Versions Compared

Old Version 6

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Nikolai Denissov

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info
titleInvalid CSV file contents


When:

  • Accounting Service authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)

What:

  • Authentication succeeds and a CSV file is returned but it is empty or contains an error message, when each CSV file should have at least a header row

  • Error example:

    Code Block
    languagexml
    <html>
  <head>
    <title>404 Not Found</title>
  </head>
  <body>
    <div>
      <h2>404 Not Found</h2>
    </div>
  </body>
</html>


Why:

  • Accounting Service uses its own API to provide the actual result but accessing the API through the public address fails

How to fix:

...

Info
titleEmpty CSV file contents because Accounting certificate not in place


When:

  • Accounting Service authorised user tries to access the browser end-points like https://accounting.example.com/accounting/report (example URL)

What:

  • Authentication succeeds and a CSV file is returned but it is empty, when each CSV file should have at least a header row

  • There is a following kind of error message in the Accounting Service application log:

    Code Block
    languagetext
    2019-11-08 14:26:27.719 ERROR 24737 --- [http-nio-8442-exec-4] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1329)
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1224)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1271)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:505)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:444)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:283)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1421)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
    at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:794)
    at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:382)
    at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
    at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:416)
    at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:331)
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
    at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1499)
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1513)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1397)
    ... 21 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching accounting.ids-centos7.localdomain found.
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:462)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:428)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:261)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
    ... 30 common frames omitted


Why:

  • Accounting Service uses its own API to provide the actual result but accessing the API through the public address fails because of certificate with Accounting DNS name is not present: "No subject alternative DNS name matching accounting.ids-centos7.localdomain found"

How to fix:

...

  1. Check from the Accounting Service audit log if there are these kind of lines with error "Access token is not active":

    Code Block
    languagetext
    "2019-09-18 12:59:05.131" "Resource access" "cn=Administrator,ou=System,cn=Ubilogin,dc=ucentos7allsingle" "GET /accounting/verify/events/2019-09-17" "SUCCESS" ""
"2019-09-18 12:59:05.429" "Auth event" "" "GET /api/v1/accounting/verify/events/2019-09-17" "AUTHORIZATION_FAILURE" "OAuth2AuthenticationException: Access token is not active."


  2. SUCCESS in getting the resource indicates that there is a valid OAuth2 session but the AUTHORIZATION_FAILURE in token introspection indicates that OAuth2 client authentication fails.

  3. Client authentication settings in the browser cookie or Accounting Service settings do not match with the LDAP settings. Restart your browser and try again.

  4. If this does not help update SSO again
    in Linux:

    Code Block
    languagebash
    cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./config/tomcat/update.sh

    in Windows:

    Code Block
    languagepowershell
    cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin"
config\tomcat\update.cmd


Sample health check response in an error case

NOTE that the detailed information is by default shown only to the authenticated users, see Accounting Service management / Health endpoint detailed information.

The following screen snapshot of Accounting Service health check is captured in a situation when the Accounting Service has first succesfully started but then PostgreSQL server has stopped. Processing the health check request takes 30 seconds which is the connection timeout length. HTTP response code 503 is returned with the following kind of JSON data:

The default output for unauthenticated users simply shows the main level status:

Image Added