Page Comparison

Whenever you need to change settings in the update win32.config/unix.config file you'll need to continue from the setup phase. Follow the environment specific upgrade instructions or see the guidelines in here:

• Change configuration settings during installation process in Windows
• Change configuration settings during installation process in Linux

When:

• Installing or upgrading SSO and executing the setup script

What:

• Setup script complains about missing Accounting Service settings:

  Code Block
  language text
  error: required parameter is missing: accounting.instancename error: required parameter is missing: accounting.datasource.url error: required parameter is missing: accounting.jms.broker.port error: required parameter is missing: accounting.jms.broker.socket-timeout-ms

Why:

• The necessary settings have not been added to or have been deleted from the configuration file win32.config/unix.config

How to fix:

• Add the settings and modify the values according to your needs in win32.config/unix.config file as explained here and continue from the setup script again

When:

• Installing or upgrading SSO and executing install, update or remove script

What:

• Script complains about missing Java:

  Code Block
  language text
  ./config/tomcat/install.sh Creating serverhost keystore /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat/keystore.pfx Unable to find Java

Why:

• JAVA_HOME environment variable has not been set but it is required by the Accounting Service with embedded scripts in the JAR file

How to fix:

• Add JAVA_HOME as explained here and rerun the script

When:

• Starting Accounting Service for the first time after installation or restarting Accounting Service after a successful installation

What:

• Database tables cannot be created in the initial startup or database connection cannot be created when checking the migration status, the following kind of error message in the Accounting Service application log:

  Code Block
  language text
  15:24:36.713 [main] ERROR Application run failed : o.s.boot.SpringApplication.reportFailure org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flyway' defined in class path resource [org/springframework/boot/autoconfigure/flyway/FlywayAutoConfiguration ... Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.flywaydb.core.Flyway]: Factory method 'flyway' threw exception; nested exception is java.lang.IllegalStateException: org.springframework.jdbc.support.MetaDataAccessException: Could not get Connection for extracting meta-data; nested exception is org.springframework.jdbc.CannotGetJdbcConnectionException: Failed to obtain JDBC Connection; nested exception is org.postgresql.util.PSQLException: FATAL: Ident authentication failed for user "accounting_user"

Why:

• Cannot connect to the PostgreSQL Database

How to fix:

• Check the root cause from the org.postgresql.util.PSQLException in the log, there are some alternatives:

org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "127.0.0.1", 
user "accounting_user", database "accountingdb", SSL off

• • You have not configured PostgreSQL to accept connections from your host to the configured database and user, see the comment about md5 here and fix your PostgreSQL setup, start the Accounting Service again
  • You have forgotten to create the database in the PostgreSQL server, follow instructions in here, start the Accounting Service again
  • You have configured a wrong JDBC connection URL or username in the Accounting Service settings in win32.config/unix.config file, follow instructions in here (check that there are no trailing spaces in your settings)

org.postgresql.util.PSQLException: FATAL: Ident authentication failed for user "accounting_user"

• • You have not configured PostgreSQL to accept password based authentication, see the comment about md5 here and fix your PostgreSQL setup, start the Accounting Service again

org.postgresql.util.PSQLException: FATAL: password authentication failed for user "accounting_user"

• • You have configured a wrong JDBC connection password in the Accounting Service settings in win32.config/unix.config file, follow instructions in here, check especially that you don't have extra spaces or other invisible characters after the password setting
  • Note that if you have created a user name having uppercase letters these are converted to lowercase letters by PostgreSQL

org.postgresql.util.PSQLException: Connection to localhost:5432 refused. Check that the hostname and port 
are correct and that the postmaster is accepting TCP/IP connections.

• • Your PostgreSQL RDBMS server is down, start it, start the Accounting Service again
  • You have configured a wrong JDBC connection URL host name or port in the Accounting Service settings in win32.config/unix.config file, follow instructions in here
  • You cannot connect from the server SSO with Accounting Service is running to the correctly configured URL where the PostgreSQL RDBMS server is running, fix your network topology, firewall settings etc., start the Accounting Service again

org.postgresql.util.PSQLException: FATAL: the database system is starting up

• • Your PostgreSQL RDBMS server had not yet started when Accounting Service already tried to start, start the Accounting Service again when PostgreSQL server is up

When:

• Starting Accounting Service for the first time after installation or restarting Accounting Service after a successful installation

What:

• Accounting Service reads the secret key for pseudonymisation in startup which fails, the following kind of error message in the Accounting Service application log:

Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2019-08-24 04:47:59.510 ERROR 53308 --- [main] o.s.boot.SpringApplication               : Application run failed

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'ssoEventReceiver' defined in URL 
...
Error creating bean with name 'ubisecure.ids.accounting.security-com.ubisecure.ids.accounting.configuration.SecurityConfigurationProperties': 
Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: 
Invalid value for 'ubisecure.ids.accounting.security.key-location-uri' ('secret-key-location')': 
file:////usr/local/ubisecure/ubilogin/sso/accounting/config/ids-accounting-service.secret
...
Caused by: java.io.IOException: Testing if file exists and is readable failed
        at com.ubisecure.ids.accounting.configuration.SecurityConfigurationProperties.init(SecurityConfigurationProperties.java:112)

Why:

• Accounting Service cannot access the key in the given location, see  Account Service security / Pseudonymisation

How to fix:

• Check the location from the stack trace
• NOTE that correctly set file:///usr/local/... turns into file:////usr/local/... in the log.

Invalid value for 'ubisecure.ids.accounting.security.key-location-uri' ('secret-key-location')': 
file:////usr/local/ubisecure/ubilogin/sso/accounting/config/ids-accounting-service.secret

• Check the root cause from the last causing exception in the stack trace, there are some alternatives

Caused by: java.io.IOException: Testing if file exists and is readable failed

• • You have configured a wrong security key location in the Accounting Service settings in win32.config/unix.config file, follow instructions in here
  • You have forgotten to set the key and put the file in place, create the file with a random key in it, start the Accounting Service again

Caused by: java.lang.IllegalArgumentException: URI has an authority component

• • When the location starts with file://usr/local/... it is not a proper file URI, turn into an absolute path by adding one / after the scheme, fix setting in the win32.config/unix.config file

Caused by: java.lang.IllegalArgumentException: Missing scheme

• • When the location starts with /usr/local/... it is not an URI, add the scheme file://, fix setting in the win32.config/unix.config file

When:

• Starting Accounting Service for the first time after installation or restarting Accounting Service after a successful installation

What:

• Database tables cannot be created in the initial startup, the following kind of error message in the Accounting Service application log:

15:24:36.713 [main]       WARN ConfigServletWebServerApplicationContext : Exception encountered during context initialization - 
cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flywayInitializer' 
defined in class path resource [org/springframework/boot/autoconfigure/flyway/FlywayAutoConfiguration$FlywayConfiguration.class]: 
Invocation of init method failed; nested exception is org.flywaydb.core.internal.exception.FlywaySqlException:
Error while retrieving the list of applied migrations from Schema History table "public"."flyway_schema_history"
----------------------------------------------------------------------------------------------------------------
SQL State  : 42501
Error Code : 0
Message    : ERROR: permission denied for relation flyway_schema_history

Why:

• Database user of the PostgreSQL Database does not have sufficient permissions to create tables and rows in the Accounting Service database
• Permission to create tables is required by the Flyway migration tool

How to fix:

• Grant more roles to the database user as advised here: PostgreSQL preparation on Linux / PostgreSQL preparation on Windows
• As an alternative you may define by the means of Spring Boot configuration a different database user for Flyway access with more permissions than the regular database user

When:

• Authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)
• Browser redirects to the SSO login page where user is supposed to authenticate with the configured authentication method to the OAuth2 application created during the installation process

What:

• Authentication succeeds but SSO login page shows the following error message:
  Access to the requested resource is denied

Why:

• This user is not allowed to use the Accounting OAuth2 application in SSO, see Accounting Service installation about the Accounting application

How to fix:

• Use a different user account or configure this user to be a member of Accounting Users in SSO

When:

• Authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)

What:

• SSO login page shows the following error message:
  The requested application was not found
  

Why:

• The OAuth2 client credentials in Accounting Service and the Accounting OAuth2 application in SSO do not match or the application in SSO has been deleted, see finalise Accounting Service installation about the Accounting application
• The application and client credentials are automatically created and configured on both sides during SSO installation
• Installation has not been properly executed or the related configuration has been manually changed afterwards

How to fix:

• Install Ubisecure SSO and Accounting Service again

When:

• Accounting Service authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)

What:

• Authentication succeeds and a CSV file is returned but it is empty or contains an error message, when each CSV file should have at least a header row

• Error example:

  Code Block
  language xml
  <html> <head> <title>404 Not Found</title> </head> <body> <div> <h2>404 Not Found</h2> </div> </body> </html>

Why:

• Accounting Service uses its own API to provide the actual result but accessing the API through the public address fails

How to fix:

• In case of the example above configure your load balancer / reverse proxy to allow access to the /api/* paths as advised here Installation requirements / Network requirements.
• See also section Empty events CSV due OAuth2 cookie / configuration error below for an other kind of error situation.