Cannot login into with amadmin after site configuration

This topic has 16 replies, 2 voices, and was last updated 4 years, 7 months ago by indira.

#16225
     indira
    Participant

    Hi Guys,

    I'm trying to add a second instance of OpenAM configuration to the already configured OpenAM instance. I give the cookie domain scope for my instance as .compute-1.amazonaws.com. Configuration works fine with no errors, and then I get into an infinite loop. It always throws invalid username/password. I tried giving the full FQDN, host domains, but nothing works.

    Thanks,
    Indira P

    #16226
     indira
    Participant

    I'm configuring my OpenAM instances on Amazon AWS, and installing separate instances works fine; I get into the issue only when I try to add a second instance to an existing deployment.

    #16227
     indira
    Participant

    Can we set up session failover after configuring two separate OpenAM standalone instances? I mean after configuration of two separate instances?

    #16228
     Scott Heger
    Participant

    The issue is that you are using the amazonaws.com domain name, which is a top-level domain (TLD). Per https://backstage.forgerock.com/docs/openam/13.5/install-guide#chap-prepare-install:

    Do not configure a top-level domain as your cookie domain as browsers will reject them.
    Top-level domains are browser-specific. Some browsers, like Firefox, also consider special domains like Amazon’s web service (for example, ap-southeast-2.compute.amazonaws.com) to be a top-level domain.
    Check the effective top-level domain list at https://publicsuffix.org/list/effective_tld_names.dat to ensure that you do not set your cookie to a domain in the list.

    For AWS I will create CNAMEs with my own DNS domain name for my instances and configure OpenAM with those.

    #16232
     indira
    Participant

    Thanks @shegergmail-com.

    But how do I configure the CNAME for AWS? AWS has a public DNS and a private DNS (i.e. the hostname). I can change the persistent hostname, but how can I change the public DNS?

    #16241
     Scott Heger
    Participant

    You won’t change the AWS public DNS, you will just create a CNAME in your own DNS domain that points to the AWS public DNS name.

    #16267
     indira
    Participant

    Thanks @shegergmail-com,

    Is there any other way to get around this problem?

    #16280
     Scott Heger
    Participant

    What is the cookie domain of the already configured instance?

    #16281
     indira
    Participant

    .compute-1.amazonaws.com

    #16282
     Scott Heger
    Participant

    And you are able to log in with no issue to that instance?

    #16283
     indira
    Participant

    Yes

    #16284
     Scott Heger
    Participant

    That doesn’t seem right. The “.compute-1.amazonaws.com” is a top-level domain and as such many browsers prevent cookies being set in those domains. I just verified this with an instance I just created in EC2-Classic.

    Can you do a header trace (with something like LiveHTTPHeaders) of a login process to the instance that is working? I’d like to see the cookies that are being created.

    #16285
     Scott Heger
    Participant

    Paste the relevant header trace in here please.

    #16286
     indira
    Participant

    Hi,

    I configured with defaults:

    GET /openam/XUI/templates/admin/views/realms/RealmsTableTemplate.html?v=13.5.0 HTTP/1.1
    Host: ec2-34-193-116-161.compute-1.amazonaws.com:8080
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Referer: http://ec2-34-193-116-161.compute-1.amazonaws.com:8080/openam/XUI/
    Cookie: i18next=en-US; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4Sfcx_1TGQBCuUhWjeFNGBhqvCeZ0Aw-34xbI.*AAJTSQACMDMAAlNLABQtMjgxMDEzNzc4OTIxMTEzOTIwNQACUzEAAjAx*
    Connection: keep-alive

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Cache-Control: public, max-age=2592000
    Accept-Ranges: bytes
    Etag: W/"2047-1468414490000"
    Last-Modified: Wed, 13 Jul 2016 12:54:50 GMT
    Content-Type: text/html
    Content-Length: 2047
    Date: Wed, 15 Mar 2017 20:05:08 GMT
    ———————————————————-
    http://detectportal.firefox.com/success.txt

    GET /success.txt HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: */*

    #16298
     Scott Heger
    Participant

    When I set mine up the default cookie domain that OpenAM chose was the full FQDN (host based). If you look at the cookies in your browser (or if you paste the header trace of the login response where the cookie is being set) you will probably find that your cookie domain on your first instance is ec2-34-193-116-161.compute-1.amazonaws.com and not .compute-1.amazonaws.com.

    What you could try is before you set up your second instance, go into the first and add the second host FQDN as a cookie domain to your config. See if that allows the second instance to work.

    But, given that you are setting up multiple instances, did you choose to configure a site? If so, what is the FQDN of your site URL? You would also want to add the domain of that URL as a valid cookie domain as well. With all that then you would have three cookie domains, one for each individual host, and one for the site URL.

    As mentioned earlier in this thread, I wouldn’t do things this way but rather configure my own DNS names for my AWS instances and set my cookie domains in my own domain. That prevents having to jump through these hoops when using the compute-1.amazonaws.com domain in your configuration.
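The two rules this thread turns on, the public suffix list check from the install guide quoted above and the cookie domain-matching that decides whether one cookie can cover two hosts or a site URL, as an added example that is not part of this thread or of OpenAM. The PSL_EXCERPT is a constructed excerpt in the list's own syntax and the hostnames in the demo are taken from the thread or are example.com placeholders.

```python
# Added example (not OpenAM/ForgeRock code): what a browser does with a cookie
# Domain attribute, per the public suffix algorithm (publicsuffix.org) and
# RFC 6265 section 5.3. PSL_EXCERPT is a constructed excerpt in the list's own
# syntax; load the full effective_tld_names.dat in practice.
PSL_EXCERPT = """
// constructed excerpt modelled on the list's Amazon EC2 rules
com
compute.amazonaws.com
*.compute.amazonaws.com
compute-1.amazonaws.com
*.compute-1.amazonaws.com
"""


def parse_psl(text):
    """Return the rules, dropping '//' comments and blank lines."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("//")]


def public_suffix(domain, rules):
    """Longest matching rule wins; '*' matches one label; '!' rules win."""
    labels = domain.lower().strip(".").split(".")
    best = (False, 1)  # implicit '*' rule: with no other match the TLD is the suffix
    for rule in rules:
        exc, parts = rule.startswith("!"), rule.lstrip("!").split(".")
        if len(parts) <= len(labels) and all(
                p in ("*", l) for p, l in zip(parts, labels[-len(parts):])):
            best = max(best, (exc, len(parts)))  # (is_exception, label count)
    n = best[1] - 1 if best[0] else best[1]  # an exception keeps one label fewer
    return ".".join(labels[-n:])


def cookie_outcome(host, cookie_domain, rules):
    """RFC 6265 5.3 steps 5-6 for 'Set-Cookie: ...; Domain=cookie_domain' sent by
    host: 'shared' (all hosts under the domain), 'host-only' (Domain ignored)
    or 'rejected' (browser drops the cookie)."""
    host, cd = host.lower().rstrip("."), cookie_domain.lower().strip(".")
    if public_suffix(cd, rules) == cd:
        return "host-only" if cd == host else "rejected"
    return "shared" if host == cd or host.endswith("." + cd) else "rejected"


if __name__ == "__main__":
    rules = parse_psl(PSL_EXCERPT)
    ec2 = "ec2-34-193-116-161.compute-1.amazonaws.com"  # host from this thread
    print(cookie_outcome(ec2, ".compute-1.amazonaws.com", rules))   # rejected
    print(cookie_outcome(ec2, ec2, rules))                          # host-only
    print(cookie_outcome("am1.example.com", ".example.com", rules))  # shared
```

The first call reproduces the login loop (the cookie is never stored, so every request looks unauthenticated), the second shows why the default per-host cookie domain on the first instance still works, and the third is the CNAME-in-your-own-domain setup Scott recommends.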

Viewing 15 posts - 1 through 15 (of 17 total)