By: Rhett Prichard user 28 Jul 2021 at 10:25 a.m. CDT

13 Responses
So we are a year into our production system, which runs 4.1. The certs in /etc/certs/oxauth-keys.jks have expired. The documentation for renewing these for 4.1 only covers SCIM, and not oxauth for some reason. The documentation for renewing these for 4.0 covers both oxauth and SCIM, but expects an oxauth json file which does not seem to exist in my production system. Could someone explain if 4.1 does not need a renewal and I'm having a totally separate issue, like an auto-renewal that is not working, or if I'm supposed to use the 4.0 instructions and the missing file is a separate issue to be resolved, or a third option I have not thought about? Thanks, Rhett

By Michael Schwartz Account Admin 28 Jul 2021 at 2:18 p.m. CDT

oxAuth does not have certificates... it uses bare keys. So they don't expire. What makes you think the certificate has expired?

By Rhett Prichard user 28 Jul 2021 at 5:29 p.m. CDT

The oxauth log said the items in the oxauth-keys.jks expired and could not be used. I found a reference to this being something that happened every year in 4.0. Is this no longer true in 4.1.1? I'll roll back and get you the exact error text.

By Rhett Prichard user 29 Jul 2021 at 10:55 a.m. CDT

Here is the message I had in the oxauth logs. The situation with the server is that I can log in, but all of our trusts except the OpenID one fail to log in. A SAML tracer shows that no information is being passed to the SP.

2021-07-27 23:54:42,816 ERROR [qtp1590550415-10264024] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:634) - Failed to get attributes from session
2021-07-27 23:57:13,997 WARN [qtp1590550415-10264104] [org.gluu.oxauth.model.crypto.AbstractCryptoProvider] (AbstractCryptoProvider.java:250) - WARNING! Key with alias: 0e8cc3d5-d366-43d6-a899-d7e18b7ebbdf_sig_rs256 Expires In: 1 days Expires On: 2021-07-29 01:53:56 Key Regeneration In: 2 days Today's Date: 2021-07-27 23:57:13
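The WARN line quoted above has a fixed shape, which makes it practical to watch for before signing breaks rather than after. The script below is an added example, not Gluu code: it parses AbstractCryptoProvider key-expiry warnings from oxauth log lines, reports the hours left on each key, and flags any key whose "Key Regeneration In" value is later than its "Expires In" value, because that is exactly the window in which the key can be unusable before the rotation job replaces it. Assumptions, labelled in the code: the alias suffix names the algorithm (kid_sig_alg), "Key Regeneration In" is when the next rotation runs, and the second WARN line in the sample log is constructed for illustration (only the first is from the thread).

```python
"""Scan oxAuth log lines for AbstractCryptoProvider key-expiry warnings.

Added example, not part of Gluu. Parses the WARN line format quoted in the
thread and flags keys that will expire before their scheduled regeneration.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Field names come from the log line quoted in the thread; the regex itself is ours.
KEY_WARN_RE = re.compile(
    r"^(?P<logged>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ WARN .*AbstractCryptoProvider.*?"
    r"Key with alias: (?P<alias>\S+) "
    r"Expires In: (?P<expires_in>-?\d+) days "
    r"Expires On: (?P<expires_on>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Key Regeneration In: (?P<regen_in>-?\d+) days "
    r"Today's Date: (?P<today>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


@dataclass
class KeyWarning:
    alias: str
    algorithm: str  # assumption: alias is "<kid>_sig_<alg>", so the suffix is the algorithm
    expires_on: datetime
    today: datetime
    expires_in_days: int
    regen_in_days: int

    @property
    def hours_left(self) -> float:
        return (self.expires_on - self.today).total_seconds() / 3600.0

    @property
    def expires_before_regeneration(self) -> bool:
        # Assumption: "Key Regeneration In" is when the rotation job next runs.
        # If that is after expiry, there is a gap with no valid signing key.
        return self.regen_in_days > self.expires_in_days


def parse_key_warning(line: str) -> Optional[KeyWarning]:
    """Return a KeyWarning for an AbstractCryptoProvider WARN line, else None."""
    m = KEY_WARN_RE.search(line)
    if not m:
        return None
    alias = m.group("alias")
    return KeyWarning(
        alias=alias,
        algorithm=alias.rsplit("_", 1)[-1] if "_" in alias else "",
        expires_on=datetime.strptime(m.group("expires_on"), TS_FMT),
        today=datetime.strptime(m.group("today"), TS_FMT),
        expires_in_days=int(m.group("expires_in")),
        regen_in_days=int(m.group("regen_in")),
    )


def scan_log(lines: Iterable[str], warn_within_days: int = 7) -> List[KeyWarning]:
    """Keys expiring within warn_within_days, one entry per alias (latest line wins)."""
    latest: Dict[str, KeyWarning] = {}
    for line in lines:
        w = parse_key_warning(line)
        if w is not None and w.expires_in_days <= warn_within_days:
            latest[w.alias] = w
    return sorted(latest.values(), key=lambda w: w.expires_on)


# Constructed sample: first two lines are from the thread, the third is made up.
SAMPLE_LOG = """\
2021-07-27 23:54:42,816 ERROR [qtp1590550415-10264024] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:634) - Failed to get attributes from session
2021-07-27 23:57:13,997 WARN [qtp1590550415-10264104] [org.gluu.oxauth.model.crypto.AbstractCryptoProvider] (AbstractCryptoProvider.java:250) - WARNING! Key with alias: 0e8cc3d5-d366-43d6-a899-d7e18b7ebbdf_sig_rs256 Expires In: 1 days Expires On: 2021-07-29 01:53:56 Key Regeneration In: 2 days Today's Date: 2021-07-27 23:57:13
2021-07-27 23:57:14,101 WARN [qtp1590550415-10264104] [org.gluu.oxauth.model.crypto.AbstractCryptoProvider] (AbstractCryptoProvider.java:250) - WARNING! Key with alias: 11111111-2222-3333-4444-555555555555_sig_es256 Expires In: 30 days Expires On: 2021-08-27 01:53:56 Key Regeneration In: 2 days Today's Date: 2021-07-27 23:57:13
"""

if __name__ == "__main__":
    for w in scan_log(SAMPLE_LOG.splitlines()):
        state = "EXPIRES BEFORE REGENERATION" if w.expires_before_regeneration else "ok"
        print(f"{w.alias} ({w.algorithm}) expires {w.expires_on} in {w.hours_left:.1f}h; "
              f"rotation in {w.regen_in_days}d -> {state}")
```

Run it against a copy of oxauth.log (for example `scan_log(open("/opt/gluu/jetty/oxauth/logs/oxauth.log"))`, path as an assumption) from cron and alert on any flagged key; the thread's own line is flagged because expiry (1 day) precedes regeneration (2 days).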

By Michael Schwartz Account Admin 29 Jul 2021 at 11:34 a.m. CDT

@Mobarak Hosen.Shakil can you take a look at this and make sure how to deal with this is addressed in the Gluu docs?

By Rhett Prichard user 29 Jul 2021 at 11:40 a.m. CDT

The key 0e8cc3d5-d366-43d6-a899-d7e18b7ebbdf_sig_rs256 exists in the oxauth-keys.jks and only the oxauth log saw the error, so it was my assumption that the keys had expired.

By Rhett Prichard user 29 Jul 2021 at 11:46 a.m. CDT

I have returned to my original oxauth-keys.jks and the LDAP settings to match it. I have deactivated and reactivated my test trust, since previously I was not able to get any attributes to show up inside the request sent to that trust. I am still able to log in via a request for OpenID, but not when I use a link that requests a SAML login for Tableau (local network service) or several of the external vendors' services. The SAML responses seem well formed, with an audience and dates, but no attributes are sent even though there are attributes assigned to the trust.

By Michael Schwartz Account Admin 29 Jul 2021 at 11:59 a.m. CDT

BTW, did you check the docs regarding [generating cryptographic keys](https://gluu.org/docs/gluu-server/4.2/admin-guide/certificate/#generating-cryptographic-keys)?

By Rhett Prichard user 29 Jul 2021 at 12:08 p.m. CDT

OK, so I do need to renew the keys? Assuming that I do update the oxauth-keys.jks according to the instructions you have sent, do I need to update the LDAP information to match, similar to the 4.0 instructions, or is updating the oxauth-keys.jks by itself enough?

By Michael Schwartz Account Admin 29 Jul 2021 at 12:11 p.m. CDT

I'm not sure. I assigned the ticket to @Mobarak Hosen.Shakil. There is no SLA on community support. He'll look into it. If you need priority support, you should look into getting a VIP support contract.

By Rhett Prichard user 29 Jul 2021 at 12:18 p.m. CDT

Thank you for the info, I was more trying to understand if you were asking a question or telling me that the document was the answer.

By Mobarak Hosen Shakil staff 29 Jul 2021 at 12:52 p.m. CDT

Hi Rhett Prichard, I will look into it and will get back to you. Thanks & Regards ~ Shakil

By Rhett Prichard user 29 Jul 2021 at 1:21 p.m. CDT

@Michael how do I find out about a VIP support contract? Can I pay for a one-time issue to be helped with, or is it only a subscription?

By Davin Cooke staff 29 Jul 2021 at 4:51 p.m. CDT

Spoke to Rhett. Having trouble pinpointing the cause of the error. Referred him to a partner, who will reach out as school starts in a couple of weeks. Rhett needs a way to consolidate the logs and determine the cause. Issue started after a reboot of the service.