From: Krzysztof B. <kb...@un...> - 2017-08-04 07:54:03

Hi Shiraz,

On 03.08.2017 at 17:17, Shiraz Memon wrote:
> Hi Krzysztof, all,
>
> I am trying to deploy v2.1.0 while reusing the configuration (the entire
> config folder) from an existing configured v1.9.6 instance, however
> adapted it according to the instructions provided under howto-update
> page
> (http://www.unity-idm.eu/documentation/unity-2.0.0-SNAPSHOT/update-howto-v2.html).
> Main changes are the db settings & initialisers in unityServer.conf,
> logger configuration in startup.properties and finally copied the
> scripts directory from original config folder. I have also created a new
> database and assigned appropriate rights to the mysql user that is being
> configured inside the configuration. The content from both log files
> follows.
>
> unity-server.log:
> #############
> ### Cause: org.apache.ibatis.executor.BatchExecutorException:
> pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index
> #1) failed. Cause: jav
> a.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already
> exists

I guess somehow your database is corrupted (schema creation failed in the middle). Try to drop the DB, and recreate it - should help.

Best,
Krzysztof

From: Shiraz M. <a....@fz...> - 2017-08-03 15:28:15

Hi Krzysztof, all,

I am trying to deploy v2.1.0 while reusing the configuration (the entire config folder) from an existing configured v1.9.6 instance, however adapted it according to the instructions provided under howto-update page (http://www.unity-idm.eu/documentation/unity-2.0.0-SNAPSHOT/update-howto-v2.html). Main changes are the db settings & initialisers in unityServer.conf, logger configuration in startup.properties and finally copied the scripts directory from original config folder. I have also created a new database and assigned appropriate rights to the mysql user that is being configured inside the configuration. The content from both log files follows.

unity-server.log:
#############
2017-08-03T16:56:42,159 [main] INFO unity.server.db.InitDB: Initializing DB schema
2017-08-03T16:56:42,488 [main] WARN org.springframework.context.support.ClassPathXmlApplicationContext: Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'serverManagementImpl' define d in URL [jar:file:/home/eudat/unity-server-distribution-2.1.0/lib/unity-server-engine-2.1.0.jar!/pl/edu/icm/unity/engine/server/ServerManagementImpl.class] : Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Er ror creating bean with name 'storageCleanerImpl' defined in URL [jar:file:/home/eudat/unity-server-distribution-2.1.0/lib/unity-server-storage-2.1.0.jar!/pl /edu/icm/unity/store/StorageCleanerImpl.class]: Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.be ans.factory.UnsatisfiedDependencyException: Error creating bean with name 'StoreLoaderhz': Unsatisfied dependency expressed through field 'initDB'; nested e xception is org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'StoreLoaderrdbms' defined in URL [jar:file:/home/eudat/u nity-server-distribution-2.1.0/lib/unity-server-storage-2.1.0.jar!/pl/edu/icm/unity/store/rdbms/DB.class]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [pl.edu.icm.unity.store.rdbms.DB]: Constructor threw exception; ne sted exception is org.apache.ibatis.exceptions.PersistenceException: ### Error committing transaction. Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (bat ch index #1) failed. Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 ### Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. 
Cause: jav a.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 unity-startup.log ################# ug 3, 2017 4:56:30 PM CEST: Starting UNITY Web Server Exception in thread "main" org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'serverManagementImpl' defined in URL [jar:file:/home/eudat/unity-server-distribution-2.1.0/lib/unity-server-engine-2.1.0.jar!/pl/edu/icm/unity/engine/server/ServerManagementImpl.class]: Un satisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'storageCleanerImpl' defined in URL [jar:file:/home/eudat/unity-server-distribution-2.1.0/lib/unity-server-storage-2.1.0.jar!/pl/edu /icm/unity/store/StorageCleanerImpl.class]: Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans. factory.UnsatisfiedDependencyException: Error creating bean with name 'StoreLoaderhz': Unsatisfied dependency expressed through field 'initDB'; nested excep tion is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'StoreLoaderrdbms' defined in URL [jar:file:/home/eudat/unity -server-distribution-2.1.0/lib/unity-server-storage-2.1.0.jar!/pl/edu/icm/unity/store/rdbms/DB.class]: Bean instantiation via constructor failed; nested exc eption is org.springframework.beans.BeanInstantiationException: Failed to instantiate [pl.edu.icm.unity.store.rdbms.DB]: Constructor threw exception; nested exception is org.apache.ibatis.exceptions.PersistenceException: ### Error committing transaction. 
Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (bat ch index #1) failed. Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 ### Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. Cause: jav a.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:749) at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:189) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1193) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1095) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483) at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306) at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230) at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302) at 
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:761) at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867) at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:543) at pl.edu.icm.unity.engine.server.UnityApplication.run(UnityApplication.java:60) at pl.edu.icm.unity.engine.server.UnityApplication.main(UnityApplication.java:69) Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'storageCleanerImpl' defined in URL [jar:file:/home/eudat/unity-server-distribution-2.1.0/lib/unity-server-storage-2.1.0.jar!/pl/edu/icm/unity/store/StorageCleanerImpl.class]: Unsatisfied dependency expressed t hrough constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'StoreLoaderhz': Unsatisfied dependency expressed through field 'initDB'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bea n with name 'StoreLoaderrdbms' defined in URL [jar:file:/home/eudat/unity-server-distribution-2.1.0/lib/unity-server-storage-2.1.0.jar!/pl/edu/icm/unity/store/rdbms/DB.class]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [p l.edu.icm.unity.store.rdbms.DB]: Constructor threw exception; nested exception is org.apache.ibatis.exceptions.PersistenceException: ### Error committing transaction. Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. 
Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 ### Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:749) at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:189) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1193) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1095) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483) at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306) at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230) at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302) at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) at 
org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:208) at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1138) at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1066) at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:835) at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:741) ... 14 more Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'StoreLoaderhz': Unsatisfied dependency expressed through field 'initDB'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'StoreLoaderrdbms' defined in URL [jar:file:/home/eudat/unity-server-distribution-2.1.0/lib/unity-server-storage-2.1.0.jar!/pl/edu/icm/unity/store/rdbms/DB.class]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [pl.edu.icm.unity.store.rdbms.DB]: Construc tor threw exception; nested exception is org.apache.ibatis.exceptions.PersistenceException: ### Error committing transaction. Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 ### Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. 
Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:588) at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:88) at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:366) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1264) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483) at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306) at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230) at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302) at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:208) at org.springframework.beans.factory.support.DefaultListableBeanFactory.addCandidateEntry(DefaultListableBeanFactory.java:1316) at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:1282) at 
org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveMultipleBeans(DefaultListableBeanFactory.java:1205) at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1096) at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1066) at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:835) at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:741) ... 28 more Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'StoreLoaderrdbms' defined in URL [jar:file:/home/eudat/unity-server-distribution-2.1.0/lib/unity-server-storage-2.1.0.jar!/pl/edu/icm/unity/store/rdbms/DB.class]: Bean instantiation via constructor failed; nested excep tion is org.springframework.beans.BeanInstantiationException: Failed to instantiate [pl.edu.icm.unity.store.rdbms.DB]: Constructor threw exception; nested exception is org.apache.ibatis.exceptions.PersistenceException: ### Error committing transaction. Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000 ) engine=InnoDB, character set utf8 ### Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. 
Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:279) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1193) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1095) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483) at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306) at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230) at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302) at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:208) at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1138) at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1066) at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:585) ... 
45 more Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [pl.edu.icm.unity.store.rdbms.DB]: Constructor threw exception; nested exception is org.apache.ibatis.exceptions.PersistenceException: ### Error committing transaction. Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 ### Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:154) at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:122) at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:271) ... 57 more Caused by: org.apache.ibatis.exceptions.PersistenceException: ### Error committing transaction. Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. 
Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 ### Cause: org.apache.ibatis.executor.BatchExecutorException: pl.edu.icm.unity.store.rdbms.mapper.InitdbMapper.initdb-01 (batch index #1) failed. Cause: java.sql.BatchUpdateException: (conn:57029) Table 'IDENTITY_TYPES' already exists Query is : CREATE TABLE IDENTITY_TYPES( ID INTEGER PRIMARY KEY AUTO_INCREMENT, NAME VARCHAR(200), CONTENTS VARBINARY(60000) , UNIQUE(NAME) ) engine=InnoDB, character set utf8 at org.apache.ibatis.exceptions.ExceptionFactory.wrapException(ExceptionFactory.java:30) at org.apache.ibatis.session.defaults.DefaultSqlSession.commit(DefaultSqlSession.java:227) at org.apache.ibatis.session.defaults.DefaultSqlSession.commit(DefaultSqlSession.java:218) at pl.edu.icm.unity.store.rdbms.InitDB.performUpdate(InitDB.java:145) at pl.edu.icm.unity.store.rdbms.InitDB.initDB(InitDB.java:155) at pl.edu.icm.unity.store.rdbms.InitDB.initIfNeeded(InitDB.java:78) at pl.edu.icm.unity.store.rdbms.DB.initialize(DB.java:87) at pl.edu.icm.unity.store.rdbms.DB.<init>(DB.java:51) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:142) ... 59 more .... Any ideas? 

Cheers,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656

------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht (local court) Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------

From: Sander A. <sa....@fz...> - 2017-08-02 14:24:09

Hi Krzysztof,

I got a report about using OIDC client. Unity seems to reserve a mandatory attribute if not all requested scopes are available. Please see the message below. In that case we did not define the scope profile.

WaTTS is requesting the scope 'email profile openid' (double checked in the browser log)

b2access displays the user that only 'email openid' was requested, which is wrong.

User is returned to WaTTS without any 'scope' attribute (also double checked with browser log), which MUST be present if it is not as requested:

"[..] If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted."
https://tools.ietf.org/html/rfc6749#section-3.3

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

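The RFC 6749 section 3.3 rule quoted in the message above, as an added example that is not part of the original post and is not Unity or WaTTS code: the server side emits `scope` whenever the granted set differs from the requested one, and the client side shows what it ends up assuming when that parameter is dropped. All function names are hypothetical, the token value and scope strings are constructed samples, and the response parameters are assumed to be available as a dict.

```python
"""Added illustration of the RFC 6749 section 3.3 scope rule.

Function names are hypothetical; sample values are constructed.
"""
import re

# RFC 6749 section 3.3: scope = scope-token *( SP scope-token ),
# scope-token = 1*NQCHAR, NQCHAR = %x21 / %x23-5B / %x5D-7E
# (printable ASCII without space, double quote and backslash).
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def parse_scope(value):
    """Parse a space-delimited scope string into a set (order is not significant)."""
    tokens = value.split(" ")
    for tok in tokens:
        # An empty token (double space, empty string) or a forbidden
        # character makes the whole value invalid.
        if not SCOPE_TOKEN.fullmatch(tok):
            raise ValueError(f"invalid scope token: {tok!r}")
    return frozenset(tokens)


def build_token_response(requested, granted, access_token, token_type="Bearer"):
    """Authorization-server side: include 'scope' if granted differs from requested."""
    req, got = parse_scope(requested), parse_scope(granted)
    response = {"access_token": access_token, "token_type": token_type}
    if got != req:
        # MUST per section 3.3; compared as sets so reordering alone
        # does not count as a difference.
        response["scope"] = " ".join(sorted(got))
    return response


def effective_scope(requested, response):
    """Client side: the scope the client is entitled to assume.

    A response without 'scope' means "granted exactly as requested".
    """
    if "scope" in response:
        return parse_scope(response["scope"])
    return parse_scope(requested)


def audit_grant(requested, actually_granted, response):
    """Test-harness check: compare the server's real grant with the client's view.

    'actually_granted' is what the server really issued, known to the tester
    from the server's configuration or consent screen.
    """
    assumed = effective_scope(requested, response)
    actual = parse_scope(actually_granted)
    return {
        "compliant": assumed == actual,
        "assumed_but_not_granted": sorted(assumed - actual),
        "granted_but_not_assumed": sorted(actual - assumed),
    }


if __name__ == "__main__":
    requested = "email profile openid"   # what the client asked for
    granted = "email openid"             # what the server actually issued

    # Compliant server: the narrowed scope is reported back.
    good = build_token_response(requested, granted, "constructed-token")
    print(good, audit_grant(requested, granted, good))

    # Behaviour described in the report: same grant, 'scope' left out.
    bad = {"access_token": "constructed-token", "token_type": "Bearer"}
    print(bad, audit_grant(requested, granted, bad))
```

With the second response the client has no way to learn that `profile` was withheld, so any authorization decision it derives from the assumed scope is made on wrong data.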
From: Krzysztof B. <kb...@un...> - 2017-08-02 09:00:13

On 02.08.2017 at 10:38, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I'm struggling on a new instance with OAuth clients. A user signs in to
> the Oauth SP and the information to the SPs are not released. The SP
> only says "Login Error! Your IdP returned you with the error
> <<"server_error">>. Please contact your IdP.". In the response is
> Unexpected server error. The unity log file shows the error below.
>
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE
> unity.server.web.InvocationContextSetupFilter - A new invocation
> context was set
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE
> unity.server.web.InvocationContextSetupFilter - Login session was set
> for the invocation context
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE
> unity.server.web.InvocationContextSetupFilter - Default locale was set
> for the invocation context
> 2017-08-01 15:40:38,827 [qtp1441014857-149] DEBUG
> unity.server.RoutingServlet - Routing request to DEFAULT destination
> /oauth2-authz-consentdecider
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE
> unity.server.web.AuthenticationFilter - Request to not protected
> address: /oauth2-as/oauth2-authz-consentdecider
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE
> unity.server.web.InvocationContextSetupFilter - A new invocation
> context was set
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE
> unity.server.web.InvocationContextSetupFilter - Login session was set
> for the invocation context
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE
> unity.server.web.InvocationContextSetupFilter - Default locale was set
> for the invocation context
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE
> unity.server.TransactionalAspect - Starting sql session for
> execution(PreferencesManagement.getPreference(..))
> 2017-08-01 15:40:38,832 [qtp1441014857-149] TRACE
> unity.server.TransactionalAspect - Releassing sql session for
> execution(PreferencesManagement.getPreference(..))
> 2017-08-01 15:40:38,832 [qtp1441014857-149] DEBUG
> unity.server.web.IdPPreferences - It was impossible to establish
> preferences for 9 will use defaults
> pl.edu.icm.unity.exceptions.AuthorizationException: Access is denied.
> The operation getPreference requires 'read' capability
> at
> pl.edu.icm.unity.engine.authz.AuthorizationManagerImpl.checkAuthorizationInternal(AuthorizationManagerImpl.java:252)
> at
> pl.edu.icm.unity.engine.authz.AuthorizationManagerImpl.checkAuthorization(AuthorizationManagerImpl.java:179)
>
> The same error message is shown for the operation getGroups. If I sign
> in to the SP with a unity admin account it works. But I don't know
> which access rights are wrong. Do you have a hint for this problem?

Yes. Basically every entity that is actively using unity (whether this is oauth client or a user that authenticates via oauth) requires at least the read capability which is provided by the "Regular user" role. Please see Authorization section in documentation for more details.

HTH
Krzysztof

From: Sander A. <sa....@fz...> - 2017-08-02 08:55:41
|
Hi Krzysztof,

the problem is solved. I forgot to assign the regular user role.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre |
From: Sander A. <sa....@fz...> - 2017-08-02 08:39:44
|
Hi Krzysztof,

I'm struggling on a new instance with OAuth clients. A user signs in to the OAuth SP and the information to the SPs is not released. The SP only says "Login Error! Your IdP returned you with the error <<"server_error">>. Please contact your IdP.". In the response is "Unexpected server error". The unity log file shows the error below.

2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - A new invocation context was set
2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - Login session was set for the invocation context
2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - Default locale was set for the invocation context
2017-08-01 15:40:38,827 [qtp1441014857-149] DEBUG unity.server.RoutingServlet - Routing request to DEFAULT destination /oauth2-authz-consentdecider
2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.AuthenticationFilter - Request to not protected address: /oauth2-as/oauth2-authz-consentdecider
2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - A new invocation context was set
2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - Login session was set for the invocation context
2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - Default locale was set for the invocation context
2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.TransactionalAspect - Starting sql session for execution(PreferencesManagement.getPreference(..))
2017-08-01 15:40:38,832 [qtp1441014857-149] TRACE unity.server.TransactionalAspect - Releassing sql session for execution(PreferencesManagement.getPreference(..))
2017-08-01 15:40:38,832 [qtp1441014857-149] DEBUG unity.server.web.IdPPreferences - It was impossible to establish preferences for 9 will use defaults
pl.edu.icm.unity.exceptions.AuthorizationException: Access is denied. The operation getPreference requires 'read' capability
    at pl.edu.icm.unity.engine.authz.AuthorizationManagerImpl.checkAuthorizationInternal(AuthorizationManagerImpl.java:252)
    at pl.edu.icm.unity.engine.authz.AuthorizationManagerImpl.checkAuthorization(AuthorizationManagerImpl.java:179)

The same error message is shown for the operation getGroups. If I sign in to the SP with a unity admin account it works. But I don't know which access rights are wrong. Do you have a hint for this problem?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre |
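To answer "which access rights are wrong" from a log like the one in this post, the denied operation and the capability it needs can be pulled out of the TRACE noise. The following is an added example, not part of the thread or of Unity itself; the function names are hypothetical and the second event in the sample is constructed from the post's statement that getGroups fails the same way.

```python
import re
from collections import OrderedDict

# "<timestamp> [<thread>] <LEVEL> <logger> - <message>", the layout of the log in the post.
EVENT = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[([^\]]+)\] (\w+)\s+(\S+) - (.*)$")
# Exception text exactly as it appears in the post.
DENIAL = re.compile(
    r"AuthorizationException: Access is denied\. "
    r"The operation (\w+) requires '(\w+)' capability")

# First event block is copied from the post; the second is CONSTRUCTED.
SAMPLE_LOG = """\
2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.TransactionalAspect - Starting sql session for execution(PreferencesManagement.getPreference(..))
2017-08-01 15:40:38,832 [qtp1441014857-149] DEBUG unity.server.web.IdPPreferences - It was impossible to establish preferences for 9 will use defaults
pl.edu.icm.unity.exceptions.AuthorizationException: Access is denied. The operation getPreference requires 'read' capability
    at pl.edu.icm.unity.engine.authz.AuthorizationManagerImpl.checkAuthorizationInternal(AuthorizationManagerImpl.java:252)
2017-08-01 15:40:38,840 [qtp1441014857-149] DEBUG constructed.logger - constructed event modelled on the getGroups denial
pl.edu.icm.unity.exceptions.AuthorizationException: Access is denied. The operation getGroups requires 'read' capability
"""


def parse_events(text):
    """Group each log header line with the exception lines that follow it."""
    events = []
    for line in text.splitlines():
        match = EVENT.match(line)
        if match:
            ts, thread, level, logger, message = match.groups()
            events.append({"ts": ts, "thread": thread, "level": level,
                           "logger": logger, "lines": [message]})
        elif events and line.strip():
            # Continuation (exception text or stack frame) of the previous event.
            events[-1]["lines"].append(line.strip())
    return events


def denied_operations(text):
    """Return [(operation, capability, count, threads, first_seen)] in log order."""
    summary = OrderedDict()
    for event in parse_events(text):
        for line in event["lines"]:
            match = DENIAL.search(line)
            if not match:
                continue
            entry = summary.setdefault(
                match.groups(),
                {"count": 0, "threads": set(), "first": event["ts"]})
            entry["count"] += 1
            entry["threads"].add(event["thread"])
    return [(op, cap, e["count"], sorted(e["threads"]), e["first"])
            for (op, cap), e in summary.items()]


if __name__ == "__main__":
    for op, cap, count, threads, first in denied_operations(SAMPLE_LOG):
        print(f"{op}: needs '{cap}' ({count}x, first at {first}, threads {threads})")
```

Every denial here asks for the same 'read' capability, which points at a missing role on the signing-in entity rather than at a single misconfigured operation; the follow-up in this thread reports that assigning the regular user role fixed it.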
From: Krzysztof B. <kb...@un...> - 2017-07-31 14:04:00
|
Small correction:

On 29.07.2017 at 13:33, Krzysztof Benedyczak wrote:
> Download links and detailed list of changes is available at:
> http://www.unity-idm.eu/site/downloads

The proper download link is: http://www.unity-idm.eu/downloads (no /site in the path)

Sorry for the mistake!
Krzysztof |
From: Krzysztof B. <kb...@un...> - 2017-07-29 11:33:48
|
Dear Subscribers,

Subsequent Unity feature release v2.1.0 is available for download. This release brings important enhancements in the OAuth area.

- The standard OAuth token refresh feature is now fully supported.
- Unity now supports the OAuth token exchange protocol, allowing for simple multi-step delegation in OAuth environments.
- REST API was enhanced with operations to manage all sorts of tokens maintained by Unity, including OAuth tokens.
- Both AdminUI and HomeUI allow for managing OAuth tokens (all and owned respectively). It is therefore possible to revoke issued grants from the UI. Naturally management of refresh tokens is also supported.
- There were minor UX improvements on the login screen providing better focus behavior.

Download links and a detailed list of changes are available at: http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof |
From: Krzysztof B. <kb...@un...> - 2017-07-04 15:35:38
|
On 04.07.2017 at 17:31, André Moreira wrote:
> Hi Krzysztof,
>
> Just to clarify, the values I mentioned are in seconds. So the
> strange boundary is actually 5 minutes 58 seconds! By what you wrote,
> I assume your tests are covering update intervals far superior to
> this boundary (“typically in a range of one hour”). This makes me
> think that you are probably not able to reproduce the issue and that
> it is most likely caused by some misconfiguration on our side. Do you
> see anything wrong with the configuration below?

Yes, you are correct. On our end: automated tests use a very short update interval (up to 10 seconds), but I run a deployment with one hour of update interval and it worked fine I believe. So a bug is opened and I'll look into it. Your config looks fine.

Best,
Krzysztof |
From: André M. <an...@cl...> - 2017-07-04 15:31:45
|
Hi Krzysztof,

Just to clarify, the values I mentioned are in seconds. So the strange boundary is actually 5 minutes 58 seconds! By what you wrote, I assume your tests are covering update intervals far superior to this boundary (“typically in a range of one hour”). This makes me think that you are probably not able to reproduce the issue and that it is most likely caused by some misconfiguration on our side. Do you see anything wrong with the configuration below?

Full conf/endpoints/saml-webidp.properties file

#######################################
# SAML web IdP SAML endpoint settings
#######################################
unity.saml.issuerURI=https://idm.clarin.eu
unity.saml.credential=IDP
unity.saml.defaultGroup=/clarin
unity.saml.spAcceptPolicy=validRequester
unity.saml.signResponses=asRequest
unity.saml.validityPeriod=3600
unity.saml.requestValidityPeriod=600
unity.saml.authenticationTimeout=20
unity.saml.acceptedSPMetadataSource.1.url=https://infra.clarin.eu/aai/md_about_spf_sps.xml
unity.saml.acceptedSPMetadataSource.2.url=file:///opt/dev-sp.clarin.eu.xml
unity.saml.acceptedSPMetadataSource.3.url=file:///opt/b2access.eudat.eu.xml
unity.saml.refreshInterval=3600 # <== works if this is set to unity.saml.refreshInterval=358 or less
unity.saml.translationProfile=SAML-Attributes
unity.saml.skipConsent=true

Regards,
André |
From: Krzysztof B. <kb...@un...> - 2017-07-04 14:41:46
|
Hi Sander,

On 04.07.2017 at 15:28, Sander Apweiler wrote:
> Hi Krzysztof,
>
> today we had some problems with SQL Session. The logfile output is
> appended below. Nothing in logfile indicates a reason for this problem.
> DB log shows no problem/error. One SQL session was kept for 1129
> seconds. Parallel to these warnings the CPU usage increased to 100%.
> During the problem was a training course where 40 users created new
> accounts and/or signed in.
>
> We use a mariadb on the same host. It was the first time we had these
> problems. Do you have a hint when this error is shown in the log files?

Nothing to worry about. This is an internal watchdog that reports suspicious transactions - those which take long to complete. Threshold (quite arbitrary) is set to >3s.

If this happened during a peak load - then no problem. If this happens during regular operation, it may mean that we have a bug/deadlock and then this stack trace is very valuable.

Best
Krzysztof |
From: Krzysztof B. <kb...@un...> - 2017-07-04 14:33:46
|
Hi,

On 30.06.2017 at 17:53, André Moreira wrote:
> Hi Krzysztof, thank you very much for your answer. Based on the
> suggestions I ran some tests while setting the logging to TRACE but
> the results puzzled me even further. So when I set
> unity.saml.refreshInterval to a value <=358 , the auto refresh works
> just fine. If I set it to anything >358 it stops working. The logs
> still show the refresh action and the various entityIDs being updated
> but it behaves as if no changes were made to the metadata source.

Indeed that's very strange. We test and use smaller values (typically in a range of one hour) so it is quite likely that this is untested. Still the 378 boundary is very puzzling. I'll look into it.

At least it seems you have a decent workaround for now ;-)

Best
Krzysztof |
From: Sander A. <sa....@fz...> - 2017-07-04 13:28:31
|
Hi Krzysztof,

today we had some problems with SQL Session. The logfile output is appended below. Nothing in logfile indicates a reason for this problem. DB log shows no problem/error. One SQL session was kept for 1129 seconds. Parallel to these warnings the CPU usage increased to 100%. During the problem was a training course where 40 users created new accounts and/or signed in.

We use a mariadb on the same host. It was the first time we had these problems. Do you have a hint when this error is shown in the log files?

Best regards,
Sander

2017-07-04 08:57:51,116 [qtp1859956068-45] WARN unity.server.db.DBSessionManager - SqlSession is kept for more than 3s: 3.151s by pool-1-thread-4. Next report in at least 2000ms. Stacktrace is:
java.lang.Thread.getStackTrace(Thread.java:1552)
pl.edu.icm.unity.db.DBSessionManager.getSqlSession(DBSessionManager.java:119)
pl.edu.icm.unity.db.DBSessionManager.getSqlSession(DBSessionManager.java:108)
pl.edu.icm.unity.engine.transactions.TransactionalAspect.createNewSqlSession(TransactionalAspect.java:135)
pl.edu.icm.unity.engine.transactions.TransactionalAspect.setupTransactionSession(TransactionalAspect.java:113)
pl.edu.icm.unity.engine.transactions.TransactionalAspect.retryIfNeeded(TransactionalAspect.java:62)
pl.edu.icm.unity.engine.transactions.TransactionalAspect.retryIfNeeded4Method(TransactionalAspect.java:54)
sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:620)
org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:609)
org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:68)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:168)
org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:208)
com.sun.proxy.$Proxy26.runInTransaction(Unknown Source)
pl.edu.icm.unity.engine.endpoints.EndpointsUpdater.updateInternal(EndpointsUpdater.java:75)
pl.edu.icm.unity.utils.ScheduledUpdaterBase.update(ScheduledUpdaterBase.java:53)
pl.edu.icm.unity.utils.ScheduledUpdaterBase.run(ScheduledUpdaterBase.java:88)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
java.lang.Thread.run(Thread.java:745)

--
Federated Systems and Data
Juelich Supercomputing Centre |
From: André M. <an...@cl...> - 2017-06-30 15:53:59
|
Hi Krzysztof,

thank you very much for your answer. Based on the suggestions I ran some tests while setting the logging to TRACE but the results puzzled me even further. So when I set unity.saml.refreshInterval to a value <=358, the auto refresh works just fine. If I set it to anything >358 it stops working. The logs still show the refresh action and the various entityIDs being updated but it behaves as if no changes were made to the metadata source.

For this test I added one new entityID to the metadata source, waited for the refresh and tested the login. Also tried in the opposite direction, i.e. removing one entityID, but with the same results.

Regards,
----
André Moreira
CLARIN ERIC
https://www.clarin.eu |
From: Krzysztof B. <kb...@un...> - 2017-06-30 08:13:06
|
Hi,

On 28.06.2017 at 15:29, André Moreira wrote:
> Hi,
>
> We are seeing a problem at CLARIN where the SP metadata is not being
> updated automatically despite the option “unity.saml.refreshInterval”
> being set. Currently the only way for us to force unity to reload the
> metadata is to restart it.

Strange. Can you tell what the log says? Try to set SAML subsystem logging to the DEBUG level (or even TRACE), decrease refreshInterval to, say, 30s and check what happens around refresh. Having this information should help to diagnose the problem.

Best,
Krzysztof |
From: André M. <an...@cl...> - 2017-06-28 13:29:18
|
Hi,

We are seeing a problem at CLARIN where the SP metadata is not being updated automatically despite the option “unity.saml.refreshInterval” being set. Currently the only way for us to force unity to reload the metadata is to restart it.

In our IdP configuration (conf/endpoints/saml-webidp.properties) we have:

...
unity.saml.validityPeriod=3600
unity.saml.requestValidityPeriod=600
unity.saml.authenticationTimeout=20
unity.saml.acceptedSPMetadataSource.1.url=https://someserver.tld/somepath/agreegated_SP_md_feed.xml
unity.saml.refreshInterval=3600
unity.saml.translationProfile=SAML-Attributes
unity.saml.skipConsent=true

Any ideas? We are currently using unity v1.9.6

Thank you very much,
----
André Moreira
CLARIN ERIC
https://www.clarin.eu |
From: Krzysztof B. <kb...@un...> - 2017-06-26 09:33:17
|
Dear All,

We are very happy to announce the final release of Unity 2. After extensive testing and fixing all bugs that were found in the release candidate published 2 months ago, finally the 2.0.0 stable release is available for you.

If you tested the RC, a lot was improved since:

-) there were many bugs related to attributes handling, especially in case of emails. Those were fixed systematically by introducing better generic solutions internally
-) there were quite a few bugs in the UI code
-) also 2 problems related to upgrade were solved.

See http://www.unity-idm.eu/downloads page to read the full release notes.

Note that upgrade is possible only from 1.9.x releases, and it will involve a bit of your manual work, so please read the upgrade documentation carefully. While we may release some further 1.9.x minor releases, our focus is now on the 2.0 series.

Best regards,
Krzysztof |
From: Krzysztof B. <kb...@un...> - 2017-06-20 08:01:14
|
Hi,

On 19.06.2017 at 16:52, Gonçalo Barata wrote:
> Hi
>
> I'm trying to create a *OAuth 2.0 client* (For those who are familiar with
> eudat – I'm trying to make B2SHARE automatically communicate with B2ACCESS).
>
> How do I get the *secret key*? (like it's done in google or facebook),
> and the *CONSUMER KEY*?, do I have to create a user on the *group
> oauth-client*? where do I put the *return URL*?

Yes, you have to create each authorized client as an entity in Unity, most likely with a username identity, assign it a password and add it to the group of oauth clients as configured for your endpoint. You can also use other authN such as TLS authN.

Return URL and other client settings (such as allowed grants, logo) are configured as OAuth-specific attributes of that entity. Note: those attributes must be set in the oauth clients group, not in '/'.

Best
Krzysztof |
From: Gonçalo B. <gon...@fc...> - 2017-06-19 14:52:18
|
Hi

I'm trying to create a OAuth 2.0 client (For those who are familiar with eudat, I'm trying to make B2SHARE automatically communicate with B2ACCESS).

How do I get the secret key? (like it's done in google or facebook), and the CONSUMER KEY?, do I have to create a user on the group oauth-client? where do I put the return URL?

I'm looking for some tips on how to achieve this.

I already enabled these two endpoints.

unityServer.core.endpoints.8.endpointType=OAuth2Authz
unityServer.core.endpoints.8.endpointConfigurationFile=conf/endpoints/oauth2-as.properties
unityServer.core.endpoints.8.contextPath=/oauth2-as
unityServer.core.endpoints.8.endpointName=UNITY OAuth2 Authorization Server
unityServer.core.endpoints.8.endpointRealm=defaultRealm
unityServer.core.endpoints.8.endpointAuthenticators=pwdWeb;certWeb

unityServer.core.endpoints.9.endpointType=OAuth2Token
unityServer.core.endpoints.9.endpointConfigurationFile=conf/endpoints/oauth2-as.properties
unityServer.core.endpoints.9.contextPath=/oauth2
unityServer.core.endpoints.9.endpointName=UNITY OAuth2 Token endpoint
unityServer.core.endpoints.9.endpointRealm=defaultRealm
unityServer.core.endpoints.9.endpointAuthenticators=pwdRest

Thank you |
From: Krzysztof B. <kb...@un...> - 2017-06-15 11:11:43
|
Hi Willem,

OK, so everything is clear now. The key parts are:

On 14.06.2017 at 13:41, Willem Elbers wrote:
> 9: Condition: true
>    Action: createAttribute
>    Action parameters:
>      attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.10
>      expression = idsByType['targetedPersistent'][0]
>      mandatory = false
>      attributeDisplayName =
>      attributeDescription =
> 10: Condition: true
>    Action: createAttribute
>    Action parameters:
>      attributeName = urn:mace:dir:attribute-def:eduPersonTargetedID
>      expression = idsByType['targetedPersistent'][0]
>      mandatory = false
>      attributeDisplayName =
>      attributeDescription =

together with:

> The SAML request from SP -> IdP:
...
> <samlp:NameIDPolicy
>     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>     AllowCreate="false"
> />

So the client is requesting a transient identity (i.e. that after authentication of a user, Unity should return it a response assertion with an identity of the user of 'transient' type). The transient identity by definition is session&requester scoped: so that any other SP should get a different transient identifier for the same user and (!) this particular SP should get a different identifier for the same user in the next session (so after logout).

At the same time the SP sets AllowCreate=false, which tells Unity that it should not create any new identifier for the user - only some already existing one can be returned.

So this makes no sense together. This request can only be served when the user was previously authenticated *to the same SP and in the same SSO session*. The first authentication from this SP to Unity will never work, as a new transient identity needs to be generated exactly then.

The error you get is from the profile: the 'targetedPersistent' identity is also not created for this user as AllowCreate=false prevents it too. This can be fixed with a proper condition. However the request won't be served anyway, as after profile processing unity won't have the transient identity to be put into the response.

Shortly speaking: AllowCreate should be true or Format changed to some fixed identity. And fix the profile as it shouldn't assume that some dynamic identity is always present.

Best
Krzysztof |
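The two checks this reply describes can be run before an SP goes live. The following is an added example, not part of the thread and not Unity code: it reads the NameIDPolicy of the AuthnRequest quoted in the thread, then lists translation-profile rules whose expression dereferences an identity type the entity does not have. Function names are hypothetical, and treating a rule as guarded when its condition mentions the identity type is a simplifying assumption.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted XML prefer the defusedxml package

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# AuthnRequest as quoted in the thread (SP -> IdP).
AUTHN_REQUEST = """
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_AE13D5C8472D79640CE19B291E2442E8" Version="2.0"
    IssueInstant="2017-06-14T11:39:04Z"
    Destination="https://idm.clarin.eu/saml-idp/saml2idp-web"
    ForceAuthn="false" IsPassive="false">
  <saml:Issuer>https://clarino.uib.no/</saml:Issuer>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      AllowCreate="false"/>
</samlp:AuthnRequest>
"""

# Rules 1, 5, 9 and 10 of the SAML-Attributes profile from the thread.
PROFILE_RULES = [
    {"n": 1, "condition": "true",
     "expression": "idsByType['email'][0].replaceAll('@', '_') + '@clarin.eu'"},
    {"n": 5, "condition": "true", "expression": "idsByType['email'][0]"},
    {"n": 9, "condition": "true",
     "expression": "idsByType['targetedPersistent'][0]"},
    {"n": 10, "condition": "true",
     "expression": "idsByType['targetedPersistent'][0]"},
]

# Identity types logged for entity 261 in the thread.
WORKING_LOGIN_IDS = {"email", "persistent", "targetedPersistent", "transient"}
FAILED_LOGIN_IDS = {"email", "persistent"}

IDS_REF = re.compile(r"idsByType\['([^']+)'\]\[0\]")


def name_id_policy(xml_text):
    """Return (Format, AllowCreate) of the request; AllowCreate defaults to false."""
    root = ET.fromstring(xml_text.strip())
    policy = root.find(f"{{{SAMLP_NS}}}NameIDPolicy")
    if policy is None:
        return None, False
    allow = policy.get("AllowCreate", "false").strip().lower() in ("true", "1")
    return policy.get("Format"), allow


def check_name_id_policy(xml_text):
    """Flag NameIDPolicy combinations that depend on an identity already existing."""
    fmt, allow_create = name_id_policy(xml_text)
    findings = []
    if fmt == TRANSIENT and not allow_create:
        # A transient id is new per session, so a first login can never be served.
        findings.append("transient-without-create")
    elif fmt == PERSISTENT and not allow_create:
        # Only works for users who already hold an identifier for this SP.
        findings.append("persistent-requires-existing-id")
    return findings


def unguarded_missing_ids(rules, identity_types):
    """Return [(rule number, identity type)] that would dereference a missing id."""
    hits = []
    for rule in rules:
        for id_type in IDS_REF.findall(rule["expression"]):
            guarded = id_type in rule["condition"]  # assumption: condition tests it
            if id_type not in identity_types and not guarded:
                hits.append((rule["n"], id_type))
    return hits


if __name__ == "__main__":
    print(check_name_id_policy(AUTHN_REQUEST))
    print(unguarded_missing_ids(PROFILE_RULES, FAILED_LOGIN_IDS))
```

Run against the failed login, the second check returns rules 9 and 10, the same expression the SAML StatusMessage reported as a null pointer.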
From: Willem E. <wi...@cl...> - 2017-06-14 11:42:10
|
The translation profile we use:

Name: SAML-Attributes
Description: The set of CLARIN attributes release to service providers
Rules:
1: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.6
     expression = idsByType['email'][0].replaceAll('@', '_') + '@clarin.eu'
     mandatory = false
     attributeDisplayName =
     attributeDescription =
2: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:2.5.4.10
     expression = 'CLARIN'
     mandatory = false
     attributeDisplayName =
     attributeDescription =
3: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.9
     expression = 'me...@cl...'
     mandatory = false
     attributeDisplayName =
     attributeDescription =
4: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:2.16.840.1.113730.3.1.241
     expression = attr['clarin-full-name']
     mandatory = false
     attributeDisplayName =
     attributeDescription =
5: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:0.9.2342.19200300.100.1.3
     expression = idsByType['email'][0]
     mandatory = false
     attributeDisplayName =
     attributeDescription =
6: Condition: groups contains '/clarin/academic'
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.7
     expression = 'http://www.clarin.eu/entitlement/academic'
     mandatory = false
     attributeDisplayName =
     attributeDescription =
7: Condition: groups contains '/clarin/normal'
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.7
     expression = 'http://www.clarin.eu/entitlement/none'
     mandatory = false
     attributeDisplayName =
     attributeDescription =
8: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:2.5.4.3
     expression = attr['cn']
     mandatory = false
     attributeDisplayName =
     attributeDescription =
9: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.10
     expression = idsByType['targetedPersistent'][0]
     mandatory = false
     attributeDisplayName =
     attributeDescription =
10: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:mace:dir:attribute-def:eduPersonTargetedID
     expression = idsByType['targetedPersistent'][0]
     mandatory = false
     attributeDisplayName =
     attributeDescription =

The SAML request from SP -> IdP:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_AE13D5C8472D79640CE19B291E2442E8"
    Version="2.0"
    IssueInstant="2017-06-14T11:39:04Z"
    Destination="https://idm.clarin.eu/saml-idp/saml2idp-web"
    ForceAuthn="false"
    IsPassive="false"
    >
  <saml:Issuer>https://clarino.uib.no/</saml:Issuer>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      AllowCreate="false"
      />
</samlp:AuthnRequest>

The SAML response from IdP -> SP:

<urn:Response IssueInstant="2017-06-14T11:39:22.163Z"
    ID="SAMLY2lib_msg_8632ac33e351d8f2ba9316addaacff9bbba3e403cf02e3e"
    Version="2.0"
    InResponseTo="_AE13D5C8472D79640CE19B291E2442E8"
    xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol"
    >
  <urn1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion"
      >https://idm.clarin.eu</urn1:Issuer>
  <urn:Status>
    <urn:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    <urn:StatusMessage>[Error: null pointer: idsByType['targetedPersistent'][0]]
[Near : {... idsByType['targetedPersistent' ....}]
^
[Line: 1, Column: 1]</urn:StatusMessage>
  </urn:Status>
</urn:Response>

Hope this helps.

Best,
Willem

--
Willem Elbers
CLARIN ERIC
www.clarin.eu |
From: Krzysztof B. <kb...@un...> - 2017-06-13 09:27:49
|
Hi Willem,

On 13.06.2017 at 11:05, Willem Elbers wrote:
> Forgot to include the mailing list...

Actually same here - the last time...

>
> Hi Krzystof,
>
> apologies for the delay, I became father again which took most of my
> focus :)

Huge congratulations!

>
> After increasing the translation profile logging I can see the following
> for my identity:
>
> Working login:
>
> Entity 261:
> - [email] wi...@cl...
> - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
> - [targetedPersistent] 838bb7e5-dda6-4952-996e-6c25807e348a
> - [transient] a5f7ef17-19b5-4d1f-9ed7-b48573ed3991
> In group: /clarin
> Groups: [/clarin/developer, /clarin-admin, /clarin/normal,
> /clarin/academic, /clarin, /]
> Requester: https://sp.catalog.clarin.eu
>
> Failed login with problematic SP:
>
> Entity 261:
> - [email] wi...@cl...
> - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
> In group: /clarin
> Groups: [/clarin/developer, /clarin-admin, /clarin/normal,
> /clarin/academic, /clarin, /]
> Requester: https://clarino.uib.no/
>
> As you can see from the log, for the problematic SP the
> [targetedPersistent] and [transient] identities are missing, hence the
> error.
>
> The SAML configuration is as follows:
>
> unity.saml.issuerURI=https://idm.clarin.eu
> unity.saml.credential=IDP
> unity.saml.defaultGroup=/clarin
> unity.saml.spAcceptPolicy=validRequester
> unity.saml.signResponses=asRequest
> unity.saml.validityPeriod=3600
> unity.saml.requestValidityPeriod=600
> unity.saml.authenticationTimeout=20
> unity.saml.acceptedSPMetadataSource.1.url=https://infra.clarin.eu/aai/md_about_spf_sps.xml
> unity.saml.acceptedSPMetadataSource.2.url=file:///opt/dev-sp.clarin.eu.xml
> unity.saml.refreshInterval=3600
> unity.saml.translationProfile=SAML-Attributes
> unity.saml.skipConsent=true
>
> Please let me know if you need more info.

Yes, the critical part is your translation profile. Also can you describe the flow? I guess you have saml login to unity, correct? If so - the request would be helpful too.

Best
Krzysztof |
From: Willem E. <wi...@cl...> - 2017-06-13 09:05:40
|
Forgot to include the mailing list...

-------- Forwarded Message --------
Subject: Re: [Unity-idm-discuss] Nullpointer when SP tries to access IDP
Date: Mon, 12 Jun 2017 13:34:48 +0200
From: Willem Elbers <wi...@cl...>
Reply-To: wi...@cl...
Organization: CLARIN ERIC
To: Krzysztof Benedyczak <kb...@un...>

Hi Krzysztof,

apologies for the delay, I became a father again which took most of my focus :)

After increasing the translation profile logging I can see the following for my identity:

Working login:

Entity 261:
- [email] wi...@cl...
- [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
- [targetedPersistent] 838bb7e5-dda6-4952-996e-6c25807e348a
- [transient] a5f7ef17-19b5-4d1f-9ed7-b48573ed3991
In group: /clarin
Groups: [/clarin/developer, /clarin-admin, /clarin/normal, /clarin/academic, /clarin, /]
Requester: https://sp.catalog.clarin.eu

Failed login with problematic SP:

Entity 261:
- [email] wi...@cl...
- [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
In group: /clarin
Groups: [/clarin/developer, /clarin-admin, /clarin/normal, /clarin/academic, /clarin, /]
Requester: https://clarino.uib.no/

As you can see from the log, for the problematic SP the [targetedPersistent] and [transient] identities are missing, hence the error.

The SAML configuration is as follows:

unity.saml.issuerURI=https://idm.clarin.eu
unity.saml.credential=IDP
unity.saml.defaultGroup=/clarin
unity.saml.spAcceptPolicy=validRequester
unity.saml.signResponses=asRequest
unity.saml.validityPeriod=3600
unity.saml.requestValidityPeriod=600
unity.saml.authenticationTimeout=20
unity.saml.acceptedSPMetadataSource.1.url=https://infra.clarin.eu/aai/md_about_spf_sps.xml
unity.saml.acceptedSPMetadataSource.2.url=file:///opt/dev-sp.clarin.eu.xml
unity.saml.refreshInterval=3600
unity.saml.translationProfile=SAML-Attributes
unity.saml.skipConsent=true

Please let me know if you need more info.

Best,
Willem

On 23/05/2017 10:14, Krzysztof Benedyczak wrote:
> Dear Willem,
>
> On 19.05.2017 at 13:32, Willem Elbers wrote:
>> Dear Krzysztof,
>>
>> this issue seems to be fixed in 1.9.6, but now we are observing the
>> following behavior.
>>
>> In unity log file we see the following (I've redacted all sensitive
>> information):
>>
>> ==========
>> Routing request to DEFAULT destination /saml2idp-web-consentdecider
>> Unprocessed data from local database:
>> Entity 261:
>> - [email] ...@clarin.eu
>> - [persistent] 20...-....-....-....-.....bd
>> In group: /...
>> Groups: [/.../..., /...., /..../...., /..../...., /...., /]
>> Requester: https://clarino.uib.no/
>> Protocol: SAML2:urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>> Condition OK
>> Returning SSO Authentication error response SAMLResponse with HTTP POST
>> binding to https://clarino.uib.no/feide/assertion-consumer
>> ==========
>>
>> There seems to be an SSO Authentication error response. When looking at
>> the SAML going over the wire, the following is sent from unity to the SP
>> and no attributes are released. The entity does have a persistent id
>> and works with other (shibboleth) SPs:
>>
>> ==========
>> <urn:Response IssueInstant="2017-05-19T11:27:28.332Z"
>>
>> ID="SAMLY2lib_msg_b7bba6ead014cb17b3652b00fbf2bfbb1b1720afc62aa64d"
>> Version="2.0"
>> InResponseTo="_AB05AE52C8A42786AE8FEA16DD59576D"
>> xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol"
>> >
>> <urn1:Issuer
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>> xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion"
>> >https://idm.clarin.eu</urn1:Issuer>
>> <urn:Status>
>> <urn:StatusCode
>> Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
>> <urn:StatusMessage>[Error: null pointer:
>> idsByType['targetedPersistent'][0]]
>> [Near : {... idsByType['targetedPersistent' ....}]
>> ^
>> [Line: 1, Column: 1]</urn:StatusMessage>
>> </urn:Status>
>> </urn:Response>
>> ==========
>>
>> I'm using the following log settings:
>>
>> ==========
>> log4j.logger.unity.server=TRACE
>> log4j.logger.unity.server.saml=TRACE
>> ==========
>>
>> The amount of SAML related log messages is quite minimal.
>>
>> Two questions:
>>
>> 1. Any suggestions on how to resolve the SAML issue for this SP?
>
> I guess in your profile you have idsByType['targetedPersistent'][0] and
> from what you have shown in your log there is no such identity type
> extracted from SAML request. So I guess all you need is to change
> targetedPersistent to persistent, which is what your profile gets.
>
> [Side note: you have not shown your saml config and the request so it
> is hard to say why you have persistent, instead of the standard one]
>
>>
>> 2. How can we increase the logging of SAML related messages?
>
> For this case translation profile logging set to TRACE may show more.
> However the cause in this case is rather clear.
>
> Best,
> Krzysztof
>
>

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers |
From: Krzysztof B. <kb...@un...> - 2017-06-07 07:43:59
|
On 06.06.2017 at 13:36, Shiraz Memon wrote:
> Hi,
>
> The vulnerability has been resolved. The main issue was the incorrect
> cipher suite name. Although the ssllabs server test mentions the
> TLS_RSA_WITH_3DES_EDE_CBC_SHA, alas the correct name
> is SSL_RSA_WITH_3DES_EDE_CBC_SHA and I have guessed that from
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites -
> there is no such TLS_RSA.... cipher suite supported in JDK8.

Yeah - the naming of those ciphersuites is very tricky. Good that this was solved.

Cheers
KB |
From: Shiraz M. <a....@fz...> - 2017-06-06 11:36:49
|
Hi,

The vulnerability has been resolved. The main issue was the incorrect cipher suite name. Although the ssllabs server test mentions the TLS_RSA_WITH_3DES_EDE_CBC_SHA, alas the correct name is SSL_RSA_WITH_3DES_EDE_CBC_SHA and I have guessed that from http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites - there is no such TLS_RSA.... cipher suite supported in JDK8.

Cheers,
Shiraz

On Fri, Jun 2, 2017 at 2:16 PM, Shiraz Memon <a....@fz...> wrote:

Hi Krzysztof,

Unity v1.9.6 (probably underlying jetty) cannot disable the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite despite being declared inside the unityServer.conf, see below, the conf snippet and the ssl test screenshot:

unityServer.core.httpServer.disabledCipherSuites=TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

[Inline image 1]

Our network dept. is complaining about this too. Can you guide me on how to disable the given cipher?

Thanks,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656 |
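
The naming mismatch resolved in this thread can be caught before a scanner reports it. The following is an added example, not code from the thread or from Unity: it compares each name in a disabledCipherSuites-style value against the names the running JVM itself uses and points out an SSL_/TLS_ twin where one exists. The class name `DisabledCipherSuiteCheck` and the sample value are constructed for illustration, and it assumes the server matches configured names against the JVM's own names, as the outcome of the thread suggests.

```java
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class DisabledCipherSuiteCheck {

    /** Returns one finding per configured name that this JVM does not know under that spelling. */
    static List<String> unmatched(String configured, Set<String> supported) {
        List<String> findings = new ArrayList<>();
        for (String name : configured.trim().split("\\s+")) {
            if (name.isEmpty() || supported.contains(name)) {
                continue; // exact match: disabling this name can take effect
            }
            // JSSE spells some suites with an SSL_ prefix where scanners print TLS_.
            String twin = name.startsWith("TLS_") ? "SSL_" + name.substring(4)
                        : name.startsWith("SSL_") ? "TLS_" + name.substring(4)
                        : null;
            findings.add(twin != null && supported.contains(twin)
                    ? name + " -> not a name this JVM uses; it calls the suite " + twin
                    : name + " -> unknown to this JVM (typo, split name, or unsupported suite)");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Every suite the default JSSE provider can offer, under the provider's own names.
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));

        // Constructed sample: one JSSE-style name, one scanner-style name,
        // and one name split in two by a line wrap.
        String configured = args.length > 0 ? String.join(" ", args)
                : "SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA "
                + "TLS_DHE_RSA_ WITH_AES_128_CBC_SHA256";

        List<String> findings = unmatched(configured, supported);
        if (findings.isEmpty()) {
            System.out.println("All configured names match a suite known to this JVM.");
        }
        findings.forEach(System.out::println);
    }
}
```

Run it with the same Java installation that runs the server, since the set of supported names differs between JDK releases and providers.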