By: shawn reuland user 17 May 2016 at 12:02 p.m. CDT

14 Responses
We upgraded from a working 2.4.1 install to 2.4.3. Afterwards, we are not able to log in to the Gluu server directly, such as at https://<gluu_host>/identity/home. We get the initial login screen, we enter credentials, and the screen then goes into an endless loop of showing the login screen with a layer on top prompting for 'Request for Permission', which shows:

**oxTrust Admin GUI is requesting permission to do the following:** _A persistent but non-identifiable correlation key released by your OpenID Provider. This information includes: name, family_name, given_name, middle_name, nickname, preferred username, picture, website, gender, birthdate, zoneinfo, locale and when the profile was last updated. Your email address and whether its verified. Your local username in the Gluu Server_

It seems to be an issue with just the Gluu admin GUI OIDC client. We have another OpenID Connect client that works with a remote Apache OIDC RP, and the login screen works correctly through that OIDC client, with no permissions loop. This seems to be a config issue that maybe cropped up for the GUI Admin OIDC client after the upgrade to 2.4.3, like it doesn't support '/identity/home' as a login point or redirect path or something? How can we disable this for now just to log in? We have an LDAP browser connected, so we can make config changes directly in LDAP if needed.

By shawn reuland user 17 May 2016 at 4:36 p.m. CDT

Hello, I was first trying to find where in the installation I can find the current version number. Is there a file you can refer me to which would specify a string such as 2.4.3-1-4? We're running on Ubuntu and it looks like we ran 'apt-get install gluu-server-2.4.3' on 05/09/2016. Thanks again for your help.

By Arunmozhi P user 18 May 2016 at 2:12 a.m. CDT

Hi,

1. **Version**: You can use dpkg to show the package information: `dpkg -p gluu-server-2.4.3`. The version is mentioned in the information.
2. **Infinite redirection after upgrade**: The reason for this is that the server cannot create an SSL connection due to a certificate mismatch. If you have used the upgrade scripts (export24.py, import24.py) to do the upgrade, then the new certificates would have been replaced by the script with the backup, but they wouldn't have been updated in the Java keystore; hence the mismatch. The import24.py script has been improved to perform the keystore update as well. You can retry the upgrade process.

I hope this solves your issue.

Regards,
Arun

By shawn reuland user 20 May 2016 at 10:23 a.m. CDT

Unfortunately, not yet. To recap, we have installed the latest 2.4.3 on Ubuntu and ran the import/export python scripts you mentioned:

```
$ dpkg -p gluu-server-2.4.3
Package: gluu-server-2.4.3
Priority: optional
Section: java
Installed-Size: 1314284
Maintainer: Gluu Developers <support@gluu.org>
Architecture: amd64
Version: 1-4~trusty+Ub14.04
Depends: bash (>= 2.05a-11), sed (>= 3.02-8), grep (>= 2.4.2-3), coreutils (>= 5.0-5)
Size: 542739276
Description: Gluu Server Community Edition
Homepage: http://www.gluu.org
Original-Maintainer: Adrian Alves <support@gluu.org>
```

We point the browser at: https://<our_gluu_host>/identity/home

We enter user credentials (they can be users we've previously added, or 'admin'). After we submit, we then get the login page again but with the warning dialog window on top stating 'Request for Permission', and whether we click "Allow" or "Don't Allow", it returns to the same view.

The only activity shown in oxauth.log related to this flow is after credentials are submitted:

```
2016-05-20 15:06:02,872 INFO [org.xdi.oxauth.service.AuthenticationService] Attempting to redirect user. SessionUser: SessionState, dn='uniqueIdentifier=c29b1ef1-1207-4a7c-91f6-0622307cec81,ou=session,o=@!0EEC.F661.FD8C.F399!0001!3F6F.B403,o=gluu', id='c29b1ef1-1207-4a7c-91f6-0622307cec81', lastUsedAt=Fri May 20 15:06:02 UTC 2016, userDn='inum=@!0EEC.F661.FD8C.F399!0001!3F6F.B403!0000!02ED.F940,ou=people,o=@!0EEC.F661.FD8C.F399!0001!3F6F.B403,o=gluu', authenticationTime=Fri May 20 15:06:02 UTC 2016, state=authenticated, permissionGranted=null, permissionGrantedMap=null, sessionAttributes={scope=openid profile email user_name, response_type=code id_token, nonce=nonce, redirect_uri=https://<our_gluu_host>/identity/authentication/authcode, auth_step=1, client_id=@!0EEC.F661.FD8C.F399!0001!3F6F.B403!0008!C4B1.FEB7, acr=internal}, persisted=true}
2016-05-20 15:06:02,873 INFO [org.xdi.oxauth.service.AuthenticationService] Attempting to redirect user. User: org.xdi.oxauth.model.common.User@540befe2
2016-05-20 15:06:02,878 INFO [org.xdi.oxauth.auth.Authenticator] Authentication success for User: 'xyz'
```

Nothing further is logged after this. Are there any other log files we should look for related to the OIDC RP activity on Gluu? What triggers the 'Request for Permission' dialog for the '/identity' URL path? It seems like we have a broken config in the area of trust settings for the Gluu Admin GUI OIDC client.

I've trapped the network flow in the browser. This is what happens when I click on the 'Allow' button of the Request For Permission dialog; each of these requests returns a 302 response to trigger the next:

1. https://<gluu_host>/oxauth/authorize
2. https://<gluu_host>/oxauth/seam/resource/restv1/oxauth/authorize?response_type=code+id_token&scope=openid+profile+email+user_name&redirect_uri=https%3A%2F%2Fgluu_host%2Fidentity%2Fauthentication%2Fauthcode&nonce=nonce&client_id=%40%210EEC.F661.FD8C.F399%210001%213F6F.B403%210008%21C4B1.FEB7&cid=305
3. https://<gluu_host>/identity/authentication/authcode
4. https://<gluu_host>/identity/authentication/getauthcode?session_state=c29b1ef1-1207-4a7c-91f6-0622307cec81&scope=user_name+email+openid+profile&state&code=4c3b8ae4-b488-4f0b-b82e-533126bc50a6&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.[payload omitted].TGVly2d14c8ni3JBhUk98dCUoBok8Ps9rZK2Rh6hzNw
5. https://<gluu_host>/identity/home?cid=17
6. https://<gluu_host>/identity/login?cid=17
7. https://<gluu_host>/oxauth/authorize?scope=openid+profile+email+user_name&response_type=code+id_token&nonce=nonce&redirect_uri=https%3A%2F%2Fgluu_host%2Fidentity%2Fauthentication%2Fauthcode&client_id=%40%210EEC.F661.FD8C.F399%210001%213F6F.B403%210008%21C4B1.FEB7

This was the last URL; at this point, it loads HTML which redisplays the login page with the same 'Request For Permission' dialog window.

By Christopher Robbins user 20 May 2016 at 11:58 a.m. CDT

It's worth noting that we've followed all steps per the "Upgrade from 2.4.x" document linked below. We've also repeated the upgrade process (per Arun, including the 'Import your old data' step) with no notable change. https://gluu.org/docs/deployment/upgrading/

By shawn reuland user 20 May 2016 at 12:07 p.m. CDT

Ah, I found a bunch of log output in oxtrust.log. This gets dumped out each time we click on the 'Allow' button of Request For Permission:

```
2016-05-20 17:00:10,683 INFO [org.gluu.oxtrust.action.Authenticator] authorizationCode : 59ffbcbd-3409-4871-8beb-c23c7928a459
2016-05-20 17:00:10,683 INFO [org.gluu.oxtrust.action.Authenticator] scopes : user_name email openid profile
2016-05-20 17:00:10,683 INFO [org.gluu.oxtrust.action.Authenticator] clientID : @!0EEC.F661.FD8C.F399!0001!3F6F.B403!0008!C4B1.FEB7
2016-05-20 17:00:10,684 INFO [org.gluu.oxtrust.action.Authenticator] getting accessToken
2016-05-20 17:00:10,684 INFO [org.gluu.oxtrust.action.Authenticator] tokenURL : https://iotdev05.bi.local/oxauth/seam/resource/restv1/oxauth/token
2016-05-20 17:00:10,684 INFO [org.gluu.oxtrust.action.Authenticator] Sending request to token endpoint
2016-05-20 17:00:10,684 INFO [org.gluu.oxtrust.action.Authenticator] redirectURI : https://iotdev05.bi.local/identity/authentication/authcode
2016-05-20 17:00:10,698 ERROR [org.xdi.oxauth.client.TokenClient] sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1472)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:213)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1035)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:182)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:39)
    at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40)
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
    at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:444)
    at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:688)
    at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:572)
    at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:577)
    at org.xdi.oxauth.client.TokenClient.exec(TokenClient.java:306)
    at org.xdi.oxauth.client.TokenClient.execAuthorizationCode(TokenClient.java:112)
    at org.gluu.oxtrust.action.Authenticator.oAuthGetAccessToken(Authenticator.java:538)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
    at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32)
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
    at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28)
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
    at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:79)
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
    at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
    at org.jboss.seam.core.SynchronizationInterceptor.aroundInvoke(SynchronizationInterceptor.java:35)
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
    at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
    at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:196)
    at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:114)
    at org.gluu.oxtrust.action.Authenticator_$$_javassist_seam_44.oAuthGetAccessToken(Authenticator_$$_javassist_seam_44.java)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:335)
    at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:348)
    at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
    at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
    at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
    at org.jboss.seam.core.Expressions$2.invoke(Expressions.java:222)
    at org.jboss.seam.navigation.Page.preRender(Page.java:311)
    at org.jboss.seam.navigation.Pages.preRender(Pages.java:351)
    at org.jboss.seam.jsf.SeamPhaseListener.preRenderPage(SeamPhaseListener.java:565)
    at org.jboss.seam.jsf.SeamPhaseListener.beforeRenderResponse(SeamPhaseListener.java:476)
    at org.jboss.seam.jsf.SeamPhaseListener.beforeServletPhase(SeamPhaseListener.java:147)
    at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:117)
    at com.sun.faces.lifecycle.Phase.handleBeforePhase(Phase.java:228)
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:99)
    at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:411)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
    at org.jboss.seam.web.RewriteFilter.process(RewriteFilter.java:98)
    at org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:57)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73)
    at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73)
    at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1454)
    ... 105 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 111 more
2016-05-20 17:00:10,701 INFO [org.gluu.oxtrust.action.Authenticator] tokenResponse : null
2016-05-20 17:00:10,702 ERROR [org.jboss.seam.exception.Exceptions] handled and logged exception
javax.el.ELException: java.lang.NullPointerException
    at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:339)
    at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:348)
    at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
    at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
    at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
    at org.jboss.seam.core.Expressions$2.invoke(Expressions.java:222)
    at org.jboss.seam.navigation.Page.preRender(Page.java:311)
    at org.jboss.seam.navigation.Pages.preRender(Pages.java:351)
    at org.jboss.seam.jsf.SeamPhaseListener.preRenderPage(SeamPhaseListener.java:565)
    at org.jboss.seam.jsf.SeamPhaseListener.beforeRenderResponse(SeamPhaseListener.java:476)
    at org.jboss.seam.jsf.SeamPhaseListener.beforeServletPhase(SeamPhaseListener.java:147)
    at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:117)
    at com.sun.faces.lifecycle.Phase.handleBeforePhase(Phase.java:228)
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:99)
    at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:411)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
    at org.jboss.seam.web.RewriteFilter.process(RewriteFilter.java:98)
    at org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:57)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73)
    at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73)
    at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
    at org.gluu.oxtrust.action.Authenticator.oAuthGetAccessToken(Authenticator.java:541)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
    at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32)
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
    at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28)
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
    at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:79)
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
    at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
    at org.jboss.seam.core.SynchronizationInterceptor.aroundInvoke(SynchronizationInterceptor.java:35)
    at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
    at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
    at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:196)
    at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:114)
    at org.gluu.oxtrust.action.Authenticator_$$_javassist_seam_44.oAuthGetAccessToken(Authenticator_$$_javassist_seam_44.java)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:335)
    ... 54 more
```

So, it looks like the Java keystore is missing a CA cert. Can you tell me the path to the Java keystore file that Gluu is using and the .pem files that should be loaded in there? I can manually import those into it and try getting it going from there.

By shawn reuland user 20 May 2016 at 1:55 p.m. CDT

I'll provide one solution that worked here for us. I'm not sure if it's the best way, but this worked for us:

/etc/ssl/certs/java/cacerts is the active path to the Java keystore file. I noticed the oxTrust config JSON contained in the 'oxTrustConfApplication' attribute on 'ou=oxtrust,ou=configuration,inum=<gluu_appliance_inum>,ou=appliances,o=gluu' had a caCertsPath that was set to '/usr/java/latest/jre/lib/security', which didn't exist. I used an LDAP editor and changed oxTrustConfApplication to have caCertsPath=/etc/ssl/certs/java/cacerts and caCertsPassPhrase="changeit". I restarted gluu-server and am now able to log in to https://<gluu_host>/identity/home. Interestingly, though, it still prompts for 'Request for Permission' every time we log in, but at least when we click on 'Allow' it works and goes to the home page.

Any thoughts on what's still triggering the 'Request for Permission'? That never came up on 2.4.1.

By Michael Schwartz Account Admin 20 May 2016 at 3:20 p.m. CDT

Arun, Is it possible that the location of `cacerts` changed between version 2.4.1 and 2.4.3? - Mike

By Michael Schwartz Account Admin 20 May 2016 at 3:20 p.m. CDT

Shawn, is this issue resolved?

By shawn reuland user 20 May 2016 at 3:35 p.m. CDT

Hello Michael, yes, for our installations that were upgraded from 2.4.1 to 2.4.3, we are able to login to /identity/home now. It would be nice to figure out why the 'Request For Permission' dialog window comes up after login every time still, but that is not a blocker. thanks!

By Michael Schwartz Account Admin 20 May 2016 at 3:42 p.m. CDT

View the client in oxTrust and enable pre-authorization.

By shawn reuland user 20 May 2016 at 5:57 p.m. CDT

Pre-authorization is set to 'enabled' for 'oxTrust Admin GUI' OIDC client, still seeing the 'Request For Permissions' dialog when going to http://<gluu_host>/identity/home

By Arunmozhi P user 22 May 2016 at 12:07 a.m. CDT

Hi, first I am sorry for the late reply. The certificates for the clients were upgraded during the previous message, but the OpenDJ certificate of the new installation needed to be imported. That was missing. I have updated the script to fix that now. We will have to restart gluu-server for the changes to take effect. I will try to do it from the script or add it as a step in the docs. Thank you.

By Arunmozhi P user 22 May 2016 at 12:22 a.m. CDT

Update:

1. The export24.py script has been updated to back up the certificate credentials of the old installation, so that the new installation can reuse the old certificates. So rerun the export script if you are using the old export.
2. The import24.py script copies the old certificates from the backup, generates the new OpenDJ certificate, and imports all of them into the truststore. Hence you should not be seeing the "PKIX path building failed" status anymore.
3. All this doesn't affect the currently running processes, and hence it is required to do a `service gluu-server-2.4.3 stop` and `start` after the import is completed.
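The two checks this thread converged on, that the caCertsPath in the oxTrustConfApplication JSON points at a real Java truststore (Shawn's workaround above) and that the certificate chain presented by the oxAuth token endpoint, and later the OpenDJ certificate, is actually present in that truststore (Arun's update), can be scripted. The following is an added example and not Gluu's code nor anything posted in the thread: it parses a constructed copy of the config attribute and a constructed excerpt of the oxtrust.log output shown above, decides which truststore the JVM should be using, and emits the keytool commands an operator would run by hand. The candidate truststore paths, the use of the hostname as the keytool alias, and the sample data are all assumptions made for the example.

```python
"""Truststore triage for the oxTrust -> oxAuth token-endpoint call.

Added example, not Gluu's code. It reproduces two checks from the thread:
  1. caCertsPath/caCertsPassPhrase in the oxTrustConfApplication JSON must
     name a Java truststore that exists (the thread's value was a directory
     that was not there at all);
  2. the PKIX failure in oxtrust.log names the host whose certificate chain
     must be trusted by that truststore.
The config and log samples below are constructed to match the thread.
"""
import json
import os
import re
from urllib.parse import urlparse

# Constructed subset of the oxTrustConfApplication attribute from the thread.
SAMPLE_CONF = json.dumps({
    "caCertsPath": "/usr/java/latest/jre/lib/security",
    "caCertsPassPhrase": "changeit",
})

# Constructed, abbreviated excerpt of the oxtrust.log lines posted above.
SAMPLE_LOG = """\
2016-05-20 17:00:10,684 INFO [org.gluu.oxtrust.action.Authenticator] tokenURL : https://iotdev05.bi.local/oxauth/seam/resource/restv1/oxauth/token
2016-05-20 17:00:10,698 ERROR [org.xdi.oxauth.client.TokenClient] sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2016-05-20 17:00:10,701 INFO [org.gluu.oxtrust.action.Authenticator] tokenResponse : null
"""

# Assumed fallback locations: the Debian/Ubuntu path that worked in the
# thread first, then a common default-java JRE layout.
CANDIDATE_TRUSTSTORES = (
    "/etc/ssl/certs/java/cacerts",
    "/usr/lib/jvm/default-java/jre/lib/security/cacerts",
)

PKIX_RE = re.compile(r"PKIX path building failed")
TOKEN_URL_RE = re.compile(r"tokenURL : (\S+)")


def resolve_truststore(conf_json, candidates=CANDIDATE_TRUSTSTORES, isfile=os.path.isfile):
    """Return (truststore_path, problem) for the path the config names.

    `isfile` is injectable so the logic can be exercised without the real
    filesystem. A directory value is accepted as shorthand for <dir>/cacerts,
    which is how the stale default in the thread was written.
    """
    configured = json.loads(conf_json).get("caCertsPath", "")
    for path in (configured, os.path.join(configured, "cacerts")):
        if configured and isfile(path):
            return path, None
    for path in candidates:
        if isfile(path):
            return path, "caCertsPath %r does not exist; use %r" % (configured, path)
    return None, "no Java truststore found; caCertsPath was %r" % configured


def triage_log(log_text):
    """Extract the token-endpoint host and the two symptoms from the log."""
    host, pkix_failed, empty_token = None, False, False
    for line in log_text.splitlines():
        m = TOKEN_URL_RE.search(line)
        if m:
            host = urlparse(m.group(1)).hostname
        if PKIX_RE.search(line):
            pkix_failed = True
        if "tokenResponse : null" in line:
            empty_token = True
    return {"host": host, "pkix_failed": pkix_failed, "empty_token": empty_token}


def keytool_commands(truststore, passphrase, host, alias):
    """Commands to run by hand: list what is trusted, fetch the live chain, import it."""
    return [
        "keytool -list -keystore %s -storepass %s -alias %s" % (truststore, passphrase, alias),
        "openssl s_client -connect %s:443 -showcerts </dev/null" % host,
        "keytool -importcert -trustcacerts -noprompt -alias %s -file %s.pem -keystore %s -storepass %s"
        % (alias, host, truststore, passphrase),
    ]


def diagnose(conf_json, log_text, isfile=os.path.isfile):
    """Combine the config check and the log triage into one report."""
    truststore, problem = resolve_truststore(conf_json, isfile=isfile)
    findings = triage_log(log_text)
    passphrase = json.loads(conf_json).get("caCertsPassPhrase", "changeit")
    report = {"truststore": truststore, "config_problem": problem, "commands": []}
    report.update(findings)
    if findings["pkix_failed"] and truststore and findings["host"]:
        report["commands"] = keytool_commands(truststore, passphrase, findings["host"], findings["host"])
    return report


if __name__ == "__main__":
    # Simulate the thread's filesystem: only the Debian truststore exists.
    fake_fs = lambda p: p == "/etc/ssl/certs/java/cacerts"
    print(json.dumps(diagnose(SAMPLE_CONF, SAMPLE_LOG, isfile=fake_fs), indent=2))
```

Two caveats on the generated commands. The `-noprompt` import trusts whatever `openssl s_client` returned, so compare the fingerprint it prints against the one you expect from the Gluu host before importing; otherwise a man-in-the-middle on that hop would get its certificate pinned into the truststore. And because the JVM loads the truststore at startup, the `service gluu-server-2.4.3 stop`/`start` from Arun's update is still required after the import; the same `keytool -importcert` with a different `-file` and `-alias` is what the OpenDJ certificate needs.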