SSO and HTTPS Certificate issues?
I initially setup sso with self signed certificates and http per the documentation. Now I'm following the doc to enable https on sso with SSL Termination. After updating the config file and recreating the certificates with our DigiCert signed certificate I run the sso setup and it hangs on set 3/5. See Below:
-----------------------------------------------------------
[SETUP STAGE] (3/5): Starting and initializing "apigee-sso"
-----------------------------------------------------------
Restarting apigee-sso service
apigee-service: apigee-sso: pid=28056
apigee-service: apigee-sso: OK
apigee-service: apigee-sso: Not running (DEAD)
apigee-service: apigee-sso: OK
apigee-configutil: apigee-sso: # OK
apigee-service: apigee-sso: Not running (NO_LOCKFILE)
apigee-service: apigee-sso: status=2, continuing
apigee-service: apigee-sso: OK
apigee-service: apigee-sso: apigee-sso is running
I can't seem to find a decent log of what may be hanging this up. Does anyone know where I can look? or anyone run into this issue before?
Seeing this in the apigee-sso error logs
Caused by: org.springframework.beans.PropertyBatchUpdateException: Failed properties: Property 'signingKey' threw exception; nested exception is java.lang.IllegalArgumentException: Base64-encoded string must have at least four characters, but length specified was 1
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'signerProvider' defined in ServletContext resource [/WEB-INF/spring/oauth-endpoints.xml]: Error setting property values; nested exception is org.springframework.beans.PropertyBatchUpdateException; nested PropertyAccessExceptions (1) are:
PropertyAccessException 1: org.springframework.beans.MethodInvocationException: Property 'signingKey' threw exception; nested exception is java.lang.IllegalArgumentException: Base64-encoded string must have at least four characters, but length specified was 1
Did this get resolved, I cant get past this either and its been 2 weeks.
Support took too long.... I ended up changing from SSL Termination to SSL Proxy via our F5. But even that still presented some challenges....But what instruction they eventually gave me may be what is needed for SSL Termination too...
None of the following is in the documentation BTW... The certificate presented from your IDP, in our case Okta, has to be added in as a trusted CA within java, and the certificate being used to terminate at the F5 has to be added also....
Using keytool and the crt files for both you can use the following as a template to add both.
keytool -importcert -alias okta -keystore /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/cacerts -file /tmp/okta.cert
Once I imported both, everything started working correctly.
This is exactly what I was after, I knew there was something missing in the docs! I've really been at this far too long, I was giving up hope.
I'll test and let everyone know if this the missing link for me as well.
Thank you for the prompt responce!
Its been 2 weeks, facing the same issue, but setup sso with self signed certificates and HTTP as per the documentation.
I doubt the issue in 2 places.
1. The connection to internet is not there, so the CA certificate verification is not happening.
2. The SSO metadata file shared by the SSO team is not working working properly for trusted CA.
