OpenAM 13 – Login page not loading after setup

This topic contains 12 replies, has 4 voices, and was last updated by  DhilipSwaminathan 5 months ago.

  • #24407
     DhilipSwaminathan 
    Participant

    Hi,

    I have installed OpenAM 13 configured with OpenDJ 3 as the external config and identity store. But the OpenAM login page https://xyz.abcservices.com:8443/openam/XUI/#login/ doesn’t seem to load. It hangs with a “Loading…” message.

    Chrome browser console error:
    Failed to load resource: the server responded with a status of 401 () https://xyz.abcservices.com:8443/openam/json/users?_action=idFromSession

    Failed to load resource: the server responded with a status of 500 () https://xyz.abcservices.com:8443/openam/json/authenticate?

    Uncaught SyntaxError: Unexpected end of JSON input
    at JSON.parse (<anonymous>)
    at Function.Z.parseJSON (jquery-2.1.1-min.js:4)
    at Object.<anonymous> (AuthNDelegate.js:74)
    at Object.<anonymous> (jquery-2.1.1-min.js:2)
    at c (jquery-2.1.1-min.js:2)
    at Object.fireWith [as rejectWith] (jquery-2.1.1-min.js:2)
    at n (jquery-2.1.1-min.js:4)
    at XMLHttpRequest.<anonymous> (jquery-2.1.1-min.js:4)
    https://xyz.abcservices.com:8443/openam/XUI/#login/

    Error from /openam/debug/Session:

    amSession:01/13/2019 06:48:54:631 AM UTC: Thread[https-jsse-nio-8443-exec-5,5,main]: TransactionId[43559efe-f42d-4da7-9904-b0acec9d97f3-14]
    ERROR: Invalid value for com.iplanet.am.session.failover.cluster.stateCheck.timeout defaulting to 1000
    amSession:01/13/2019 06:48:54:631 AM UTC: Thread[https-jsse-nio-8443-exec-5,5,main]: TransactionId[43559efe-f42d-4da7-9904-b0acec9d97f3-14]
    ERROR: Invalid value for com.iplanet.am.session.failover.cluster.stateCheck.period defaulting to 1000

    Error from /openam/debug/CoreSystem

    amMonitoring:01/13/2019 06:48:58:841 AM UTC: Thread[https-jsse-nio-8443-exec-5,5,main]: TransactionId[43559efe-f42d-4da7-9904-b0acec9d97f3-14]
    ERROR: ConfigMonitoring.configureMonitoring: getMonServiceAttrs returns -1, monitoring disabled

    Error from /openam/debug/IdRepo:
    amSDK:01/13/2019 06:48:53:045 AM UTC: Thread[https-jsse-nio-8443-exec-5,5,main]: TransactionId[43559efe-f42d-4da7-9904-b0acec9d97f3-14]
    ERROR: JCEEncryption:: Unsupported version: 9

    Error from /openam/debug/Entitlement:

    Entitlement:01/13/2019 06:48:58:958 AM UTC: Thread[entitlementThreadPool2,5,main]: TransactionId[43559efe-f42d-4da7-9904-b0acec9d97f3-46]
    ERROR: Notifier.notifyChanges
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching openam.myworthservices.com found
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
    at com.sun.identity.entitlement.opensso.Notifier.postRequest(Notifier.java:145)
    at com.sun.identity.entitlement.opensso.Notifier.run(Notifier.java:113)
    at com.sun.identity.entitlement.ThreadPool$WorkerThread.run(ThreadPool.java:166)
    Caused by: java.security.cert.CertificateException: No name matching openam.myworthservices.com found
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)

    Please help out on this. I have been stuck for nearly a week.

    #24474
     xinlian 
    Participant

    A couple of things you might need to check.

    1. Did you use compatible versions of Tomcat and the JDK?
    2. Did you set up the Java heap size and space?
    3. I guess you tried a reinstall, but did you delete the .openamconfig file before reinstalling?

    Regards,
    Xin

    #24475
     DhilipSwaminathan 
    Participant

    1. Did you use compatible versions of Tomcat and the JDK?
    I am using OpenAM 13
    Java 1.8.0
    Tomcat 8

    2. Did you set up the Java heap size and space?
    Yes I did

    3. I guess you tried a reinstall, but did you delete the .openamconfig file before reinstalling?
    Before reinstalling, I removed the OpenAM folder from the Tomcat root directory.

    #24477
     xinlian 
    Participant

    Check your cookie domain then. Did you use the FQDN?

    #24484
     DhilipSwaminathan 
    Participant

    Yes, I use the FQDN, and I have configured the cookie domain to match the last two labels of the FQDN, like .xxxx.com.
    I even reinstalled OpenDJ and OpenAM. No luck.

    #24485
     Dusty 
    Participant

    Hi,

    I assume you use a secure connection to connect to OpenDJ with a self-signed certificate. Did you add the public key of the certificate to the trust store on the OpenAM machine? Probably it is not trusted yet, or the keystore itself is missing.

    Regards
    Dusty

    #24486
     grk 
    Participant

    @dhilipswaminathan, Tomcat 8 does not support a cookie domain starting with a dot (.). Change the cookie domain to “xyz.abcservices.com” to fix the issue. Alternatively, if you have any dependency on using a cookie domain starting with a dot (.), update Tomcat’s context.xml to use LegacyCookieProcessor, which supports a cookie domain starting with a dot.
    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

    Thanks,
    Ravikumar Geejula
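
The cookie-domain rule described in the post above, as an added Python illustration (not OpenAM or Tomcat code). It models the two Tomcat behaviours side by side: a strict validator that, like Rfc6265CookieProcessor, refuses a Domain value with a leading dot, and a legacy validator that, like LegacyCookieProcessor, drops the dot and carries on. It goes one step further than the thread and also applies RFC 6265 domain matching, which shows why both “xyz.abcservices.com” and “abcservices.com” work for the server URL quoted later in the thread. The cookie name `session` and the `<token>` value are constructed placeholders; the real OpenAM cookie name is not shown on this page.

```python
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits and hyphens, with no hyphen at either end.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

COOKIE_NAME = "session"  # constructed name; the real OpenAM cookie name is not on this page


def validate_domain_rfc6265(domain: str) -> str:
    """Strict server-side check modelled on Tomcat's Rfc6265CookieProcessor:
    the Domain attribute must be a bare host name, so a leading dot (or a
    label that starts or ends with a hyphen) is rejected outright."""
    if not domain:
        raise ValueError("empty cookie domain")
    if domain[0] in ".-":
        raise ValueError(f"cookie domain {domain!r} may not start with '.' or '-'")
    for label in domain.split("."):
        if not _LABEL_RE.match(label):
            raise ValueError(f"cookie domain {domain!r} has an invalid label {label!r}")
    return domain.lower()


def validate_domain_legacy(domain: str) -> str:
    """Permissive Netscape-style handling, as LegacyCookieProcessor does:
    one leading dot is tolerated and dropped before the same label rules apply."""
    if domain.startswith("."):
        domain = domain[1:]
    return validate_domain_rfc6265(domain)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: the request host must equal the
    cookie domain or be a subdomain of it."""
    host, dom = request_host.lower(), cookie_domain.lower()
    return host == dom or host.endswith("." + dom)


def check_cookie_domain(server_url: str, cookie_domain: str, strict: bool) -> dict:
    """Emulate the server issuing its session cookie for the configured domain
    and report what happens instead of raising, so results can be tabulated."""
    host = urlsplit(server_url).hostname or ""
    validate = validate_domain_rfc6265 if strict else validate_domain_legacy
    try:
        dom = validate(cookie_domain)
    except ValueError as exc:
        # In Tomcat this surfaces as an IllegalArgumentException while the
        # response is being built, i.e. an HTTP 500 instead of a login page.
        return {"ok": False, "stage": "validate", "reason": str(exc)}
    if not domain_matches(host, dom):
        # The header would be sent, but the browser would never return the cookie.
        return {"ok": False, "stage": "match", "reason": f"{dom} does not cover {host}"}
    header = f"{COOKIE_NAME}=<token>; Domain={dom}; Path=/; HttpOnly"
    return {"ok": True, "stage": "issued", "header": header}


if __name__ == "__main__":
    # Server URL and candidate cookie domains taken from the thread, plus one
    # unrelated domain to show the matching failure.
    url = "http://xyz.abcservices.com:8080"
    for cookie_domain in (".abcservices.com", "abcservices.com", "xyz.abcservices.com", "other.com"):
        for strict in (True, False):
            processor = "Rfc6265" if strict else "Legacy"
            print(f"{processor:8} {cookie_domain:22} -> {check_cookie_domain(url, cookie_domain, strict)}")
```

Tomcat 8.0 shipped with LegacyCookieProcessor as the default and Tomcat 8.5 switched the default to Rfc6265CookieProcessor, which is why two “Tomcat 8” installations can behave differently on the same configuration value. From a defensive standpoint, prefer the narrowest domain that still works: a cookie scoped to “abcservices.com” is sent to every host under that domain, whereas “xyz.abcservices.com” keeps the session cookie on the OpenAM host alone.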

    #24487
     DhilipSwaminathan 
    Participant

    @grk, by cookie domain you mean the field below Server URL in Step 2 of the OpenAM Custom Configuration screen, right?

    I specified

    Server Url: http://xyz.abcservices.com:8080
    Cookie Domain: .abcservices.com

    So, based on your suggestion, the cookie domain also has to be xyz.abcservices.com. Is that the right understanding?

    But just curious, I have another AWS Linux machine which has OpenAM configured with a cookie domain starting with a dot. It has Tomcat 8 and it is running fine.

    Thanks,
    Dhilip

    #24488
     xinlian 
    Participant

    you can use “abcservices.com” but not “.abcservices.com”

    Regards,
    Xin

    #24489
     DhilipSwaminathan 
    Participant

    @dusty,
    I have just enabled SSL in Tomcat 8 after generating a self-signed certificate through the Java keytool.
    But with regard to OpenDJ, I did not enable an SSL connection.

    And to your question “Did you add the public key of the certificate to trust store on the OpenAM machine? ”

    No, I did not add the public key to the trust store.
    Can you share any link on how to do that?

    #24491
     grk 
    Participant

    xyz.abcservices.com or abcservices.com, but no leading dot. Are your AWS Tomcat and current Tomcat running the exact same minor version? Not sure if some of the Tomcat 8 minor versions still support a leading dot.

    https://bugster.forgerock.org/jira/browse/OPENAM-8668

    Thanks,
    Ravikumar Geejula

    #24493
     Dusty 
    Participant

    Is this domain running on SSL?
    openam.myworthservices.com

    It looks like Java (IdRepo – OpenAM) tries to make a call to ‘openam.myworthservices.com’ but it doesn’t find the key for the domain, or sometimes the keystore itself is missing.

    Here you can find an old tutorial.

    But I think the problem is something else. How did you set up OpenAM? Did you use the web interface or SSOAdmin? I think the setup URI is not the same as the URL from where you try to log in. If this is the case you need to add OpenAM in a Site: https://backstage.forgerock.com/docs/openam/13/install-guide/#configure-sites.

    Regards
    Dusty

    #24500
     DhilipSwaminathan 
    Participant

    Guys,

    The issue was resolved as soon as I changed the cookie domain from “.abcservices.com” to “xyz.abcservices.com”.

    Thanks @grk, @dusty, @xinlian. You guys made my day.

    @dusty,
    Previously I had tested by enabling SSL in Tomcat and also without SSL; both were not working. And to set up OpenAM I used the web interface.

    Thanks,
    Dhilip
