Wenjing Liu
@betterliuwj

Hey, with the latest and 14.5.1 OpenAM docker running, I always encounter this ERROR message when following the quickstart guide to setup basic openAM.

ERROR: created internalAppSSOToken:WnEwa1lRRzhMakdvVzg1N3JCRUFBZz09MTabcdefgh==, authInitialized: false, SystemProperties.isServerMode(): true,  SystemProperties.get(AMADMIN_MODE): null
amSecurity:04/24/2020 04:10:24:823 AM UTC: Thread[http-nio-8080-exec-3,5,main]: TransactionId[7ac18dc5-ac86-41cb-b1f7-c29f500fd4d4-14]
ERROR: created internalAppSSOToken:YkVBNFphUXRUU2lkZ3FzNHJCRUabcdefghicyNA==, authInitialized: false, SystemProperties.isServerMode(): true,  SystemProperties.get(AMADMIN_MODE): null

Though the UI browser page shows the configuration was successfully created, when I press Proceed to login, I get an invalid token and the page is just empty. I checked the docker log, which shows:

ESAPI: WARNING: System property [org.owasp.esapi.opsteam] is not set
ESAPI: WARNING: System property [org.owasp.esapi.devteam] is not set
ESAPI: Attempting to load ESAPI.properties via file I/O.
ESAPI: Attempting to load ESAPI.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: /usr/local/tomcat/ESAPI.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi/ESAPI.properties
ESAPI: Not found in 'user.home' (/home/openam) directory: /home/openam/esapi/ESAPI.properties
ESAPI: Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
ESAPI: Attempting to load ESAPI.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
ESAPI: SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
ESAPI: Attempting to load validation.properties via file I/O.
ESAPI: Attempting to load validation.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: /usr/local/tomcat/validation.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
ESAPI: Not found in 'user.home' (/home/openam) directory: /home/openam/esapi/validation.properties
ESAPI: Loading validation.properties via file I/O failed.
ESAPI: Attempting to load validation.properties via the classpath.
ESAPI: validation.properties could not be loaded by any means. fail.. Caught java.lang.IllegalArgumentException; exception message was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
log4j:WARN No appenders could be found for logger (IntrusionDetector).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

Any idea? I'm using Docker for Mac. I noticed that the ForgeRock doc says that, for macOS, the web policy agent is not built for Apache HTTP Server on macOS. Is it related? Thanks

Maxim Thomas
@maximthomas
@betterliuwj Hi, it is not a critical message, it is just a notification about creating the admin access token and does not affect functionality. You can see it in the source code:
https://github.com/OpenIdentityPlatform/OpenAM/blob/797192ba86247198fe512aad0e3095b1d1b62b2a/openam-core/src/main/java/com/sun/identity/security/AdminTokenAction.java#L306
Wenjing Liu
@betterliuwj
@maximthomas Thanks for your reply! I have sorted my issue out. It turned out that I needed to clear the browser session to fix the invalid token/session error message problem when trying to Proceed to login page. All good now :)
openam2020
@openam2020
Hello, I just deployed OpenAM-14.5.1.war into Tomcat on my Mac and went through the initial configuration setup (create new configuration). The setup completed successfully. I was then led to the login page. I provided the same username/password as I did during the setup but I am getting the Authentication Failed message. Any idea why?
openam2020
@openam2020
Figured it out. The issue was that I was using a browser window that had cookies disabled.
Nicholas Sushkin
@nsushkin
Hi, everyone. What's the recommended version of Tomcat for OpenAM and JEE Agents? Would it work in the latest Tomcat 9, Tomcat 8.5? I think the latest FR version before fork was validated with 8.0, but that's getting old. Thanks.
Nicholas Sushkin
@nsushkin
Anybody running OpenAM in Tomcat 9, 8.5?
Maxim Thomas
@maximthomas
@nsushkin Hi, tested with Tomcat 8.5. Works great
Aurelien
@CanalWood
Hello All,
I would like to upgrade our old release of OpenAM from 13.0 to the latest release of OpenAM.
I have a question about how to manage the agent with our Docker Container App.
Could you explain how you use it?
Maxim Thomas
@maximthomas
@CanalWood
Hello, what do you mean by manage? What problem are you trying to solve?
Aurelien
@CanalWood
Hello @maximthomas,
My question is: how do I configure the containers to add the Agent?
On my swarm I have many containers. What's the best solution to add the Agent to my containers?
Use a proxy, or add a container with httpd with the Agent conf, or another solution?
Aurelien
@CanalWood
Oh! Thanks @maximthomas, I will look at these articles.
Rijndaal
@Rijndaal

Hi all!

I would like to use some REST API to perform simple tasks like getting session info from a cookie value; let's say I would like to know if a cookie is valid or not.
I'm not sure which API to use since I have found 2 APIs and both seem to be broken; for example:

curl --request POST --header "Content-Type: application/json" --header "iPlanetDirectoryPro: AQIC5wM2LY4Sf...EAAjAz" https://oamsrv01.intranet.net:8443/oam/json/sessions/?_action=isActive&tokenId=AQIC5wM2...4MQACUzEAAjAz

and

curl --request POST --header "Content-Type: application/json" https://oamsrv01.intranet.net:8443/oam/json/sessions/AQIC5w...g4NzI3MjE4MQACUzEAAjAz*?_action=validate

return code: 501, Not Implemented

instead, this call:

curl -X POST -H "Content-Type: application/json" -H "Accept-API-Version: protocol=1.0,resource=2.0" -H "iPlanetDirectoryPro: AQIC5wM2LY4S...QACUzEAAjAz" -d '{"tokenId" : "AQIC5wM2LY4S...QACUzEAAjAz"}' https://oamsrv01.intranet.net:8443/oam/json/realms/root/sessions?_action=getSessionProperties

returns an empty JSON {}

We have OpenAM 14.5.1.

Can you help me? Is there a working api to do so in this version?
Moreover, https://oamsrv01.intranet.net:8443/oam/XUI/#api/explorer/applications returns a 404, and from the GUI, clicking on "API explorer"
(this URL: https://oamsrv01.intranet.net:8443/oam/#api/explorer) we get a page with a list of API categories, I suppose, but on the right, where I think there should be some documentation, there's only a white box...
Is it a known problem or does it have to do with our theme modifications? I admit I have not tried a "vanilla" version of 14.5.1 yet.

Thank you so much,
Marco

Jose Luis Villaverde Balsa
@josecho
Hello. I have created a standalone application, it is a rest service created with Spring boot (embedded tomcat server). Right now I have the jar and Postman's requests are working fine. This is part of a frontend migration, the front end that we must migrate (java applets) performs the authentication against the openAM server (ldap) with the intervention of an Apache server. Any idea how I can protect my rest service with openAM?
Jose Luis Villaverde Balsa
@josecho
Thanks Maxim, thanks to your previous post I've been reading the documentation about OpenIG for a while.
Jose Luis Villaverde Balsa
@josecho
Hi @maximthomas, Currently the application that I have to migrate makes a request to openAM passing the username and password to receive the token. Nothing is federated (saml, oauth, etc). I guess with OpenIG I can keep this behavior of not federating. Is it necessary to federate?
Maxim Thomas
@maximthomas
It is not safe to allow third-party applications to access users' credentials. OpenIG controls if the token is valid and controls access to protected resources; OpenAM is responsible for authentication.
Jose Luis Villaverde Balsa
@josecho
@maximthomas I have followed this example https://github.com/OpenIdentityPlatform/OpenIG/wiki/How-To-Protect-Web-Services-with-OpenIG but I get this error: .OpenIGInitializer - /usr/local/tomcat/openig-config/config/config.json not readable, using OpenIG's default-config.json. I understand that this does not read the configuration defined in the example. Is that so?
Maxim Thomas
@maximthomas
@josecho I'll check the doc as soon as possible, there must be a typo. I'll let you know
Jose Luis Villaverde Balsa
@josecho
@maximthomas
I think it's a known issue but I can't resolve it: https://backstage.forgerock.com/knowledge/kb/article/a68889719?book=b84090677
Maxim Thomas
@maximthomas
@josecho are you running OpenIG in container? What operating system are you using?
Jose Luis Villaverde Balsa
@josecho
@maximthomas I run the OpenIG container (docker-compose up --build), and I use Windows 10 as the operating system.
Maxim Thomas
@maximthomas
@josecho there must be an issue with Windows 10 user rights and Docker user rights. Try to copy the OpenIG config files instead of mounting them as a volume. Or you can execute ls -lah inside the Docker container to figure out the file permissions
Jose Luis Villaverde Balsa
@josecho
@maximthomas The volume is created but without the files. I have found a workaround. There is a graphical interface tool called Kitematic; it allows me to access the volume and I can copy the files. Now it reads the config files, thanks.
mssso
@mssso
Hi, is there a link which details how to build the latest OpenAM on Unix? Also, any pointers to get a docker build?
I mean to build a docker image :)
Maxim Thomas
@maximthomas
@josecho, great, glad to know that!
@mssso hi, do you see any problems while building on Unix? There must be nothing special to build OpenAM on Unix
mssso
@mssso
@maximthomas Sure, will try and get back if I face issues. I was trying my luck, in case there is a ready reference. Also, if you could help me with pointers on the Dockerfile used to build the openam docker image, that would help.
Jose Luis Villaverde Balsa
@josecho
@maximthomas Hi, the authentication process works perfectly, but there is a problem: the Spring RestController endpoints are all redirected to the '/' root route. The proxy intercepts and recognizes the routes but the sample-service always redirects to the endpoint "/" root, and I always get the same response: "hello world". Any idea?
mssso
@mssso
@maximthomas: this is the error I get:
[WARNING] Unable to autodetect 'javac' path, using 'javac' from the environment.
[DEBUG] incrementalBuildHelper#afterRebuildExecution
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for OpenAM Project 14.5.4-SNAPSHOT:
[INFO]
[INFO] OpenAM Project ..................................... SUCCESS [ 5.030 s]
[INFO] OpenAM Audit ....................................... SUCCESS [ 0.720 s]
[INFO] OpenAM Audit Context ............................... FAILURE [ 1.123 s]
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.8.1:compile (default-compile) on project openam-audit-context: Compilation failure -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.8.1:compile (default-compile) on project openam-audit-context: Compilation failure
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
mvn -version
Apache Maven 3.6.3
Maven home: /usr/share/maven
Java version: 11.0.8, vendor: Ubuntu, runtime: /usr/lib/jvm/java-11-openjdk-amd64
Default locale: en, platform encoding: UTF-8
OS name: "linux", version: "4.19.128-microsoft-standard", arch: "amd64", family: "unix"
java -version
openjdk version "11.0.8" 2020-07-14
OpenJDK Runtime Environment (build 11.0.8+10-post-Ubuntu-0ubuntu120.04)
OpenJDK 64-Bit Server VM (build 11.0.8+10-post-Ubuntu-0ubuntu120.04, mixed mode, sharing)
Jose Luis Villaverde Balsa
@josecho
@maximthomas Regarding this link: https://github.com/OpenIdentityPlatform/OpenAM/wiki/How-to-Add-Authorization-and-Protect-Your-Application-With-OpenAM-and-OpenIG-Stack I have followed the indicated steps and everything works correctly. It works correctly for the endpoint named "secured". The problem is if I make requests to the other endpoints ("/" and "/ secure"), I get the response: {"error": "Something went wrong, please contact your system administrator."} I think this problem may be related with the one indicated above.
Maxim Thomas
@maximthomas
@mssso hi, could you please attach a detailed log?
@josecho please look at the OpenIG start log, are there any errors? Does OpenIG read the routes?
mssso
@mssso
@maximthomas, I am facing a lot of difficulty getting one clean build. It keeps getting stuck at one place or the other. Can you please help me with the steps for a clean build process?
DELL@DESKTOP-C0TO0V6 MINGW64 ~/OpenAM/openam-distribution/openam-distribution-ssoconfiguratortools (master)
$ mvn -DskipTests -Dmaven.javadoc.skip=true install
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for org.openidentityplatform.openam:openam-distribution-sso
[WARNING] 'build.plugins.plugin.version' for org.openidentityplatform.commons:maven-external-dependency-plugin is missing. @ org.openid line 1802, column 10
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO] Inspecting build with total of 1 modules...
[INFO] Installing Nexus Staging features:
[INFO] ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
[INFO]
[INFO] --< org.openidentityplatform.openam:openam-distribution-ssoconfiguratortools >--
[INFO] Building OpenAM Distribution ssoConfiguratorTools 14.5.4-SNAPSHOT
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- buildnumber-maven-plugin:1.3:create (default) @ openam-distribution-ssoconfiguratortools ---
[INFO] ShortRevision tag detected. The value is '10'.
[INFO] Executing: cmd.exe /X /C "git rev-parse --verify --short=10 HEAD"
[INFO] Working directory: C:\Users\DELL\OpenAM\openam-distribution\openam-distribution-ssoconfiguratortools
[INFO] Storing buildNumber: 78b5de5d9f at timestamp: 1603375596699
[INFO] Storing buildScmBranch: master
[INFO]
[INFO] --- maven-dependency-plugin:3.1.0:copy (Copy license) @ openam-distribution-ssoconfiguratortools ---
[INFO] Configured Artifact: org.openidentityplatform:cddl-license:1.0.0:txt
[INFO] Copying cddl-license-1.0.0.txt to C:\Users\DELL\OpenAM\openam-distribution\openam-distribution-ssoconfiguratortools\target\legal
[INFO]
[INFO] >>> maven-source-plugin:3.2.0:jar (default) > generate-sources @ openam-distribution-ssoconfiguratortools >>>
[INFO]
[INFO] --- buildnumber-maven-plugin:1.3:create (default) @ openam-distribution-ssoconfiguratortools ---
[INFO]
[INFO] <<< maven-source-plugin:3.2.0:jar (default) < generate-sources @ openam-distribution-ssoconfiguratortools <<<
[INFO]
[INFO]
[INFO] --- maven-source-plugin:3.2.0:jar (default) @ openam-distribution-ssoconfiguratortools ---
[INFO]
[INFO] --- maven-javadoc-plugin:3.1.1:jar (attach-javadocs) @ openam-distribution-ssoconfiguratortools ---
[INFO] Skipping javadoc generation
[INFO]
[INFO] --- maven-assembly-plugin:3.2.0:single (openam-ssoconfiguratortools) @ openam-distribution-ssoconfiguratortools ---
[INFO] Reading assembly descriptor: src/main/assembly/openAMToolsAssembly_Descriptor.xml
[WARNING] Cannot include project artifact: org.openidentityplatform.openam:openam-distribution-ssoconfiguratortools:pom:14.5.4-SNAPSHOT
[WARNING] The POM for org.openidentityplatform.openam:openam-configurator-tool:jar:14.5.4-SNAPSHOT is missing, no dependency informatio
[WARNING] The POM for org.openidentityplatform.openam:openam-upgrade-tool:jar:14.5.4-SNAPSHOT is missing, no dependency information ava
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.652 s
[INFO] Finished at: 2020-10-22T19:36:38+05:30
[INFO] ------------------------------------------------------------------------
I switched to a Windows build and I am right now stuck at this place
Maxim Thomas
@maximthomas
@josecho it seems that setting up an unprotected endpoint in OpenIG for the application is missing; I will add it soon and let you know.
@mssso check out the 14.5.3 revision and try again: https://github.com/OpenIdentityPlatform/OpenAM/tree/14.5.3
Jose Luis Villaverde Balsa
@josecho
@maximthomas I have posted the question to the OpenIG forum https://gitter.im/OpenIdentityPlatform/OpenIG but you finally gave an answer. If the client has no problem with the OpenIG license, we will use it as a solution to the integration with OpenAM. Thanks for looking for a solution; when you tell me that the solution is implemented I will do the proof of concept again.
Jose Luis Villaverde Balsa
@josecho
@maximthomas Thanks, we keep moving forward.
mssso
@mssso
@maximthomas, is Google Authenticator supported on OpenAM? If yes, is there a reference document I can follow to configure it?
Maxim Thomas
@maximthomas
@mssso yes, the OATH Authentication module supports Google Authenticator. Unfortunately, we don't have a manual on how to set up Google Authenticator with OpenAM yet. We'll create the manual as soon as possible.