By: Chris Lumpkin user 25 Aug 2020 at 3:43 p.m. CDT

5 Responses
I am attempting to enable UMA protection for the SCIM API endpoint per [these instructions](https://gluu.org/docs/gluu-server/user-management/scim2/#scim-protected-by-uma). I also updated the SCIM RP and RS keystores per [these instructions](https://gluu.org/docs/gluu-server/4.2/operation/replace-expired-jks-scim/#scim). When I run the example code for testing SCIM with UMA protection, I get the following error:

```
2020-08-25 20:24:10,542 ERROR [qtp1818402158-16] [org.gluu.oxtrust.service.uma.BaseUmaProtectionService] (BaseUmaProtectionService.java:81) - Failed to check UMA PAT token status
org.gluu.oxtrust.exception.UmaProtectionException: Failed to obtain valid UMA PAT token
    at org.gluu.oxtrust.service.uma.BaseUmaProtectionService.retrievePatToken(BaseUmaProtectionService.java:127) ~[classes/:?]
    at org.gluu.oxtrust.service.uma.BaseUmaProtectionService.getPatToken(BaseUmaProtectionService.java:65) ~[classes/:?]
    at org.gluu.oxtrust.service.uma.BaseUmaProtectionService.isExistPatToken(BaseUmaProtectionService.java:79) ~[classes/:?]
    at org.gluu.oxtrust.service.uma.BaseUmaProtectionService.isEnabledUmaAuthentication(BaseUmaProtectionService.java:74) ~[classes/:?]
    at org.gluu.oxtrust.service.uma.ScimUmaProtectionService.isEnabled(ScimUmaProtectionService.java:79) ~[classes/:?]
    at org.gluu.oxtrust.service.uma.ScimUmaProtectionService.processAuthorization(ScimUmaProtectionService.java:112) ~[classes/:?]
```

Did I miss something in the instructions?

By Jose Gonzalez staff 25 Aug 2020 at 6:58 p.m. CDT

Hi Chris,

It is unclear why you attempted to renew keys if your interest is just enabling UMA protection for SCIM. Actually there is an imprecision in the instructions for renewal of SCIM keys in 4.2 docs. If you followed those steps it would have resulted in errors impeding the completion of the task, but you didn't mention that fact... it's strange. I'll update this ticket tomorrow once the docs have been fixed.

By Jose Gonzalez staff 26 Aug 2020 at 7:42 a.m. CDT

I updated the [instructions](https://www.gluu.org/docs/gluu-server/operation/replace-expired-jks-scim/?) (the `-cp` param changed).

By Mohammad Abudayyeh staff 26 Aug 2020 at 7:49 a.m. CDT

Hey Chris,

Please follow the instructions [here](https://gluu.org/docs/gluu-server/4.2/admin-guide/certificate/) to rotate in Kubernetes. Same operation in Docker:

```
docker run \
    --rm \
    --network container:consul \
    -e GLUU_CONFIG_ADAPTER=consul \
    -e GLUU_CONFIG_CONSUL_HOST=consul \
    -e GLUU_SECRET_ADAPTER=vault \
    -e GLUU_SECRET_VAULT_HOST=vault \
    -v $PWD/vault_role_id.txt:/etc/certs/vault_role_id \
    -v $PWD/vault_secret_id.txt:/etc/certs/vault_secret_id \
    -v $PWD/ssl.crt:/etc/certs/gluu_https.crt \
    -v $PWD/ssl.key:/etc/certs/gluu_https.key \
    -v /var/run/docker.sock:/var/run/docker.sock \
    gluufederation/certmanager:4.2.0_01 patch scim
```

By Chris Lumpkin user 27 Aug 2020 at 10:56 a.m. CDT

I was able to execute the command provided by @Mohammad.Abudayyeh to update the certificates, thanks for that! However, this only updated the keys/keystores and not the SCIM configuration, so now I need to update `scimUmaClientKeyStoreFile` and `scimUmaClientKeyStorePassword` to reflect the new values. What is the default used by Certificate Manager for the SCIM keystore password that I can replace in this script?

```
import base64
from pyDes import *

data = '<password>'  # plaintext keystore password
# 3DES in ECB mode with PKCS5 padding, keyed with the salt
engine = triple_des('<salt>', ECB, pad=None, padmode=PAD_PKCS5)
data = data.encode('ascii')
en_data = engine.encrypt(data)
# print() with decode() works on both Python 2 and Python 3
print(base64.b64encode(en_data).decode('ascii'))
```

(and also `umaAatClientJksPassword` in `TestScimClient.java`?)

By Jose Gonzalez staff 31 Aug 2020 at 11 a.m. CDT

I think @Mohammad.Abudayyeh can comment; however, if you are using test mode you don't really need anything about [this](https://www.gluu.org/docs/gluu-server/operation/replace-expired-jks-scim/). As mentioned there, it is targeted for UMA protection.