Open mithunhegde-egov opened 9 months ago
Hi @mithunhegde-egov! There's no need to sign the test CA's root certificate (ca.cert.pem). It's enough to add it to the Central Server as described here. No additional steps are required for the root certificate.
Thank you very much for the response. Does the same apply to the TSA and OCSP certificates as well while configuring the Central Server? (tsa.cert.pem and ocs.cert.pem)
Yes, the same applies to ocs.cert.pem and tsa.cert.pem too. It's enough to upload them to the Central Server following the configuration guide.
Thank you. I am unable to add the WSDL copied from the Central Server management services. It throws this error: WSDL download failed ID: 2dca780e1b8742bd.
Have you checked the /var/log/xroad/proxy_ui_api.log log file for more details?
Yes. The issue is with the connection. Not able to connect at this address http://
The management Security Server needs to be able to access the Central Server port 80 in order to fetch the WSDL file. Currently, you're using 3.111.118.35 as the Central Server address. Please make sure that the Security Server is able to access the Central Server using the public IP address. More information about the Security Server network configuration is available here and the Central Server network configuration is available here. The port 80 is missing from the diagram between the management Security Server and the Central Server, but it's required too.
Sure, thank you. In the last step of the configuration I am getting error_code.core.Server.ClientProxy.SslAuthenticationFailed Security server has no valid authentication certificate when I try to register the TEST subsystem as a client. Can we add both a provider and a consumer to the same Security Server? Even the authentication certificates and signing certificates (the ones downloaded as .der) do not need any signing? I used the CSR HTML form to sign. The Docker README has mentioned that self-signing is required. If I am not wrong, the instructions need to be updated there.
The error message means that the Security Server where you try to register the subsystem doesn't have a valid authentication certificate. More information about the cause of the error can be found here. Please search with Server.ClientProxy.SslAuthenticationFailed.
A service provider and service consumer can share the same Security Server. Both auth and sign certificates need to be signed by the test CA. The required steps for generating the CSRs and importing the certificates can be found here. Instead, the Test CA documentation is available here.
The authentication cert status is GOOD. I have added signed certs only. The error has changed to 400 Bad Request now when trying to register. I cannot find anything about this error in the docs. Please share any link for reference.
2023-12-12T12:20:19.539Z [https-jsse-nio-4000-exec-4] correlation-id:[116fb988fad675a3] INFO ee.ria.xroad.common.AuditLogger - {"event":"Register client failed","user":"xrd","ipaddress":"106.51.69.20","reason":"Server.ServerProxy.ServiceFailed.HttpError: Server responded with error 400: Bad Request","warning":false,"auth":"Session","url":"/api/v1/clients/EGOV%3AEGOV%3A1234%3ATESTCLIENT/register","data":{"clientIdentifier":{"memberClass":"EGOV","memberCode":"1234","subsystemCode":"TESTCLIENT","fieldsForStringFormat":["EGOV","1234","TESTCLIENT"],"objectType":"SUBSYSTEM","xroadInstance":"EGOV"}}}
2023-12-12T12:20:19.540Z [https-jsse-nio-4000-exec-4] correlation-id:[116fb988fad675a3] ERROR o.n.x.r.e.ApplicationExceptionHandler - exception caught ee.ria.xroad.common.CodedException$Fault: Server.ServerProxy.ServiceFailed.HttpError: Server responded with error 400: Bad Request
There's something wrong with the management services configuration on the management Security Server, e.g., incorrect service URL. The service URL should be https://<CENTRAL_SERVER_ADDRESS>:4002/managementservice/manage/. Please check that you have completed all the steps described here.
Thank you, the setup is complete. I have the Security Server Docker container port 80 mapped to port 6000 of my host. I am trying to make a REST API call from the client service using https://
Can you please share something for reference, or tell me what I am doing wrong here?
Hi @mithunhegde-egov! Since you have mapped the container port 80 to port 6000, you should use http and not https. Instead, if you want to use https, you should map the container port 443 to port 6000. In that case, you should change the client subsystem connection type from HTTPS to HTTP NOAUTH. More information about the client subsystem connection type is available here.
I did those changes. I am unable to curl to the port mapped to port 80 of the Security Server either. I am able to ping the Central Server on the port mapped to the Docker container's port 80. I started a new Docker container and am facing the same issue with that one too: unable to access the port mapped to the Security Server Docker container's port 80.
What's the error message when you try to submit a request to the Security Server port 80 that's mapped to the container port 443?
I have changed to using http and am using port 80 of the container only, but I am still getting this connection refused error:
in(Main.java:12)
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "http://
What Security Server Docker image are you using? In the niis/xroad-security-server-sidecar image the http port is 8080 and the https port is 8443.
No, I am using this one for testing: https://hub.docker.com/r/niis/xroad-security-server
Also that image uses ports 8080 and 8443 now. Unfortunately, the documentation on Docker Hub wasn't up-to-date. These are the correct mappings:
docker run -p 8080:8080 -p 8443:8443 -p 4000:4000 -p 5500:5500 -p 5577:5577 --name my-ss niis/xroad-security-server
I am getting this error trying to connect to the provider. I have two Security Servers running on the same machine mapped to different ports, and the Central Server is also running on the same machine.
Caused by: org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 Server Error: [{"type":"Server.ServerProxy.NetworkError","message":"Connect to
It looks like the provider Security Server is not able to connect to the service. You should check that the provider Security Server is able to establish a connection to <provider_system_ip>:8094.
Hi, I am trying to find a Helm chart for Security Server deployment. Can you provide a reference to a Helm chart, or is there any other recommended way to deploy the Security Server?
Hi @petkivim, I have a doubt. How do we secure the client and provider IDs generated? So the only change a consumer needs to make is to append the header with the client ID and add the appropriate provider ID in the request URL, right? Basically, anyone with the ID can connect to the consumer Security Server? Or do we have an option to implement any authentication between the information system and the Security Server?
Hi @mithunhegde-egov! It's strongly recommended to use mTLS in the communication between a client information system and the Security Server. In that way, it's possible to secure the communication and be sure that only authorised clients are able to access the subsystems. More information about the required configuration is available here.
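As an added example (not code from the issue or from the X-Road project), here is what the two halves of the reply above look like from the client information system's side in Python: the request shape, i.e. the X-Road-Client header carrying the consumer subsystem identifier and the /r1/<provider identifier>/<service code> path of the REST message protocol as I understand it, and a TLS client context that presents the information system's own certificate, so that a Security Server whose subsystem connection type is HTTPS rejects a caller who knows the identifiers but holds no certificate registered for that subsystem. The Security Server host, the provider identifiers, the service code and the certificate file paths are placeholders; the port 8443 is taken from the docker run mapping earlier in the thread.

```python
"""Client information system -> Security Server REST call with mutual TLS.

Added example for this thread; not code from the issue or from X-Road.
Assumed: the Security Server's https port is mapped as 8443 (see the docker
run line above), and the certificate/key paths named in __main__ exist on
the caller. Provider identifiers and service code are placeholders.
"""
import os
import ssl
from dataclasses import dataclass
from http.client import HTTPSConnection
from typing import Optional


@dataclass(frozen=True)
class XRoadId:
    """Subsystem identifier: instance / member class / member code / subsystem."""
    instance: str
    member_class: str
    member_code: str
    subsystem: str

    def __str__(self) -> str:
        return "/".join((self.instance, self.member_class,
                         self.member_code, self.subsystem))


def service_path(provider: XRoadId, service_code: str, resource: str = "") -> str:
    """REST message protocol path: /r1/<provider subsystem>/<service code>[/resource]."""
    path = f"/r1/{provider}/{service_code}"
    if resource:
        path += "/" + resource.lstrip("/")
    return path


def request_headers(client: XRoadId, extra: Optional[dict] = None) -> dict:
    """The consumer subsystem is named in X-Road-Client; whether this caller may
    use that subsystem is decided by the Security Server, not by the header."""
    headers = {"X-Road-Client": str(client), "Accept": "application/json"}
    if extra:
        headers.update(extra)
    return headers


def mtls_context(ca_file: Optional[str], cert_file: Optional[str],
                 key_file: Optional[str]) -> ssl.SSLContext:
    """TLS settings for the IS -> Security Server hop.

    The Security Server's internal TLS certificate is verified against ca_file
    (normally that certificate itself, exported from the SS admin UI), and the
    information system presents cert_file/key_file so that a subsystem whose
    connection type is HTTPS can authenticate the caller. Knowing the
    identifiers alone is then not enough to use the subsystem.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file and key_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context still refuses unauthenticated servers."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def call_service(ss_host: str, ss_port: int, client: XRoadId, provider: XRoadId,
                 service_code: str, resource: str, ctx: ssl.SSLContext) -> tuple:
    """Perform one GET through the consumer Security Server; returns (status, body)."""
    conn = HTTPSConnection(ss_host, ss_port, context=ctx, timeout=10)
    try:
        conn.request("GET", service_path(provider, service_code, resource),
                     headers=request_headers(client))
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    client = XRoadId("EGOV", "EGOV", "1234", "TESTCLIENT")      # registered in the thread
    provider = XRoadId("EGOV", "EGOV", "5678", "TESTPROVIDER")  # placeholder provider
    print("GET", service_path(provider, "getInfo", "items/1"))
    print(request_headers(client))
    paths = ("ss-internal.crt", "is-client.crt", "is-client.key")  # placeholder files
    if all(os.path.exists(p) for p in paths):
        ctx = mtls_context(*paths)
        status, body = call_service("security-server.example", 8443, client, provider,
                                    "getInfo", "items/1", ctx)
        print(status, body[:200])
    else:
        print("supply the certificate files to perform the call")
```

Without load_cert_chain the TLS handshake still succeeds against a subsystem configured as HTTPS NO AUTH or HTTP; it is the HTTPS connection type on the Security Server side that turns the missing client certificate into a rejected request.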
Hi @petkivim, I see there are README steps for setting up an external database for the Sidecar Security Server on GitHub. Is the same available for the Security Server Docker image? I want to set up an external Postgres DB with the Docker image for the Security Server. Can you share if any steps are available for the same?
Hi @mithunhegde-egov! The Security Server Sidecar Docker image (niis/xroad-security-server-sidecar) is the official Docker image for the Security Server. Instead, the niis/xroad-security-server image is for test and development purposes only and it doesn't support an external database. To set up an external database with the Security Server Sidecar, please follow these instructions.
Okay, thank you. And regarding authentication between the information system and the Security Server: "An X-Road organisation's client information system Security Server acts as the entry point to all the X-Road services. The client information system is responsible for implementing an end user authentication and access control mechanism that complies with the requirements of the particular X-Road instance. The identity of the end user may be made available to the service provider by including it in the service request." Does this mean we have to implement our own authentication between the information system and the SS? Or does TLS take care of the same? The concern is, what happens if someone gets access to the registered client ID and server ID? Any information system can access the provider information system if these two are compromised, correct?
An X-Road organisation’s client information system Security Server acts as the entry point to all the X-Road services. The client information system is responsible for implementing an end user authentication and access control mechanism that complies with the requirements of the particular X-Road instance. The identity of the end user may be made available to the service provider by including it in the service request
The above refers to a data exchange use case that includes an enduser / a citizen that plays an active role in the data exchange. Here's more information about the topic:
End-user authentication
X-Road is a data exchange layer between information systems. Among other things, X-Road provides organization level and machine level authentication that is based on Public Key Infrastructure (PKI). The identity of each organization and Security Server is verified using certificates that are issued by a trusted Certification Authority (CA) when an organization joins an X-Road ecosystem.
In case X-Road is used as a data exchange layer in a process that involves end-users and require their authentication, service consumer and service provider are responsible for the authentication of the end-user. Usually, the service consumer must authenticate the user before sending a request via X-Road and then it’s up to the service provider to decide whether it requires some evidence regarding the authentication to be sent as a part of the service request, e.g. authentication token, session context etc. From X-Road’s point of view end-user authentication is completely transparent and in case some data regarding the authentication is sent within the messages X-Road does not verify or validate it in any way.
TLS authentication between the Security Server and the information system takes care of authentication on the system level. More information is available here. Instead, you need to implement enduser authentication by yourself if/when needed.
Hi @petkivim, trying this single pod deployment in our environment is failing. Using this for testing and development:
apiVersion: v1
kind: Pod
metadata:
  name: xroad-ss
  namespace: xroad
spec:
  containers:
  - name: xroad-ss
    image: niis/xroad-security-server-sidecar:7.4.0
    imagePullPolicy: "Always"
    env:
2023-12-28T06:41:55.649Z ERROR [xroad-confclient-service] [QuartzScheduler_Worker-2] o.n.xroad.schedule.RetryingQuartzJob - Error executing job.
java.io.FileNotFoundException: /etc/xroad/configuration-anchor.xml
at ee.ria.xroad.common.conf.globalconf.ConfigurationClient.initConfigurationAnchor(ConfigurationClient.java:105)
at ee.ria.xroad.common.conf.globalconf.ConfigurationClient.execute(ConfigurationClient.java:79)
at ee.ria.xroad.common.conf.globalconf.ConfigurationClientJob.executeWithRetry(ConfigurationClientJob.java:62)
Wrapped by: org.quartz.JobExecutionException: java.io.FileNotFoundException: /etc/xroad/configuration-anchor.xml
at ee.ria.xroad.common.conf.globalconf.ConfigurationClientJob.executeWithRetry(ConfigurationClientJob.java:76)
at org.niis.xroad.schedule.RetryingQuartzJob.execute(RetryingQuartzJob.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
2023-12-28T06:41:55.650Z INFO [xroad-confclient-service] [QuartzScheduler_Worker-2] e.r.x.c.c.g.ConfigurationClientMain$ConfigurationClientJobListener - job was executed result=DiagnosticsStatus(returnCode=125, prevUpdate=2023-12-28T06:41:55.649745Z, nextUpdate=2023-12-28T06:42:55.649783Z, description=null)
2023-12-28T06:41:59.354Z ERROR [xroad-opmonitor] [DefaultQuartzScheduler_Worker-2] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2023-12-28T06:41:59.357Z ERROR [xroad-opmonitor] [DefaultQuartzScheduler_Worker-2] e.r.x.c.c.g.GlobalConfUpdater - Error updating globalconf
ee.ria.xroad.common.CodedException: MalformedGlobalConf.InternalError: Could not read instance identifier of this security server
at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.loadInstanceIdentifier(VersionedConfigurationDirectory.java:371)
at ee.ria.xroad.common.conf.globalconf.VersionedConfigurationDirectory.
What might the issue be? Is the Sidecar supposed to run where the Central Server is running? Trying in our internal org cluster.
Hi @mithunhegde-egov! Have you tried to access the Security Server UI running in port 4000? Errors about the instance identifier and configuration anchor are normal until the Security Server has been initialised. They'll go away after the initial configuration has been completed.
I am not able to access it. By port forwarding I can access the UI, but from the AWS host where the cluster is running it throws this error.
Refused to apply style from 'https://
I haven't come up with that kind of error message before. I'd say that it's related to your environment's configuration.
Okay. Thank you very much. That helps.
Hi @petkivim, we are using Postgres v10.x as a remote RDS. When I log in to the SS there is this HTTP 500 error. I cannot find much in the proxy_ui_api.log about the error except for the 500 status on the POST request. Might this have anything to do with the version or the environment?
Hi @mithunhegde-egov! The supported PostgreSQL version depends on the X-Road software version and the operating system that you're using. For example, by default X-Road 7.3.x uses the following PostgreSQL versions on different operating systems:
You can find the default PostgreSQL versions from the X-Road Technologies document:
Please note that you should change the tag according to the X-Road version that you're using.
[5] PostgreSQL version varies depending on operating system. By default, RHEL7 uses version 9, RHEL8 - 10, Ubuntu 20.04 - 12, Ubuntu 22.04 - 14. User may also use external PostgreSQL server.
The latest Security Server version is being used (7.4.0), on Ubuntu 20.04. If we are using an external remote DB, does PostgreSQL 12 need to be used in this case? Currently using a Postgres v10 remote DB. Can that be causing this error? AxiosError: Request failed with status code 500. Basically I am trying to understand if any feature other than backup and restore does not work with a PostgreSQL version 10 external DB.
Yes, the Security Server version 7.4.0 on Ubuntu 20.04 requires PostgreSQL 12.
The error message (AxiosError) doesn't say a lot, it just means that a request to the management API failed for some reason. A more detailed reason for the error should be available in the /var/log/xroad/proxy_ui_api.log file.
Yes, I did check the logs. There is no detailed description of the failure in the logs either.
The screenshot is from the /var/log/xroad/proxy_ui_api_access.log log file. Instead, you should look at the /var/log/xroad/proxy_ui_api.log log file.
This is the only file present. The proxy_ui_api.log file is missing from the directory /var/log/xroad. I checked for hidden files too, but cannot find any file other than /var/log/xroad/proxy_ui_api_access.log. Can it be present in any location other than the one mentioned above? I am able to get this from kubectl logs though:
2024-01-03T07:36:54.064Z ERROR [xroad-proxy-ui-api] [scheduling-1] com.zaxxer.hikari.pool.HikariPool - HikariPool-1 - Exception during pool initialization.
org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null
    at org.postgresql.core.v3.AuthenticationPluginManager.lambda$withEncodedPassword$0(AuthenticationPluginManager.java:110)
    at org.postgresql.core.v3.AuthenticationPluginManager.withPassword(AuthenticationPluginManager.java:81)
    at org.postgresql.core.v3.AuthenticationPluginManager.withEncodedPassword(AuthenticationPluginManager.java:107)
2024-01-03T07:36:54.065Z WARN [xroad-proxy-ui-api] [scheduling-1] o.h.e.jdbc.spi.SqlExceptionHelper - SQL Error: 0, SQLState: 08004
2024-01-03T07:36:54.065Z ERROR [xroad-proxy-ui-api] [scheduling-1] o.h.e.jdbc.spi.SqlExceptionHelper - The server requested password-based authentication, but no password was provided by plugin null
2024-01-03T07:36:54.065Z ERROR [xroad-proxy-ui-api] [scheduling-1] o.s.s.s.TaskUtils$LoggingErrorHandler - Unexpected error occurred in scheduled task
org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null
    at org.postgresql.core.v3.AuthenticationPluginManager.lambda$withEncodedPassword$0(AuthenticationPluginManager.java:110)
    at org.postgresql.core.v3.AuthenticationPluginManager.withPassword(AuthenticationPluginManager.java:81)
    at org.postgresql.core.v3.AuthenticationPluginManager.withEncodedPassword(AuthenticationPluginManager.java:107)
Wrapped by: org.hibernate.exception.JDBCConnectionException: Unable to acquire JDBC Connection [The server requested password-based authentication, but no password was provided by plugin null] [n/a]
    at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:98)
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:56)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:108)
Wrapped by: org.springframework.transaction.CannotCreateTransactionException: Could not open JPA EntityManager for transaction
    at org.springframework.orm.jpa.JpaTransactionManager.doBegin(JpaTransactionManager.java:466)
    at org.niis.xroad.securityserver.restapi.config.UsernameSettingTransactionManager.doBegin(UsernameSettingTransactionManager.java:58)
    at org.springframework.transaction.support.AbstractPlatformTransactionManager.startTransaction(AbstractPlatformTransactionManager.java:400)
When running the Security Server in Docker on Kubernetes the proxy_ui_api.log must be accessed using kubectl logs.
It seems that the problem is related to database authentication. When setting up the Security Server, have you followed these instructions:
Yes, I followed the same steps but with the external DB, which is PostgreSQL v10. I am getting the above error for this setup when I try to log in with the given username and password. Unable to make out if it is the deployment or the environment that is causing the above issue.
I'd recommend you to try with PostgreSQL 12 since it's the officially supported version. Also, you could try to further debug the issue by trying to establish a connection from inside the Security Server container to the database manually.
Yes, manually I am able to connect. I did try that. We will try with PostgreSQL 12.
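An added example (mine, not the issue's or the X-Road project's) for the database failure above. The JDBC driver reports "no password was provided" when the datasource it is opening has no password configured while the PostgreSQL server requires one, which is a different failure from a wrong password or a closed port and explains why a manual connection with the right credentials can still succeed. To the best of my knowledge the Security Server reads its datasource settings from /etc/xroad/db.properties, a Java properties file with <datasource>.hibernate.connection.url / .username / .password keys; the content below is constructed, not copied from any deployment. The script parses such a file, lists datasources whose password is missing or empty, and extracts host, port and database from each JDBC URL so they can be tried by hand with psql from inside the container, as the reply above suggests.

```python
"""Find datasources in db.properties that would trigger "no password was provided".

Added example; not code from the issue or from X-Road. Assumed layout (to the
best of my knowledge): /etc/xroad/db.properties is a Java properties file with
<datasource>.hibernate.connection.url / .username / .password keys. The
sample below is constructed, not copied from any deployment.
"""
import re

SAMPLE_DB_PROPERTIES = """\
# constructed sample: one datasource is complete, two are not
serverconf.hibernate.connection.url = jdbc:postgresql://rds.example.internal:5432/serverconf
serverconf.hibernate.connection.username = serverconf
serverconf.hibernate.connection.password = example-only-secret

messagelog.hibernate.connection.url = jdbc:postgresql://rds.example.internal:5432/messagelog
messagelog.hibernate.connection.username = messagelog
messagelog.hibernate.connection.password =

op-monitor.hibernate.connection.url = jdbc:postgresql://rds.example.internal:5432/op-monitor
op-monitor.hibernate.connection.username = opmonitor
"""

KEY_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")
JDBC_RE = re.compile(r"^jdbc:postgresql://([^:/?]+)(?::(\d+))?/([^?]+)")


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':'
    separators and backslash line continuations. Unicode escapes are not expanded."""
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#!":
            continue
        while line.endswith("\\") and i < len(lines):   # continuation onto the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        m = KEY_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def datasources(props: dict) -> list:
    """Datasource prefixes present in the file, e.g. serverconf, messagelog."""
    return sorted({k.split(".hibernate.connection.")[0]
                   for k in props if ".hibernate.connection." in k})


def missing_passwords(props: dict) -> list:
    """Datasources with a URL but an absent or empty password. Against a
    PostgreSQL server that requires password authentication these fail
    exactly like the HikariPool error quoted above."""
    return [ds for ds in datasources(props)
            if props.get(f"{ds}.hibernate.connection.url")
            and not props.get(f"{ds}.hibernate.connection.password")]


def jdbc_targets(props: dict) -> dict:
    """{datasource: (host, port, database)} for manual psql checks from the container."""
    targets = {}
    for ds in datasources(props):
        m = JDBC_RE.match(props.get(f"{ds}.hibernate.connection.url", ""))
        if m:
            targets[ds] = (m.group(1), int(m.group(2) or 5432), m.group(3))
    return targets


if __name__ == "__main__":
    props = parse_properties(SAMPLE_DB_PROPERTIES)
    for ds in missing_passwords(props):
        host, port, db = jdbc_targets(props)[ds]
        user = props.get(f"{ds}.hibernate.connection.username", "?")
        print(f"{ds}: no password set; verify by hand with: psql -h {host} -p {port} -U {user} {db}")
```

Run it against the real file from inside the container; a datasource listed by missing_passwords is the one to fix before changing the PostgreSQL version.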
Hi @petkivim, we are getting an ImagePullBackOff error. Is there rate limiting? This is happening for the Security Server Sidecar Kubernetes single pod deployment.
The Docker Hub rate limits are available here. There shouldn't be other restrictions besides them.
Okay. There is this error when I am trying to register a new subsystem in the last configuration step. Port 5500 is listening on the server. What might the issue be about? The Central Server is on an EC2 instance and the Security Server Sidecar has been deployed in our cluster.
2024-01-04T09:04:17.190Z ERROR [xroad-proxy-ui-api] [https-jsse-nio-4000-exec-5] o.n.x.r.e.ApplicationExceptionHandler - exception caught
ee.ria.xroad.common.CodedException$Fault: Server.ClientProxy.NetworkError: Could not connect to any target host ([https://xroad-dev.digit.org:5500/])
    at ee.ria.xroad.common.CodedException.fromFault(CodedException.java:141)
    at ee.ria.xroad.common.message.SoapFault.toCodedException(SoapFault.java:130)
    at org.niis.xroad.common.managementrequest.ManagementRequestSender.getResponse(ManagementRequestSender.java:272)
The error means that the Security Server where you're trying to register a subsystem is not able to establish a connection to the management Security Server port 5500. This is the management Security Server URL that the client Security Server is using: https://xroad-dev.digit.org:5500. Either the URL is incorrect or there's something wrong with the firewall configurations.
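The two connectivity problems in this thread (the management Security Server could not fetch the WSDL from Central Server port 80, and the client Security Server could not reach the management Security Server on 5500) are both plain TCP reachability failures, so an added example, not from the issue or the X-Road project, checks the paths named in the replies above before anything X-Road specific is debugged. Host names are placeholders; the port list is the one the replies mention (80 and 4002 towards the Central Server, 5500 and 5577 towards the management Security Server); the localhost self-check exists only so the script demonstrates both outcomes offline.

```python
"""TCP reachability check for the X-Road paths discussed in this thread.

Added example; not code from the issue or from X-Road. Host names are
placeholders. Ports are the ones named in the replies above: the management
Security Server must reach the Central Server on 80 (WSDL download) and 4002
(management service); a client Security Server must reach the management
Security Server on 5500 and 5577.
"""
import socket

PLACEHOLDER_PATHS = [
    # (label, host, port) -- run this from the machine that initiates the connection
    ("management SS -> Central Server :80", "central-server.example", 80),
    ("management SS -> Central Server :4002", "central-server.example", 4002),
    ("client SS -> management SS :5500", "management-ss.example", 5500),
    ("client SS -> management SS :5577", "management-ss.example", 5577),
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to host:port completes within timeout.

    A refused connection, a timeout (typical for a dropping firewall or a
    security group without the rule) and a failing DNS lookup all return
    False; for "is the path open" they need not be told apart.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_paths(paths, timeout: float = 3.0) -> dict:
    """Run tcp_reachable over (label, host, port) triples; return {label: ok}."""
    return {label: tcp_reachable(host, port, timeout) for label, host, port in paths}


def unreachable(results: dict) -> list:
    """Labels of the paths that failed, sorted for stable output."""
    return sorted(label for label, ok in results.items() if not ok)


def demo_localhost() -> tuple:
    """Offline demonstration of both outcomes: listen on an ephemeral port and
    expect success, then close the listener and expect refusal on the same port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    print("localhost demo (open, closed):", demo_localhost())
    results = check_paths(PLACEHOLDER_PATHS)
    for label, ok in results.items():
        print(("OK   " if ok else "FAIL ") + label)
    if unreachable(results):
        print("Closed paths:", ", ".join(unreachable(results)))
```

A FAIL here with the port shown as listening on the target (as in the post above) points at something between the two hosts: a security group, a network policy or a NAT rule, rather than at the X-Road configuration.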
I have a Central Server deployed with the Docker image and two Security Servers deployed on two different clusters. Those are the client and provider Security Servers. Is the management Security Server the one deployed along with the Central Server Docker image? In which step of the configuration do we add/change the management Security Server URL? I am not able to find it in the documentation.
Hi, I am unable to self-sign the ca.cert.pem certificate generated. I get this error on trying to sign from the form or manually:
Error: Unable to load X509 request
804B4FDE057F0000:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1188:
804B4FDE057F0000:error:0688010A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:349:Type=X509_REQ
The cert is generated using the steps mentioned in the Docker CS setup steps. Please let me know what can be done to resolve this, as it is causing an issue while importing the signing certificate from the Security Server.
Regards, Mithun
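An added example, not from the issue, the X-Road project or its test CA, for the OpenSSL error quoted above. Type=X509_REQ in the nested asn1 error means OpenSSL was asked to decode a certificate signing request but the bytes it got do not parse as one; the usual causes are a certificate handed to a step that expects a CSR (ca.cert.pem is a certificate, and as the first reply in this thread says it needs no signing at all), or a PEM file given to a command that expects DER, or vice versa. The script below tells the two encodings and the two object types apart before openssl is run. The DER samples are constructed minimal SEQUENCEs rather than real objects, and the certificate-versus-CSR heuristic (an X.509 v3 tbsCertificate opens with the explicit [0] version tag, a CertificationRequestInfo with an INTEGER version) is mine.

```python
"""Tell a certificate from a CSR, and PEM from DER, before calling openssl.

Added example; not code from the issue, the X-Road project or its test CA.
The DER samples are constructed minimal structures, not real X.509 objects,
and the certificate-vs-CSR heuristic is mine: a v3 tbsCertificate opens with
the explicit [0] version tag, a CertificationRequestInfo with INTEGER version.
"""
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed samples: SEQUENCE { SEQUENCE { ... } } with just enough inside.
FAKE_CSR_DER = bytes.fromhex("30053003020100")        # inner starts with INTEGER 0
FAKE_CERT_DER = bytes.fromhex("30073005a003020102")   # inner starts with [0] { INTEGER 2 }


def der_tlv(buf: bytes, pos: int = 0):
    """Decode one tag/length at buf[pos]; return (tag, value_start, value_end) or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    start, length = pos + 2, first
    if first & 0x80:                       # long form: low bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or start + n > len(buf):
            return None
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    end = start + length
    return (tag, start, end) if end <= len(buf) else None


def classify_der(der: bytes) -> str:
    """Heuristic: look at the first element inside the outer two SEQUENCEs."""
    outer = der_tlv(der)
    if not outer or outer[0] != 0x30:
        return "der-unknown"
    inner = der_tlv(der, outer[1])
    if not inner or inner[0] != 0x30:
        return "der-unknown"
    first = der_tlv(der, inner[1])
    if first and first[0] == 0xA0:
        return "der-certificate-like"      # [0] EXPLICIT version => X.509 v3 tbsCertificate
    if first and first[0] == 0x02:
        return "der-csr-like"              # INTEGER version(0) => CertificationRequestInfo
    return "der-unknown"


def parse_pem(blob: bytes) -> list:
    """All PEM blocks in blob as (label, decoded DER); an undecodable body gives b''."""
    out = []
    for m in PEM_RE.finditer(blob):
        try:
            der = base64.b64decode(m.group(2))
        except (binascii.Error, ValueError):
            der = b""
        out.append((m.group(1).decode("ascii"), der))
    return out


def pem_wrap(label: str, der: bytes) -> bytes:
    """Armor DER bytes as a PEM block with the given label."""
    b64 = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n".encode("ascii")


def diagnose(blob: bytes) -> str:
    """One of: pem-csr, pem-certificate, pem-other, der-csr-like,
    der-certificate-like, der-unknown, unknown."""
    pems = parse_pem(blob)
    if pems:
        label = pems[0][0]
        if label in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
            return "pem-csr"
        return "pem-certificate" if label == "CERTIFICATE" else "pem-other"
    if blob[:1] == b"\x30":
        return classify_der(blob)
    return "unknown"


HINTS = {
    "pem-certificate": "a certificate, not a request: nothing to sign (ca.cert.pem is imported as-is)",
    "der-certificate-like": "DER certificate, not a request: nothing to sign",
    "pem-csr": "PEM CSR: use as-is, or convert with openssl req -outform DER where DER is expected",
    "der-csr-like": "DER CSR: pass -inform DER, or convert with openssl req -inform DER -outform PEM",
}

if __name__ == "__main__":
    for name, blob in [("ca.cert.pem (constructed)", pem_wrap("CERTIFICATE", FAKE_CERT_DER)),
                       ("sign.csr.der (constructed)", FAKE_CSR_DER),
                       ("garbage", b"not a certificate at all")]:
        kind = diagnose(blob)
        print(f"{name}: {kind}; {HINTS.get(kind, 'inspect the file by hand')}")
```

Point diagnose at the exact file handed to the signing form: a pem-certificate or der-certificate-like result means the input is the wrong kind of object and no change to the openssl command will make it sign; a csr result with the wrong encoding is fixed by the -inform/-outform conversion named in the hint.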