By: Levente Kintzel user 03 Dec 2020 at 3:36 a.m. CST

4 Responses
Hello,

I'm using `Gluu Server 4.2`, dockerized version, on `Ubuntu 20.04 LTS`. I activated `Shibboleth IDP` in my `settings.py` as I need `SAML`. I configured a `Trust Relationship` as described in the docs; however, when I was calling an SP link I landed on the Gluu Shibboleth IdP error page. Checking the `idp_process.log` file, it turned out that the SP metadata was not found by the IdP. I checked the IdP container and the log was right: no SP metadata was copied there and the `metadata-provider.xml` was also unchanged. I checked the `oxTrust` logs and container; the logs said that the config files were successfully generated, and I also found them in the container.

I found documentation about the Gluu 4.0 dockerized version, where I found that the migration of config files from `oxTrust` to `oxShibboleth` was done through some volumes configured for the containers plus a `shibwatch` script. Starting from version 4.2 this script is missing and it was replaced by the `jca_sync.py` script. I did not find documentation for the dockerized version 4.2 similar to what existed for 4.0, but checking the script source I realized that my Jackrabbit container was not started. So I went back and added it to my `settings.py`. After `Jackrabbit` had successfully started I turned `GLUU_DOCUMENT_STORE_TYPE` to `JCA`. After that I saw in the logs that a synchronization process is happening. However, as far as I see, the `oxShibboleth` container is syncing `/opt/shibboleth-idp` but `oxTrust` is syncing `opt/gluu/jetty/identity/custom`, so I can't see how the generated configs are transferred to `oxShibboleth`.

Do I need to configure something else, or are these steps described somewhere? Or maybe you can help me understand what I'm doing wrong.

Many thanks.
Best regards,
Levi

By Isman Firmansyah staff 03 Dec 2020 at 11:19 a.m. CST

Hi Levente,

> So I went back and added it to my settings.py. After Jackrabbit had successfully started I turned GLUU_DOCUMENT_STORE_TYPE to JCA. After that I saw in the logs that a synchronization process is happening.

I see that you're modifying `settings.py` with the following addition:

```
SVC_JACKRABBIT = True
DOCUMENT_STORE_TYPE = "JCA"
```

Once the `jackrabbit` container is up, you need to modify the Store Provider Configuration via the oxTrust UI:

- visit the `Configuration > JSON Configuration > Store Provider Configuration` page on oxTrust
- change Document store Type from `LOCAL` to `JCA`
- change Password to the Jackrabbit password defined in the `jackrabbit_admin_password` file (if this file is empty, by default it is set to `admin`)
- hit the Save Configuration button
- restart the oxTrust container

After the oxTrust container has restarted, you can check whether IDP files are saved in Jackrabbit by visiting `http://$JACKRABBIT_CONTAINER_IP:8080/repository/default/opt/shibboleth-idp/` (username `admin` and password `admin`). Wait for about 5 minutes and double check that files are pulled into the oxshibboleth container by running `docker exec oxshibboleth ls /opt/shibboleth-idp/metadata`.

> However, as far as I see, the oxShibboleth container is syncing /opt/shibboleth-idp but oxTrust is syncing opt/gluu/jetty/identity/custom, so I can't see how the generated configs are transferred to oxShibboleth.

Starting with v4.2, the oxtrust and oxshibboleth containers don't sync files directly. The workflow is:

- oxtrust generates files and saves them into jackrabbit
- oxshibboleth pulls files from jackrabbit

Hope this answers your questions.

Thanks,

By Levente Kintzel user 04 Dec 2020 at 3:42 p.m. CST

Thank you very much for the quick answer and support. Following your guidance, I now have the metadata present in the Shibboleth IDP container. In the oxTrust web UI just the Jackrabbit admin password had to be reset to `admin`. Is there any way during install to adjust this without needing to do this explicitly in the UI?

OK, so the metadata is present in `oxshibboleth`, but the existing files in the `conf` directory are still the old ones. Because the `metadata-providers.xml` is still the old one, the new metadata is not taken into consideration.

I played a bit with it and figured out that at the end of the day the command `rclone copy jackrabbit:opt/shibboleth-idp opt/shibboleth-idp --create-empty-src-dirs --ignore-size` is run in the `oxshibboleth` container. That command creates the new files that are not present at the destination, but existing files are ignored, not sure why. I checked the file details in `jackrabbit` using the command `rclone lsl jackrabbit:opt/shibboleth-idp`. Basically that should display the modified date of the files, but for `metadata-providers.xml` it displays the creation date; maybe that's the reason it does not get updated? When using the copy command without the `--ignore-size` flag for a `metadata-providers.xml` file, the copy command updated the `metadata-providers.xml` if the file size is different.

Probably the situation is the same with other files from the `conf` directory: `attributes-filter.xml`, `attribute-resolver.xml` etc. Can we somehow have these correctly synced as well?

Thanks in advance,
Regards,
Levi
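A content-based drift check for the stale-`conf` symptom described in the post above, as an added example that is not part of the thread or of Gluu's code. The function names, file contents and directories are hypothetical, and the sample trees are constructed.

```shell
# Added example, not Gluu's code. Function and directory names are hypothetical.

# tree_drift SRC DST: print one line per file under SRC that DST lacks or
# holds with different content; exit status 1 when anything is reported.
#   MISSING           in SRC, absent from DST
#   STALE             content differs and modification times differ
#   STALE-SAME-MTIME  content differs but modification times are equal, so a
#                     comparison based on modtime alone would see no change
tree_drift() (
    src=$1 dst=$2
    report=$(find "$src" -type f | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$src"/}
        t=$dst/$rel
        if [ ! -f "$t" ]; then
            echo "MISSING $rel"
        elif ! cmp -s "$f" "$t"; then
            if [ "$f" -nt "$t" ] || [ "$t" -nt "$f" ]; then
                echo "STALE $rel"
            else
                echo "STALE-SAME-MTIME $rel"
            fi
        fi
    done)
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
)

# Constructed sample trees (not real Gluu data) reproducing the symptom.
demo_drift() (
    tmp=$(mktemp -d) || exit 2
    s=$tmp/src d=$tmp/dst
    mkdir -p "$s/conf" "$s/metadata" "$d/conf"
    # Different content and size, identical modification time.
    echo '<MetadataProvider id="old"/>' > "$d/conf/metadata-providers.xml"
    echo '<MetadataProvider id="with-new-sp"/>' > "$s/conf/metadata-providers.xml"
    touch -r "$d/conf/metadata-providers.xml" "$s/conf/metadata-providers.xml"
    # Identical file: must not be reported.
    echo '<AttributeResolver/>' > "$s/conf/attribute-resolver.xml"
    cp -p "$s/conf/attribute-resolver.xml" "$d/conf/"
    # Different content, destination copy older than the reference.
    echo '<RelyingParty v="2"/>' > "$s/conf/relying-party.xml"
    echo '<RelyingParty v="1"/>' > "$d/conf/relying-party.xml"
    touch -t 202012010000 "$d/conf/relying-party.xml"
    # Present only in the reference tree.
    echo '<EntityDescriptor/>' > "$s/metadata/sp.xml"
    rc=0
    tree_drift "$s" "$d" || rc=$?
    rm -rf "$tmp"
    exit "$rc"
)
```

To use it against a real deployment, point `SRC` at a scratch copy of the Jackrabbit tree and `DST` at a copy of the container's `/opt/shibboleth-idp` (for example one taken with `docker cp`); a `STALE-SAME-MTIME` line for `conf/metadata-providers.xml` means the IdP is still evaluating the old trust configuration.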

By Isman Firmansyah staff 07 Dec 2020 at 9:21 a.m. CST

> Is there any way during install to adjust this without needing to do this explicitly in the UI?

Yes, configure them from a fresh deployment.

> Can we somehow have these correctly synced as well?

We will take a look.

Thanks,

By Isman Firmansyah staff 15 Dec 2020 at 11:28 p.m. CST

We have identified the issue and patches will be available in the upcoming 4.2.2 official release. Thanks.