cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Did you get an answer that solved your problem? Please mark it as an Accepted Solution so others with the same problem can find the answer easily. X

Apache Tomcat not Starting When SSO enabled in plartform-settings.json

CaShimiz
12-Amethyst

Apache Tomcat not Starting When SSO enabled in plartform-settings.json

Hi,

 

I'm trying to configure TWX SSO with Okta as IdP, I'm not using ping federate, since TWX can work with a SAML2.0 integration natively.

I have the metadata from Okta and configured the keystore to hold the metadata and certificate.

When I try to start the Apache service, i get the following errors in the application log:

 

2022-02-17 11:44:29.033+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] Error initializing key store
2022-02-17 11:44:29.049+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] Context initialization failed
2022-02-17 11:44:29.064+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] *** CRITICAL ERROR ON STARTUP: Error creating bean with name 'filterChainProxy' defined in class path resource [config/securityContext.xml]: Cannot create inner bean '(inner bean)#2332b018' of type [org.springframework.security.web.DefaultSecurityFilterChain] while setting constructor argument with key [2]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#2332b018': Cannot resolve reference to bean 'exceptionTranslator' while setting constructor argument with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'exceptionTranslator' defined in class path resource [config/securityContext.xml]: Cannot resolve reference to bean 'samlEntryPoint' while setting constructor argument; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'samlEntryPoint': Unsatisfied dependency expressed through method 'setWebSSOprofile' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'webSSOprofile': Unsatisfied dependency expressed through method 'setProcessor' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'processor' defined in class path resource [config/securityContext.xml]: Cannot resolve reference to bean 'artifactBinding' while setting constructor argument with key [2]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'artifactBinding' defined in class path resource [config/securityContext.xml]: Cannot create inner bean 'org.springframework.security.saml.websso.ArtifactResolutionProfileImpl#b9da211' of type [org.springframework.security.saml.websso.ArtifactResolutionProfileImpl] while setting constructor argument; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.saml.websso.ArtifactResolutionProfileImpl#b9da211': Unsatisfied dependency expressed through method 'setMetadata' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'metadata': Unsatisfied dependency expressed through method 'setKeyManager' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keyManager' defined in class path resource [config/securityContext.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.thingworx.security.authentication.sso.SSOJKSKeyManager]: Constructor threw exception; nested exception is java.lang.RuntimeException: Error initializing keystore
2022-02-17 11:44:29.064+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] *** Web Application STATE is being set to ERROR! ***

 

 

I've searched the support and community and the one thing I found similar says that either I have a typo in the sso-settings.json or the path to the keystore is wrong. 

Both of them I've checked multiple times and it doesn't seem to be wrong.


Any ideas of what could be?

 

Thanks and regards,


Caio

1 ACCEPTED SOLUTION

Accepted Solutions
slangley
23-Emerald II
(To:CaShimiz)

Hi @CaShimiz.

 

Per the case, the following was the solution you found:

 

Changed the group mapping in the SSO Authenticator, and also gave Admin rights to a user by adding it to the user provision exclusion list--effectively bypassing the group mappings.  It was not required to create a user with alias Administrator in the AD/Okta.

 

If you agree that this is the correct solution, please mark this response as the Accepted Solution for the benefit of others with the same issue.

 

Regards.

 

--Sharon

View solution in original post

9 REPLIES 9

 Hi,

 

Read this article (where is the same Error) - "ThingWorx 9.x active-active High Availability(HA) clustering setup does not start if IGNITE_WORK_DIR is not set on ThingWorx servers": https://www.ptc.com/en/support/article/cs331246 

CaShimiz
12-Amethyst
(To:VladimirN)

HI @VladimirN, not sure what the relation between my issue and the article?

I'm not using HA clustering.

 

slangley
23-Emerald II
(To:CaShimiz)

Hi @CaShimiz.

 

Are you sure the keystore is valid?  I'm not sure we can troubleshoot this issue via the community, so I recommend opening a case.  I'm happy to open one on your behalf with your approval to do so.

 

Regards.

 

--Sharon

 

CaShimiz
12-Amethyst
(To:slangley)

Hi @slangley one thing I noticed is I wasn't using the fqdn to open TWX, and I believe without fqdn it won't work. So I'm going to retry that, and confirm if it worked or not here, before opening a case. 

 

Thanks anyway,

 

Caio

CaShimiz
12-Amethyst
(To:CaShimiz)

Hi @slangley it didn't work. I re-did the process and got the same error. 

 

What do you mean by valid keystore? I created one and added the appropriate certificates to it.

 

Regards,

 

Caio

slangley
23-Emerald II
(To:CaShimiz)

Hi @CaShimiz.

 

Did you follow these instructions for creating the keystore?  This article references using a self-signed certificate, but there is a link for importing a CA-signed certificate once the keystore has been created.

 

If you continue to have issues, we will need to open a case.

 

Regards.

 

--Sharon

 

 

CaShimiz
12-Amethyst
(To:slangley)

Hi @slangley yes, I followed that procedure and imported the Okta certificate that the customer sent me.

 

I think it'd be good to open a case now.

 

Regards,

Caio

slangley
23-Emerald II
(To:CaShimiz)

Hi @CaShimiz.

 

The case has been opened.  You should have received an email containing the case number.

 

Regards.

 

--Sharon

slangley
23-Emerald II
(To:CaShimiz)

Hi @CaShimiz.

 

Per the case, the following was the solution you found:

 

Changed the group mapping in the SSO Authenticator, and also gave Admin rights to a user by adding it to the user provision exclusion list--effectively bypassing the group mappings.  It was not required to create a user with alias Administrator in the AD/Okta.

 

If you agree that this is the correct solution, please mark this response as the Accepted Solution for the benefit of others with the same issue.

 

Regards.

 

--Sharon

Top Tags