J2EE agent 5.5.1.0 and WebSocket connection failure

This topic contains 8 replies, has 2 voices, and was last updated by tschoeller 1 month, 1 week ago.

    #24902
     tschoeller 
    Participant

    I’m running AM 5.5.1 with the j2ee agent 3.5.1 and am trying
    to upgrade the agent to 5.5.1.0 and the agent is getting an
    error upgrading to a WebSocket during an idp-initiated SSO.
    The logs indicate the SSO portion was successful, but the
    agent log is getting:

    WARNING: Failed to create new WebSocket connection, backing off
    org.forgerock.agents.notifications.websocket.WebSocketConnectionException: Failed to create connection
    at org.forgerock.agents.notifications.websocket.WebSocketConnectionImpl.<init>(WebSocketConnectionImpl.java:101)

    Caused by: javax.websocket.DeploymentException: The HTTP response from the server [404] did not permit the HTTP upgrade to WebSocket
    at org.apache.tomcat.websocket.WsWebSocketContainer.connectToServerRecursive(WsWebSocketContainer.java:435)

    The request looks like:

    <entry method="GET" url="http://foo.bar.com:8081/openam/notifications">

    <result>404</result>

    <headers>
    <requestheaders>
    <header>GET /openam/notifications HTTP/1.1</header>
    <header>Sec-WebSocket-Key: c30…yVLw==</header>
    <header>Connection: upgrade</header>
    <header>Sec-WebSocket-Version: 13</header>
    <header>Host: foo.bar.com:8081</header>
    <header>Upgrade: websocket</header>
    <header>iPlanetDirectoryPro2: GoMM_WFTzNgvLp3bwUjoKslXYkA.*AAJTSQA…*</header>
    <header>Sec-WebSocket-Protocol: v1.notifications.forgerock.org</header>
    </requestheaders>
    </headers>

    </entry>

    8081 is the port for the Tomcat with AM.
    8080 is the port for the Tomcat with the j2ee agent.

    Using the older agent, 3.5.1, allowed the SSO to complete without
    running into this error.

    Windows 10 (amd64)
    AM 5.5.1
    j2ee agent 5.5.1.0
    Apache Tomcat 8.5.35.0
    JVM Version 1.8.0_60-b27
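The exception in the post comes from Tomcat's client-side handshake: it sends the `Upgrade: websocket` request shown above and refuses to continue unless the server answers with `101 Switching Protocols` plus the RFC 6455 response headers. The following is an added example, not code from the post or from the ForgeRock agent; it re-implements those client-side checks so a captured response (from a HAR, a proxy log, or a raw socket capture) can be classified as "upgrade permitted" or not, and says why. The sample responses are constructed; the `Sec-WebSocket-Key` is the one used in RFC 6455 section 1.3.

```python
"""Check whether an HTTP response permits the WebSocket upgrade a client asked for.

Added example for this thread (not ForgeRock agent code). It re-implements the
RFC 6455 client-side handshake checks that a WebSocket client such as Tomcat's
WsWebSocketContainer applies before reporting that the response "did not permit
the HTTP upgrade to WebSocket". Sample responses below are constructed.
"""
import base64
import hashlib
from typing import Dict, List, Optional, Tuple

# Fixed GUID from RFC 6455 section 4.2.2, appended to the client key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept value the server must return for the client's key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status code, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status_code, headers


def check_upgrade(raw_response: str, client_key: str,
                  subprotocol: Optional[str] = None) -> List[str]:
    """Return the reasons the upgrade is NOT permitted; an empty list means handshake OK."""
    status, h = parse_response(raw_response)
    problems: List[str] = []
    if status != 101:
        # The thread's case: AM answered 404 where only 101 is acceptable.
        problems.append(f"status {status} instead of 101 Switching Protocols")
        return problems  # the remaining header checks are meaningless without a 101
    if h.get("upgrade", "").lower() != "websocket":
        problems.append("missing or wrong Upgrade header")
    if "upgrade" not in h.get("connection", "").lower():
        problems.append("Connection header does not contain 'upgrade'")
    if h.get("sec-websocket-accept") != expected_accept(client_key):
        problems.append("Sec-WebSocket-Accept does not match the client key")
    if subprotocol and h.get("sec-websocket-protocol") != subprotocol:
        problems.append(f"server did not select subprotocol {subprotocol}")
    return problems


# Constructed samples. SAMPLE_KEY is the example key from RFC 6455 section 1.3.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SUBPROTOCOL = "v1.notifications.forgerock.org"

GOOD_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    f"Sec-WebSocket-Accept: {expected_accept(SAMPLE_KEY)}\r\n"
    f"Sec-WebSocket-Protocol: {SUBPROTOCOL}\r\n"
    "\r\n"
)
# What the agent in this thread saw: the notifications endpoint is not served at all.
NOT_FOUND_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Length: 1098\r\n"
    "\r\n"
    "<html>...</html>"
)
# A 101 whose hop-by-hop headers were dropped, e.g. by a reverse proxy that is not
# configured to pass WebSocket upgrades (constructed to show the non-404 failure mode).
PROXY_STRIPPED_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Connection: close\r\n"
    f"Sec-WebSocket-Accept: {expected_accept(SAMPLE_KEY)}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, resp in (("good", GOOD_RESPONSE), ("not_found", NOT_FOUND_RESPONSE),
                       ("proxy_stripped", PROXY_STRIPPED_RESPONSE)):
        print(name, "->", check_upgrade(resp, SAMPLE_KEY, SUBPROTOCOL) or "upgrade permitted")
```

A 404 before any header check is the signature of "the endpoint is not there" (wrong context path, wrong port, or the server in front of AM not routing `/openam/notifications`), which is a different problem from a proxy that reaches AM but strips the `Upgrade`/`Connection` headers; the function distinguishes the two.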

    #25019
     william.hepler 
    Participant

    The WebSocket connection for J2EE isn’t as important as it is to WPA, but it should still be allowed.

    Is your agent pointing to a LB in front of AM? Check if websocket connections can be enabled and supported, or as a test point the agent directly at one AM instance.

    https://backstage.forgerock.com/docs/openam-jee-policy-agents/5.5/java-agents-guide/#proc-configure-reverse-proxy

    But in my experience J2EE agent just gets Configuration updates through websockets, I’ve broken Tomcat before and had general login function, WPA though uses websockets more extensively.

    The other big difference with Agent 3.5x and 5.x is the new agent will try to send you back to the global realm. You may be failing if you are trying to authenticate to a specific realm.

    https://backstage.forgerock.com/docs/openam-jee-policy-agents/5.5/java-agents-guide/#j2ee-agent-login-url-properties

    As an example:
    org.forgerock.openam.agents.config.conditional.login.url[1]=myapp.domain.com|https://openam2.example.com/openam/oauth2/authorize?realm=sales

    Can you provide more details on the example, or the behavior to understand where this is failing?

    #25020
     tschoeller 
    Participant

    Thanks. Guess I got some more reading to do. I do not have an LB. From what I can tell from the logs, the idp does send over the sso and the logs on the sp say that the sso is successful. I’m just trying to align all the log files, time-stamp-wise, to get the full picture as to when things stop working. I’ve tried curl to get a token and poke directly at AM notifications endpoint and still get the 404. I’ll keep reading.

    #25023
     tschoeller 
    Participant

    I’m not seeing what I need in the Redirection and Conditional Redirection chapter. The situation I have is that I have already logged in at the idp (another machine in my COT) and I’m being sent to my sp, so I should already be “logged in.” So, I don’t think I need redirections to a login page. With the 3.5 agent, I was dropped into my application as already having been authenticated.

    #25029
     william.hepler 
    Participant

    Are you expecting to go to a specific realm or the global realm? Agent 5.x will by default try the global realm, the older agents would follow the realm defined.

    A HAR of the client flow would help to see what URL the Agent is directing you to. There should be an oauth authorize call (oauth2/authorize). Agent 5.x is an OAUTH agent, so if you have a token already you would still need to be upgraded to an OAUTH Token. This may be where you’re getting redirected to a different realm and then failing.

    As a test you could also try with the Custom login since this would use a session cookie.

    #25069
     tschoeller 
    Participant

    My agent is configured to the global realm. Don’t know what HAR is, but here is a trace around the 404:

    "GET /openam/Consumer/metaAlias/subRealm/sp…
    "GET /openam/isAlive.jsp HTTP/1.1" 200 113
    "GET /openam/json/serverinfo/* HTTP/1.1" 200 482
    "POST /openam/json/realms/root/authenticate… HTTP/1.1" 200 151
    "GET /openam/json/serverinfo/version HTTP/1.1" 200 176
    "GET /openam/json/realms/root/agents/j2eeAgent HTTP/1.1" 200 10859
    "GET /openam/notifications HTTP/1.1" 404 1098
    "GET /openam/isAlive.jsp HTTP/1.1" 200 113
    "GET /openam/notifications HTTP/1.1" 404 1098
    "GET /openam/notifications HTTP/1.1" 404 1098
    "GET /openam/notifications HTTP/1.1" 404 1098
    "GET /openam/notifications HTTP/1.1" 404 1098
    "GET /openam/notifications HTTP/1.1" 404 1098
    "GET /openam/notifications HTTP/1.1" 404 1098
    "GET /openam/notifications HTTP/1.1" 404 1098
    "GET /openam/oauth2/authorize… HTTP/1.1" 302 -

    #25073
     william.hepler 
    Participant

    The concern is not where the agent exists, it’s where your user will authenticate.

    Will your user authenticate to a specific realm? We can’t see the full IDP call to see if it’s to a specific realm.

    By default the Agent will send the user to the global realm for the oauth2/authorize call. If you want the user to authenticate to a specific realm you would need a conditional login URL, as an example:
    org.forgerock.openam.agents.config.conditional.login.url[1]=myapp.domain.com|https://openam2.example.com/openam/oauth2/authorize?realm=sales
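The two replies above (the first mention of the conditional login URL property and this one) explain the same mechanism: each `conditional.login.url[n]` property pairs a condition with the authorize URL the agent should redirect to, and the `realm` query parameter of that URL decides which AM realm the user authenticates in, with the global realm as the default. The following added example is mine, not code from the poster or from the ForgeRock agent; it parses such properties and reports, for a given request, which URL and realm the agent would use. The matching rule it applies is an assumption made for illustration (a rule matches when its condition string occurs in the requested host plus path, the lowest index wins, and a request matching no rule falls back to the default global-realm authorize URL); the properties and request URLs are constructed, with the first rule copied from the reply above.

```python
"""Resolve which AM login URL (and therefore which realm) a Java agent would
redirect a request to, from its conditional login URL properties.

Added example for this thread, not ForgeRock agent code. The property format
(index in brackets, then `condition|URL`) is the one quoted in the reply. The
matching rule is an ASSUMPTION for illustration: substring match of the
condition against host+path, lowest index wins, default URL otherwise.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

COND_KEY = re.compile(
    r"^org\.forgerock\.openam\.agents\.config\.conditional\.login\.url\[(\d+)\]$"
)


def parse_conditional_rules(properties: str) -> List[Tuple[int, str, str]]:
    """Return (index, condition, url) triples from properties text, sorted by index."""
    rules: List[Tuple[int, str, str]] = []
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or not a key=value line
        key, value = line.split("=", 1)
        match = COND_KEY.match(key.strip())
        if not match:
            continue  # some other agent property
        if "|" not in value:
            raise ValueError(f"rule {key.strip()} lacks the 'condition|url' separator")
        condition, url = value.strip().split("|", 1)
        rules.append((int(match.group(1)), condition.strip(), url.strip()))
    return sorted(rules)


def resolve_login_url(properties: str, request_url: str, default_url: str) -> str:
    """Login URL the agent would redirect `request_url` to (assumed matching rule)."""
    parsed = urlparse(request_url)
    target = parsed.netloc + parsed.path
    for _, condition, url in parse_conditional_rules(properties):
        if condition in target:  # assumed: condition is a substring of host+path
            return url
    return default_url


def realm_of(login_url: str) -> str:
    """Realm the login URL sends the user to; '/' (global) when no realm parameter."""
    query = parse_qs(urlparse(login_url).query)
    return query.get("realm", ["/"])[0]


# Constructed agent properties; rule [1] is the one quoted in the reply above.
SAMPLE_PROPERTIES = """
# hypothetical agent bootstrap fragment
org.forgerock.openam.agents.config.conditional.login.url[1]=myapp.domain.com|https://openam2.example.com/openam/oauth2/authorize?realm=sales
org.forgerock.openam.agents.config.conditional.login.url[0]=hr.domain.com/payroll|https://openam2.example.com/openam/oauth2/authorize?realm=hr
"""
# Assumed default: the global-realm authorize endpoint the agent uses when no rule matches.
DEFAULT_AUTHORIZE = "https://openam2.example.com/openam/oauth2/authorize"

if __name__ == "__main__":
    for req in ("http://myapp.domain.com/index.jsp",
                "http://hr.domain.com/payroll/",
                "http://other.domain.com/app"):
        url = resolve_login_url(SAMPLE_PROPERTIES, req, DEFAULT_AUTHORIZE)
        print(f"{req} -> realm {realm_of(url)} via {url}")
```

Running it prints one line per constructed request: the two hosts with rules resolve to the `sales` and `hr` realms, and the unmatched host falls through to the default URL, whose realm reports as `/`, i.e. the global realm the replies describe as the 5.x default.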

    #25075
     tschoeller 
    Participant

    At the idp, I do log into a specific realm:

    GET http://idp.example.com/openam-bapp/saml2/jsp/idpSSOInit.jsp
    ?metaAlias=/subRealm/idp
    &spEntityID=http%3A%2F%2Fsp.example.com%3A8081%2Fopenam
    &RelayState=http%3A%2F%2Fsp.example.com%3A80%2FmyAppLogin%2F
    GET http://idp.example.com/openam-bapp/UI/Login
    ?realm=/subRealm
    &spEntityID=http://sp.example.com:8081/openam
    &goto=http://idp.example.com/openam-bapp/saml2/jsp/idpSSOInit.jsp
    ?metaAlias%3D/subRealm/idp%26spEntityID%3Dhttp%253A%252F%252Fsp.example.com%253A8081%252Fopenam%26RelayState%3Dhttp%253A%252F%252Fsp.example.com%253A80%252FmyAppLogin%252F%26redirected%3Dtrue

    POST http://idp.example.com/openam-bapp/json/realms/root/realms/subRealm/authenticate
    ?spEntityID=http://sp.example.com:8081/openam
    &goto=http://idp.example.com/openam-bapp/saml2/jsp/idpSSOInit.jsp
    ?metaAlias%3D/subRealm/idp%26spEntityID%3Dhttp%253A%252F%252Fsp.example.com%253A8081%252Fopenam%26RelayState%3Dhttp%253A%252F%252Fsp.example.com%253A80%252FmyAppLogin%252F%26redirected%3Dtrue

    GET http://sp.example.com/openam/Consumer/metaAlias/subRealm/sp
    ?SAMLart=AAQAAChOBxQSTh5H/i5BYiColedpuBvNeTVF2zo9eriO9wT2Bkqu9g3lMDE%3D
    &RelayState=http://sp.example.com:80/myAppLogin/
    GET http://sp.example.com/myAppLogin/
    GET http://sp.example.com:8081/openam/isAlive.jsp
    GET http://sp.example.com:8081/openam/json/serverinfo/*
    POST http://sp.example.com:8081/openam/json/realms/root/authenticate
    ?authIndexValue=Application
    &authIndexType=module
    GET http://sp.example.com:8081/openam/json/serverinfo/version
    GET http://sp.example.com:8081/openam/json/realms/root/agents/j2eeAgent
    GET http://sp.example.com:8081/openam/notifications
    <404 returned here>
    GET http://sp.example.com:8081/openam/isAlive.jsp
    GET http://sp.example.com:8081/openam/oauth2/authorize
    ?scope=openid
    &response_type=id_token
    &redirect_uri=http%3A%2F%2Fsp.example.com%3A80%2Fagentapp%2FsunwCDSSORedirectURI
    &nonce=sf0505df156062441c93910617d4a31b0b4ab6cec
    &client_id=j2eeAgent
    &agent_realm=%2F
    &response_mode=form_post

    Would I need a conditional url for each sub-realm?

    #25076
     tschoeller 
    Participant

    The agent’s user guide says that the conditional redirection is available for login and logout requests — but I’ve already authenticated at the idp and the sp has stated (in the federation log) that my SSO was successful. Are we thinking different meanings of “login request?”
