Solved: Apache Tomcat not Starting When SSO enabled in pla...

CaShimiz · ‎Feb 17, 2022

Hi,

I'm trying to configure TWX SSO with Okta as IdP, I'm not using ping federate, since TWX can work with a SAML2.0 integration natively.

I have the metadata from Okta and configured the keystore to hold the metadata and certificate.

When I try to start the Apache service, i get the following errors in the application log:

2022-02-17 11:44:29.033+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] Error initializing key store
2022-02-17 11:44:29.049+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] Context initialization failed
2022-02-17 11:44:29.064+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] *** CRITICAL ERROR ON STARTUP: Error creating bean with name 'filterChainProxy' defined in class path resource [config/securityContext.xml]: Cannot create inner bean '(inner bean)#2332b018' of type [org.springframework.security.web.DefaultSecurityFilterChain] while setting constructor argument with key [2]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#2332b018': Cannot resolve reference to bean 'exceptionTranslator' while setting constructor argument with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'exceptionTranslator' defined in class path resource [config/securityContext.xml]: Cannot resolve reference to bean 'samlEntryPoint' while setting constructor argument; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'samlEntryPoint': Unsatisfied dependency expressed through method 'setWebSSOprofile' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'webSSOprofile': Unsatisfied dependency expressed through method 'setProcessor' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'processor' defined in class path resource [config/securityContext.xml]: Cannot resolve reference to bean 'artifactBinding' while setting constructor argument with key [2]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'artifactBinding' defined in class path resource [config/securityContext.xml]: Cannot create inner bean 'org.springframework.security.saml.websso.ArtifactResolutionProfileImpl#b9da211' of type [org.springframework.security.saml.websso.ArtifactResolutionProfileImpl] while setting constructor argument; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.saml.websso.ArtifactResolutionProfileImpl#b9da211': Unsatisfied dependency expressed through method 'setMetadata' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'metadata': Unsatisfied dependency expressed through method 'setKeyManager' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keyManager' defined in class path resource [config/securityContext.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.thingworx.security.authentication.sso.SSOJKSKeyManager]: Constructor threw exception; nested exception is java.lang.RuntimeException: Error initializing keystore
2022-02-17 11:44:29.064+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] *** Web Application STATE is being set to ERROR! ***

I've searched the support and community and the one thing I found similar says that either I have a typo in the sso-settings.json or the path to the keystore is wrong.

Both of them I've checked multiple times and it doesn't seem to be wrong.

Any ideas of what could be?

Thanks and regards,

Caio

slangley · ‎Apr 22, 2022

Hi @CaShimiz.

Per the case, the following was the solution you found:

Changed the group mapping in the SSO Authenticator, and also gave Admin rights to a user by adding it to the user provision exclusion list--effectively bypassing the group mappings. It was not required to create a user with alias Administrator in the AD/Okta.

If you agree that this is the correct solution, please mark this response as the Accepted Solution for the benefit of others with the same issue.

Regards.

--Sharon

View solution in original post

VladimirN · ‎Feb 17, 2022

Hi,

Read this article (where is the same Error) - "ThingWorx 9.x active-active High Availability(HA) clustering setup does not start if IGNITE_WORK_DIR is not set on ThingWorx servers": https://www.ptc.com/en/support/article/cs331246

CaShimiz · ‎Feb 17, 2022

HI @VladimirN, not sure what the relation between my issue and the article?

I'm not using HA clustering.

slangley · ‎Feb 24, 2022

Hi @CaShimiz.

Are you sure the keystore is valid? I'm not sure we can troubleshoot this issue via the community, so I recommend opening a case. I'm happy to open one on your behalf with your approval to do so.

Regards.

--Sharon

CaShimiz · ‎Feb 25, 2022

Hi @slangley one thing I noticed is I wasn't using the fqdn to open TWX, and I believe without fqdn it won't work. So I'm going to retry that, and confirm if it worked or not here, before opening a case.

Thanks anyway,

Caio

CaShimiz · ‎Mar 03, 2022

Hi @slangley it didn't work. I re-did the process and got the same error.

What do you mean by valid keystore? I created one and added the appropriate certificates to it.

Regards,

Caio

slangley · ‎Mar 04, 2022

Hi @CaShimiz.

Did you follow these instructions for creating the keystore? This article references using a self-signed certificate, but there is a link for importing a CA-signed certificate once the keystore has been created.

If you continue to have issues, we will need to open a case.

Regards.

--Sharon

CaShimiz · ‎Mar 07, 2022

Hi @slangley yes, I followed that procedure and imported the Okta certificate that the customer sent me.

I think it'd be good to open a case now.

Regards,

Caio

slangley · ‎Mar 07, 2022

Hi @CaShimiz.

The case has been opened. You should have received an email containing the case number.

Regards.

--Sharon

slangley · ‎Apr 22, 2022

Hi @CaShimiz.

Per the case, the following was the solution you found:

Changed the group mapping in the SSO Authenticator, and also gave Admin rights to a user by adding it to the user provision exclusion list--effectively bypassing the group mappings. It was not required to create a user with alias Administrator in the AD/Okta.

If you agree that this is the correct solution, please mark this response as the Accepted Solution for the benefit of others with the same issue.

Regards.

--Sharon

Apache Tomcat not Starting When SSO enabled in plartform-settings.json

Apache Tomcat not Starting When SSO enabled in plartform-settings.json