By: Theodore Sands user 06 Nov 2016 at 11:11 p.m. CST

5 Responses
I've installed Gluu Server 2.4.4 on Ubuntu 14.04. We use our own SSL certificate and have added it to the cacerts file as well as replaced the httpd.crt, httpd.csr, and httpd.key that Apache uses. We intended to use SCIM for user provisioning and password changes. We were trying to develop our own SCIM client because we weren't using Java. With repeated failure, I decided to test using a Java app in order to ensure the SCIM-Client developed by GluuFederation worked. When I tried to connect using the SCIM-Client, I got an exception with no AAT returned.

```
Exception in thread "main" gluu.scim.client.exception.ScimInitializationException: Could not get accessToken
    at gluu.scim.client.auth.UmaScimClientImpl.initUmaAuthentication(
    at gluu.scim.client.auth.UmaScimClientImpl.init(
    at gluu.scim.client.BaseScimClientImpl.personSearch(
    at gluu.scim.client.auth.UmaScimClientImpl.personSearch(
    at gluu.scim.client.ScimClient.personSearch(
    at com.ckgsolutions.uma.TestUma.testScim1Uma(
    at com.ckgsolutions.uma.TestUma.main(
Caused by: gluu.scim.client.exception.ScimInitializationException: Failed to get UMA AAT token
    at gluu.scim.client.auth.UmaScimClientImpl.initUmaRpt(
    at gluu.scim.client.auth.UmaScimClientImpl.initUmaAuthentication(
    ... 6 more
```

On the Gluu server in the OxAuth.log, I get:

```
Caused by: org.xdi.oxauth.model.exception.InvalidJwtException: Invalid cryptographic segment
    at org.xdi.oxauth.model.token.ClientAssertion.load(
    at org.xdi.oxauth.model.token.ClientAssertion.<init>(
    ... 31 more
```

My JRE is 1.8. I have the proper client ID defined, downloaded the scim_rp.jks file from the Gluu installation. I even reinstalled 2.4.4 to make sure it wasn't anything with the initial setup. If I have not provided enough detail, let me know.

By Theodore Sands user 06 Nov 2016 at 11:31 p.m. CST

When I uninstalled, I did apt-get gluu-server-2.4.4 uninstall which renamed the previous installation. It kept the file in the /etc/init.d directory so I manually removed that. When I reinstalled, it didn't create the file in the /etc/init.d directory so I moved the file back in. These were the selections:

```
GLUU.root@localhost:/install/community-edition-setup# ./
Installing Gluu Server...
Detected OS : ubuntu
Detected init: init
Detected Apache: 2.4
Detected OpenDJ: 3.0
Installing Gluu Server...
For more info see: ./setup.log ./setup_error.log
** All clear text passwords contained in ./
Enter IP Address [] :
Enter hostname [localhost] :
Enter your city or locality : Minneapolis
Enter your state or province two letter code : MN
Enter two letter Country Code : US
Enter Organization Name : CKGSolutions
Enter email address for support at your organization :
Enter maximum RAM for tomcat in MB [3072] :
Optional: enter password for oxTrust and LDAP superuser [sDPz0nQpsxKc] :
Install oxAuth OAuth2 Authorization Server? [Yes] :
Install oxTrust Admin UI? [Yes] :
Install Gluu OpenDJ LDAP Server? [Yes] :
Install Apache HTTPD Server [Yes] :
Install Shibboleth SAML IDP? [No] : Yes
Install Asimba SAML Proxy? [No] : Yes
Install CAS? [No] :
Install oxAuth RP? [No] : Yes
hostname
orgName CKGSolutions
os ubuntu
city Minneapolis
state MN
countryCode US
support email
tomcat max ram 3072
Admin Pass sDPz0nQpsxKc
Install oxAuth True
Install oxTrust True
Install LDAP True
Install Apache 2 web server True
Install Shibboleth SAML IDP True
Install Asimba SAML Proxy True
Install CAS False
Install oxAuth RP True
Proceed with these values [Y|n] Y
```

One reason I reinstalled was because a ticket I saw seemed to indicate Asimba wasn't initially installed and that it was required for UMA to work. Not recalling what I selected, I reinstalled. Could something be missing in this service startup file?

By Mohib Zico staff 07 Nov 2016 at 1:09 a.m. CST

Theodore, I think your two comments are presenting two issues. Can you please open two new tickets (if two are required)?

By Theodore Sands user 07 Nov 2016 at 8:34 a.m. CST

Actually, my second post I thought would provide insight into the primary issue of this ticket. I am not, at present, interested in a resolution to that, per se. To re-state: the SCIM-Client, when trying to connect to the UMA endpoint for an AAT gets an "invalid cryptographic segment" exception. I believe I have everything set up appropriately. The second post was to suggest (if it bears any weight) that some service may not be started that should be started.

By Michael Schwartz Account Admin 10 Nov 2016 at 9:32 a.m. CST

It's possible that your JRE is using different cryptographic libraries. We tested 2.4.4 under OpenJDK, using Bouncy Castle. Can you provide more info about the crypto providers in Java?
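
One way to gather the provider information requested above, as an added example that is not part of the original thread or of Gluu's code: a small Java program that reports the JRE identity, the installed JCA providers in preference order, and which provider would serve common JWT signature algorithms. The class name and the algorithm list are assumptions; the thread does not say which algorithm the client assertion uses.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

// Hypothetical diagnostic class (not from the thread or from Gluu).
public class CryptoProviderReport {

    // JCA names behind common JWS algorithms (RS256/384/512, ES256/384/512).
    // Assumed list: the ticket does not state the algorithm in use.
    static final String[] SIGNATURE_ALGS = {
        "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
        "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA"
    };

    public static void main(String[] args) {
        // Identify the runtime: Oracle JRE and OpenJDK builds can differ
        // in which providers they bundle.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // Providers are consulted in this order when no provider is named.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%2d. %-14s %s%n",
                    i + 1, providers[i].getName(), providers[i].getInfo());
        }

        // "BC" is the name under which Bouncy Castle registers itself.
        System.out.println("Bouncy Castle registered: "
                + (Security.getProvider("BC") != null));

        // Show which provider the default lookup selects per algorithm.
        for (String alg : SIGNATURE_ALGS) {
            try {
                Signature sig = Signature.getInstance(alg);
                System.out.println(alg + " -> " + sig.getProvider().getName());
            } catch (NoSuchAlgorithmException e) {
                System.out.println(alg + " -> not available");
            }
        }
    }
}
```

Run it with the same JRE and classpath as the SCIM client test program; a provider that a library registers at runtime with `Security.addProvider` only appears when the report runs in that same JVM after the registration.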

By Theodore Sands user 10 Nov 2016 at 9:44 p.m. CST

I have Java 1.8.0_111 on my Mac OS. To test, though, I just set up a Maven project in Eclipse with a main() that mimicked your example at []( referencing the SCIMClient 2.4.4. So, it should be using whatever jar/war file - running against the 1.8. Did I answer your question? I'll look at the OpenJDK.