Hi Chris, Going through the [documentation](https://gluu.org/docs/ce/3.1.2/user-management/scim2/#scim-protected-by-uma), the process works well. Please test the simple case describe in the documentation and let us know the outcome. Also provide the *oxauth.log* and *oxauth_script.log*. Thanks, Gasmyr.

Hi Chris, Still need assistance on this ticket?

I was just trying to follow your advice to run the example code, but I'm not a Java programmer and I'm struggling to get it to compile.

We can help you but we have to make sure you have basic java skill and some basic tool like eclipse and maven installed. Do you have maven/java/eclipse installed?

Okay, I have Eclipse for Java installed (I'm familiar with Eclipse for PHP although I haven't used it since it became abandonware). I've created a Maven project, added the TestScimClient class, entered the credentials, etc., copied scim-rp.jks from the server, added the httpd.crt to it and created an App.java as follows: ``` package com.clickingmad; import gluu.scim2.client.TestScimClient; public class App { public static void main(String[] args) { // TODO Auto-generated method stub try { TestScimClient TestScimClient = new TestScimClient(); TestScimClient.simpleSearch(); } catch (Exception e) { System.out.println("Caught exception"); System.out.println(e.toString()); } } } ``` It compiles, but I get the following exception: ``` ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console. Set system property 'org.apache.logging.log4j.simplelog.StatusLogger.level' to TRACE to show Log4j2 internal initialization logging. Caught exception org.jboss.resteasy.client.exception.ResteasyIOException: IOException at org.jboss.resteasy.client.exception.mapper.ApacheHttpClient4ExceptionMapper.mapIOException(ApacheHttpClient4ExceptionMapper.java:109) at org.jboss.resteasy.client.exception.mapper.ApacheHttpClient4ExceptionMapper.toException(ApacheHttpClient4ExceptionMapper.java:66) at org.jboss.resteasy.client.exception.mapper.ApacheHttpClient4ExceptionMapper.toException(ApacheHttpClient4ExceptionMapper.java:58) at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:117) at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88) at com.sun.proxy.$Proxy30.searchUsers(Unknown Source) at gluu.scim2.client.AbstractScimClient.searchUsers(AbstractScimClient.java:360) at gluu.scim2.client.TestScimClient.simpleSearch(TestScimClient.java:22) at com.clickingmad.App.main(App.java:13) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:573) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:557) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:414) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:326) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445) at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:199) at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:46) at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40) at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:52) at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:444) at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:685) at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:110) ... 5 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ... 29 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ... 35 more ``` So it looks like it's failing to find a file, but I'm not sure what file it's looking for.

Hi, That error mean that the certificate file `httpd.crt` was not add to java keystore. On linux you can use this command to add `httpd.crt` to java key store ``` sudo keytool -importcert -file pathToCertFile -alias yourAlias -keystore pathToJavaCaCert -storepass changeit ``` Example: ``` sudo keytool -importcert -file httpd.crt -alias gluu -keystore /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts -storepass changeit ``` Thanks, Gasmyr.

Okay, looks like I added httpd.crt to the wrong keystore file! So now I'm getting the following: ``` ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console. Set system property 'org.apache.logging.log4j.simplelog.StatusLogger.level' to TRACE to show Log4j2 internal initialization logging. 10:52:36.724 [main] ERROR org.xdi.oxauth.client.TokenRequest - null java.lang.NullPointerException: null at org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.sign(OxAuthCryptoProvider.java:161) ~[oxauth-model-3.1.2.Final.jar:?] at org.xdi.oxauth.client.TokenRequest.getClientAssertion(TokenRequest.java:338) [oxauth-client-3.1.2.Final.jar:?] at gluu.scim2.client.UmaScimClient.getAuthorizedRpt(UmaScimClient.java:156) [SCIM-Client-3.1.2.Final.jar:?] at gluu.scim2.client.UmaScimClient.obtainAuthorizedRpt(UmaScimClient.java:177) [SCIM-Client-3.1.2.Final.jar:?] at gluu.scim2.client.UmaScimClient.authorize(UmaScimClient.java:101) [SCIM-Client-3.1.2.Final.jar:?] at gluu.scim2.client.AbstractScimClient.isNeededToAuthorize(AbstractScimClient.java:55) [SCIM-Client-3.1.2.Final.jar:?] at gluu.scim2.client.AbstractScimClient.searchUsers(AbstractScimClient.java:361) [SCIM-Client-3.1.2.Final.jar:?] at gluu.scim2.client.TestScimClient.simpleSearch(TestScimClient.java:22) [classes/:?] at com.clickingmad.App.main(App.java:13) [classes/:?] Caught exception gluu.scim2.client.exception.ScimInitializationException: Error status 401 Unauthorized returned at gluu.scim2.client.UmaScimClient.obtainAuthorizedRpt(UmaScimClient.java:179) at gluu.scim2.client.UmaScimClient.authorize(UmaScimClient.java:101) at gluu.scim2.client.AbstractScimClient.isNeededToAuthorize(AbstractScimClient.java:55) at gluu.scim2.client.AbstractScimClient.searchUsers(AbstractScimClient.java:361) at gluu.scim2.client.TestScimClient.simpleSearch(TestScimClient.java:22) at com.clickingmad.App.main(App.java:13) Caused by: gluu.scim2.client.exception.ScimInitializationException: Error status 401 Unauthorized returned at gluu.scim2.client.UmaScimClient.getAuthorizedRpt(UmaScimClient.java:171) at gluu.scim2.client.UmaScimClient.obtainAuthorizedRpt(UmaScimClient.java:177) ... 5 more Caused by: org.jboss.resteasy.client.ClientResponseFailure: Error status 401 Unauthorized returned at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:570) at org.jboss.resteasy.client.core.BaseClientResponse.createResponseFailure(BaseClientResponse.java:561) at org.jboss.resteasy.client.core.BaseClientResponse.checkFailureStatus(BaseClientResponse.java:555) at org.jboss.resteasy.client.core.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:37) at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:125) at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:88) at com.sun.proxy.$Proxy42.requestJwtAuthorizationRpt(Unknown Source) at gluu.scim2.client.UmaScimClient.getAuthorizedRpt(UmaScimClient.java:156) ... 6 more ``` That looks a lot like the problem I was getting with my code, which suggests that I haven't configured something right on the server.

Make sure SCIM support is enable and Uma policy is enable. https://gluu.org/docs/ce/user-management/scim2/#protection-using-uma

Yes, SCIM support is enabled and uma_client_authz_rpt_policy is enabled with the allowed_clients variable set to the same client id as umaAatClientId in the TestScimClient class. The umaAatClientId is set to that of the "SCIM Requesting Party Client" that is installed by default. I'm not sure what value umaAatClientKeyId should take so I left it empty.

This is from the oxauth.log: ``` 2018-05-17 15:20:47,272 TRACE [qtp2008017533-17] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:91) - Get request to: 'https://openid.ncvo.org.uk/oxauth/restv1/token' 2018-05-17 15:20:47,272 DEBUG [qtp2008017533-17] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:98) - Starting token endpoint authentication 2018-05-17 15:20:47,272 DEBUG [qtp2008017533-17] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:108) - Starting JWT token endpoint authentication 2018-05-17 15:20:47,274 DEBUG [qtp2008017533-17] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!9A8A.B50F.22F0.BF8E!0001!8F26.D74F!0008!3F6B.33D8 2018-05-17 15:20:47,275 INFO [qtp2008017533-17] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:395) - JWT authentication failed: {} org.xdi.oxauth.model.exception.InvalidJwtException: Cannot verify the JWT at org.xdi.oxauth.model.token.ClientAssertion.<init>(ClientAssertion.java:50) ~[classes/:?] at org.xdi.oxauth.auth.AuthenticationFilter.processJwtAuth(AuthenticationFilter.java:371) [classes/:?] at org.xdi.oxauth.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:109) [classes/:?] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.gluu.oxserver.filters.AbstractCorsFilter.handleNonCORS(AbstractCorsFilter.java:343) [oxcore-server-3.1.2.Final.jar:?] at org.gluu.oxserver.filters.AbstractCorsFilter.doFilter(AbstractCorsFilter.java:120) [oxcore-server-3.1.2.Final.jar:?] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.xdi.oxauth.audit.debug.ServletLoggingFilter.doFilter(ServletLoggingFilter.java:55) [classes/:?] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [jetty-security-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512) [jetty-servlet-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.Server.handle(Server.java:534) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251) [jetty-server-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) [jetty-io-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) [jetty-util-9.3.15.v20161220.jar:9.3.15.v20161220] at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112] Caused by: org.xdi.oxauth.model.exception.InvalidJwtException: Invalid cryptographic segment at org.xdi.oxauth.model.token.ClientAssertion.load(ClientAssertion.java:121) ~[classes/:?] at org.xdi.oxauth.model.token.ClientAssertion.<init>(ClientAssertion.java:44) ~[classes/:?] ... 32 more 2018-05-17 15:20:47,275 DEBUG [qtp2008017533-17] [org.xdi.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:70) - Looking for the error with id: invalid_client 2018-05-17 15:20:47,275 DEBUG [qtp2008017533-17] [org.xdi.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:75) - Found error, id: invalid_client ```

The parameter should look like this: ``` private String umaAatClientId = "@!7603.C985.FD9C.92C5!0001!5AE6.926D!0008!341A.DAB6"; private String umaAatClientJksPath = "/home/gasmyr/Desktop/scim-rp.jks"; private String umaAatClientJksPassword = "secret"; private String umaAatClientKeyId = ""; ``` In your case make sure all these parameter are set correctly. Mainly the **umaAatClientJksPath** should be a valid and accessible path.

Yes, all correct. I'm going to run the migration again. Maybe something got screwed up along the way.

okay

Okay, I've migrated from 2.4.4 to 3.1.3 on a fresh clone now, but I seem to have taken a step backwards as the SCIM endpoint no longer even gives me a ticket! SCIM-Client just gives me a null pointer exception: ``` ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console. Set system property 'org.apache.logging.log4j.simplelog.StatusLogger.level' to TRACE to show Log4j2 internal initialization logging. java.lang.NullPointerException at gluu.scim2.client.UmaScimClient.authorize(UmaScimClient.java:87) at gluu.scim2.client.AbstractScimClient.isNeededToAuthorize(AbstractScimClient.java:55) at gluu.scim2.client.AbstractScimClient.searchUsers(AbstractScimClient.java:361) at gluu.scim2.client.TestScimClient.simpleSearch(TestScimClient.java:22) at com.clickingmad.App.main(App.java:13) ``` I'm sure I must be missing something obvious, but I have no idea what it is.

I forgot to upgrade SCIM-Client. I've now upgraded to SCIM-Client 3.1.3 and I get the following exception: ``` 16:03:29 DEBUG TestModeScimClient.java:121 - Got token: 8661ba45-cb61-42e4-87d2-c11201438d7f 16:03:29 DEBUG TestModeScimClient.java:121 - Got token: ed9b82e0-8304-48be-845e-cbdf33027960 javax.ws.rs.ProcessingException: org.codehaus.jackson.JsonParseException: Unexpected character ('S' (code 83)): expected a valid value (number, String, array, object, 'true', 'false' or 'null') at [Source: java.io.InputStreamReader@42e3ede4; line: 1, column: 2] at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:282) at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readEntity(ClientResponse.java:178) at org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:218) at gluu.scim2.client.TestScimClient.simpleSearch(TestScimClient.java:27) at com.clickingmad.App.main(App.java:13) Caused by: org.codehaus.jackson.JsonParseException: Unexpected character ('S' (code 83)): expected a valid value (number, String, array, object, 'true', 'false' or 'null') at [Source: java.io.InputStreamReader@42e3ede4; line: 1, column: 2] at org.codehaus.jackson.JsonParser._constructError(JsonParser.java:1433) at org.codehaus.jackson.impl.JsonParserMinimalBase._reportError(JsonParserMinimalBase.java:521) at org.codehaus.jackson.impl.JsonParserMinimalBase._reportUnexpectedChar(JsonParserMinimalBase.java:442) at org.codehaus.jackson.impl.ReaderBasedParser._handleUnexpectedValue(ReaderBasedParser.java:1198) at org.codehaus.jackson.impl.ReaderBasedParser.nextToken(ReaderBasedParser.java:485) at org.codehaus.jackson.map.ObjectMapper._initForReading(ObjectMapper.java:2770) at org.codehaus.jackson.map.ObjectMapper._readMapAndClose(ObjectMapper.java:2718) at org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1893) at gluu.scim2.client.rest.provider.ListResponseProvider.readFrom(ListResponseProvider.java:65) at gluu.scim2.client.rest.provider.ListResponseProvider.readFrom(ListResponseProvider.java:46) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:66) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:56) at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:248) ... 4 more ``` Any ideas?

Hi Chris, The actual error is due to the fact that somewhere in your code you are expecting a list of value and the actual response contains an error message. So the best practice should is to check the response code first and if it not and error code, the process the response. Example: Create a new user ``` Response response = client.createUser(user, null, null); if (response.getStatus() == 201) { user = response.readEntity(UserResource.class); } else { System.out.println("Something wrong happen" + response.getStatus()); } ``` The error code shoulb be print in the console. You can also check the oxtrust.log file. Thanks, Gasmyr.

Hi, Closing this ticket for inactivity.

Sorry, I was on holiday for a few days. I've gone right back to basics now and installed a fresh copy of Gluu 3.1.3 without the old 2.4.4 installation on it. I got the SCIM-Client working, so I'm now trying to understand the code and essentially replicate the relevant parts in PHP. The problem I'm stuck on now is that I don't know how to obtain the key to sign the JWT when requesting a token from the token endpoint. Presumably it comes from scim-rp.jks, but I can't quite see how it does it (probably because I'm not a Java programmer). I'd be very grateful for any pointers. Thanks, Chris.