Could anyone help talk me through how to implement SSO for an application on Bluemix please?
I have a Liberty for Java application. Within the application there is an IBM Admin link in the tool that can be selected and used for SSO, but the version had expired and the creator of this app has since left, so I am having to maintain this app and now fix/upgrade the SSO connection for the Admin user. I have re-bound SSO (the newer version) to the app, using SAML. I have been on-boarded/registered and have completed the details/uploaded the metadata file. Now I really need some advice/help on what can be done to actually get this working, so that when the IBM Admin selects the link to log in, it takes them to the admin version of the tool rather than an error where the SSO is not present currently.
If any details are needed please let me know and will provide.
server.xml details:
<server>
<featureManager>
<feature>jsf-2.0</feature>
<feature>jsp-2.2</feature>
<feature>servlet-3.0</feature>
<feature>ejbLite-3.1</feature>
<feature>cdi-1.0</feature>
<feature>jpa-2.0</feature>
<feature>jdbc-4.0</feature>
<feature>jndi-1.0</feature>
<feature>managedBeans-1.0</feature>
<feature>jaxrs-1.1</feature>
<feature>icap:managementConnector-1.0</feature>
<feature>appstate-1.0</feature>
<feature>cloudAutowiring-1.0</feature>
<feature>openidConnectClient-1.0</feature>
<feature>ssl-1.0</feature>
<feature>appSecurity-2.0</feature>
</featureManager>
<application name='myapp' location='myapp.war' type='war' context-root='/'/>
<httpEndpoint id='defaultHttpEndpoint' host='*' httpPort='${port}'/>
<webContainer trustHostHeaderPort='true' extractHostHeaderPort='true'/>
<include location='runtime-vars.xml'/>
<logging logDirectory='${application.log.dir}' consoleLogLevel='INFO'/>
<httpDispatcher enableWelcomePage='false'/>
<applicationMonitor dropinsEnabled='false' updateTrigger='mbean'/>
<config updateTrigger='mbean'/>
<appstate appName='myapp' markerPath='${home}/../.liberty.state'/>
<dataSource id='mysql-ClearDB MySQL Database-assessments' jdbcDriverRef='mysql-driver' jndiName='jdbc/ClearDB MySQL Database-assessments' transactional='true' type='javax.sql.ConnectionPoolDataSource'>
<properties id='mysql-ClearDB MySQL Database-assessments-props' databaseName='${cloud.services.ClearDB MySQL Database-assessments.connection.name}' user='${cloud.services.ClearDB MySQL Database-assessments.connection.user}' password='${cloud.services.ClearDB MySQL Database-assessments.connection.password}' portNumber='${cloud.services.ClearDB MySQL Database-assessments.connection.port}' serverName='${cloud.services.ClearDB MySQL Database-assessments.connection.host}'/>
<connectionManager id='mysql-ClearDB MySQL Database-assessments-conMgr' maxPoolSize='10'/>
</dataSource>
<jdbcDriver id='mysql-driver' javax.sql.XADataSource='org.mariadb.jdbc.MySQLDataSource' javax.sql.ConnectionPoolDataSource='org.mariadb.jdbc.MySQLDataSource' libraryRef='mysql-library'/>
<library id='mysql-library'>
<fileset id='mysql-fileset' dir='${server.config.dir}/lib'/>
</library>
<openidConnectClient id='${cloud.services.SSO-Assessments.connection.clientId}' clientId='${cloud.services.SSO-Assessments.connection.clientId}' clientSecret='${cloud.services.SSO-Assessments.connection.secret}' authorizationEndpointUrl='${cloud.services.SSO-Assessments.connection.authorizationEndpointUrl}' tokenEndpointUrl='${cloud.services.SSO-Assessments.connection.tokenEndpointUrl}' redirectToRPHostAndPort='https://AssessmentsSolution-Network.mybluemix.net:443' issuerIdentifier='${cloud.services.SSO-Assessments.connection.issuerIdentifier}' scope='${cloud.services.SSO-Assessments.connection.serverSupportedScope}' httpsRequired='true'/>
<keyStore id='defaultKeyStore' password='changeit' type='jks' location='${java.home}/lib/security/cacerts'/>
</server>
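Before wiring the Admin link, it is worth checking the security-relevant attributes of the server.xml above (the post says SAML was bound, but the configuration carries an openidConnectClient element, so the client settings are what Liberty will actually use). The script below is an added example for this page, not code from the question, from IBM or from Liberty. It parses a server.xml and flags an openidConnectClient with httpsRequired not set to true, a non-https redirectToRPHostAndPort, missing clientId/clientSecret/issuerIdentifier/scope, a clientSecret written as a literal instead of a ${cloud.services...} reference, a keyStore that points at the JDK cacerts file with its well-known default password, and a dataSource whose password is a literal (the SQL Server datasource further down this page hard-codes password="password"). The embedded server.xml is constructed for the example: a trimmed version of the posted configs with weak values put back in so every check fires.

```python
"""Lint a Liberty server.xml for SSO, TLS and credential settings.

Added example, not code from the original post, IBM or Liberty.
The SAMPLE_SERVER_XML below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>openidConnectClient-1.0</feature>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <openidConnectClient id="sso-client"
      clientId="${cloud.services.SSO-Assessments.connection.clientId}"
      clientSecret="${cloud.services.SSO-Assessments.connection.secret}"
      authorizationEndpointUrl="${cloud.services.SSO-Assessments.connection.authorizationEndpointUrl}"
      tokenEndpointUrl="${cloud.services.SSO-Assessments.connection.tokenEndpointUrl}"
      redirectToRPHostAndPort="http://app.example.mybluemix.net:80"
      issuerIdentifier="${cloud.services.SSO-Assessments.connection.issuerIdentifier}"
      scope="${cloud.services.SSO-Assessments.connection.serverSupportedScope}"
      httpsRequired="false"/>
  <keyStore id="defaultKeyStore" password="changeit" type="jks"
      location="${java.home}/lib/security/cacerts"/>
  <dataSource id="myDataSource" jndiName="jdbc/myDataSource">
    <properties.microsoft.sqlserver serverName="localhost" portNumber="1433"
        databaseName="my_db" user="user" password="password"/>
  </dataSource>
</server>
"""

VAR_REF = re.compile(r"^\$\{[^}]+\}$")


def is_variable_ref(value):
    """True when the value is a ${...} reference (resolved by Liberty from the
    bound service or runtime-vars.xml) rather than a literal secret."""
    return bool(value) and VAR_REF.match(value) is not None


def lint_server_xml(xml_text):
    """Return a list of (element id, finding) tuples for the weak settings."""
    root = ET.fromstring(xml_text)
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}

    for oidc in root.iter("openidConnectClient"):
        cid = oidc.get("id", "?")
        if "openidConnectClient-1.0" not in features:
            findings.append((cid, "openidConnectClient configured but the feature is not enabled"))
        # Liberty defaults httpsRequired to true; anything else is a downgrade.
        if oidc.get("httpsRequired", "true").lower() != "true":
            findings.append((cid, "httpsRequired is not true"))
        rp = oidc.get("redirectToRPHostAndPort", "")
        if rp and not rp.lower().startswith("https://"):
            findings.append((cid, "redirectToRPHostAndPort is not https; the authorization code would return to a plain-HTTP callback"))
        for required in ("clientId", "clientSecret", "issuerIdentifier", "scope"):
            if not oidc.get(required):
                findings.append((cid, f"{required} is missing"))
        secret = oidc.get("clientSecret")
        if secret and not is_variable_ref(secret):
            findings.append((cid, "clientSecret is a literal in server.xml"))

    for ks in root.iter("keyStore"):
        kid = ks.get("id", "?")
        if ks.get("location", "").endswith("cacerts") and ks.get("password") == "changeit":
            findings.append((kid, "JDK cacerts with its default password is the server keystore"))

    for ds in root.iter("dataSource"):
        did = ds.get("id", "?")
        for child in ds:
            if child.tag.startswith("properties"):
                pw = child.get("password")
                if pw and not is_variable_ref(pw):
                    findings.append((did, "dataSource password is a literal in server.xml"))
    return findings


if __name__ == "__main__":
    for element_id, finding in lint_server_xml(SAMPLE_SERVER_XML):
        print(f"{element_id}: {finding}")
```

Run it against the real server.xml with `lint_server_xml(open("server.xml").read())`; the posted config passes the openidConnectClient checks (https redirect, httpsRequired='true', all secrets as ${cloud.services...} references) and only the cacerts keystore finding applies to it.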
I'm trying to connect to a Sql Server database from a liberty server.
Doesn't work as I'm getting a 500 from the liberty server and the logs give me this error message: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: SQL Server did not return a response.
My xml:
<library id="sqlServerLib2" apiTypeVisibility="spec,ibm-api,api,third-party">
<fileset dir="${server.config.dir}/lib/global" includes="mssql-jdbc-6.1.0.jre8.jar"/>
</library>
<dataSource id="myDataSource" jndiName="jdbc/myDataSource">
<jdbcDriver libraryRef="sqlServerLib2"/>
<properties.microsoft.sqlserver
serverName="localhost"
portNumber="8080"
databaseName="my_db"
user="user"
password="password"/>
<connectionManager maxPoolSize="100" minPoolSize="0"/>
</dataSource>
I've looked at IBM's pages. Didn't give much help.
I've also googled the error message but people usually say that I should just update my driver to at least 4.2. I'm using 6.1, so that doesn't really apply.
What am I missing here?
Thanks.
EDIT:
I took a look at Microsoft's pages and found that I was using an incompatible jdbc-api version. I changed this from 4.0 to 4.1.
<featureManager>
<feature>jdbc-4.1</feature>
</featureManager>
I also defined the dataSource and connection pool classes in my datasource.
<!-- libraryRef must match the library id exactly (case-sensitive): sqlServerLib2 -->
<jdbcDriver libraryRef="sqlServerLib2"
javax.sql.DataSource="com.microsoft.sqlserver.jdbc.SQLServerDataSource"
javax.sql.ConnectionPoolDataSource="com.microsoft.sqlserver.jdbc.SQLServerConnectionPoolDataSource"/>
Now I'm getting a java.lang.ClassNotFoundException: com.microsoft.sqlserver.jdbc.SQLServerDataSource.
I tried using the mssql-jdbc-6.1.0.jre7.jar (Java 7) instead. Then all of a sudden it worked. What am I doing wrong with the jre8 version of the driver?
The main error was that I used a version of the jdbc-api that was incompatible with the mssql-jdbc-6.1.0.jre8.jar driver. Changing to version 4.1 fixed it.
The ClassNotFoundException was just a blunder on my part (forgot to update the pom.xml).
In your example code snippet, you have incorrect syntax for specifying the JNDI name of the data source,
<dataSource id="myDataSource" jndi="jdbc/myDataSource">
This should instead be:
<dataSource id="myDataSource" jndiName="jdbc/myDataSource">
I have two JMS-Servers which are linked together as a JMS-Cluster in a standalone-full-ha environment. These servers are hosting my JMS-Destinations (let’s call them JMS-Master).
Additionally there is a server which is configured as standalone-full server (let’s name it JMS-Slave). This server has a JMS-Bridge to a JMS-Topic.
For this configuration I created at the JMS-Slave two socket bindings to the remote servers:
<outbound-socket-binding name="remote-server-1">
<remote-destination host="a.b.c.d" port="8080"/>
</outbound-socket-binding>
<outbound-socket-binding name="remote-server-2">
<remote-destination host="a.b.c.d" port="18080"/>
</outbound-socket-binding>
I use them at two http-connectors at the messaging subsystem configuration:
<http-connector name="remote-1-http-connector" socket-binding="remote-server-1" endpoint="http-acceptor"/>
<http-connector name="remote-2-http-connector" socket-binding="remote-server-2" endpoint="http-acceptor"/>
And I created a pooled-connection-factory:
<pooled-connection-factory name="remote-connection" entries="java:/jms/remoteCF" connectors="remote-1-http-connector remote-2-http-connector" user="testuser" password="testpassword" failover-on-initial-connection="true"/>
Finally I configure the JMS-Bridge:
<jms-bridge name="HelloWorldQueue-jms-bridge" quality-of-service="DUPLICATES_OK" failure-retry-interval="5000" max-retries="-1" max-batch-size="10" max-batch-time="100">
<source connection-factory="ConnectionFactory" destination="queue/HelloWorldQueue"/>
<target connection-factory="jms/RemoteConnectionFactory" destination="queue/HelloWorldQueue" user="heinz" password="becker" >
<target-context>
<property name="java.naming.factory.initial" value="org.jboss.naming.remote.client.InitialContextFactory"/>
<property name="java.naming.provider.url" value="http-remoting://a.b.c.d:8080, http-remoting://a.b.c.d:18080"/>
</target-context>
</target>
</jms-bridge>
The result:
If both JMS-Master servers are up and I start the JMS-Slave,
everything works.
If one of JMS-Master servers is down and I start the JMS-Slave, it
works as well. The jms-bridge connects to the available node.
But if I shutdown the node to which the JMS Bridge of the JMS-Slave
is connected there is no failover.
I am looking for a configuration where the JMS-Bridge is "reconnecting" after a crash to the available node without putting it into the same cluster as the JMS-Master.
How can I achieve this? Are there other possibilities to get a similar behavior? Or is there a proposal for a complete different setup?
I think I found two possible solutions for the problem myself. But they have both some disadvantages.
The first one is to use a JMS-Core-Bridge. See Configuring Core Bridges at the Red Hat JBoss docs:
Do not confuse a core bridge with a JMS bridge. A core bridge is used
to bridge any two JBoss EAP messaging instances and uses the core API.
A JMS bridge can be used to bridge any two JMS 1.1 compliant JMS
providers and uses the JMS API. It is preferable to use a core bridge
instead of a JMS bridge whenever possible.
The Core-Bridge does a fail-over more or less out of the box. Already with one connector it would do a failover automatically. It retrieves the cluster topology during the first connect and uses it during its lifetime. And to be able to start the bridge if a JMS-Master is down, we can add additional connectors:
<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0">
<server name="default">
....
<bridge name="my-core-bridge" static-connectors="remote-1-http-connector remote-2-http-connector" queue-name="jms.queue.HelloWorldQueue" user="username" password="pwd"/>
</server>
...
</subsystem>
The disadvantage of a core-bridge seems to be that it does not support JMS-Topics out of the box. Only JMS-Queues seem to work without overhead.
But it is possible as well to configure a JMS-Bridge so that it reconnects to another server. To establish a connection, the JMS-Bridge performs a JNDI lookup at one of the servers configured by the property "java.naming.provider.url". This lookup is only executed during startup and, once it is done, it uses the retrieved remote connection factory (here named RemoteConnectionFactory) to connect and reconnect. But it is using the RemoteConnectionFactory of the JMS-Master! Therefore it is necessary to configure this connection factory there:
<connection-factory name="RemoteConnectionFactory" entries="java:jboss/exported/jms/RemoteConnectionFactory" connectors="master-1-http-connector master-2-http-connector" ha="true" block-on-acknowledge="true" reconnect-attempts="-1"/>
If this RemoteConnectionFactory has a connector to each JMS-Master, the JMS-Bridge retrieves all necessary information to do a reconnect to another server, if necessary. The bridge configuration of my question is working now without modification:
<jms-bridge name="HelloWorldQueue-jms-bridge" quality-of-service="DUPLICATES_OK" failure-retry-interval="5000" max-retries="-1" max-batch-size="10" max-batch-time="100">
<source connection-factory="ConnectionFactory" destination="queue/HelloWorldQueue"/>
<target connection-factory="jms/RemoteConnectionFactory" destination="queue/HelloWorldQueue" user="username" password="pwd" >
<target-context>
<property name="java.naming.factory.initial" value="org.jboss.naming.remote.client.InitialContextFactory"/>
<property name="java.naming.provider.url" value="http-remoting://a.b.c.d:8080, http-remoting://a.b.c.d:18080"/>
</target-context>
</target>
</jms-bridge>
The disadvantage of my "jms-bridge configuration" is its complexity.
I'm facing a difficult setup where I have to configure single sign-on, based on the logged-in user, on my Tomcat application.
I already took some steps which allow me to login via single sign on directly on my tomcat application by using waffle.
I have 1 server where I have a tomcat running and a IIS running (but this IIS will move to another server in the same domain in the future).
I have the Tomcat running on port 8205 and the IIS configured to accept URLs from authpoc.company.com. IIS does a redirect to localhost:8205 via URL Rewrite.
My web.xml from IIS
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost:8205/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
What works
When opening the application directly on localhost:8205 on the server. I get a nice single sign on based on my domain user.
When opening the application directly on the ip of the server. 192.168.1.1:8205. I can log in but single sign on does not work anymore. This I don't understand. (edit: solved, this is a setting in Internet explorer, see SSO waffle asking username and password for more information)
What doesn't work
When redirecting from IIS, I don't get to log in to my Tomcat application. I have Windows authentication enabled, with Negotiate and NTLM enabled (in this sequence).
I read a lot on the internet but I can't find anyone with this particular setup. I don't really have the impression I'm doing something exotic.
One possibility is that I should connect IIS via AJP instead of a much simpler URL rewrite.
any help is welcome! Thanks
I got an answer on the Google Groups saying this is not possible because of the reverse proxy counting as a hop.
https://groups.google.com/forum/#!topic/waffle-users/VCaawJMD0Mw
I'm going to try another approach
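Before changing the approach, one check a practitioner would do on this setup: capture the Authorization header the browser sends through the proxy and see whether it negotiated Kerberos or fell back to NTLM. Kerberos needs an SPN registered for the name the browser typed (HTTP/authpoc.company.com) and survives a reverse proxy that forwards the Authorization header unchanged; NTLM is a multi-leg handshake tied to a single TCP connection, which is what breaks when the proxy in between does not keep the backend connection pinned (the "counts as a hop" answer). The script below is an added example for this page, not code from the question, from Waffle or from IIS. It decodes a Negotiate token and reports which mechanism it carries. The tokens it ships with are constructed (minimal SPNEGO NegTokenInit structures and an NTLMSSP NEGOTIATE message), not real captures, and the DER builder uses short-form lengths only.

```python
"""Classify an "Authorization: Negotiate ..." token: Kerberos or NTLM?

Added example, not code from the original post, Waffle or IIS.
All tokens below are constructed for this example.
"""
import base64

# DER-encoded OIDs (tag 0x06 included)
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")         # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")      # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MECHS = {"kerberos": KRB5_OID, "ms-kerberos": MS_KRB5_OID, "ntlm": NTLMSSP_OID}

# NTLMSSP NEGOTIATE (type 1): signature, message type, flags, empty domain/workstation fields
NTLM_NEGOTIATE = b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16


def der(tag, content):
    """Wrap content in a DER TLV; short-form length is enough for these tokens."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def spnego_neg_token_init(mech_oids, mech_token=b""):
    """Minimal SPNEGO NegTokenInit (RFC 4178): mechTypes in preference order,
    optionally carrying the first mechanism's token."""
    fields = der(0xA0, der(0x30, b"".join(mech_oids)))          # [0] mechTypes
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))               # [2] mechToken
    return der(0x60, SPNEGO_OID + der(0xA0, der(0x30, fields)))  # InitialContextToken


def classify_negotiate_token(b64_token):
    """'spnego-kerberos', 'spnego-ntlm', 'ntlm' (raw NTLMSSP, no SPNEGO) or 'unknown'."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if raw[:1] != b"\x60" or SPNEGO_OID not in raw[:12]:
        return "unknown"
    # mechTypes order is the client's preference; the mechToken belongs to the first one
    present = sorted((raw.find(oid), name) for name, oid in MECHS.items() if oid in raw)
    if not present:
        return "unknown"
    if present[0][1] == "ntlm" or b"NTLMSSP\x00" in raw:
        return "spnego-ntlm"
    return "spnego-kerberos"


def mechanism_from_header(authorization):
    """Classify a full Authorization header value (scheme + token)."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"
    if scheme.lower() == "negotiate":
        return classify_negotiate_token(token)
    return "unknown"


ADVICE = {
    "spnego-kerberos": "Kerberos ticket presented: check the SPN and that the proxy forwards Authorization unchanged",
    "spnego-ntlm": "no Kerberos ticket obtained (missing SPN for this host name?), fell back to NTLM, which needs a pinned connection through the proxy",
    "ntlm": "raw NTLM, same constraints as spnego-ntlm",
    "unknown": "not a Negotiate/NTLM token",
}

# Constructed sample tokens
KERBEROS_TOKEN = base64.b64encode(spnego_neg_token_init([KRB5_OID, MS_KRB5_OID, NTLMSSP_OID])).decode()
SPNEGO_NTLM_TOKEN = base64.b64encode(spnego_neg_token_init([NTLMSSP_OID, KRB5_OID], NTLM_NEGOTIATE)).decode()
RAW_NTLM_TOKEN = base64.b64encode(NTLM_NEGOTIATE).decode()
UNKNOWN_TOKEN = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()

if __name__ == "__main__":
    for header in ("Negotiate " + KERBEROS_TOKEN, "Negotiate " + SPNEGO_NTLM_TOKEN, "NTLM " + RAW_NTLM_TOKEN):
        kind = mechanism_from_header(header)
        print(f"{kind}: {ADVICE[kind]}")
```

Paste the header value from the browser's developer tools (or from a Fiddler/Wireshark capture on the proxy) into `mechanism_from_header`. If the result is `spnego-ntlm` for authpoc.company.com but `spnego-kerberos` for localhost, the browser never got a ticket for the proxy's name, and the proxy hop is only the second problem.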
First time poster here. I'm setting up a new Tomcat 8 instance and I'm trying to utilize the Tomcat 8 manager from my build.xml script (via IntelliJ). I'm using the list command to test the connection, but what I really want is stop/start/redeploy/etc. I've tested both manager/text/ and manager/html successfully.
[Windows 7 box]
Code snippets incoming
tomcat-users.xml:
<role rolename="admin-gui"/>
<role rolename="manager-script" />
<role rolename="manager-gui" />
<user username="script" password="test" roles="admin-gui,manager-script"/>
<user username="manager" password="test" roles="admin-gui,manager-gui"/>
build.xml:
<target name="list"
description="List installed applications on servlet container">
<echo>List Using:(${manager.url}) [${manager.username}|${manager.password}]</echo>
<list url="${manager.url}"
username="${manager.username}"
password="${manager.password}"/>
</target>
Output from 'list' task from IntelliJ:
List Using:(http://localhost:8080/manager/text) [script|test]
Task: list
C:\apps\myapp\build.xml:478: java.net.ConnectException: Connection refused: connect
at org.apache.catalina.ant.AbstractCatalinaTask.execute(AbstractCatalinaTask.java:269)
...etc
Every tutorial I go to talks about setting up tomcat-users.xml or opening port 8443 for the manager, but I haven't seen an answer for what to do if you have confirmed the manager is running (it is) but build.xml/Ant seem to have trouble getting authorized.
Things to check:
Have you actually confirmed that manager app is deployed to the /manager context? It's only deployed by default on the default host. For other virtual hosts, this is something you must do manually. Try visiting http://localhost:8080/manager with your web browser. Try logging in with the manager-gui user.
Does your Tomcat instance run more than one virtual host? If so, it's possible that your Ant task is hitting a different virtual host than the one you want. Check your $CATALINA_HOME/conf/server.xml file's <Engine> and <Host> elements. Does <Engine> contain just one <Host>? If it contains multiple hosts, what are the name attributes set to? What is the defaultHost attribute of <Engine> set to?
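One more thing worth separating cleanly: "Connection refused" is raised by the TCP connect, before any HTTP request or credential is sent, so tomcat-users.xml cannot be its cause; the 401/403 distinction only comes into play once a connection succeeds (401 means the realm rejected the credentials, 403 means the user authenticated but lacks manager-script, the role /manager/text requires; manager-gui alone is not enough there). The script below is an added example for this page, not code from the question, the answer above or Tomcat's Ant tasks. It does the TCP check first, then the authenticated request, and parses the manager/text/list reply. The manager output it embeds is constructed; the URL and user name in the usage are the ones from the question. Because the manager here is reached over plain http, it also flags that the Basic credentials travel in clear, which is the reason the tutorials push port 8443.

```python
"""Separate TCP failures from auth failures against the Tomcat manager.

Added example, not code from the original post, the answer or Tomcat.
SAMPLE_LIST_OUTPUT is constructed for this example.
"""
import base64
import socket
import urllib.error
import urllib.parse
import urllib.request


def basic_auth_header(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def interpret(status, body="", scheme="http"):
    """Map a manager/text response to a diagnosis string."""
    if status == 401:
        return "auth: credentials rejected by the realm (user/password, or the realm is not tomcat-users.xml)"
    if status == 403:
        return "authz: authenticated, but the user lacks manager-script; manager-gui alone cannot use /manager/text"
    if status == 404:
        return "deploy: /manager is not deployed on the host this request reached"
    if status == 200:
        apps = parse_list(body)
        clear = "" if scheme == "https" else " (Basic credentials sent in clear over http)"
        return f"ok: {len(apps)} application(s) listed{clear}"
    return f"http {status}"


def parse_list(body):
    """Parse 'OK - Listed applications ...' into (path, state, sessions, directory)."""
    lines = body.splitlines()
    if not lines or not lines[0].startswith("OK"):
        raise ValueError(lines[0] if lines else "empty reply")
    apps = []
    for line in lines[1:]:
        parts = line.split(":")
        if len(parts) >= 4:
            apps.append((parts[0], parts[1], int(parts[2]), parts[3]))
    return apps


def diagnose(url, username, password, timeout=5):
    """TCP connect first, then the authenticated HTTP request; return a diagnosis."""
    parsed = urllib.parse.urlparse(url)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        socket.create_connection((parsed.hostname, port), timeout=timeout).close()
    except OSError as exc:
        return (f"tcp: nothing listening on {parsed.hostname}:{port} ({exc}); "
                "check the <Connector> port in server.xml, not tomcat-users.xml")
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(username, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(resp.status, resp.read().decode("utf-8", "replace"), parsed.scheme)
    except urllib.error.HTTPError as exc:
        return interpret(exc.code, "", parsed.scheme)


# Constructed manager/text/list reply
SAMPLE_LIST_OUTPUT = """OK - Listed applications for virtual host localhost
/:running:0:ROOT
/manager:running:1:manager
/myapp:stopped:0:myapp
"""

if __name__ == "__main__":
    print(diagnose("http://localhost:8080/manager/text/list", "script", "test"))
```

A "tcp:" result means the Ant task and the browser are not talking to the same listener (wrong port, or Ant running on a different machine than the browser test); an "authz:" result means the roles in tomcat-users.xml are the problem and not the password. The script user in the question also carries admin-gui, which a script account does not need; keep manager-script accounts limited to that one role.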
We have deployed a flex application on Tomcat and it uses Blaze-DS to communicate with the Java side. However when using the deployed application we constantly get the error:
Detected duplicate HTTP-based FlexSessions, generally due to the remote host disabling session cookies. Session cookies must be enabled to manage the client connection correctly. url:
'http://XX.XX.XXX.XXX:80/CB3/SdmxSandbox/messagebroker/amf;jsessionid=2A71A4A58872C757B9064D20C9E876D9'
I don't understand what is causing this or what this error really means? Can anyone help?
Further detail:
Within our Apache httpd.conf we have set up a proxy lookup so that rather than using particular ports (e.g 8082) we want to use port 80 (some of our customers operate in a locked-down environment). So the httpd.conf file looks like:
ProxyPass /CB3/ http://XX.XX.XXX.XXX:8082/
ProxyPassReverse /CB3/ http://XX.XX.XXX.XXX:8082/
Now we didn't get the Duplicate Session issue until we introduced the proxy redirect. My services-config is fairly straightforward:
<?xml version="1.0" encoding="UTF-8"?>
<services-config>
<factories>
<factory id="spring" class="flex.messaging.factory.SpringFactory" />
</factories>
<services>
<service-include file-path="remoting-config.xml" />
<default-channels>
<channel ref="my-amf" />
</default-channels>
</services>
<channels>
<channel-definition id="my-amf"
class="mx.messaging.channels.AMFChannel">
<endpoint
url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf"
class="flex.messaging.endpoints.AMFEndpoint" />
</channel-definition>
</channels>
Any help greatly appreciated.
Thanks,
Phil
The duplicate session message is a known problem, and it can appear for several reasons. I'm not able to tell you what the reason is in your case, but I'll write down the best articles dealing with this issue.
http://www.alexglosband.com/?p=3
http://meteatamel.wordpress.com/2011/01/26/duplicate-session-errors-in-lcdsblazeds/
http://blogs.adobe.com/lin/2011/05/duplication-session-error.html
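One mechanism that fits the facts in the question (no error until the proxy was introduced, and ;jsessionid= showing up in the endpoint URL) is worth checking first. This is an assumption about the setup, not something the thread confirms: ProxyPass /CB3/ maps to the backend's /, so Tomcat's Set-Cookie carries Path=/SdmxSandbox while the browser is at /CB3/SdmxSandbox/..., the RFC 6265 path-match fails, the cookie is never sent back, and BlazeDS falls back to URL rewriting and sees a new FlexSession on the next request (the session id in the URL also ends up in access logs and Referer headers). If that is the cause, mod_proxy's `ProxyPassReverseCookiePath /SdmxSandbox /CB3/SdmxSandbox` beside the existing ProxyPassReverse rewrites the cookie path. The script below is an added example for this page, not code from the question, the answer or BlazeDS; it implements the path-match rule and models what ProxyPassReverseCookiePath does to the header. Cookie and path values are constructed.

```python
"""Does the backend's JSESSIONID cookie survive a path-prefixed ProxyPass?

Added example, not code from the question, the answer or BlazeDS.
Cookie values and paths below are constructed.
"""


def default_path(request_path):
    """RFC 6265 section 5.1.4 default-path for a cookie set without a Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header):
    """Return (name, value, [(attr, value), ...]) preserving attribute order and case."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append((key, val))
    return name, value, attrs


def cookie_will_be_sent(set_cookie_header, request_path, set_by_path=None):
    """Would a browser that stored this cookie attach it to request_path?
    set_by_path is the path of the response that set the cookie (used only
    when the cookie has no Path attribute); defaults to request_path."""
    _, _, attrs = parse_set_cookie(set_cookie_header)
    cookie_path = next((v for k, v in attrs if k.lower() == "path"), None)
    if not cookie_path or not cookie_path.startswith("/"):
        cookie_path = default_path(set_by_path or request_path)
    return path_matches(cookie_path, request_path)


def rewrite_cookie_path(header, internal, public):
    """Model ProxyPassReverseCookiePath <internal> <public>: rewrite the Path
    prefix the backend set into the prefix the browser sees."""
    name, value, attrs = parse_set_cookie(header)
    rebuilt = [f"{name}={value}"]
    for key, val in attrs:
        if key.lower() == "path" and val.startswith(internal):
            val = public + val[len(internal):]
        rebuilt.append(f"{key}={val}" if val else key)
    return "; ".join(rebuilt)


def session_id_in_url(url):
    """URL rewriting puts the session id into logs and Referer headers; flag it."""
    return ";jsessionid=" in url.lower()


# Constructed values for the setup in the question
BACKEND_SET_COOKIE = "JSESSIONID=ABCDEF0123456789; Path=/SdmxSandbox; HttpOnly"
PUBLIC_REQUEST_PATH = "/CB3/SdmxSandbox/messagebroker/amf"

if __name__ == "__main__":
    print("sent as-is:", cookie_will_be_sent(BACKEND_SET_COOKIE, PUBLIC_REQUEST_PATH))
    fixed = rewrite_cookie_path(BACKEND_SET_COOKIE, "/SdmxSandbox", "/CB3/SdmxSandbox")
    print("after ProxyPassReverseCookiePath:", fixed, cookie_will_be_sent(fixed, PUBLIC_REQUEST_PATH))
```

To confirm against the live system, compare the Path attribute in the Set-Cookie header the browser receives via port 80 with the path of the AMF endpoint it then calls; if they do not path-match, the proxy is the cause and the cookie-path rewrite (or mapping /CB3/ to a backend path with the same prefix) fixes it without touching services-config.xml.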