37 Replies. Latest reply on Nov 4, 2011 10:15 AM by mposolda

    GateIn + OpenAM 9.5.2

    macois

      Hi,

      I'm actually trying GateIn for my firm and I don't manage to integrate OpenAM and GateIn.

      I followed all the steps in the GateIn Reference Guide but I have a problem.

      The scenario of the problem is:

      1) Go to http://localhost:8080/portal

      2) Click on Administrator

      3) I'm redirected to: http://openam.vauban.com:2080/openam_s952/UI/Login?realm=gatein&goto=http://localhost:8080/portal/private/classic

      4) I filled in the form with root / gtn

      5) I'm redirected to http://localhost:8080/portal/private/classic and the page is blank, and the main fact is: the system seems to redirect me to this page infinitely.

      Does someone know a way out of this infinite loop?

      For information, I configured my OpenAM:

      • to encode the cookies,
      • to use c66encode.

      Thanks & Regards,

      François

        • 1. GateIn + OpenAM 9.5.2
          macois

          Hi,

          The guide is wrong on one point:

          => The modification of the jaas.conf file:

          The guide says to uncomment this:

            // Uncomment the following part (and comment the other part for CAS integration
            org.gatein.sso.agent.login.SSOLoginModule required
            org.exoplatform.services.security.j2ee.TomcatLoginModule required
            portalContainerName=portal
            realmName=gatein-domain

          But the syntax is wrong; we just need this (be careful with the ';'):

            // Uncomment the following part (and comment the other part for CAS integration
            org.gatein.sso.agent.login.SSOLoginModule required;
            org.exoplatform.services.security.j2ee.TomcatLoginModule required;

          • 2. GateIn + OpenAM 9.5.2
            macois

            Hi, after a few tests,

            I have no error in my logs (good point) but I still have my infinite loop on the blank page. It's a matter with the cookies, isn't it?

            Please help me, thanks

            • 3. GateIn + OpenAM 9.5.2
              stevepamer

              OpenAM doesn't like localhost. You need to use the FQDN.

              -steve

              • 4. GateIn + OpenAM 9.5.2
                macois

                Thanks for answering me Steve!

                Do you think I can then use the same domain (openam.vauban.com) for my GateIn and my OpenAM, even if the two applications are on the same machine but on two different Tomcats?

                thanks,

                regards,

                françois.

                • 5. GateIn + OpenAM 9.5.2
                  macois

                  Hi,

                  I've tried with the same FQDN for OpenAM and GateIn and with two different FQDNs, and both are KO (on the same machine).

                  Do you have another idea?

                  Thanks,

                  F.

                  • 6. GateIn + OpenAM 9.5.2
                    stevepamer

                    You should be able to use the same FQDN for both. When you installed OpenAM you set the cookie domain.

                    When you access the system do not use localhost in the URL; use the FQDN.

                    If you look at the cookies in your browser, where do you find the OpenAM cookie?

                    It should be under the cookie domain that you installed with.

                    I had this problem when I first installed and there are articles around regarding this.

                    You found the other issue with the cookie encoding.

                    -steve

                    • 7. GateIn + OpenAM 9.5.2
                      macois

                      Hi Steve,

                      OK for the FQDN, so it's not the matter anymore (since I used two different FQDNs: domain.agent.com (for GateIn) and openam.vauban.com (for OpenAM)). And I do my tests all the time with the domain domain.agent.com or openam.vauban.com.

                      In my browser the cookie is called: iPlanetDirectoryPro under the domain .vauban.com

                      In my OpenAM, I found this:

                      For the cookie: Configuration > Server and Sites > Server default configuration > Security > the cookie is also called: iPlanetDirectoryPro

                      (and the same for my server)

                      For the domain: Access Control > Domain: GateIn > Domain/Alias DNS: .vauban.com, vauban

                      Does it seem correct to you?

                      Thanks in advance,

                      François

                      • 8. GateIn + OpenAM 9.5.2
                        mposolda

                        Hello,

                        I think that you may have a problem with validation of the OpenAM ticket. You can look at the sources of the class OpenSSOAgent http://anonsvn.jboss.org/repos/gatein/components/sso/tags/1.0.1-GA/agent/src/main/java/org/gatein/sso/agent/opensso/OpenSSOAgent.java which is doing the validation. You can enable DEBUG logging for this class in server/default/conf/jboss-log4j.xml and it's possible that you will then see in server.log what is wrong.

                        You can also try to debug this class in your IDE; that may give you more information.

                        Hope this helps,

                        Marek

                        • 9. GateIn + OpenAM 9.5.2
                          stevepamer

                          Hi Francois,

                          Hmmm. That all *seems* to be ok.

                          Don't know if it matters but I have everything in one domain (in your case it would be openam.vauban.com and domain.vauban.com).

                          From my experience, the infinite redirect is either from the agent not finding the cookie because of a mismatch in domains, or it cannot interpret it (encoding issue), so it keeps going back to the OpenAM server; but the OpenAM server can see it just fine, so it sends it right back.

                          You will probably have to turn up the logging on the agent side to message level and wade through that. There is a forum on forgerock.com that might be able to help.

                          Sorry, but I don't have any more ideas at the moment.

                          Best Regards,

                          Steve

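As an added example (not code from this thread, nor from GateIn or OpenAM), a small Python script that formalises the two failure modes Steve describes: a cookie-domain check telling you whether the browser will send the iPlanetDirectoryPro cookie to the host the portal is reached on, and a counter over a visited-URL sequence that flags the Login -> portal -> Login ping-pong. The .vauban.com cookie domain and the hostnames come from the thread; the URL sequence is constructed.

```python
"""Diagnostic for the OpenAM <-> GateIn redirect loop discussed in this thread:
(1) would the browser send the iPlanetDirectoryPro cookie to the portal host,
(2) does a sequence of visited URLs show the Login -> portal -> Login bounce?"""
from urllib.parse import parse_qs, urlparse

SSO_COOKIE = "iPlanetDirectoryPro"  # cookie name reported in the thread

def cookie_domain_matches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain matching: the cookie is sent when the request host equals
    the cookie domain or is a subdomain of it. 'localhost' or an unrelated
    domain never matches a dotted cookie domain such as .vauban.com."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def explain_sso_cookie(cookie_domain: str, goto_url: str) -> str:
    """Explain whether the agent on the 'goto' host can receive the SSO cookie."""
    host = urlparse(goto_url).hostname or ""
    if cookie_domain_matches(cookie_domain, host):
        return f"OK: {SSO_COOKIE} (domain {cookie_domain}) is sent to {host}"
    return (f"LOOP RISK: {SSO_COOKIE} is scoped to {cookie_domain} but the portal "
            f"is reached as {host}, so the agent never receives it")

def count_login_bounces(visited: list[str], threshold: int = 2) -> dict[str, int]:
    """Count visits to OpenAM /UI/Login per 'goto' target. Being sent to Login
    for the same goto 'threshold' times or more is the infinite loop: the agent
    keeps bouncing an already-authenticated user back to OpenAM."""
    per_goto: dict[str, int] = {}
    for url in visited:
        parsed = urlparse(url)
        if not parsed.path.endswith("/UI/Login"):
            continue
        goto = parse_qs(parsed.query).get("goto", [""])[0]
        per_goto[goto] = per_goto.get(goto, 0) + 1
    return {g: n for g, n in per_goto.items() if n >= threshold}

# Constructed sequence of URLs mirroring steps 3-5 of the original post.
LOGIN = ("http://openam.vauban.com:2080/openam_s952/UI/Login"
         "?realm=gatein&goto=http://localhost:8080/portal/private/classic")
PORTAL = "http://localhost:8080/portal/private/classic"
SAMPLE_VISITS = [PORTAL, LOGIN, PORTAL, LOGIN, PORTAL, LOGIN]

if __name__ == "__main__":
    print(explain_sso_cookie(".vauban.com", PORTAL))
    print(explain_sso_cookie(".vauban.com", "http://domain.agent.com:8080/portal"))
    print(count_login_bounces(SAMPLE_VISITS))
```

The same check applied to the hostnames in reply 7 (cookie under .vauban.com, GateIn reached as domain.agent.com) reports a loop risk, which is what Steve's "where do you find the OpenAM cookie?" question is getting at.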
                          • 10. GateIn + OpenAM 9.5.2
                            macois

                            Thanks for the two answers, it's cool to have some help when you have a tricky problem... like this one.

                            For the logging part in DEBUG, I modified the file GateInHOME\conf\logging.properties and I set all the logs to DEBUG.

                            I still have no log when I reproduce the problem.

                            So, is it the right file?

                            Or does it confirm the cookie problem?

                            Thanks in advance,

                            F.

                            • 11. GateIn + OpenAM 9.5.2
                              stevepamer
                              • 12. Re: GateIn + OpenAM 9.5.2
                                macois

                                Hi!

                                OK, it's very good news for me, it's possible.

                                I just have to manage it on my local PC.

                                So I will follow your documentation and test it!

                                Did you use two different PCs? Two domains? Which version of the SSO GateIn packaging did you use?

                                Did you configure OpenAM in order to encode the cookies? Or to use the c66encode?

                                Did you add some other configuration?

                                Did you have a problem with the modification of the jaas.conf file?

                                On my PC, I just kept the first two lines with a semicolon at the end of each line.

                                Thanks for your help,

                                François.

                                • 13. GateIn + OpenAM 9.5.2
                                  stevepamer

                                  Hi,

                                  I am using two Linux machines, one for OpenAM running in Tomcat 6, and the other with GateIn installed in JBoss 5.

                                  One domain.

                                  My GateIn package was 1.0.1-GA found here:

                                       https://repository.jboss.org/nexus/content/groups/public/org/gatein/sso/sso-packaging/1.0.1-GA/

                                  I used the default c66encode. OpenAM 9.5.2 by default is now c66Encode=true.

                                  No other special configuration that I am using that would affect this.

                                       I have a separate OpenDS for my OpenAM, and use an additional read-only LDAP in GateIn against that directory (which doesn't work correctly, yet)
                                       but am able to authenticate against users created in GateIn (root, mary, etc.)

                                  I am running GateIn in JBoss, not Tomcat, so I did not have to configure jaas.conf.

                                  The instructions seem to assume that you are running on the same host, so step 5 didn't mention that you need to edit gatein.properties and put in the host and port for your GateIn host.

                                  Good Luck,

                                  Steve

                                  • 14. GateIn + OpenAM 9.5.2
                                    prabhat.jha

                                    Hi Steve,

                                    We appreciate your active contributions to the GateIn community on OpenAM integration. Thanks a lot.

                                    Is it possible for you to create a wiki/how-to doc on this topic, assuming that a user has just downloaded GateIn? We have created a few similar docs such as http://community.jboss.org/wiki/Createanewportalusingextension

                                    Thanks,

                                    Prabhat
