Spinnaker & Okta integration failing - okta

Scenario:
Upgraded Spinnaker to 1.12.0. No other config changes that would impact this integration (we had to modify an s3 IAM because it quit working). Okta integration stopped working. Public key was reissued during install process for the ingress, may be relevant?
SAML-TRACE shows payload getting to okta and back
Spinnaker throws two different errors depending on browser and how I get there.
Direct link to deck url: (500) No IDP was configured, please update included metadata with at least one IDP (seen in browser and gate)
Okta "chicklet" in okta dashboard: (401) Authentication Failed: Incoming SAML message is invalid
Config details (again none of this changed):
Downloading metadata directly
JKS is being leveraged and is valid
service url is confirmed
alias for JKS is confirmed

I had this issue as well when upgrading from 1.10.13 to 1.12.2. I found lots of these error messages in Gate's logs:
2019-02-19 05:31:30.421 ERROR 1 --- [.0-8084-exec-10] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP] with root cause
org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
    at org.springframework.security.saml.metadata.MetadataManager.getDefaultIDP(MetadataManager.java:795) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.context.SAMLContextProviderImpl.populatePeerEntityId(SAMLContextProviderImpl.java:157) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalAndPeerEntity(SAMLContextProviderImpl.java:127) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:146) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:203) ~[spring-security-web-4.2.9.RELEASE.jar:4.2.9.RELEASE]
    ...
After downgrading back to 1.10.13, I upgraded to the next version, 1.11.0, and found that's when the issue started. Eventually, I looked at Gate's logs from the launch of the Container and found:
2019-02-20 22:31:40.132 ERROR 1 --- [0.0-8084-exec-3] o.o.s.m.provider.HTTPMetadataProvider : Error retrieving metadata from https://000000000000.okta.com/app/00000000000000000/sso/saml/metadata
javax.net.ssl.SSLException: Error in hostname verification
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:241) ~[openws-1.5.4.jar:na]
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186) ~[openws-1.5.4.jar:na]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:na]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:na]
    ...
This led me to realize that the TLS certificate was being rejected by Gate. Not sure why it suddenly started failing the check. Up to this point, I had it configured as:
$ hal config security authn saml edit --metadata https://000000000000.okta.com/app/00000000000000000/sso/saml/metadata
I ended up downloading the metadata file and redeploying with halyard.
$ wget https://000000000000.okta.com/app/00000000000000000/sso/saml/metadata
$ hal config security authn saml edit --metadata "${PWD}/metadata"
$ hal config version edit --version 1.12.2
$ hal deploy apply
Opened up a private browser window as suggested by the Spinnaker documentation and Gate started redirecting to Okta correctly again.
Issue filed, https://github.com/spinnaker/spinnaker/issues/4017.

So I ended up finding the answer. The tomcat config changed apparently in spinnaker in later versions for gate.
I created this snippet in ~/.hal/default/profiles/gate-local.yml
server:
  tomcat:
    protocolHeader: X-Forwarded-Proto
    remoteIpHeader: X-Forwarded-For
    internalProxies: .*
Deployed spinnaker and it was back to working.

Related

Shibboleth setup - reverse proxy with Nginx to Jetty 9.4.9

I'm setting up Shibboleth to use SAML 2.0. This setup contains a reverse proxy using Nginx to Jetty 9.49, which points to the Shibboleth idp.war file.
For testing, I'm using the django Service provider from this example here.
I'm using self-sign certificates.
I can access both https://idp.localhost/idp/shibboleth and https://idp.localhost/idp/status, but not https://idp.localhost/idp/profile/SAML2/POST/SSO. From shibboleth log file, I'm getting this error each time I browse https://idp.localhost/idp/profile/SAML2/POST/SSO:
2018-04-25 18:20:47,746 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200] - Message Handler: SAML message intended destination endpoint 'https://idp.localhost/idp/profile/SAML2/POST/SSO' did not match the recipient endpoint 'http://idp.localhost/idp/profile/SAML2/POST/SSO'
==> idp-warn.log <==
2018-04-25 18:20:47,746 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200] - Message Handler: SAML message intended destination endpoint 'https://idp.localhost/idp/profile/SAML2/POST/SSO' did not match the recipient endpoint 'http://idp.localhost/idp/profile/SAML2/POST/SSO'
==> idp-process.log <==
2018-04-25 18:20:47,748 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:202] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message org.opensaml.messaging.handler.MessageHandlerException: SAML message failed received endpoint check
    at org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler.checkEndpointURI(ReceivedEndpointSecurityHandler.java:202)
==> idp-warn.log <==
2018-04-25 18:20:47,748 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:202] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message org.opensaml.messaging.handler.MessageHandlerException: SAML message failed received endpoint check
    at org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler.checkEndpointURI(ReceivedEndpointSecurityHandler.java:202)
==> idp-process.log <==
2018-04-25 18:20:47,749 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: MessageAuthenticationError
==> idp-warn.log <==
2018-04-25 18:20:47,749 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: MessageAuthenticationError
Where did I go wrong?
I think that a request was done in HTTPS and a response returned in clear HTTP.
This kind of problem sometimes happens when Jetty was not installed from source or with other corrupted packages. It's difficult to diagnose in this situation.
Try compiling Jetty from source; clean up your old installation first.
I've also built a complete IDP/SP setup procedure with apache2 or nginx / tomcat or jetty, with ansible, here:
https://github.com/peppelinux/Ansible-Shibboleth-IDP-SP-Debian9
It takes 4 minutes to give you what you expect. It needs an existing LDAP installation.
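Both threads above fail on the same check: the Destination inside the SAML message is https://... while the backend, reached over plain HTTP behind the proxy, reconstructs http://... as its recipient URL. The following is an added example of mine (not Spinnaker, Shibboleth or Tomcat code) that models that received-endpoint check and how the RemoteIpValve settings from the accepted Spinnaker answer (protocolHeader, remoteIpHeader, internalProxies) decide whether X-Forwarded-Proto is believed; every address, hostname and the PROXY_NET pattern is constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed request as Gate sees it behind a TLS-terminating reverse proxy:
# the proxy talks plain HTTP to Gate and passes the client's scheme in a header.
PROXIED_REQUEST = {
    "remote_addr": "10.0.0.7",         # direct peer = the proxy (constructed address)
    "scheme": "http",                  # scheme of the socket Gate actually accepted
    "host": "spinnaker.example.com",   # Host header forwarded unchanged by the proxy
    "path": "/saml/SSO",
    "headers": {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.9, 10.0.0.7"},
}
# Destination attribute carried inside the signed SAMLResponse the IdP posted back.
DESTINATION = "https://spinnaker.example.com/saml/SSO"
PROXY_NET = r"10\.0\.0\.\d{1,3}"       # a tight internalProxies pattern (constructed)

def trusted(addr, internal_proxies):
    """internalProxies is a regex over a peer address; with no pattern nothing is trusted."""
    return bool(internal_proxies) and re.fullmatch(internal_proxies, addr) is not None

def recipient_url(req, internal_proxies=None):
    """Rebuild the URL Gate believes the message arrived on, as the RemoteIpValve does:
    X-Forwarded-Proto replaces the socket scheme only if the direct peer is trusted."""
    scheme = req["scheme"]
    if trusted(req["remote_addr"], internal_proxies):
        scheme = req["headers"].get("X-Forwarded-Proto", scheme).lower()
    return f"{scheme}://{req['host']}{req['path']}"

def client_ip(req, internal_proxies=None):
    """Simplified X-Forwarded-For walk: the rightmost hop that is not a trusted proxy."""
    if not trusted(req["remote_addr"], internal_proxies):
        return req["remote_addr"]
    hops = [h.strip() for h in req["headers"].get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if not trusted(hop, internal_proxies):
            return hop
    return req["remote_addr"]          # every hop matched: the valve leaves the address alone

def endpoint_check(destination, req, internal_proxies=None):
    """The received-endpoint check both stacks log: Destination must equal the recipient URL."""
    return urlsplit(destination) == urlsplit(recipient_url(req, internal_proxies))

if __name__ == "__main__":
    for pattern in (None, PROXY_NET, r".*"):
        print(pattern, recipient_url(PROXIED_REQUEST, pattern),
              endpoint_check(DESTINATION, PROXIED_REQUEST, pattern))
```

With internalProxies set to `.*` the check passes, but any direct peer can then assert its own scheme and hide its address behind X-Forwarded-For; a pattern limited to the proxy's addresses gives the same fix without that exposure.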

"Failed to call HTTP server" error after upgrading SonarQube from 6.0 to 6.7.2

I have upgraded a SonarQube server from 6.0 to 6.7.2. Everything is fine, except that, after logging in as user "admin" and navigating to the Administration tab, clicking on the System subtab yields an error message:
An error has occurred: please contact your administrator.
In file web.log:
2018.03.06 11:38:24 ERROR web[AWH6436/ICo3FeIjAAAz][o.s.s.w.WebServiceEngine] Fail to process request http://<HOST NAME>:20295/sonarqube/api/system/info
java.lang.IllegalStateException: Failed to call HTTP server of process [key='ce', ipcIndex=3, logFilenamePrefix=ce]
at org.sonar.ce.http.CeHttpClientImpl.call(CeHttpClientImpl.java:171)
at org.sonar.ce.http.CeHttpClientImpl.retrieveSystemInfo(CeHttpClientImpl.java:60)
at org.sonar.server.platform.ws.StandaloneSystemInfoWriter.write(StandaloneSystemInfoWriter.java:53)
at org.sonar.server.platform.ws.InfoAction.handle(InfoAction.java:64)
at org.sonar.server.ws.WebServiceEngine.execute(WebServiceEngine.java:103)
at org.sonar.server.ws.WebServiceFilter.doFilter(WebServiceFilter.java:86)
at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:126)
...
Caused by: java.io.IOException: Server returned HTTP response code: 503 for URL: http://10.145.61.55
The IP address is that of the server. There is no mention of any port in the error message, I don't know if this has any relation with the error.
It seems that the Web component cannot access the Compute Engine component. However, nothing particular was found in file ce.log, which ends with the trace "Compute Engine is operational".
I followed the short migration guide in https://docs.sonarqube.org/display/SONAR/Upgrading.
Environment: Linux, JDK 8, Oracle DB
Does anyone have a clue? Many thanks in advance.
For whoever might stumble on the same issue: it was an error in my proxy configuration. Increasing the logging level by setting sonar.log.level=DEBUG in file sonar.properties yielded the following new traces in file web.log:
2018.03.07 11:52:04 DEBUG web[AWIAFTpArQRjrTzMAAAg][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader#668ee27b5 pairs: {GET http://127.0.0.1:40413/systemInfo HTTP/1.1: null}{User-Agent: SonarQube 6.7.2.37468 # AWHmcYEU8aGLjZ5sPfjj Java/1.8.0_60}{Host: 127.0.0.1:40413}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Proxy-Connection: keep-alive}
2018.03.07 11:52:04 DEBUG web[AWIAFTpArQRjrTzMAAAg][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader#527214044 pairs: {null: HTTP/1.1 301 Moved Permanently}{Server: BlueCoat-Security-Appliance}{Location: http://10.145.61.55}{Connection: Close}
2018.03.07 11:52:04 DEBUG web[AWIAFTpArQRjrTzMAAAg][s.n.w.p.h.HttpURLConnection] Redirected from http://127.0.0.1:40413/systemInfo to http://10.145.61.55
2018.03.07 11:52:04 ERROR web[AWIAFTpArQRjrTzMAAAg][o.s.s.w.WebServiceEngine] Fail to process request http://<HOST NAME>:20295/sonarqube/api/system/info
The proxy was redirecting the Compute engine URL http://127.0.0.1:40413/systemInfo to http://10.145.61.55.
The solution was to add 127.0.0.1 to http.nonProxyHosts in file sonar.properties.

Jmeter - Plugins behind the proxy

I placed the plugin manager in the "lib\ext" folder, and when I tried to open it, it showed this error:
java.io.IOException: Repository responded with wrong status code: 407
Jmeter version - 3.3
Plugin version - 0.16
Jmeter is invoked from command line by using the following parameters:
C:\Users\princen\Performance Testing\Software\apache-jmeter-3.3\bin\jmeter.bat -H Proxyserver -P 1234 -u princen -a ***
Parameters modified as suggested here
JVM_ARGS="-Dhttps.proxyHost=Proxyserver -Dhttps.proxyPort=1234 -Dhttp.proxyUser=princen -Dhttp.proxyPass=***" C:\Users\princen\Performance Testing\Software\apache-jmeter-3.3\bin\jmeter.bat
The above attempt gives the following error message:
Windows cannot find "JVM_ARGS="-Dhttps.proxyHost=Proxyserver -Dhttps.proxyPort=1234 -Dhttp.proxyUser=princen -Dhttp.proxyPass=***
When I tried to change the command to the following:
C:\Users\princen\Performance Testing\Software\apache-jmeter-3.3\bin\jmeter.bat -Dhttps.proxyHost=Proxyserver -Dhttps.proxyPort=1234 -Dhttp.proxyUser=princen -Dhttp.proxyPass=***
I received an error:
java.io.IOException: Repository responded with wrong status code: 407
Can someone please correct parameters required to load the plugin manager?
Ensure you use the latest version of the jmeter-plugins download manager.
Regarding your parameters, you're mixing different configurations, just set (for both http and https):
JVM_ARGS="-Dhttps.proxyHost=myproxy.com -Dhttps.proxyPort=8080 -Dhttps.proxyUser=john -Dhttps.proxyPass=password -Dhttp.proxyHost=myproxy.com -Dhttp.proxyPort=8080 -Dhttp.proxyUser=john -Dhttp.proxyPass=password"
Where password is your real password.
None of the above methods are working for me. It's really tough to work with Java (due to my LoadRunner background). I added Ultimate Thread alone and it's working fine.
Thank you all for your inputs.
JMeter is using the official proxy configuration from Oracle (like here: https://memorynotfound.com/configure-http-proxy-settings-java/)
The problem is that the jmeter documentation is wrong about the password parameter: it should be http.proxyPassword not http.proxyPass.
Also, you must use the https.-prefixed properties for secure URLs you want to access through the proxy, and the http.-prefixed properties for non-secure ones.
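The SonarQube and JMeter threads above are both about how the JVM decides which properties steer a connection through a proxy. The block below is an added example of mine, not SonarQube, JMeter or JDK code: it applies Java's http.nonProxyHosts syntax ('|'-separated patterns, '*' wildcard, case-insensitive) to the Compute Engine loopback URL from the SonarQube answer and lints the property names the JMeter answers correct. Property values and hostnames are constructed, and JDK_DEFAULT_NON_PROXY is my reading of the JDK's fallback when the property is unset.

```python
import re
from urllib.parse import urlsplit

# Constructed sonar.properties fragments: the thread's broken state (proxy set,
# loopback not excluded) and the fixed one with 127.0.0.1 added to nonProxyHosts.
BROKEN = {
    "http.proxyHost": "proxy.example.corp",
    "http.proxyPort": "8080",
    "http.nonProxyHosts": "*.example.corp",
}
FIXED = dict(BROKEN, **{"http.nonProxyHosts": "*.example.corp|127.0.0.1|localhost"})
# Value the JDK falls back to when http.nonProxyHosts is not set at all (assumption).
JDK_DEFAULT_NON_PROXY = "localhost|127.*|[::1]"

def non_proxy_regex(value):
    """Java nonProxyHosts syntax: '|' separates patterns, '*' is a wildcard, case-insensitive."""
    parts = [p.strip() for p in value.split("|") if p.strip()]
    return re.compile("|".join(re.escape(p).replace(r"\*", ".*") for p in parts), re.IGNORECASE)

def proxy_for(url, props):
    """Return the (host, port) Java would proxy this url through, or None for a direct call.
    The JDK reads <scheme>.proxyHost/Port but http.nonProxyHosts for both http and https."""
    parts = urlsplit(url)
    proxy_host = props.get(f"{parts.scheme}.proxyHost")
    if not proxy_host:
        return None
    non_proxy = props.get("http.nonProxyHosts", JDK_DEFAULT_NON_PROXY)
    if non_proxy and non_proxy_regex(non_proxy).fullmatch(parts.hostname or ""):
        return None
    default_port = "80" if parts.scheme == "http" else "443"
    return proxy_host, int(props.get(f"{parts.scheme}.proxyPort", default_port))

def lint_proxy_props(props):
    """Flag the two mistakes from the JMeter thread: the key is proxyPassword, not
    proxyPass, and HTTPS targets need their own https.* host/port settings."""
    problems = []
    for scheme in ("http", "https"):
        if f"{scheme}.proxyPass" in props and f"{scheme}.proxyPassword" not in props:
            problems.append(f"{scheme}.proxyPass is not read; the key is {scheme}.proxyPassword")
    if "http.proxyHost" in props and "https.proxyHost" not in props:
        problems.append("https.proxyHost unset: HTTPS URLs will not use the proxy")
    return problems

if __name__ == "__main__":
    url = "http://127.0.0.1:40413/systemInfo"
    print("broken:", proxy_for(url, BROKEN), "fixed:", proxy_for(url, FIXED))
    print(lint_proxy_props({"http.proxyHost": "p", "http.proxyPass": "x"}))
```

Note that once sonar.properties sets http.nonProxyHosts at all, the JDK default that excluded loopback is replaced, which is why 127.0.0.1 had to be listed explicitly.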

SonarQube 5.6 - update plugin behind proxy (HTTPS) and web context

Using the update center behind a proxy with an associated context gives me this known error:
Fail to download the plugin (css, version 3.1) from https://github.com/racodond/sonar-css-plugin/releases/download/3.1/sonar-css-plugin-3.1.jar
Error is : Fail to download: https://github.com/racodond/sonar-css-plugin/releases/download/3.1/sonar-css-plugin-3.1.jar (no proxy)
I've seen I must provide http.proxyHost/Port in the sonar.properties configuration file, but I've got problems with web context (assigned by sonar.web.context=/mycontext).
Two cases:
http.proxyHost=myhost/mycontext => fails because tries connection with myhost/mycontext:port
Fail to download the plugin (css, version 3.1) from https://github.com/racodond/sonar-css-plugin/releases/download/3.1/sonar-css-plugin-3.1.jar
Error is : Fail to download: https://github.com/racodond/sonar-css-plugin/releases/download/3.1/sonar-css-plugin-3.1.jar (HTTP proxy: <myhost>/<mycontext>:443)
http.proxyHost=myhost => fails and SonarQube doesn't show any plugin
Note: Ports are 80 and 443 (standard); https uses the same host.
Any help is much appreciated.

kinit errors - authentication to AD 2008

I am trying to have my application authenticate using AD credentials. I am using kinit to test after creating the krb5.ini file. I believe all the realm information is correct in the ini file but continue to receive the below error when testing with kinit.
Exception: krb_error 0 Cannot find any provider supporting ARCFOUR No error
KrbException: Cannot find any provider supporting ARCFOUR
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.encrypt(ArcFourHmacEType.java:68)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.encrypt(ArcFourHmacEType.java:60)
    at sun.security.krb5.EncryptedData.<init>(EncryptedData.java:122)
    at sun.security.krb5.KrbAsReq.init(KrbAsReq.java:355)
    at sun.security.krb5.KrbAsReq.<init>(KrbAsReq.java:180)
    at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:253)
    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting ARCFOUR
    at javax.crypto.Cipher.getInstance(DashoA13*..)
    at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.encrypt(ArcFourCrypto.java:279)
You need to enable RC4-HMAC in both your krb5.ini config and the conf/security/java.security
I think RC4 got blacklisted in Oracle JDK (>= 1.8.u060) for known insecurities together with MD5, but it is strictly required for key exchange by the MS Active Directory Kerberos implementation.
Maybe you have to re-enable it by removing RC4 from jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms in your JDK's conf/security/java.security.
See https://www.java.com/en/configure_crypto.html for more information.