounting Service is a required component of SSO that needs to be functioning when running SSO.
    javax.jms.JMSException: Could not connect to broker URL: tcp://localhost:61616?connectionTimeout=10. Reason: java.net.SocketTimeoutException: connect timed out
  2. Check the diagnostics logs for the following warning. It implies that you have not properly installed / upgraded SSO, or that the respective LDAP entry has been manually modified.

    2019-05-03 18:09:46,030 tech WARN MessageQueueSender missing Accounting Service broker URL. Accounting Service is a required component of SSO that needs to be functioning when running SSO.
  3. If the connection is intact and the Accounting Service is running, the SSO diagnostics log shows the following at startup:

    2019-05-03 13:00:03,998 init MessageQueueSender initialised with connection to Accounting Service broker URL: tcp://localhost:36161?connectionTimeout=10
  4. If Accounting Service is not running, start it.

  5. If the connection timeout is too short on your server, change the respective Accounting Service setting in the win32.config/unix.config file, following the instructions here. Remember to update LDAP.

  6. If the connection seems to be intact, change the log level of uas/tech to DEBUG (see Management UI logging configuration) and check for the following messages in the diagnostics log. If the events are sent normally, then the problem is on the Accounting Service receiving side.

    2019-08-14 12:43:35,969 tech DEBUG Going to send JMS message to the queue: SSOEventQueue
    2019-08-14 12:43:35,970 tech DEBUG Elapsed time in MessageQueueSender: 3377300 nanos (3 ms), enabled: true, message sent: true
  7. Finally, remember to set the SSO log level back to INFO.
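
The checks in steps 1 to 6, applied to diagnostics log lines by a small triage script, as an added Python example (not part of SSO or the original page). The sample lines are constructed from the messages quoted above, and `expected_port` stands for whatever port the Accounting Service side is configured with; 36161 is used only because it appears in the startup line of step 3.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"broker URL: (tcp://\S+)")


def broker_issues(line: str, expected_port: int) -> list:
    """Compare the broker URL in a log line with step 1's expectations."""
    m = URL_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1).rstrip("."))   # drop the sentence-ending dot
    issues = []
    if url.hostname != "localhost":
        issues.append(f"host is {url.hostname}, expected localhost")
    if url.port != expected_port:
        issues.append(f"port is {url.port}, Accounting Service uses {expected_port}")
    return issues


def triage(lines: list, expected_port: int) -> list:
    """Return (line_number, diagnosis) for every line the steps above cover."""
    out = []
    for n, line in enumerate(lines, 1):
        if "Could not connect to broker URL" in line:
            why = broker_issues(line, expected_port) or [
                "Accounting Service not running or timeout too short"]
            out.append((n, "connect failed: " + "; ".join(why)))
        elif "missing Accounting Service broker URL" in line:
            out.append((n, "broker URL missing: check SSO install/upgrade and the LDAP entry"))
        elif "MessageQueueSender initialised" in line:
            why = broker_issues(line, expected_port)
            out.append((n, "connected" + (", but " + "; ".join(why) if why else "")))
        elif "message sent: true" in line:
            out.append((n, "event sent: check the Accounting Service receiving side"))
    return out


# Constructed sample built from the log messages quoted in the steps above.
SAMPLE = [
    "javax.jms.JMSException: Could not connect to broker URL: tcp://localhost:61616?connectionTimeout=10. Reason: java.net.SocketTimeoutException: connect timed out",
    "2019-05-03 18:09:46,030 tech WARN MessageQueueSender missing Accounting Service broker URL.",
    "2019-05-03 13:00:03,998 init MessageQueueSender initialised with connection to Accounting Service broker URL: tcp://localhost:36161?connectionTimeout=10",
    "2019-08-14 12:43:35,970 tech DEBUG Elapsed time in MessageQueueSender: 3377300 nanos (3 ms), enabled: true, message sent: true",
]

if __name__ == "__main__":
    for lineno, diagnosis in triage(SAMPLE, expected_port=36161):
        print(lineno, diagnosis)
```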

...