oxTrust wasn't allow to access user data

By: anish narang user 27 Oct 2016 at 2:14 a.m. CDT

9 Responses
anish narang gravatar
Im looking to setup Gluu IdP for SAML SSO with my own SSL certificate. I replaced the default httpd.crt and httpd.key and imported the cert into the keystore but end up with the error: ``` 2016-10-27 06:50:31,568 INFO [org.gluu.oxtrust.action.Authenticator] authorizationCode : 013133bb-8198-4e78-83ed-d9c5ca77d4d8 2016-10-27 06:50:31,568 INFO [org.gluu.oxtrust.action.Authenticator] scopes : user_name email openid profile 2016-10-27 06:50:31,568 INFO [org.gluu.oxtrust.action.Authenticator] clientID : @!1E4F.24F4.89E1.A9C4!0001!78F6.E964!0008!6301.C22B 2016-10-27 06:50:31,568 INFO [org.gluu.oxtrust.action.Authenticator] getting accessToken 2016-10-27 06:50:31,568 INFO [org.gluu.oxtrust.action.Authenticator] tokenURL : https://sso.idp.co/oxauth/seam/resource/restv1/oxauth/token 2016-10-27 06:50:31,572 INFO [org.gluu.oxtrust.action.Authenticator] Sending request to token endpoint 2016-10-27 06:50:31,573 INFO [org.gluu.oxtrust.action.Authenticator] redirectURI : https://sso.idp.co/identity/authentication/authcode 2016-10-27 06:50:31,665 ERROR [org.xdi.oxauth.client.TokenClient] Connection refused java.net.ConnectException: Connection refused at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:198) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) at java.net.Socket.connect(Socket.java:579) at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:637) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:524) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57) at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:182) at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:39) at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40) at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45) at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:444) at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:688) at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:572) at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:577) at org.xdi.oxauth.client.TokenClient.exec(TokenClient.java:306) at org.xdi.oxauth.client.TokenClient.execAuthorizationCode(TokenClient.java:112) at org.gluu.oxtrust.action.Authenticator.requestAccessToken(Authenticator.java:548) at org.gluu.oxtrust.action.Authenticator.oAuthGetAccessToken(Authenticator.java:536) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.jboss.seam.util.Reflections.invoke(Reflections.java:22) at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56) at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:79) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.core.SynchronizationInterceptor.aroundInvoke(SynchronizationInterceptor.java:35) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107) at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:196) at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:114) at org.gluu.oxtrust.action.Authenticator_$$_javassist_seam_45.oAuthGetAccessToken(Authenticator_$$_javassist_seam_45.java) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:335) at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:348) at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58) at org.jboss.el.parser.AstValue.invoke(AstValue.java:96) at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276) at org.jboss.seam.core.Expressions$2.invoke(Expressions.java:222) at org.jboss.seam.navigation.Page.preRender(Page.java:311) at org.jboss.seam.navigation.Pages.preRender(Pages.java:351) at org.jboss.seam.jsf.SeamPhaseListener.preRenderPage(SeamPhaseListener.java:565) at org.jboss.seam.jsf.SeamPhaseListener.beforeRenderResponse(SeamPhaseListener.java:476) at org.jboss.seam.jsf.SeamPhaseListener.beforeServletPhase(SeamPhaseListener.java:147) at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:117) at com.sun.faces.lifecycle.Phase.handleBeforePhase(Phase.java:228) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:99) at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:411) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338) at org.jboss.seam.web.RewriteFilter.process(RewriteFilter.java:98) at org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:57) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73) at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73) at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) 2016-10-27 06:50:31,670 ERROR [org.gluu.oxtrust.action.Authenticator] Get empty token response. User rcan't log into application ``` I get redirected to the login page but get this error on the frontend: 'Oops Something wrong happened. Login failed, oxTrust wasn't allow to access user data'. Is there anything else that needs to be changed for this apart from the httpd certs?
CentOS72
closed

Answers

By Mohib Zico Account Admin 27 Oct 2016 at 3:22 a.m. CDT

Copy
Mohib Zico gravatar
Please feel free to use our searching option available in support portal. This issue has been answered couple of time already. I believe you will be able to find out your answer there. If not let us know.

By anish narang user 27 Oct 2016 at 5:21 a.m. CDT

Copy
anish narang gravatar
I looked at the instructions given [here](https://support.gluu.org/outages/3175/oxtrust-wasnt-allow-to-access-user-data/)But this was for a SSL Handshake error. I followed the same steps of deleting self signed key and then importing the new key with the same alias. The error im getting is 'Connection Refused', so im unsure of how to proceed.

By Mohib Zico Account Admin 27 Oct 2016 at 5:36 a.m. CDT

Copy
Mohib Zico gravatar
Thanks, Anish. Someone will get back to you with more suggestion.

By Mohib Zico Account Admin 27 Oct 2016 at 6:12 a.m. CDT

Copy
Mohib Zico gravatar
Ok... Question time! - Have you restarted all services after applying new cert and key? - Have you imported your *HTTPD.DER* into cacerts?

By anish narang user 27 Oct 2016 at 7:16 a.m. CDT

Copy
anish narang gravatar
Yes to both. These are the steps I followed: ``` # Replaced the contents of httpd.crt and httpd.key with the new values # openssl x509 -in httpd.crt -outform der -out httpd.der # keytool -list -v -keystore /usr/java/latest/lib/security/cacerts -storepass changeit | grep -i '_httpd' # keytool -delete -alias your-instance-hostname_httpd -keystore /usr/java/latest/lib/security/cacerts \ -storepass changeit # keytool -import -alias your-instance-hostname_httpd --trustcacerts -file /etc/certs/httpd.der \ -keystore /usr/java/latest/lib/security/cacerts -storepass changeit # /sbin/gluu-server-2.4.4 restart ```

By Mohib Zico Account Admin 27 Oct 2016 at 7:50 a.m. CDT

Copy
Mohib Zico gravatar
Okay... Can you please paste _exactly_ commands and outputs from your terminal? Please do not change anything; I want to see how they are running. Also instead of "Replaced the contents of httpd.crt and httpd.key with the new values"; just rename your new key and cert as httpd.key and httpd.crt respectively and put them inside /etc/certs/ and move forward with others.

By Aliaksandr Samuseu staff 27 Oct 2016 at 8:19 a.m. CDT

Copy
Aliaksandr Samuseu gravatar
Hi, Anish. 1. Did you actually check that your instance was in operational state right after installation, or you proceeded to changing certificate right away? Could you log in to web UI before you changed certificate? 2. Could you provide the certificate you try to use for us to check? 3. Have you disabled SElinux on this machine?

By anish narang user 27 Oct 2016 at 11:17 p.m. CDT

Copy
anish narang gravatar
Hi guys. Ive got it working now. There was an issue with my .crt file. I had not added the intermediate certificate and the root CA'a certificate into a single file. Once I did that and followed the usual import steps, it worked. Thanks for the help - Anish

By Mohib Zico Account Admin 28 Oct 2016 at 3:46 a.m. CDT

Copy
Mohib Zico gravatar
>> I had not added the intermediate certificate and the root CA'a certificate into a single file. Primary installation of webserver cert basically do not depend on inter/root cert and there shouldn't be any problem installing primary certificate without interm/root cert. Interm/Root cert has separate section for installation.

Post an answer