Apache Tomcat not Starting When SSO enabled in platform-settings.json
Hi,
I'm trying to configure TWX SSO with Okta as IdP, I'm not using ping federate, since TWX can work with a SAML2.0 integration natively.
I have the metadata from Okta and configured the keystore to hold the metadata and certificate.
When I try to start the Apache service, I get the following errors in the application log:
2022-02-17 11:44:29.033+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] Error initializing key store
2022-02-17 11:44:29.049+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] Context initialization failed
2022-02-17 11:44:29.064+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] *** CRITICAL ERROR ON STARTUP: Error creating bean with name 'filterChainProxy' defined in class path resource [config/securityContext.xml]: Cannot create inner bean '(inner bean)#2332b018' of type [org.springframework.security.web.DefaultSecurityFilterChain] while setting constructor argument with key [2]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#2332b018': Cannot resolve reference to bean 'exceptionTranslator' while setting constructor argument with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'exceptionTranslator' defined in class path resource [config/securityContext.xml]: Cannot resolve reference to bean 'samlEntryPoint' while setting constructor argument; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'samlEntryPoint': Unsatisfied dependency expressed through method 'setWebSSOprofile' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'webSSOprofile': Unsatisfied dependency expressed through method 'setProcessor' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'processor' defined in class path resource [config/securityContext.xml]: Cannot resolve reference to bean 'artifactBinding' while setting constructor argument with key [2]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'artifactBinding' defined in class path resource [config/securityContext.xml]: Cannot create inner bean 'org.springframework.security.saml.websso.ArtifactResolutionProfileImpl#b9da211' of type 
[org.springframework.security.saml.websso.ArtifactResolutionProfileImpl] while setting constructor argument; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.saml.websso.ArtifactResolutionProfileImpl#b9da211': Unsatisfied dependency expressed through method 'setMetadata' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'metadata': Unsatisfied dependency expressed through method 'setKeyManager' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keyManager' defined in class path resource [config/securityContext.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.thingworx.security.authentication.sso.SSOJKSKeyManager]: Constructor threw exception; nested exception is java.lang.RuntimeException: Error initializing keystore
2022-02-17 11:44:29.064+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] *** Web Application STATE is being set to ERROR! ***
I've searched the support and community and the one thing I found similar says that either I have a typo in the sso-settings.json or the path to the keystore is wrong.
Both of them I've checked multiple times and it doesn't seem to be wrong.
Any ideas what it could be?
Thanks and regards,
Caio
Labels: Connectivity, Security
Accepted Solutions
Hi @CaShimiz.
Per the case, the following was the solution you found:
Changed the group mapping in the SSO Authenticator, and also gave Admin rights to a user by adding it to the user provision exclusion list--effectively bypassing the group mappings. It was not required to create a user with alias Administrator in the AD/Okta.
If you agree that this is the correct solution, please mark this response as the Accepted Solution for the benefit of others with the same issue.
Regards.
--Sharon
Hi,
Read this article (which has the same error) - "ThingWorx 9.x active-active High Availability(HA) clustering setup does not start if IGNITE_WORK_DIR is not set on ThingWorx servers": https://www.ptc.com/en/support/article/cs331246
Hi @VladimirN, I'm not sure what the relation is between my issue and the article?
I'm not using HA clustering.
Hi @CaShimiz.
Are you sure the keystore is valid? I'm not sure we can troubleshoot this issue via the community, so I recommend opening a case. I'm happy to open one on your behalf with your approval to do so.
Regards.
--Sharon
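The "is the keystore valid?" question above can be answered outside ThingWorx before a case is opened. The stack trace in the first post ends in SSOJKSKeyManager throwing "Error initializing keystore", which is the point where a Java key manager opens the file with the standard java.security.KeyStore API. The program below is an added example, not ThingWorx or PTC code and not from this thread; it walks the same steps (file readable, loadable as JKS with the store password, entries and certificate validity, SP key alias openable with the key password) and reports which one fails. The four command-line arguments are assumed to be the keystore path, store password, SP key alias and key password you configured for SSO; the argument names are mine.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example, not ThingWorx or PTC code: loads a JKS keystore with the
 * standard java.security.KeyStore API (the same API an SSO key manager uses)
 * and reports which step fails, so "Error initializing keystore" can be
 * narrowed down outside the platform.
 *
 * Arguments (assumed to be the values you configured for SSO):
 *   <keystore path> <store password> <SP key alias> [<key password>]
 */
public class KeystoreCheck {

    /** Steps 1 and 2: file readable by this user, and loadable as JKS with the store password. */
    static KeyStore load(Path path, char[] storePass) throws Exception {
        if (!Files.isReadable(path)) {
            throw new IOException(path.toAbsolutePath() + " does not exist or is not readable by this user");
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, storePass);
        } catch (IOException e) {
            // JKS reports a wrong store password as an IOException caused by UnrecoverableKeyException;
            // a file that is not a keystore at all (e.g. the IdP metadata XML saved under the
            // keystore name) fails with "Invalid keystore format".
            if (e.getCause() instanceof UnrecoverableKeyException) {
                throw new IOException("store password is wrong", e);
            }
            throw new IOException("not a valid keystore: " + e.getMessage(), e);
        }
        return ks;
    }

    /** Step 3: list every entry and flag X.509 certificates that are expired or not yet valid. */
    static void listEntries(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "key" : "trusted-cert";
            Certificate c = ks.getCertificate(alias);
            String detail = "";
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                detail = x.getSubjectX500Principal().getName() + " valid until " + x.getNotAfter();
                try {
                    x.checkValidity();
                } catch (CertificateException e) {
                    detail += " [NOT VALID NOW: " + e.getMessage() + "]";
                }
            }
            System.out.println("  " + kind + " '" + alias + "' " + detail);
        }
    }

    /** Step 4: the SP signing key must exist under the expected alias and open with the key password. */
    static Key spKey(KeyStore ks, String alias, char[] keyPass) throws Exception {
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("no entry named '" + alias + "' (JKS aliases are case-insensitive)");
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("'" + alias + "' is a trusted certificate, not a private key entry");
        }
        try {
            return ks.getKey(alias, keyPass); // wrong key password -> UnrecoverableKeyException
        } catch (UnrecoverableKeyException e) {
            throw new IllegalStateException("key password for '" + alias + "' is wrong", e);
        }
    }

    public static void main(String[] args) {
        if (args.length < 3) {
            System.err.println("usage: java KeystoreCheck <path> <storePass> <keyAlias> [<keyPass>]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        char[] keyPass = (args.length > 3 ? args[3] : args[1]).toCharArray();
        try {
            KeyStore ks = load(Paths.get(args[0]), storePass);
            System.out.println("keystore loaded, " + ks.size() + " entries:");
            listEntries(ks);
            Key k = spKey(ks, args[2], keyPass);
            System.out.println("SP key '" + args[2] + "' opened: " + k.getAlgorithm());
        } catch (Exception e) {
            System.err.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it as the same OS account that runs Tomcat, not as the administrator who created the keystore: a file that is readable to the admin but not to the service account passes every manual keytool check and still fails at startup with exactly the trace shown in the first post.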
Hi @slangley, one thing I noticed is that I wasn't using the FQDN to open TWX, and I believe without the FQDN it won't work. So I'm going to retry that, and confirm here whether it worked or not, before opening a case.
Thanks anyway,
Caio
Hi @slangley it didn't work. I re-did the process and got the same error.
What do you mean by valid keystore? I created one and added the appropriate certificates to it.
Regards,
Caio
Hi @CaShimiz.
Did you follow these instructions for creating the keystore? This article references using a self-signed certificate, but there is a link for importing a CA-signed certificate once the keystore has been created.
If you continue to have issues, we will need to open a case.
Regards.
--Sharon
Hi @slangley yes, I followed that procedure and imported the Okta certificate that the customer sent me.
I think it'd be good to open a case now.
Regards,
Caio
Hi @CaShimiz.
The case has been opened. You should have received an email containing the case number.
Regards.
--Sharon