OneIdentity / IdentityManager.Imx

HTML5 source code for Identity Manager web apps

OIM V9 New installation - Login failed with angular build #61

Closed stevealexandre closed 1 year ago

stevealexandre commented 1 year ago

Hello

We have a new project to implement OneIdentity V9.0 with some web development needed and encountered some issues setting up the dev environment with the new Angular portal.

Describe the bug

From a new OIM V9.0 installation, we have some errors on the qer-app-portal build from Angular, while there is no issue with the default ApiServer portal installation on the IIS server. As you can see in the screenshots section, the first one shows a successful authentication on IIS, and on the second one, from the Angular build, we can find many errors in the console logs; it ends up at the dashboard but with errors.

Also, I do not find where the VS extension file is located. I've tried to search in the installation package and the OIM installed directory; there is no vcode-extension.vsix file as described in the web documentation.

Errors

To Reproduce

Steps to reproduce the behavior:

  1. New installation of OIM V9.0 (Database with agent, IIS SSL AppServer+ApiServer and one manager identity created)
  2. Clone the repo IdentityManager.Imx
  3. Switch to branch v90
  4. Navigate to the directory imxweb
  5. Run npm install
  6. Run npm run build of qbm and qer
  7. Run ImxClient local api (I also tried to put directly the IIS Api server endpoint but get HTTP 400 errors and have blank page after logon)
  8. npm run start qer-app-portal app
  9. Navigate to localhost:4200 and try to logon as the manager with employee role base authentication type

Screenshots

[three screenshots attached]

Thanks for your help.

hannoquest commented 1 year ago

Hello @stevealexandre ,

The locally hosted API Server must be configured for trusted database access. To do this, follow these steps:

  • Obtain the trusted source key associated with the web application (http://localhost:8182). If you don't know this value, you can enter a new key in Designer.
  • Configure the key in the imxclient.exe.config file as shown below, where <KEY> is your key value.

...
  <configSections>
    <!-- enter this new section -->
    <section name="connectionSettings" type="System.Configuration.NameValueSectionHandler" />
  </configSections>
...
  <connectionSettings>
    <add name="TrustedSourceKey" connectionString="<KEY>" />
  </connectionSettings>

hannoquest commented 1 year ago

Hello @stevealexandre,

> Also, I do not find where the VS extension file is located. I've tried to search in the installation package and the OIM installed directory; there is no vcode-extension.vsix file as described in the web documentation.

The Visual Studio Code documentation was removed from the product starting the version 9.0.

stevealexandre commented 1 year ago

> Hello @stevealexandre,
>
> The locally hosted API Server must be configured for trusted database access. To do this, follow these steps:
>
>   • Obtain the trusted source key associated with the web application (http://localhost:8182). If you don't know this value, you can enter a new key in Designer.
>   • Configure the key in the imxclient.exe.config file as shown below, where <KEY> is your key value.
>
> ...
>   <configSections>
>     <!-- enter this new section -->
>     <section name="connectionSettings" type="System.Configuration.NameValueSectionHandler" />
>   </configSections>
> ...
>   <connectionSettings>
>     <add name="TrustedSourceKey" connectionString="<KEY>" />
>   </connectionSettings>

Hello @hannoquest,

Thanks for taking the time to reply quickly and with the details. Maybe it would be great to include these details in the HTML5 documentation. Also, do you confirm it should be possible to connect directly to the IIS ApiServer instead of running the local API with imxclient?

After setting the configuration, I still get the same issue:

> Hello @stevealexandre,
>
> > Also, I do not find where the VS extension file is located. I've tried to search in the installation package and the OIM installed directory; there is no vcode-extension.vsix file as described in the web documentation.
>
> The Visual Studio Code documentation was removed from the product starting the version 9.0.

Ok thanks for the info. It was great to have a plugin which could help manage imxclient etc...

stevealexandre commented 1 year ago

Hello @hannoquest ,

A little update on my case. FYI, I'm able to connect to the API configuration app http://localhost:8182/html/qbm-app-landingpage/#/dashboard with my admin but still have the same issue with the web portal.

Thanks.

stevealexandre commented 1 year ago

I tried tonight to install and test on 9.1 and got the same error, but I get some more details about the SQL queries that are affected:

Error: SQL injection detected in WHERE clause: (isnull(XDateUpdated, '1899-12-30 00:00:00.000') > '1899-12-30 00:00:00.000') and (UID_Tree in (select UID_Tree from DialogProcessChain where GenProcID in (select GenProcID from dbo.QBM_FTDialogProcessSelect(null, N'JOHND', null, 0))))
Error: An error occurred while processing the request: GET http://localhost:8182/portal/pendingitemsSystem.Exception: An error occurred while processing the request: GET http://localhost:8182/portal/pendingitems ---> VI.Base.ViException: Potentially dangerous behavior was detected. The request will be ignored. ---> VI.Base.ViException: SQL injection detected in WHERE clause: (isnull(XDateUpdated, '1899-12-30 00:00:00.000') > '1899-12-30 00:00:00.000') and (UID_Tree in (select UID_Tree from DialogProcessChain where GenProcID in (select GenProcID from dbo.QBM_FTDialogProcessSelect(null, N'JOHND', null, 0))))
Error: SQL injection detected in WHERE clause: (orderstate = N'Assigned') and (UID_PersonInserted = '87b607ab-3df8-4ab7-b977-c1d98be3bd0a') and (isnull(ValidUntil, '1899-12-30 00:00:00.000') < '2023-01-06 23:59:46.001') and (isnull(ValidUntil, '1899-12-30 00:00:00.000') > '1899-12-30 00:00:00.000')
Error: An error occurred while processing the request: GET http://localhost:8182/portal/person/configSystem.Exception: An error occurred while processing the request: GET http://localhost:8182/portal/person/config ---> VI.Base.ViException: Potentially dangerous behavior was detected. The request will be ignored. ---> VI.Base.ViException: SQL injection detected in WHERE clause: (orderstate = N'Assigned') and (UID_PersonInserted = '87b607ab-3df8-4ab7-b977-c1d98be3bd0a') and (isnull(ValidUntil, '1899-12-30 00:00:00.000') < '2023-01-06 23:59:46.001') and (isnull(ValidUntil, '1899-12-30 00:00:00.000') > '1899-12-30 00:00:00.000')

I found a temporary workaround by setting the SQLCheck RiskEvaluation to Low for the moment, until there is a better solution.

Also, on imxclient v9.1, it doesn't like the configuration block "connectionSettings" in the imxclient configuration file:

System.TypeInitializationException: Une exception a été levée par l'initialiseur de type pour 'VI.ImxClient.PlugIns'. ---> System.Configuration.ConfigurationErrorsException: Échec de l'initialisation du système de configuration ---> System.
Configuration.ConfigurationErrorsException: Section de configuration non reconnue connectionSettings. (C:\Tools\One Identity Manager9.1\ImxClient.exe.Config line 17)
   à System.Configuration.ConfigurationSchemaErrors.ThrowIfErrors(Boolean ignoreLocal)
   à System.Configuration.BaseConfigurationRecord.ThrowIfParseErrors(ConfigurationSchemaErrors schemaErrors)
   à System.Configuration.ClientConfigurationSystem.EnsureInit(String configKey)
   --- Fin de la trace de la pile d'exception interne ---
   à System.Configuration.ConfigurationManager.PrepareConfigSystem()
   à System.Configuration.ConfigurationManager.GetSection(String sectionName)
   à System.Configuration.PrivilegedConfigurationManager.GetSection(String sectionName)
   à System.Diagnostics.DiagnosticsConfiguration.GetConfigSection()
   à System.Diagnostics.DiagnosticsConfiguration.Initialize()
   à System.Diagnostics.DiagnosticsConfiguration.get_Sources()
   à System.Diagnostics.TraceSource.Initialize()
   à System.ComponentModel.Composition.Diagnostics.TraceSourceTraceWriter.get_CanWriteInformation()
   à System.ComponentModel.Composition.Diagnostics.CompositionTrace.DefinitionContainsNoExports(Type type)
   à System.ComponentModel.Composition.AttributedModel.AttributedPartCreationInfo.IsPartDiscoverable()
   à System.ComponentModel.Composition.AttributedModel.AttributedModelDiscovery.CreatePartDefinitionIfDiscoverable(Type type, ICompositionElement origin)
   à System.ComponentModel.Composition.Hosting.TypeCatalog.get_PartsInternal()
   à System.ComponentModel.Composition.Hosting.TypeCatalog.GetEnumerator()
   à System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   à System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   à VI.Base.SafeDirectoryCatalog..ctor(String directory, String pattern, SearchOption searchOption)
   à VI.ImxClient.PlugIns..cctor()
   --- Fin de la trace de la pile d'exception interne ---
   à VI.ImxClient.PlugIns.AddDependency[T](T dependency)
   à VI.ImxClient.Program.Main(String[] args)

hannoquest commented 1 year ago

Hi @stevealexandre, you need to include this line in every configuration file that uses a <connectionSettings> section. The last screenshot shows the file is missing this line.

    <section name="connectionSettings" type="System.Configuration.NameValueSectionHandler" />

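
As an added example (not code from IdentityManager.Imx or the product), a small Python check for the consistency hannoquest describes: it verifies that a config file's <connectionSettings> element is declared in <configSections> with the NameValueSectionHandler type and carries a non-empty TrustedSourceKey, and it can add the missing declaration. The sample config and PLACEHOLDER-KEY are constructed.

```python
import xml.etree.ElementTree as ET

HANDLER = "System.Configuration.NameValueSectionHandler"

# Constructed sample: <connectionSettings> is present but not declared in
# <configSections>, the situation behind the "Section de configuration non
# reconnue connectionSettings" error in the thread. PLACEHOLDER-KEY stands
# in for the real trusted source key.
BROKEN_CONFIG = """<configuration>
  <configSections>
  </configSections>
  <connectionSettings>
    <add name="TrustedSourceKey" connectionString="PLACEHOLDER-KEY" />
  </connectionSettings>
</configuration>
"""


def check_connection_settings(config_xml: str) -> list:
    """Return the problems found; an empty list means the section is usable."""
    root = ET.fromstring(config_xml)
    problems = []
    declared = {s.get("name"): s.get("type")
                for s in root.iterfind("./configSections/section")}
    settings = root.find("connectionSettings")
    if settings is None:
        return ["no <connectionSettings> element"]
    if "connectionSettings" not in declared:
        problems.append("<connectionSettings> is not declared in <configSections>")
    elif declared["connectionSettings"] != HANDLER:
        problems.append("connectionSettings declared with the wrong handler type")
    values = {a.get("name"): a.get("connectionString", "")
              for a in settings.iterfind("add")}
    if not values.get("TrustedSourceKey"):
        problems.append("TrustedSourceKey is missing or empty")
    return problems


def declare_connection_settings(config_xml: str) -> str:
    """Add the missing <section> declaration, creating <configSections> if needed."""
    root = ET.fromstring(config_xml)
    sections = root.find("configSections")
    if sections is None:
        sections = ET.Element("configSections")
        root.insert(0, sections)  # .NET requires configSections to be the first child
    if not any(s.get("name") == "connectionSettings" for s in sections):
        ET.SubElement(sections, "section", name="connectionSettings", type=HANDLER)
    return ET.tostring(root, encoding="unicode")
```

Read the real ImxClient.exe.Config with open(path).read() and pass it to check_connection_settings; an empty list means the declaration and key are in place.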
stevealexandre commented 1 year ago

Hi @hannoquest ,

My bad, it was late in the day and I missed the line in my config. Once added, the error about the "connectionSettings" block disappeared, but I still have the same issue on 9.1 about the dangerous behavior and still need to set the RiskEvaluation to Low to be able to interact with the portal. So, as I understand it, this is needed only because the trusted key is not working to set the API as secure in Medium mode.

[screenshot: ImxClient Config]

[screenshot: Webserver designer Config]

hannoquest commented 1 year ago

Hi @stevealexandre ,

I noticed something in the "Webserver designer Config" screenshot -- and I apologize for omitting an important detail: The key cannot be entered in Designer, it must be entered as described in the 8.2.1 Release Notes:

stevealexandre commented 1 year ago

Hi @hannoquest,

Thanks for your reply. First of all, it's a new installation and not an upgrade, so the trusted key should be automatically filled for the ApiServer, as indicated in the release notes: "During the initial installation, the trusted source key is configured automatically." Running the cmd is not working, but I guess that's because it's already done by the installation? [screenshot]

But how do you trust the local API server used by imxclient? And by the way, what exactly does edit-config do? Generate a new trust key, store it in the database for the web app and configure the web app config with it?

hannoquest commented 1 year ago

Hi @stevealexandre ,

edit-config works in one of two modes (you can run imxclient help edit-config for the entire text):

-T                      Configures a randomly generated trusted source key for the application specified by
                        the BaseURL setting in the web.config.
/trustedsourcekey {key} Configures the specified trusted source key for the application specified by
                        the BaseURL setting in the web.config.

The error message is from the .NET Framework and points to a problem with the cryptography configuration - it might be missing permissions; hard to say.

As a workaround, you can do what you are describing in your last sentence. The (plain text) TrustedSourceKey can be copied and used by a different client.