By: Hernan Quevedo user 16 Oct 2017 at 11:18 p.m. CDT

7 Responses
Hi. After a restart of the Gluu server, I get this invalid cryptographic segment message when creating a new user through

```
InvalidJwtException: Cannot verify the JWT scim2client.createUser(oxtrust.model.scim2.User) Invalid cryptographic segment
```

The installation of Gluu is from scratch, and the user trying to create this other user was authenticated through the same Gluu server and created through the server's web console.

UPDATE: after correcting the clientId which is used by the connecting party of Gluu, different messages appeared:

- can't identify DSA private key
- Invalid JWT format.

By Hernan Quevedo user 17 Oct 2017 at 10:20 a.m. CDT

UPDATE: I just fresh-installed on a different machine, same errors. Could it have to do with the fact that the Java keystore has several Gluu certificates?

UPDATE2: it wasn't the case, as expected. Deleted all keys and added the last one, errors persist.

By Michael Schwartz Account Admin 17 Oct 2017 at 12:41 p.m. CDT

Jose, can you take a look?

By Jose Gonzalez staff 17 Oct 2017 at 3:34 p.m. CDT

Hi Hernán,

From what I see, it looks like you are trying to use the SCIM service protected by UMA. You definitely need to better describe your problem and the errors obtained, and attach contextual information, so that we can give you the best assistance. I suspect your .jks file is corrupted (or you are pointing to a wrong scim-rp.jks file).

So far I can suggest that you follow what we state [in this guide](https://gluu.org/docs/ce/3.0.2/admin-guide/scim-uma/#requisites) (if you are using 3.0.2). The JKS file that you grab from the server (`/install/community-edition-setup/output/scim-rp.jks`) needs to be copied to a location your application can have read access to (as your dev machine). See in the code sample the variable `umaAatClientJksPath`.

The certificate file is what needs to be imported into your Java key store. So it should be `/opt/gluu-server-version/etc/certs/httpd.crt` if you are not protecting your server with a different cert. You can have n certs there, there should be no problem.

By Hernan Quevedo user 17 Oct 2017 at 5:52 p.m. CDT

Hi, Jose, thank you for your answers. Now, the problem disappeared when I, for the fifth time, installed Gluu with the JCE option; I got used to not having it installed and, for some reason, it worked, until last Friday when I attempted to set up a two-node cluster of Gluu. Apparently, without it, the oxauth library was not able to validate the key. Another question would be whether, for the 3.0.2 version, you guys maybe apply patches and, inadvertently, I yum installed some patch that uses JCE objects.

By Jose Gonzalez staff 18 Oct 2017 at 9:27 a.m. CDT

Hernán, the Linux package administrator confirmed no recent changes in 3.0.2 binaries.

By Hernan Quevedo user 18 Oct 2017 at 9:46 a.m. CDT

All right, thanks. So, maybe it worked for a while without the JCE package, but it is better to always install it, is that right? I mean, the JCE is mandatory.

By Jose Gonzalez staff 19 Oct 2017 at 7:19 a.m. CDT

Not mandatory but recommended to be included in installation. It enables using big keys in RSA algorithms, for instance.
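
A diagnostic for the two causes raised in this thread (a wrong or corrupted JKS file, and a JVM running without the JCE unlimited-strength policy), added here as an example; it is not part of the original posts and is not Gluu code. The class name `JksCheck` and its helper methods are hypothetical, and the key password is assumed to equal the store password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAKey;
import java.util.Collections;
import javax.crypto.Cipher;

// Added diagnostic, not Gluu code. Usage: java JksCheck [<keystore.jks> <store-password>]
public class JksCheck {
    // Integer.MAX_VALUE from the JVM means the unlimited-strength policy is active.
    static String jcePolicy(String alg) throws Exception {
        int max = Cipher.getMaxAllowedKeyLength(alg);
        return alg + ": " + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits max");
    }

    static String describe(KeyStore ks, String alias, char[] pw) throws Exception {
        String kind = ks.isKeyEntry(alias) ? "key" : "trusted-cert";
        Certificate cert = ks.getCertificate(alias);
        String pub = "no certificate";
        if (cert != null) {
            PublicKey k = cert.getPublicKey();
            pub = k.getAlgorithm() + (k instanceof RSAKey
                    ? " " + ((RSAKey) k).getModulus().bitLength() + " bits" : "");
        }
        String readable = "";
        if (ks.isKeyEntry(alias)) {
            try { // assumption: key password equals store password
                readable = ks.getKey(alias, pw) != null ? ", private key readable" : "";
            } catch (Exception e) {
                readable = ", private key NOT readable: " + e;
            }
        }
        return alias + " [" + kind + "] " + pub + readable;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JCE policy -> " + jcePolicy("AES") + ", " + jcePolicy("RSA"));
        if (args.length < 2) return; // no keystore given: policy report only
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw); // IOException here: corrupt file or wrong password
        }
        for (String alias : Collections.list(ks.aliases()))
            System.out.println(describe(ks, alias, pw));
    }
}
```

Run it with the same JVM that runs the SCIM client, since the policy limit is a property of that Java installation; with no arguments it reports only the JCE policy.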