Skip to main content
C
CaShimiz14-Alexandrite
14-Alexandrite
February 17, 2022
Solved

Apache Tomcat not Starting When SSO enabled in plartform-settings.json

  • February 17, 2022
  • 3 replies
  • 3891 views

Hi,

 

I'm trying to configure TWX SSO with Okta as IdP, I'm not using ping federate, since TWX can work with a SAML2.0 integration natively.

I have the metadata from Okta and configured the keystore to hold the metadata and certificate.

When I try to start the Apache service, i get the following errors in the application log:

 

2022-02-17 11:44:29.033+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] Error initializing key store
2022-02-17 11:44:29.049+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] Context initialization failed
2022-02-17 11:44:29.064+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] *** CRITICAL ERROR ON STARTUP: Error creating bean with name 'filterChainProxy' defined in class path resource [config/securityContext.xml]: Cannot create inner bean '(inner bean)#2332b018' of type [org.springframework.security.web.DefaultSecurityFilterChain] while setting constructor argument with key [2]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#2332b018': Cannot resolve reference to bean 'exceptionTranslator' while setting constructor argument with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'exceptionTranslator' defined in class path resource [config/securityContext.xml]: Cannot resolve reference to bean 'samlEntryPoint' while setting constructor argument; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'samlEntryPoint': Unsatisfied dependency expressed through method 'setWebSSOprofile' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'webSSOprofile': Unsatisfied dependency expressed through method 'setProcessor' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'processor' defined in class path resource [config/securityContext.xml]: Cannot resolve reference to bean 'artifactBinding' while setting constructor argument with key [2]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'artifactBinding' defined in class path resource [config/securityContext.xml]: Cannot create inner bean 'org.springframework.security.saml.websso.ArtifactResolutionProfileImpl#b9da211' of type [org.springframework.security.saml.websso.ArtifactResolutionProfileImpl] while setting constructor argument; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.saml.websso.ArtifactResolutionProfileImpl#b9da211': Unsatisfied dependency expressed through method 'setMetadata' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'metadata': Unsatisfied dependency expressed through method 'setKeyManager' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keyManager' defined in class path resource [config/securityContext.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.thingworx.security.authentication.sso.SSOJKSKeyManager]: Constructor threw exception; nested exception is java.lang.RuntimeException: Error initializing keystore
2022-02-17 11:44:29.064+0000 [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: ] [T: main] *** Web Application STATE is being set to ERROR! ***

 

 

I've searched the support and community and the one thing I found similar says that either I have a typo in the sso-settings.json or the path to the keystore is wrong. 

Both of them I've checked multiple times and it doesn't seem to be wrong.


Any ideas of what could be?

 

Thanks and regards,


Caio

Best answer by slangley

Hi @CaShimiz.

 

Per the case, the following was the solution you found:

 

Changed the group mapping in the SSO Authenticator, and also gave Admin rights to a user by adding it to the user provision exclusion list--effectively bypassing the group mappings.  It was not required to create a user with alias Administrator in the AD/Okta.

 

If you agree that this is the correct solution, please mark this response as the Accepted Solution for the benefit of others with the same issue.

 

Regards.

 

--Sharon

3 replies

V
24-Ruby III
VladimirN24-Ruby III
24-Ruby III
February 17, 2022

 Hi,

 

Read this article (where is the same Error) - "ThingWorx 9.x active-active High Availability(HA) clustering setup does not start if IGNITE_WORK_DIR is not set on ThingWorx servers": https://www.ptc.com/en/support/article/cs331246 

C
CaShimiz14-AlexandriteAuthor
14-Alexandrite
February 17, 2022

HI @VladimirN, not sure what the relation between my issue and the article?

I'm not using HA clustering.

 

S
slangleyCommunity Manager
Support
February 24, 2022

Hi @CaShimiz.

 

Are you sure the keystore is valid?  I'm not sure we can troubleshoot this issue via the community, so I recommend opening a case.  I'm happy to open one on your behalf with your approval to do so.

 

Regards.

 

--Sharon

 

C
CaShimiz14-AlexandriteAuthor
14-Alexandrite
February 25, 2022

Hi @slangley one thing I noticed is I wasn't using the fqdn to open TWX, and I believe without fqdn it won't work. So I'm going to retry that, and confirm if it worked or not here, before opening a case. 

 

Thanks anyway,

 

Caio

C
CaShimiz14-AlexandriteAuthor
14-Alexandrite
March 3, 2022

Hi @slangley it didn't work. I re-did the process and got the same error. 

 

What do you mean by valid keystore? I created one and added the appropriate certificates to it.

 

Regards,

 

Caio

S
slangleyCommunity ManagerAnswer
Support
April 22, 2022

Hi @CaShimiz.

 

Per the case, the following was the solution you found:

 

Changed the group mapping in the SSO Authenticator, and also gave Admin rights to a user by adding it to the user provision exclusion list--effectively bypassing the group mappings.  It was not required to create a user with alias Administrator in the AD/Okta.

 

If you agree that this is the correct solution, please mark this response as the Accepted Solution for the benefit of others with the same issue.

 

Regards.

 

--Sharon

    Terms & ConditionsAccessibility statement