Comment: Published by Scroll Versions from space IDS and version 8.4

...

Database connection fails


When:

  • Starting Accounting Service for the first time after installation or restarting Accounting Service after a successful installation

What:

  • Database tables cannot be created during the initial startup, or the database connection cannot be created when checking the migration status; the following kind of error message appears in the Accounting Service application log:

    Code Block
    languagetext
    15:24:36.713 [main]       ERROR Application run failed : o.s.boot.SpringApplication.reportFailure
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flyway' 
    defined in class path resource [org/springframework/boot/autoconfigure/flyway/FlywayAutoConfiguration
    ...
    Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.flywaydb.core.Flyway]:
    Factory method 'flyway' threw exception; nested exception is java.lang.IllegalStateException: 
    org.springframework.jdbc.support.MetaDataAccessException: Could not get Connection for extracting meta-data; nested exception is 
    org.springframework.jdbc.CannotGetJdbcConnectionException: Failed to obtain JDBC Connection; nested exception is 
    org.postgresql.util.PSQLException: FATAL: Ident authentication failed for user "accounting_user"

Why:

  • Cannot connect to the PostgreSQL Database

How to fix:

  • Check the root cause from the org.postgresql.util.PSQLException in the log; there are several alternatives:

Code Block
languagetext
org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "127.0.0.1", 
user "accounting_user", database "accountingdb", SSL off
    • You have not configured PostgreSQL to accept connections from your host to the configured database and user; see the comment about md5 here, fix your PostgreSQL setup and start the Accounting Service again
    • You have forgotten to create the database in the PostgreSQL server; follow the instructions in here and start the Accounting Service again
    • You have configured a wrong JDBC connection URL or username in the Accounting Service settings in the win32.config/unix.config file; follow the instructions in here (check that there are no trailing spaces in your settings)



Code Block
languagetext
org.postgresql.util.PSQLException: FATAL: Ident authentication failed for user "accounting_user"
    • You have not configured PostgreSQL to accept password based authentication; see the comment about md5 here, fix your PostgreSQL setup and start the Accounting Service again


Code Block
languagetext
org.postgresql.util.PSQLException: FATAL: password authentication failed for user "accounting_user"
    • You have configured a wrong JDBC connection password in the Accounting Service settings in the win32.config/unix.config file; follow the instructions in here and check especially that you don't have extra spaces or other invisible characters after the password setting
    • Note that if you have created a user name containing uppercase letters, PostgreSQL converts them to lowercase letters


Code Block
languagetext
org.postgresql.util.PSQLException: Connection to localhost:5432 refused. Check that the hostname and port 
are correct and that the postmaster is accepting TCP/IP connections.
    • Your PostgreSQL RDBMS server is down; start it, then start the Accounting Service again
    • You have configured a wrong JDBC connection URL host name or port in the Accounting Service settings in the win32.config/unix.config file; follow the instructions in here
    • You cannot connect from the server where SSO with Accounting Service is running to the correctly configured URL where the PostgreSQL RDBMS server is running; fix your network topology, firewall settings etc. and start the Accounting Service again


Code Block
languagetext
org.postgresql.util.PSQLException: FATAL: the database system is starting up
    • Your PostgreSQL RDBMS server had not yet started when Accounting Service already tried to start; start the Accounting Service again once the PostgreSQL server is up
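The first three PSQLException variants above ("no pg_hba.conf entry", "Ident authentication failed", "password authentication failed") are all decided by which pg_hba.conf line PostgreSQL matches first for the connecting address, database and user. The following added example (not Ubisecure's or PostgreSQL's code) walks that decision for two constructed pg_hba.conf excerpts: a stock layout that maps 127.0.0.1 to ident, and one that replaces it with a password method for the Accounting Service's database and user. The database and user names are taken from the log lines above; the file contents are constructed.

```python
import ipaddress

# Two constructed pg_hba.conf excerpts (not from the page). The first is the
# common stock layout where 127.0.0.1/32 uses "ident", so a JDBC password
# login fails with "Ident authentication failed"; the second replaces that
# line with a password method for the Accounting Service's database and user.
PG_HBA_IDENT = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            ident
host    all             all             ::1/128                 ident
"""

PG_HBA_MD5 = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    accountingdb    accounting_user 127.0.0.1/32            md5
host    all             all             ::1/128                 ident
"""


def parse_pg_hba(text):
    """Parse pg_hba.conf into (type, databases, users, network, method) tuples.
    Only the CIDR address form and the keyword "all" are handled; the separate
    netmask column, host names, "samehost"/"samenet" and auth options are not."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append(("local", f[1].split(","), f[2].split(","), None, f[3]))
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            net = "all" if f[3] == "all" else ipaddress.ip_network(f[3], strict=False)
            rules.append((f[0], f[1].split(","), f[2].split(","), net, f[4]))
    return rules


def _db_matches(patterns, database, user):
    return any(p == "all" or p == database or (p == "sameuser" and database == user)
               for p in patterns)


def _user_matches(patterns, user):
    return any(p == "all" or p == user for p in patterns)


def find_auth_method(text, database, user, client_ip=None, ssl=False):
    """Return the METHOD PostgreSQL would apply to this connection, or None when
    no line matches (the "no pg_hba.conf entry for host ..." FATAL error).
    client_ip=None models a Unix-socket connection (TYPE local). PostgreSQL
    takes the first matching line, so the order of the file matters."""
    for kind, dbs, users, net, method in parse_pg_hba(text):
        if client_ip is None:
            if kind != "local":
                continue
        else:
            if kind == "local":
                continue
            if (kind == "hostssl" and not ssl) or (kind == "hostnossl" and ssl):
                continue
            if net != "all" and ipaddress.ip_address(client_ip) not in net:
                continue
        if _db_matches(dbs, database, user) and _user_matches(users, user):
            return method
    return None


def explain(method):
    """Map the matched method to the PSQLException the service would log."""
    if method is None:
        return "FATAL: no pg_hba.conf entry -> add a host line for this address, database and user"
    if method in ("ident", "peer"):
        return f"{method}: OS-user mapping, a JDBC password login fails with 'Ident authentication failed' -> use md5 (or scram-sha-256)"
    if method in ("md5", "scram-sha-256"):
        return f"{method}: password authentication; a wrong password gives 'password authentication failed'"
    return f"{method}: not covered on this page"


if __name__ == "__main__":
    for name, conf in (("stock", PG_HBA_IDENT), ("fixed", PG_HBA_MD5)):
        m = find_auth_method(conf, "accountingdb", "accounting_user", "127.0.0.1")
        print(f"{name}: {explain(m)}")
```

Running the script shows the stock file resolving to ident for the service's TCP login and the fixed file resolving to md5; a connection from another host still gets None with the fixed file, which is the "no pg_hba.conf entry" case, because only the loopback lines exist. PostgreSQL must be reloaded after editing the file for the change to take effect.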

...

When:

  • Authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)
  • Browser redirects to the SSO login page where the user is supposed to authenticate with the configured authentication method to the OAuth2 application created during the installation process

What:

  • Authentication succeeds but the SSO login page shows the following error message:
    Access to the requested resource is denied

Why:

  • This user is not allowed to use the Accounting OAuth2 application in SSO

How to fix:

  • Use a different user account or configure this user to be a member of Accounting Users in SSO
Proper SSO certificate not in place


When:

  • Accounting Service authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)
  • Browser redirects to the SSO login page where the user is supposed to authenticate with the configured authentication method to the OAuth2 application created during the installation process
  • Alternatively, the respective API end-point like https://accounting.example.com/api/v1/accounting/report is requested directly

What:

  • Authentication succeeds but the report is not downloaded; an [invalid_token_response] error page is shown instead
  • If the API end-point is requested directly, 401 is returned without any response data, and the following kind of error message appears in the Accounting Service application log:

Code Block
languagetext
2019-11-13 15:06:47.677 ERROR 4100 --- [http-nio-8084-exec-10] c.u.i.a.oauth2.IntrospectingJwtDecoder   : 
Token: eyJjdHkiOiJKV1QiLCJhb...6Gfpp6GF877syj7OIo8oA introspection failed: ResourceAccessException:I/O error on 
POST request for "https://sso.example.com/uas/oauth2/introspection": sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path 
to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path 
to requested target

Why:

  • Accounting Service cannot complete the authentication flow because it does not trust the SSO server when accessing it from the server side
  • The SSO server certificate has not been added to the Java trust store, or the owner (subject) of the certificate is not correct
  • In the case above an IP address has been used instead of the host name, which is not possible for the certificate subject

How to fix:

  • If the certificate is missing from the Java trust store, add it by following the instructions in here, and restart Accounting Service
  • If the host name in the certificate is not correct, fix the settings in the win32.config/unix.config file and remove the already created certificate from the installation directory before continuing with the installation


OAuth2 client authentication fails


When:

  • Authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)

What:

  • Browser redirects to the SSO login page, which shows the following error message:
    The requested application was not found

Why:

  • The OAuth2 client credentials in Accounting Service and the Accounting OAuth2 application in SSO do not match, or the application in SSO has been deleted; see finalise Accounting Service installation about the Accounting application
  • The application and client credentials are automatically created and configured on both sides during SSO installation
  • Installation has not been properly executed or the related configuration has been manually changed afterwards

How to fix:

  • Install Ubisecure SSO and Accounting Service again


Hostname changes during OAuth2 flow


When:

  • Accounting Service authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)
  • Browser redirects to the SSO login page where the user is supposed to authenticate with the configured authentication method to the OAuth2 application created during the installation process

What:

  • Authentication succeeds but the report is not downloaded; an [invalid_redirect_uri_parameter] error page is shown instead

Why:

  • Behind a proxy, OAuth2 redirection requires a link to the proxy and not to the physical address of the machine hosting your application
  • The Accounting Service redirect URI needs to be exactly the same in the browser and in the configuration
  • Browsers tend to change an uppercase hostname to lowercase, and the check on the Spring framework side is case sensitive

How to fix:

  • In the case of a proxy, check that you have not overridden server.use-forward-headers to false in the Accounting Service additional configuration, and that you have configured your reverse proxy / load balancer to send the X-Forwarded-For and X-Forwarded-Proto headers
  • Check that the access URL (in lowercase) matches the accounting.url setting in the win32.config/unix.config file, and that the network configuration supports this properly


Hostname changes during OAuth2 flow


When:

  • Accounting Service authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)
  • Browser redirects to the SSO login page where user is supposed to authenticate with the configured authentication method to the OAuth2 application created during the installation process

What:

  • Authentication succeeds but the report is not downloaded; an [authorization_request_not_found] error page is shown instead

Why:

  • Accounting Service cannot complete the authentication flow because the session cookie (JSESSIONID) has expired or does not have a matching hostname
  • The Spring framework creates the session cookie with the hostname from the original request URL and looks for the cookie with the hostname in the redirect URL; if they differ, the problem occurs

How to fix:

  • The session expires by default in 10 minutes; try again if the error persists
  • Check that the access URL matches the accounting.url setting in the win32.config/unix.config file, and that the network configuration supports this properly
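Both "Hostname changes during OAuth2 flow" sections above come down to the same two checks: the origin the service derives for a request (and puts into redirect_uri) must equal the configured accounting.url, and the session cookie set on the first request must be presented again when the browser lands on the callback. The following added example (not Ubisecure's or Spring's code) models both checks with constructed header sets. The connector scheme and port (http, 8084, taken from the thread name in the log excerpt earlier on this page) and the accounting.url value are assumptions, and the forwarded-header handling is a simplified model of what server.use-forward-headers enables, not the framework's implementation.

```python
from urllib.parse import urlsplit

# Assumed values (not from the page): the public address in front of the
# reverse proxy and the physical connector of the host running the service.
CONFIGURED_ACCOUNTING_URL = "https://accounting.example.com"   # accounting.url
CONNECTOR_SCHEME, CONNECTOR_PORT = "http", 8084                # physical connector


def _split_origin(url):
    """(scheme, host, port) with the host's case preserved; IPv6 literals and
    userinfo are not handled in this simplified parser."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host, sep, p = u.netloc.rpartition(":")
    if not sep or not p.isdigit():          # no explicit port
        host, p = u.netloc, ""
    port = int(p) if p else (443 if scheme == "https" else 80)
    return scheme, host, port


def normalise_origin(url):
    """scheme://host[:port] with the default port dropped. Host case is kept on
    purpose so an uppercase letter in the configuration stays visible, because
    the comparison on the framework side is case sensitive."""
    scheme, host, port = _split_origin(url)
    default = 443 if scheme == "https" else 80
    return f"{scheme}://{host}" if port == default else f"{scheme}://{host}:{port}"


def effective_origin(headers, use_forward_headers=True):
    """Simplified model of the origin the container reports for a request: the
    connector's scheme/port plus the Host header, overridden by
    X-Forwarded-Proto/Host/Port when forwarded headers are honoured.
    X-Forwarded-For only affects the remote address, so it is not used here."""
    h = {k.lower(): v.split(",")[0].strip() for k, v in headers.items()}
    scheme, port = CONNECTOR_SCHEME, CONNECTOR_PORT
    host = h.get("host", "localhost").partition(":")[0]
    if use_forward_headers:
        if "x-forwarded-proto" in h:
            scheme = h["x-forwarded-proto"].lower()
            port = 443 if scheme == "https" else 80
        if "x-forwarded-host" in h:
            host, _, p = h["x-forwarded-host"].partition(":")
            if p:
                port = int(p)
        if "x-forwarded-port" in h:
            port = int(h["x-forwarded-port"])
    return normalise_origin(f"{scheme}://{host}:{port}")


def redirect_uri_problem(headers, use_forward_headers=True, configured=CONFIGURED_ACCOUNTING_URL):
    """None when the origin that ends up in redirect_uri equals accounting.url,
    otherwise a description of the mismatch (the invalid_redirect_uri case)."""
    got, want = effective_origin(headers, use_forward_headers), normalise_origin(configured)
    if got == want:
        return None
    return f"redirect_uri origin {got} != accounting.url {want}"


def session_cookie_sent(cookie_set_on_url, redirect_url):
    """A host-only cookie (no Domain attribute) such as JSESSIONID is presented
    only when the callback lands on the same host; scheme and port are not part
    of cookie scope. False here is the authorization_request_not_found case."""
    first = (urlsplit(cookie_set_on_url).hostname or "").lower()
    back = (urlsplit(redirect_url).hostname or "").lower()
    return first == back


if __name__ == "__main__":
    browser_headers = {"Host": "accounting.example.com", "X-Forwarded-Proto": "https",
                       "X-Forwarded-For": "203.0.113.7"}          # constructed
    print("proxy, forwarded headers honoured:", redirect_uri_problem(browser_headers))
    print("proxy, use-forward-headers=false  :", redirect_uri_problem(browser_headers, False))
    print("cookie survives callback:", session_cookie_sent(
        "https://accounting.example.com/accounting/report",
        "https://acct-node1.internal:8084/callback"))
```

With forwarded headers honoured the derived origin is the proxy's https address and matches; with them disabled the service advertises its physical http://host:8084 origin, which SSO rejects. The cookie check shows the other failure mode: if the callback is redirected to a different host name than the one the report was requested on, the browser does not send JSESSIONID and the pending authorization request cannot be found.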


SSO server changes during OAuth2 flow


When:

  • Accounting Service authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)
  • Browser redirects to the SSO login page where user is supposed to authenticate with the configured authentication method to the OAuth2 application created during the installation process

What:

  • Authentication succeeds but the report is not downloaded; an [invalid_grant] "Authorization code is not valid" error page is shown instead

Why:

  • In a clustered environment the OAuth2 flow starts with one SSO server node, but once the SSO session is created the flow continues on another SSO server node which is not aware of the existing SSO session and rejects the authorization code
  • You must configure either an active-passive setup or use Redis as session storage for your cluster

How to fix:

  • Fix the clustered SSO configuration as explained in SSO Cluster installation
  • With IIS, check the SSO server load balancing and server affinity for sticky sessions; you need to have a different client cookie name for different server farms, and it is a good idea to restart your site after the configuration has been changed
  • As a temporary solution you can try several times and may succeed, or you can disable all but one SSO node in order to get the report you need. However, note that an incorrect cluster configuration may also affect your customers in regular SSO usage.


Invalid CSV file contents


When:

  • Accounting Service authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)

What:

  • Authentication succeeds and a CSV file is returned, but it is empty or contains an error message, although each CSV file should have at least a header row
  • Error example:

    Code Block
    languagexml
    <html>
      <head>
        <title>404 Not Found</title>
      </head>
      <body>
        <div>
          <h2>404 Not Found</h2>
        </div>
      </body>
    </html>

Why:

  • Accounting Service uses its own API to provide the actual result, but accessing the API through the public address fails

How to fix:

Empty CSV file contents because Accounting certificate not in place


When:

  • Accounting Service authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)

What:

  • Authentication succeeds and a CSV file is returned, but it is empty, although each CSV file should have at least a header row
  • There is the following kind of error message in the Accounting Service application log:

    Code Block
    languagetext
    2019-11-08 14:26:27.719 ERROR 24737 --- [http-nio-8442-exec-4] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
    
    javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1329)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1224)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1271)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:505)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:444)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:283)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1421)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:794)
        at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:382)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:416)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:331)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
        at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1499)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1513)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1397)
        ... 21 common frames omitted
    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching accounting.ids-centos7.localdomain found.
        at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:462)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:428)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:261)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
        ... 30 common frames omitted
    
    
    

Why:

  • Accounting Service uses its own API to provide the actual result, but accessing the API through the public address fails because a certificate with the Accounting DNS name is not present: "No subject alternative DNS name matching accounting.ids-centos7.localdomain found"
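This section and "Proper SSO certificate not in place" earlier on the page fail at the same point: the Java client verifies that the name it connected to appears in the server certificate's subject alternative names, and an IP literal can never satisfy a DNS entry. The following added example (not Ubisecure's or the JDK's code) reproduces that decision for a constructed SAN list so the two log messages can be tried out offline; the certificate contents are constructed, and the wildcard rules are a simplification of RFC 6125 matching.

```python
import ipaddress

# Constructed SAN list (not a real certificate): what a server certificate
# for the SSO host might carry. A real certificate's entries can be listed with
#   openssl x509 -in server.crt -noout -ext subjectAltName
SSO_CERT_SAN = [("DNS", "sso.example.com"), ("DNS", "*.example.com")]


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, name):
    """DNS-ID comparison in the spirit of RFC 6125: case-insensitive, and a
    wildcard is accepted only as the entire left-most label; it never spans
    more than one label and never sits at the public-suffix level (*.com)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p, n = pattern.split("."), name.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(n):
        return False
    return p[1:] == n[1:]


def check_identity(san_entries, target):
    """Decide as the JDK host name checker does: a host name target must match
    a DNS SAN and an IP-literal target must match an IP SAN (the CN is only a
    legacy fallback and is ignored here). Returns (ok, message)."""
    dns = [v for kind, v in san_entries if kind == "DNS"]
    ips = [v for kind, v in san_entries if kind == "IP"]
    if _is_ip_literal(target):
        if any(ipaddress.ip_address(v) == ipaddress.ip_address(target) for v in ips):
            return True, f"IP SAN matches {target}"
        return False, f"No subject alternative name matching IP address {target} found"
    if any(_dns_match(d, target) for d in dns):
        return True, f"DNS SAN matches {target}"
    return False, f"No subject alternative DNS name matching {target} found"


def diagnose(san_entries, target):
    """One line of advice for the two situations described on this page."""
    ok, msg = check_identity(san_entries, target)
    if ok:
        return msg
    if _is_ip_literal(target):
        return msg + " -> configure the host name, not the IP address, in the URL"
    return msg + " -> issue a certificate whose SAN contains this host name"


if __name__ == "__main__":
    for target in ("sso.example.com", "10.0.0.5", "accounting.ids-centos7.localdomain"):
        print(diagnose(SSO_CERT_SAN, target))
```

The third target reproduces the message quoted in the log above: the Accounting host name simply is not in the certificate, so adding the certificate to a trust store would not help; a certificate issued for that DNS name is needed. The second target shows why an IP address in the configured URL fails regardless of trust.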

How to fix:


Refreshing secret key fails


When:

  • Accounting Service is trying to initialise the secret key for pseudonymisation by reading it from the given location during the first 15 minutes of each month

What:

  • Refreshing the secret key (HMAC key) fails; the following kind of error messages appear in the Accounting Service application log:

    Code Block
    languagetext
    2019-08-01 00:00:00.242 ERROR 416 --- [scheduling-1] c.u.i.a.collector.DataProtector          : 
    HMAC key could not be read from the key file and events cannot be stored. Service is not stopped but the system setup and 
    key file in location: <secret key location> should be checked and fixed. 
    java.nio.file.NoSuchFileException: <secret key file name>
    
    
    2019-08-01 00:00:00.691 ERROR 416 --- [scheduling-1] c.u.i.a.collector.DataProtector          : 
    Invalid HMAC key in the key file and events cannot be stored. Service is not stopped but the key file in 
    location: <secret key location> should be checked and fixed.
    java.lang.IllegalArgumentException: Empty key

Why:

  • The Accounting Service would not have started if the key location or contents had been faulty after the installation

  • You have accidentally either prevented access to the network resource or file, removed the file from the given location, or corrupted (emptied) its contents later; this is noticed when the service tries to read the key again at the turn of the month

How to fix:

  • If the configured accounting.secret-key-location-uri is correct, make the location available and have a random key present

  • The system will use the previous valid key up to the next time slot in which it tries to refresh the key

  • If you realise that accounting.secret-key-location-uri should be changed, fix the setting in the win32.config/unix.config file

  • In the normal case the job writes to the application log:

    Code Block
    languagetext
    2019-08-01 00:00:01.684  INFO 416 --- [scheduling-1] c.u.i.a.collector.DataProtector          : 
    Successfully initialised MAC provider with algorithm: HmacSHA256 and key of length: 32.
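The behaviour described in this section (fail fast at startup, refresh on a schedule, keep the previous key when the file is missing or empty, and only then pseudonymise with HmacSHA256) can be exercised with the following added example. It is not Ubisecure's code: the key file format (raw bytes, 32 bytes minimum, read from a local path rather than a URI) and the file name are assumptions, and the key length of 32 is taken from the success log line above.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Assumed: the "key of length: 32" in the success log line read as 32 bytes.
MIN_KEY_BYTES = 32


class KeyFileError(Exception):
    """Raised for the two failures the log lines above show."""


def read_hmac_key(path):
    p = Path(path)
    if not p.is_file():
        raise KeyFileError(f"NoSuchFileException: {p}")   # removed or unreachable file
    key = p.read_bytes().strip()      # a trailing newline must not become part of the key
    if not key:
        raise KeyFileError("Empty key")                     # emptied or corrupted contents
    if len(key) < MIN_KEY_BYTES:
        raise KeyFileError(f"key too short: {len(key)} bytes, expected at least {MIN_KEY_BYTES}")
    return key


class DataProtector:
    """Loads the key at startup (fail fast), refreshes it on a schedule and keeps
    the previous valid key when a refresh fails, as the section describes."""

    def __init__(self, key_path):
        self.key_path = key_path
        self.key = read_hmac_key(key_path)   # startup: a faulty key stops the service
        self.last_error = None

    def refresh(self):
        try:
            self.key = read_hmac_key(self.key_path)
            self.last_error = None
            return True
        except KeyFileError as exc:
            self.last_error = str(exc)     # would be logged; the old key stays in use
            return False

    def pseudonymise(self, value):
        """HmacSHA256 over the identifier: stable under one key, unlinkable across keys."""
        return hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def simulate_month_turn(directory=None):
    """Walk through startup, a missing file, an emptied file and a restored file
    in a temporary directory; returns what each refresh reported."""
    directory = directory or tempfile.mkdtemp()
    key_file = Path(directory) / "accounting.key"      # assumed file name
    key_file.write_bytes(os.urandom(MIN_KEY_BYTES))
    dp = DataProtector(key_file)
    tag_at_start = dp.pseudonymise("user@example.com")   # constructed identifier
    results = {}
    key_file.unlink()
    results["missing"] = (dp.refresh(), dp.last_error)
    key_file.write_bytes(b"\n")
    results["empty"] = (dp.refresh(), dp.last_error)
    results["same_key_kept"] = dp.pseudonymise("user@example.com") == tag_at_start
    key_file.write_bytes(os.urandom(MIN_KEY_BYTES))
    results["restored"] = (dp.refresh(), dp.last_error)
    results["new_key_used"] = dp.pseudonymise("user@example.com") != tag_at_start
    return results


if __name__ == "__main__":
    for step, outcome in simulate_month_turn().items():
        print(f"{step}: {outcome}")
```

The two failed refreshes correspond to the NoSuchFileException and "Empty key" lines in the log, and the pseudonym computed in between is unchanged, which is the "previous valid key" behaviour. Once the file is restored the next refresh succeeds and new events are keyed with the new key.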

...

  1. Check from the diagnostics logs if there are any warnings or errors, in particular the following ones. If you have followed the installation / upgrade process, the broker URL host name should always be localhost and the port number should match the one configured on the Accounting Service side.

    Code Block
    languagetext
    2019-05-03 16:48:18,707 init WARN Error in opening Accounting Service JMS connection in SSO startup. Accounting Service is a required component of SSO that needs to be functioning when running SSO.
    javax.jms.JMSException: Could not connect to broker URL: tcp://localhost:61616?connectionTimeout=10. Reason: java.net.SocketTimeoutException: connect timed out
    
    2019-05-03 17:00:08,112 tech WARN Error in opening Accounting Service JMS connection, event cannot be sent. Accounting Service is a required component of SSO that needs to be functioning when running SSO.
    javax.jms.JMSException: Could not connect to broker URL: tcp://localhost:61616?connectionTimeout=10. Reason: java.net.SocketTimeoutException: connect timed out
  2. Check from the diagnostics logs if there is the following warning. It implies that you have not properly installed / upgraded SSO or that the respective LDAP entry has been manually modified.

    Code Block
    languagetext
    2019-05-03 18:09:46,030 tech WARN MessageQueueSender missing Accounting Service broker URL. Accounting Service is a required component of SSO that needs to be functioning when running SSO.
  3. If the connection is intact and the Accounting Service is running, the SSO diagnostics log shows in the startup:

    Code Block
    languagetext
    2019-05-03 13:00:03,998 init MessageQueueSender initialised with connection to Accounting Service broker URL: tcp://localhost:36161?connectionTimeout=10
  4. If Accounting Service is not running start it.

  5. If the connection timeout is too short on your server, change the respective Accounting Service setting in the win32.config/unix.config file, following the instructions in here. Remember to update LDAP.

  6. If the connection seems to be intact, change the log level of uas/tech to DEBUG (see Management UI logging configuration) and check for the following messages in the diagnostics log. If the events are sent normally, then the problem is on the Accounting Service receiving side.

    Code Block
    languagetext
    2019-08-14 12:43:35,969 tech DEBUG Going to send JMS message to the queue: SSOEventQueue
    2019-08-14 12:43:35,970 tech DEBUG Elapsed time in MessageQueueSender: 3377300 nanos (3 ms), enabled: true, message sent: true
  7. Finally, remember to set the SSO log level back to INFO
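Steps 1 to 6 above amount to scanning the SSO diagnostics log for a handful of known lines and checking every broker URL found against the rule in step 1. The following added example (not Ubisecure's code) does exactly that over a constructed excerpt assembled from the log lines quoted above; the Accounting Service broker port it compares against (61616) is an assumption, which is also why it flags the 36161 in the startup line.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed: the broker port configured on the Accounting Service side.
ACCOUNTING_BROKER_PORT = 61616

# Constructed excerpt assembled from the diagnostics lines quoted above.
SAMPLE_DIAG_LOG = """\
2019-05-03 16:48:18,707 init WARN Error in opening Accounting Service JMS connection in SSO startup. Accounting Service is a required component of SSO that needs to be functioning when running SSO.
javax.jms.JMSException: Could not connect to broker URL: tcp://localhost:61616?connectionTimeout=10. Reason: java.net.SocketTimeoutException: connect timed out
2019-05-03 18:09:46,030 tech WARN MessageQueueSender missing Accounting Service broker URL. Accounting Service is a required component of SSO that needs to be functioning when running SSO.
2019-05-03 13:00:03,998 init MessageQueueSender initialised with connection to Accounting Service broker URL: tcp://localhost:36161?connectionTimeout=10
2019-08-14 12:43:35,969 tech DEBUG Going to send JMS message to the queue: SSOEventQueue
"""


def check_broker_url(url, expected_port=ACCOUNTING_BROKER_PORT):
    """Validate a broker URL against the rule in step 1: scheme tcp, host
    localhost, port equal to the Accounting Service setting.
    Returns (problems, connectionTimeout)."""
    u = urlsplit(url.rstrip("."))
    problems = []
    if u.scheme != "tcp":
        problems.append(f"unexpected scheme {u.scheme!r}")
    if u.hostname != "localhost":
        problems.append(f"host is {u.hostname!r}, expected 'localhost'")
    if u.port != expected_port:
        problems.append(f"port {u.port} does not match configured {expected_port}")
    timeout = parse_qs(u.query).get("connectionTimeout", [None])[0]
    return problems, timeout


# A broker URL ends at ". " (sentence end), whitespace or end of line.
_URL = r"(tcp://\S+?)(?:\.\s|\s|$)"
PATTERNS = [
    ("jms-connect-failed", re.compile(r"Could not connect to broker URL: " + _URL)),
    ("broker-url-missing", re.compile(r"missing Accounting Service broker URL")),
    ("jms-ok", re.compile(r"initialised with connection to Accounting Service broker URL: " + _URL)),
    ("event-sent", re.compile(r"Going to send JMS message to the queue: (\S+)")),
]


def triage(log_text, expected_port=ACCOUNTING_BROKER_PORT):
    """Scan diagnostics output; return (tag, detail, problems) per finding,
    where detail is the broker URL or queue name and problems come from
    check_broker_url when a URL was found."""
    findings = []
    for line in log_text.splitlines():
        for tag, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            detail = m.group(1) if m.groups() else None
            problems = []
            if detail and detail.startswith("tcp://"):
                problems = check_broker_url(detail, expected_port)[0]
            findings.append((tag, detail, problems))
    return findings


if __name__ == "__main__":
    for tag, detail, problems in triage(SAMPLE_DIAG_LOG):
        print(f"{tag:20} {detail or '':45} {'; '.join(problems)}")
```

Run against a real diagnostics log the output tells you in one pass which of the steps applies: a connect failure with a correct URL points at step 4 or 5, a missing URL at step 2, and a successful initialisation followed by "Going to send" lines at the receiving side (step 6). A URL whose host is not localhost or whose port differs from the Accounting Service setting is reported regardless of whether the line was a warning or a success.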

...