Configure portal with secure access manager
Hi!
I just tried to configure portal with an access manager deployed in a secure webcontainer with a selfsigned certificate.
But the server validation fails with:
com.iplanet.sso.SSOException: Failed to create new Authentication Context: Naming Service is not available.
In amNaming I found:
com.iplanet.services.comm.client.SendRequestException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I already tried to set
com.iplanet.am.jssproxy.trustAllServerCerts=true
but that doesn't help. How do I force the installer to trust the certificate?
By CRabela at 2007-11-27 6:02:04

# 1
Ok, got it to work, I did it the following way:
1) Get the certificate e.g. with openssl:
openssl s_client -connect AccessManagerHost:443
Copy the block from
--BEGIN CERTIFICATE--
...
--END CERTIFICATE--
into a file "amcert".
2) Use keytool to create a keystore:
/usr/jdk/entsys-j2se/bin/keytool -import -alias am7 -file amcert
The keystore is placed by default in the user's home directory; since I did this as root on RedHat, the file is: /root/.keystore
This location is assumed in the next steps.
3) Add the following java option to psconfig
-Djavax.net.ssl.trustStore=/root/.keystore
There are two lines (110 & 115 in my file) which have to be changed, simply insert the option in between:
$JAVA_HOME/bin/java -Xms64m -Djavax.net.ssl.trustStore=/root/.keystore ...
4) cacaoadm needs to trust AM too
Since I could not get it to work with "cacaoadm add-trusted-cert .." I resorted to a more brutal approach and added the above option to cacao startup:
Edit (path is for RedHat)
/etc/opt/sun/cacao/instances/default/private/cacao.properties
Add the option to the java flags:
java.flags=-Xms128M -Xmx256M -Dcom.sun.portal.log.config.file=/etc/opt/sun/portal/PSAdminLogConfig.properties -Djava.awt.headless=true -Djava.awt.headless=true -Djavax.net.ssl.trustStore=/root/.keystore
hth
Chris
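An added example, not part of Chris's reply or of the Sun Portal product: a script that automates steps 1) and 2) above, fetching the Access Manager certificate with openssl, printing its fingerprint so it can be compared with the one on the AM host before it is trusted, and importing it into a dedicated truststore with keytool rather than into /root/.keystore. The host, port, alias, truststore path and password are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: scripted form of steps 1) and 2) in the reply above.
# Assumes openssl and keytool are on PATH. AM_HOST, AM_PORT, the alias, the
# truststore path and the password are placeholders to adjust.

# Print only the first PEM certificate block read from stdin (the server cert;
# "openssl s_client -showcerts" prints the chain leaf first).
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {exit}'
}

# Handshake with the server and capture its certificate as PEM.
# </dev/null closes stdin so s_client returns instead of waiting for input.
fetch_server_cert() {   # $1=host $2=port
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null | extract_pem
}

# Import the PEM file into a dedicated truststore (not the JDK cacerts or ~/.keystore),
# after printing subject and fingerprint so they can be checked against the AM host.
import_cert() {   # $1=pem file $2=alias $3=truststore $4=storepass
    openssl x509 -in "$1" -noout -subject -sha256 -fingerprint
    keytool -importcert -noprompt -alias "$2" -file "$1" -keystore "$3" -storepass "$4"
    keytool -list -keystore "$3" -storepass "$4" -alias "$2"
}

# Constructed sample of s_client output (not a real certificate), used to
# exercise extract_pem offline.
SAMPLE_SCLIENT='CONNECTED(00000003)
depth=0 CN = am7.example.test
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertBody==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIssuerCertBody==
-----END CERTIFICATE-----
---'

demo_extract() {
    printf '%s\n' "$SAMPLE_SCLIENT" | extract_pem
}

# Live run only when AM_HOST is set, e.g.
#   AM_HOST=am.example.test AM_PORT=443 sh trust-am.sh
if [ -n "${AM_HOST:-}" ]; then
    fetch_server_cert "$AM_HOST" "${AM_PORT:-443}" > amcert
    import_cert amcert am7 /etc/opt/sun/portal/am-truststore.jks changeit
    echo "now add -Djavax.net.ssl.trustStore=/etc/opt/sun/portal/am-truststore.jks to psconfig and cacao.properties"
fi
```

The fingerprint printed by import_cert is the value to compare against the one shown on the Access Manager host before the import is accepted.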
# 2
Hi,
I am now facing a similar problem. I tried to configure the gateway with a self-generated cert from the portal, and it seemed to configure successfully. But when I try to access the portal through the gateway, it always displays an error. And when I check the gateway logs, it shows the cookie has already expired. Do you have any idea about it?
Regards
# 3
Hmm, just to clarify what your setup is: I assume a few things, and you correct me if it is wrong. So you have a portal with https:
https://portal.internalorg.com
And a gateway with:
https://gateway.externalorg.com/
When you try to access
https://gateway.externalorg.com/https://portal.internalorg.com/portal/dt
you get a display error. Of which kind? Server Error? Access denied?
A wild guess: Please check in your gateway configuration "URLs to which User Session Cookie is Forwarded : " Is https://portal.internalorg.com in there or maybe just http://.. ?
Have you tried to set the gateway logging level to message?
hth Chris
# 4
For my installation, my portal link is like this:
http://sunportal.<domain>:8081/portal
And I configure the gateway using the script <xxx.properties.template>, and the gateway URL is like this:
https://sunportal.<domain>
When I try to access the portal through the gateway, the URL becomes:
https://sunportal.<domain>/http://sunportal.<domain>:8081/portal
Since I am using Firefox to access it, it displays the Firefox error page with the error "* This problem can sometimes be caused by disabling or refusing to accept cookies."
And when I check the gateway log, it shows
"Response
HTTP/1.0 302 Moved Temporarily^M
Server: Sun-ONE-Web-Server/6.1^M
Date: Fri, 08 Jun 2007 09:22:32 GMT^M
Content-length: 0^M
Content-type: text/html^M
Cache-control: private^M
Pragma: no-cache^M
Connection: close^M
X-dsameversion: 7 2005Q4^M
X-autherrorcode: 0^M
Location: http://sunportal<domain>:8081/portal/dt^M
Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcxRcpdWkaV%2B9%2BWBH%2BYo5%2FAq0YRXcge%2FbQs%3D%40AAJTSQACMDE%3D%23;Domain=sunportal<domain>;Path=/^M
Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcxRcpdWkaV%2B9%2BWBH%2BYo5%2FAq0YRXcge%2FbQs%3D%40AAJTSQACMDE%3D%23;Domain=<domain>;Path=/^M
Set-Cookie: %2Fsunportal<domain>_AMAuthCookie=LOGOUT|sunportal<domain>|/|iplanet; Expires=Thu, 01-Jan-1970 00:00:10 GMT; domain=<domain>; path=/^M
Set-Cookie: %2F<domain>_AMAuthCookie=LOGOUT|<domain>|/|iplanet; Expires=Thu, 01-Jan-1970 00:00:10 GMT; domain=<domain>; path=/^M
"
Do you have any hint for the error? For the gateway, how can I set the log level to message?
# 5
Hmm, it looks as if your problem has nothing to do with certificates.
The configuration for gateway is located in /etc/opt/SUNWportal/ (on Solaris).
platform.conf.default
GWConfig-default.properties
are probably the relevant files for you, if you renamed the configuration, replace default by the correct name.
In platform.conf.default set:
gateway.debug=message
Please check the time/date on both machines, maybe they are out of sync.
Also, please check in psconsole "Secure Remote Access" -> Profiles -> default
Cookie Management : Enabled
"URLs to which User Session Cookie is Forwarded : http://sunportal.<domain>:8081"
You write: "When you try to access the portal through the gateway", just to clarify: Do you get the error at once or do you get an access manager login page first and after login you get the error?
hth Chris
# 6
Hi Chris,
Since my project is still testing the portal, we have only installed the whole SUN Java ES onto one server. And I am only using the SUN Java ES self-generated cert.
For your question about "When you try to access the portal through the gateway": I get the access manager login page first, and after login I get the error.