...

Proper SSO certificate not in place


When:

  • An authorised Accounting Service user tries to access a browser end-point such as https://accounting.example.com/accounting/report (example URL)
  • The browser is redirected to the SSO login page, where the user authenticates with the configured authentication method to the OAuth2 application created during the installation

What:

  • Authentication succeeds but the report is not downloaded; instead an [invalid_token_response] error page like this is shown:

    [screenshot]


  • If the corresponding API end-point, for example https://accounting.example.com/api/v1/accounting/report, is requested directly, HTTP 401 is returned without any response body, and the Accounting Service application log contains an error like the following:
Code Block
languagetext
2019-11-13 15:06:47.677 ERROR 4100 --- [http-nio-8084-exec-10] c.u.i.a.oauth2.IntrospectingJwtDecoder   : 
Token: eyJjdHkiOiJKV1QiLCJhb...6Gfpp6GF877syj7OIo8oA introspection failed: ResourceAccessException:I/O error on 
POST request for "https://sso.example.com/uas/oauth2/introspection": sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path 
to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path 
to requested target

Why:

  • Accounting Service cannot complete the authentication flow: the server-side call to the SSO server's introspection end-point fails because the JVM does not trust the certificate the SSO server presents
  • Either the SSO server certificate (or its issuing CA) is not in the Java trust store, or the certificate was not issued for the host name that Accounting Service uses to reach the SSO server
  • In the case above an IP address was used instead of the host name, and the certificate does not cover that address

How to fix:

  • If the certificate is missing from the Java trust store, add it by following the instructions here, and restart Accounting Service
  • If the host name in the certificate is not correct, fix the settings in the win32.config/unix.config file and remove the already created certificate from the installation directory before continuing with the installation

...

Redirect URI mismatch during OAuth2 flow


When:

  • An authorised Accounting Service user tries to access a browser end-point such as https://accounting.example.com/accounting/report (example URL)
  • The browser is redirected to the SSO login page, where the user authenticates with the configured authentication method to the OAuth2 application created during the installation

What:

  • Authentication succeeds but the report is not downloaded; instead an [invalid_redirect_uri_parameter] error page like this is shown:

    [screenshot]

    or an [Invalid credentials] error page like this:

    [screenshot]


Why:

  • Behind a proxy the OAuth2 redirect URI must point to the proxy address, not to the physical address of the machine hosting the application
    • The property that controls forwarded-header handling was renamed in SSO 8.7 and is now server.forward-headers-strategy (earlier server.use-forward-headers); this is easy to miss when upgrading
  • The Accounting Service redirect URI sent by the browser must be exactly the same as the configured one
  • Browsers normalise an uppercase host name to lowercase, and the comparison on the Spring framework side is case sensitive

How to fix:

  • In the case of a proxy, check that you have not overridden or removed the server.forward-headers-strategy (earlier server.use-forward-headers) setting in the Accounting Service additional configuration, and that your reverse proxy / load balancer sends the X-Forwarded-For and X-Forwarded-Proto headers and passes the original Host header through
    • Fix the custom configuration file in ubilogin/custom/accounting/config/application.yaml and update the service by running the ubilogin/config/tomcat/update script
  • Check that the access URL (in lowercase) matches the accounting.url setting in the win32.config/unix.config file, and that the network configuration supports this properly

...

Hostname changes during OAuth2 flow


When:

  • An authorised Accounting Service user tries to access a browser end-point such as https://accounting.example.com/accounting/report (example URL)
  • The browser is redirected to the SSO login page, where the user authenticates with the configured authentication method to the OAuth2 application created during the installation

What:

  • Authentication succeeds but the report is not downloaded; instead an [authorization_request_not_found] error page like this is shown:

    [screenshot]


Why:

  • Accounting Service cannot complete the authentication flow because the session cookie (JSESSIONID) has expired or was set for a different host name
  • The Spring framework sets the session cookie for the host name of the original request URL and looks for it again under the host name of the redirect URL; if the two differ, the browser does not send the cookie and the saved authorization request cannot be found

How to fix:

  • The session expires after 10 minutes by default, so first simply try again; if the error persists, check the next item
  • Check that the access URL matches the accounting.url setting in the win32.config/unix.config file, and that the network configuration supports this properly
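To make the two failure modes concrete (the redirect URI mismatch from the previous section and the missing session cookie from this one), here is a small Python model of the client side of the authorization-code flow behind a reverse proxy. It is an added example written for this page, not Ubisecure or Spring code: the physical host appsrv01.internal:8084, the callback path /login/oauth2/code/sso, the host names and the proxy variants are assumptions chosen for illustration, and the strategy argument stands in for server.forward-headers-strategy.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PHYSICAL_HOST = "appsrv01.internal:8084"   # assumed: the address Tomcat really listens on
CALLBACK_PATH = "/login/oauth2/code/sso"   # assumed callback path of the OAuth2 client


@dataclass
class Request:
    scheme: str                                   # scheme of the hop that reached Tomcat
    host: str                                     # Host header as Tomcat sees it
    headers: dict = field(default_factory=dict)   # X-Forwarded-* from the proxy, if any
    cookies: dict = field(default_factory=dict)


def effective_base_url(req, strategy):
    """Base URL the application believes the browser used. `strategy` stands in
    for server.forward-headers-strategy: None ignores the proxy headers,
    "native" or "framework" applies X-Forwarded-Proto and X-Forwarded-Host."""
    scheme, host = req.scheme, req.host
    if strategy in ("native", "framework"):
        scheme = req.headers.get("X-Forwarded-Proto", scheme)
        host = req.headers.get("X-Forwarded-Host", host)
    return "%s://%s" % (scheme, host)


class AccountingClient:
    """OAuth2 client side: the pending authorization request is kept in an
    in-memory session and is found again only by a request carrying its cookie."""

    def __init__(self, strategy):
        self.strategy = strategy
        self.sessions = {}
        self.counter = 0

    def start_authorization(self, req):
        redirect_uri = effective_base_url(req, self.strategy) + CALLBACK_PATH
        self.counter += 1
        sid = "S%d" % self.counter
        self.sessions[sid] = {"redirect_uri": redirect_uri}
        return sid, redirect_uri

    def finish_authorization(self, req):
        if req.cookies.get("JSESSIONID") not in self.sessions:
            return "authorization_request_not_found"
        return "report downloaded"


def sso_accepts(registered_redirect_uri, redirect_uri):
    """The SSO server compares redirect_uri with the registered value exactly."""
    return redirect_uri == registered_redirect_uri


def run_login(browser_url, registered_redirect_uri, strategy, forwarded_host):
    """Drive one login through a reverse proxy and return the outcome.

    forwarded_host: None    -> the proxy sends no X-Forwarded-* headers
                    "$host" -> the proxy copies the browser's Host header
                    other   -> the proxy sends that fixed value"""
    browser_host = urlsplit(browser_url).netloc.lower()   # browsers lowercase the host
    headers = {}
    if forwarded_host is not None:
        fwd = browser_host if forwarded_host == "$host" else forwarded_host
        headers = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": fwd}
    client = AccountingClient(strategy)

    # 1. Browser -> proxy -> Tomcat. The proxy reaches Tomcat over plain HTTP on
    #    the physical address; the browser stores the session cookie for the
    #    host it actually addressed.
    sid, redirect_uri = client.start_authorization(Request("http", PHYSICAL_HOST, headers))
    cookie_jar = {browser_host: {"JSESSIONID": sid}}

    # 2. SSO checks redirect_uri against the registered one (case-sensitive).
    if not sso_accepts(registered_redirect_uri, redirect_uri):
        return "invalid_redirect_uri_parameter (%s)" % redirect_uri

    # 3. SSO sends the browser back to redirect_uri; a host-only cookie is sent
    #    only when the callback host equals the host that set it.
    callback_host = urlsplit(redirect_uri).netloc.lower()
    cookies = cookie_jar.get(callback_host, {})
    return client.finish_authorization(Request("http", PHYSICAL_HOST, headers, cookies))


if __name__ == "__main__":
    reg = "https://accounting.example.com" + CALLBACK_PATH
    print(run_login("https://accounting.example.com/accounting/report", reg, "native", "$host"))
    print(run_login("https://accounting.example.com/accounting/report", reg, "native", None))
    print(run_login("https://acct.example.com/accounting/report", reg, "native", "accounting.example.com"))
```

Running it shows the three outcomes in order: a consistent setup downloads the report; a proxy that sends no forwarded headers (or a client with the strategy removed) makes the client build the redirect URI from the physical address and SSO rejects it; a proxy that forwards a fixed host name while the user arrived under an alias passes the redirect check but the cookie set for the alias never reaches the callback host.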

...

SSO server changes during OAuth2 flow


When:

  • An authorised Accounting Service user tries to access a browser end-point such as https://accounting.example.com/accounting/report (example URL)
  • The browser is redirected to the SSO login page, where the user authenticates with the configured authentication method to the OAuth2 application created during the installation

What:

  • Authentication succeeds but the report is not downloaded; instead an [invalid_grant] "Authorization code is not valid" error page like this is shown:

    [screenshot]


Why:

  • In a clustered environment the OAuth2 flow starts on one SSO server node, but once the SSO session has been created the flow continues on another node, which is not aware of the existing SSO session and rejects the authorization code
  • The cluster must be configured either as active-passive or with Redis as shared session storage

How to fix:

  • Fix the clustered SSO configuration as explained in SSO Cluster installation
  • With IIS, check the SSO server load balancing and the server affinity (sticky sessions); different server farms need different client cookie names. It is a good idea to restart the site after the configuration has been changed
  • As a temporary workaround you can retry several times and may succeed, or disable all but one SSO node to get the report you need. Note, however, that an incorrect cluster configuration may also affect your customers in regular SSO usage.
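The following Python model, an added example rather than Ubisecure code, shows why a two-node cluster without shared session storage returns invalid_grant when the flow continues on the other node, and why each of the fixes listed above (active-passive, sticky server affinity, a shared store standing in for Redis) makes the same flow succeed. Node names, the session layout and the round-robin balancer are assumptions made for the example.

```python
import itertools
import secrets


class SsoNode:
    """One SSO server node. Without a shared store, the SSO session created by
    the authorization request exists only in this node's memory."""

    def __init__(self, name, shared_sessions=None):
        self.name = name
        self.sessions = shared_sessions if shared_sessions is not None else {}

    def start_authorization(self, client_id):
        """Front channel, request 1: create the SSO session and an
        authorization code bound to it."""
        sid = secrets.token_hex(8)
        code = secrets.token_urlsafe(12)
        self.sessions[sid] = {"client_id": client_id, "code": code}
        return sid, code

    def redeem(self, sid, code):
        """Flow continues (request 2): the code is valid only if this node can
        see the session it was issued under."""
        session = self.sessions.get(sid)
        if session is None or session["code"] != code:
            return {"error": "invalid_grant",
                    "error_description": "Authorization code is not valid"}
        session["code"] = None   # authorization codes are one-time use
        return {"result": "ok", "node": self.name}


class LoadBalancer:
    """Round-robin over the nodes; with sticky=True a request that carries an
    affinity cookie goes back to the node that set it."""

    def __init__(self, nodes, sticky=False):
        self.nodes = {n.name: n for n in nodes}
        self.sticky = sticky
        self.rotation = itertools.cycle(nodes)

    def route(self, affinity_cookie=None):
        if self.sticky and affinity_cookie in self.nodes:
            return self.nodes[affinity_cookie], affinity_cookie
        node = next(self.rotation)
        return node, (node.name if self.sticky else None)


def run_login(lb):
    """Two front-channel requests through the balancer; returns 'ok' or the
    OAuth2 error code."""
    first, affinity = lb.route()
    sid, code = first.start_authorization("accounting")
    second, _ = lb.route(affinity)
    outcome = second.redeem(sid, code)
    return outcome.get("result") or outcome["error"]


def two_node_cluster(shared=False, sticky=False, active_passive=False):
    """Build the cluster variants discussed above (constructed for the example):
    shared=True gives both nodes one session dict (the Redis case),
    sticky=True enables server affinity, active_passive=True routes all
    traffic to a single active node."""
    store = {} if shared else None
    nodes = [SsoNode("sso1", store), SsoNode("sso2", store)]
    if active_passive:
        nodes = nodes[:1]
    return LoadBalancer(nodes, sticky=sticky)


if __name__ == "__main__":
    print("round-robin, no shared store:", run_login(two_node_cluster()))
    print("shared session store:        ", run_login(two_node_cluster(shared=True)))
    print("sticky affinity:             ", run_login(two_node_cluster(sticky=True)))
    print("active-passive:              ", run_login(two_node_cluster(active_passive=True)))
```

With plain round-robin the second request always lands on the node that never saw the session, which is exactly the situation the page describes; retrying only helps when the balancer happens to pick the same node twice.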

...

Invalid CSV file contents


When:

  • An authorised Accounting Service user tries to access a browser end-point such as https://accounting.example.com/accounting/report (example URL)

What:

  • Authentication succeeds and a CSV file is returned, but it is empty or contains an error message; a valid CSV file always has at least a header row
  • Error example:

    Code Block
    languagexml
    <html>
      <head>
        <title>404 Not Found</title>
      </head>
      <body>
        <div>
          <h2>404 Not Found</h2>
        </div>
      </body>
    </html>


Why:

  • Accounting Service calls its own API to produce the actual result, but the call to the API through the public address fails (here with 404 Not Found)

How to fix:

...

Empty CSV file contents because Accounting certificate not in place


When:

  • An authorised Accounting Service user tries to access a browser end-point such as https://accounting.example.com/accounting/report (example URL)

What:

  • Authentication succeeds and a CSV file is returned, but it is empty; a valid CSV file always has at least a header row
  • The Accounting Service application log contains an error like the following:

    Code Block
    languagetext
    2019-11-08 14:26:27.719 ERROR 24737 --- [http-nio-8442-exec-4] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
    
    javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1329)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1224)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1271)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:505)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:444)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:283)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1421)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:794)
        at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:382)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:416)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:331)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
        at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1499)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1513)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1397)
        ... 21 common frames omitted
    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching accounting.ids-centos7.localdomain found.
        at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:462)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:428)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:261)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
        ... 30 common frames omitted

Why:

  • Accounting Service calls its own API to produce the actual result, but the call through the public address fails because the certificate presented does not contain the Accounting Service DNS name: "No subject alternative DNS name matching accounting.ids-centos7.localdomain found"
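The two log messages on this page, the PKIX "unable to find valid certification path" failure from the Proper SSO certificate not in place section and the "No subject alternative DNS name" failure from this section, are easy to confuse and call for different fixes. The following Python script is an added example written for this page, not Ubisecure code: it classifies an Accounting Service log excerpt into one of the two cases and checks whether a certificate's DNS SAN entries would cover the host name the service needs. The excerpts embedded in it are copied from this page; the SAN matching follows the usual RFC 6125 rules (case-insensitive exact match, or a wildcard in the leftmost label only) and does not consider IP address SANs.

```python
import re

# Log messages copied from the excerpts on this page, re-wrapped as one string
# each; in practice the excerpt would be read from the application log file.
PKIX_EXCERPT = (
    "2019-11-13 15:06:47.677 ERROR 4100 --- [http-nio-8084-exec-10] "
    "c.u.i.a.oauth2.IntrospectingJwtDecoder   : Token: eyJjdHkiOiJKV1QiLCJhb...6Gfpp6GF877syj7OIo8oA "
    "introspection failed: ResourceAccessException:I/O error on POST request for "
    "\"https://sso.example.com/uas/oauth2/introspection\": sun.security.validator.ValidatorException: "
    "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: "
    "unable to find valid certification path to requested target"
)
SAN_EXCERPT = (
    "Caused by: java.security.cert.CertificateException: "
    "No subject alternative DNS name matching accounting.ids-centos7.localdomain found."
)

TARGET_URL = re.compile(r'request for "([^"]+)"')
PKIX_PATH = re.compile(r"unable to find valid certification path to requested target")
SAN_MISMATCH = re.compile(r"No subject alternative (?:DNS )?name matching (\S+?) found")


def classify_tls_failure(log_excerpt):
    """Classify one outbound TLS failure from an Accounting Service log excerpt.

    Returns (category, subject, hint), or None if the excerpt shows neither
    failure. Wrapped log lines are joined first so the regexes see one line.
    """
    text = " ".join(log_excerpt.split())
    target = TARGET_URL.search(text)
    san = SAN_MISMATCH.search(text)
    if san:
        host = san.group(1)
        return ("hostname-mismatch", host,
                "the certificate presented has no DNS SAN for %s: reissue it for that "
                "name or correct the configured host name, then restart" % host)
    if PKIX_PATH.search(text):
        url = target.group(1) if target else "the remote server"
        return ("untrusted-issuer", url,
                "the JVM trust store does not contain the issuer of the certificate "
                "served by %s: import the CA certificate and restart" % url)
    return None


def san_covers(hostname, san_dns_names):
    """True if any DNS SAN entry covers hostname: case-insensitive exact match,
    or a wildcard in the leftmost label that matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for entry in san_dns_names:
        pattern = entry.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            suffix = pattern[1:]                      # ".ids-centos7.localdomain"
            if host.endswith(suffix):
                first_label = host[:-len(suffix)]
                if first_label and "." not in first_label:
                    return True
    return False


if __name__ == "__main__":
    for excerpt in (PKIX_EXCERPT, SAN_EXCERPT):
        category, subject, hint = classify_tls_failure(excerpt)
        print("%s: %s -> %s" % (category, subject, hint))
    # Would a replacement certificate with this SAN list cover the host?
    print(san_covers("accounting.ids-centos7.localdomain", ["*.ids-centos7.localdomain"]))
```

Once the category is known, the fix is the one the corresponding section gives: for an untrusted issuer, import the CA certificate into the JVM trust store the Accounting Service uses and restart; for a host name mismatch, make the certificate's DNS SAN and the configured host name agree before re-running the installation step that creates the certificate.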

How to fix:

...

  1. Check whether the Accounting Service audit log contains lines like these, with the error "Access token is not active":

    Code Block
    languagetext
    "2019-09-18 12:59:05.131" "Resource access" "cn=Administrator,ou=System,cn=Ubilogin,dc=ucentos7allsingle" "GET /accounting/verify/events/2019-09-17" "SUCCESS" ""
    "2019-09-18 12:59:05.429" "Auth event" "" "GET /api/v1/accounting/verify/events/2019-09-17" "AUTHORIZATION_FAILURE" "OAuth2AuthenticationException: Access token is not active."


  2. SUCCESS for the resource request shows that there is a valid OAuth2 session, but the AUTHORIZATION_FAILURE from token introspection shows that the OAuth2 client authentication fails.

  3. The client authentication settings in the browser cookie or in the Accounting Service settings do not match the LDAP settings. Restart your browser and try again.

  4. If this does not help, run the SSO update again.
    In Linux:

    Code Block
    languagebash
    cd /usr/local/ubisecure/ubilogin-sso/ubilogin
    ./config/tomcat/update.sh

    in Windows:

    Code Block
    languagepowershell
    cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin"
    config\tomcat\update.cmd


Sample health check response in an error case

NOTE that the detailed information is by default shown only to authenticated users, see Accounting Service management / Health endpoint detailed information.

The following screenshot of the Accounting Service health check was captured in a situation where the Accounting Service had first started successfully but the PostgreSQL server was then stopped. Processing the health check request takes 30 seconds, which is the database connection timeout. HTTP response code 503 is returned with the following kind of JSON data:

[screenshot]

The default output for unauthenticated users shows only the top-level status:

[screenshot]
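For monitoring, the two points above (component detail only for authenticated callers, and a 30-second wait before the 503 arrives) are worth building into the probe. The following Python probe is an added example, not part of Accounting Service. It assumes the response is Spring Boot actuator-style JSON with a top-level status and optional components, and that the authenticated call uses HTTP Basic authentication; both are assumptions, since the page shows the real response only as a screenshot, and the sample responses below are constructed.

```python
import base64
import json
import urllib.error
import urllib.request

DB_TIMEOUT_SECONDS = 30   # database connection timeout quoted on this page

# Constructed responses in Spring Boot actuator style (an assumption about the
# Accounting Service payload).
AUTHENTICATED_DOWN = (503, json.dumps({
    "status": "DOWN",
    "components": {
        "db": {"status": "DOWN", "details": {"error": "connection timed out"}},
        "diskSpace": {"status": "UP"},
    },
}))
ANONYMOUS_DOWN = (503, json.dumps({"status": "DOWN"}))
HEALTHY = (200, json.dumps({"status": "UP"}))


def summarize_health(status_code, body):
    """Reduce a health response to (healthy, names of failing components).
    Anonymous callers only get the top-level status, so the list can be
    empty even though the service is down."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, ["unparseable response (HTTP %d)" % status_code]
    healthy = status_code == 200 and data.get("status") == "UP"
    failing = [name for name, comp in data.get("components", {}).items()
               if comp.get("status") != "UP"]
    return healthy, failing


def probe_health(url, username=None, password=None, timeout=DB_TIMEOUT_SECONDS + 15):
    """Fetch the health endpoint. The client timeout deliberately exceeds the
    service's own 30 s database connection timeout: with a shorter one a
    database outage shows up as a client-side timeout instead of the 503
    carrying the component details."""
    req = urllib.request.Request(url)
    if username is not None:
        token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return summarize_health(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:      # the 503 arrives as an HTTPError
        return summarize_health(err.code, err.read().decode())


if __name__ == "__main__":
    for label, (code, body) in (("authenticated", AUTHENTICATED_DOWN),
                                ("anonymous", ANONYMOUS_DOWN),
                                ("healthy", HEALTHY)):
        print(label, summarize_health(code, body))
    # Against a live instance (hostname and credentials are placeholders):
    # print(probe_health("https://accounting.example.com/actuator/health", "monitor", "secret"))
```

The anonymous case is the one to watch in a monitoring system: it reports DOWN with no component list, so a probe that wants to tell "database stopped" from "service crashed" has to authenticate.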