
certificate self signing issue #1899

Open
mithunhegde-egov opened this issue Dec 12, 2023 · 91 comments
Labels
question Further information is requested

Comments

@mithunhegde-egov

Hi, I am unable to self-sign the ca.cert.pem certificate generated. I get this error on trying to sign from the form or manually.
Error:
Unable to load X509 request
804B4FDE057F0000:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1188:
804B4FDE057F0000:error:0688010A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:349:Type=X509_REQ

The cert is generated using the steps mentioned in the docker CS setup steps. Please let me know what can be done to resolve this, as it is causing an issue while importing the signing certificate from the Security Server.

Regards,
Mithun

@petkivim
Contributor

petkivim commented Dec 12, 2023

Hi @mithunhegde-egov! There's no need to sign the test CA's root certificate (ca.cert.pem). It's enough to add it to the Central Server as described here. No additional steps are required for the root certificate.

@mithunhegde-egov
Author

Thank you very much for the response. Does the same apply for the TSA and OCSP certificates also while configuring the Central Server? (tsa.cert.pem and ocs.cert.pem)

@petkivim
Contributor

Yes, the same applies to ocs.cert.pem and tsa.cert.pem too. It's enough to upload them to the Central Server following the configuration guide.

@mithunhegde-egov
Author

Thank you. I am unable to add the WSDL copied from the Central Server management services. It throws this error: WSDL download failed
ID: 2dca780e1b8742bd.

@petkivim
Contributor

Have you checked the /var/log/xroad/proxy_ui_api.log log file for more details?

@mithunhegde-egov
Author

mithunhegde-egov commented Dec 12, 2023

Yes, the issue is with the connection. I am not able to connect at this address: http://<ip_addr>/managementservices.wsdl. I wanted to understand if any port needs to be mapped from the container for the WSDL. My Security Server and Central Server are on the same machine for testing purposes, on different ports.

@petkivim
Contributor

The management Security Server needs to be able to access the Central Server port 80 in order to fetch the WSDL file. Currently, you're using 3.111.118.35 as the Central Server address. Please make sure that the Security Server is able to access the Central Server using the public IP address. More information about the Security Server network configuration is available here and the Central Server network configuration is available here. Port 80 is missing from the diagram between the management Security Server and the Central Server, but it's required too.

@mithunhegde-egov
Author

mithunhegde-egov commented Dec 12, 2023

Sure, thank you. In the last step of the configuration I am getting error_code.core.Server.ClientProxy.SslAuthenticationFailed
Security server has no valid authentication certificate when I try to register the TEST subsystem as a client. Can we add both a provider and a consumer to the same Security Server? Do even the authentication certificates and signing certificates (the ones downloaded as .der) not need any signing? I used the CSR html form to sign. The docker readme mentions that self-signing is required. If I am not wrong, the instructions need to be updated there.

@petkivim
Contributor

The error message means that the Security Server where you try to register the subsystem doesn't have a valid authentication certificate. More information about the cause of the error can be found here. Please search with Server.ClientProxy.SslAuthenticationFailed.

A service provider and service consumer can share the same Security Server. Both auth and sign certificates need to be signed by the test CA. The required steps for generating the CSRs and importing the certificates can be found here. Instead, the Test CA documentation is available here.

@mithunhegde-egov
Author

The authentication cert status is GOOD. I have added signed certs only. The error changed to 400 Bad Request now when trying to register. I cannot find anything about this error anywhere in the doc. Please share any link for reference.

2023-12-12T12:20:19.539Z [https-jsse-nio-4000-exec-4] correlation-id:[116fb988fad675a3] INFO ee.ria.xroad.common.AuditLogger - {"event":"Register client failed","user":"xrd","ipaddress":"106.51.69.20","reason":"Server.ServerProxy.ServiceFailed.HttpError: Server responded with error 400: Bad Request","warning":false,"auth":"Session","url":"/api/v1/clients/EGOV%3AEGOV%3A1234%3ATESTCLIENT/register","data":{"clientIdentifier":{"memberClass":"EGOV","memberCode":"1234","subsystemCode":"TESTCLIENT","fieldsForStringFormat":["EGOV","1234","TESTCLIENT"],"objectType":"SUBSYSTEM","xroadInstance":"EGOV"}}}
2023-12-12T12:20:19.540Z [https-jsse-nio-4000-exec-4] correlation-id:[116fb988fad675a3] ERROR o.n.x.r.e.ApplicationExceptionHandler - exception caught
ee.ria.xroad.common.CodedException$Fault: Server.ServerProxy.ServiceFailed.HttpError: Server responded with error 400: Bad Request

@petkivim
Contributor

petkivim commented Dec 12, 2023

There's something wrong with the management services configuration on the management Security Server, e.g., incorrect service URL. The service URL should be https://<CENTRAL_SERVER_ADDRESS>:4002/managementservice/manage/. Please check that you have completed all the steps described here.

@mithunhegde-egov
Author

mithunhegde-egov commented Dec 13, 2023

Thank you, the setup is complete. I have the Security Server docker container port 80 mapped to port 6000 of my host. I am trying to make a REST API call from the client service using https://<iss_ip_addr>:6000/ but I am not able to connect to port 6000 on the server. I see that it is listening but it throws a connection refused error:
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215)
at org.egov.enc.Main.main(Main.java:12)
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://<ip_addr>:/r1/EGOV/EGOV/1234/MDMS/MDMSService/egov-mdms-service/v1/_search": Connection refused (Connection refused); nested exception is java.net.ConnectException: Connection refused (Connection refused)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:746)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:672)
at org.springframework.web.client.RestTemplate.postForEntity(RestTemplate.java:447)
at org.egov.enc.services.KeyManagementService.getTenantIds(KeyManagementService.java:191)
at org.egov.enc.services.KeyManagementService.makeComprehensiveListOfTenantIds(KeyManagementService.java:120)
at org.egov.enc.services.KeyManagementService.generateKeyForNewTenants(KeyManagementService.java:106)
at org.egov.enc.services.KeyManagementService.init(KeyManagementService.java:67)
at org.egov.enc.services.KeyManagementService.run(KeyManagementService.java:208)
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:775)
... 5 common frames omitted
Caused by: java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:607)

Can you please share something for reference, or tell me what I am doing wrong here.

@petkivim
Contributor

Hi @mithunhegde-egov! Since you have mapped the container port 80 to port 6000, you should use http and not https. Instead, if you want to use https, you should map the container port 443 to port 6000. In that case, you should change the client subsystem connection type from HTTPS to HTTP NOAUTH. More information about the client subsystem connection type is available here.

@mithunhegde-egov
Author

mithunhegde-egov commented Dec 13, 2023

I did those changes. I am unable to curl to the port mapped to port 80 of the Security Server either. For the Central Server I am able to ping the port mapped to the docker container's port 80. I started a new docker container and am facing the same issue with that also: unable to access the port mapped to the docker port 80 for the Security Server.

@petkivim
Contributor

What's the error message when you try to submit a request to the Security Server port 80 that's mapped to the container port 443?

@mithunhegde-egov
Author

I have changed to using http and I am still using only port 80 of the container. I am getting this connection refused error:
in(Main.java:12)
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "http://<ip_add>:<port_id>/r1/EGOV/EGOV/1234/MDMS/MDMSService/egov-mdms-service/v1/_search": Connection refused (Connection refused); nested exception is java.net.ConnectException: Connection refused (Connection refused)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:746)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:672)

@petkivim
Contributor

What Security Server Docker image are you using? In the niis/xroad-security-server-sidecar image the http port is 8080 and https port 8443.

@mithunhegde-egov
Author

No, I am using this one for testing: https://hub.docker.com/r/niis/xroad-security-server

@petkivim
Contributor

Also that image uses ports 8080 and 8443 now. Unfortunately, the documentation on Docker Hub wasn't up-to-date. These are the correct mappings:

docker run -p 8080:8080 -p 8443:8443 -p 4000:4000 -p 5500:5500 -p 5577:5577 --name my-ss niis/xroad-security-server

@mithunhegde-egov
Author

I am getting this error trying to connect to the provider. I have two Security Servers running on the same machine mapped to different ports, and the Central Server is also running on the same machine.
Caused by: org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 Server Error: [{"type":"Server.ServerProxy.NetworkError","message":"Connect to <provider_system_ip>:8094 [/<provider_system_ip>] failed: Connection timed out (Connection timed out)","detail":"8741ddd9-30b2-4a01-86b7-fcc18373517d"}]
Is it because of the provider service or an issue with the Security Server setup? I looked for Server.ServerProxy.NetworkError; similar errors are in the doc but not this exact one.

@petkivim
Contributor

It looks like the provider Security Server is not able to connect to the service. You should check that the provider Security Server is able to establish connection to <provider_system_ip>:8094.

@mithunhegde-egov
Author

Hi, I am trying to find a helm chart for Security Server deployment. Can you provide a reference to a helm chart, or is there any other recommended way to deploy the Security Server?

@petkivim
Contributor

Hi @mithunhegde-egov! Unfortunately, we don't have helm charts for X-Road. Instead, you can use this Ansible playbook to deploy a single Security Server or an entire X-Road ecosystem. Alternatively, here you can find instructions for Kubernetes.

@mithunhegde-egov
Author

mithunhegde-egov commented Dec 20, 2023

Hi @petkivim, I have a doubt. How do we secure the client and provider IDs generated? So the only change a consumer needs to make is to append the header with the client ID and add the appropriate provider ID in the request URL, right? Basically anyone with the ID can connect to the consumer Security Server? Or do we have an option to implement any authentication between the information system and the Security Server?

@petkivim
Contributor

Hi @mithunhegde-egov! It's strongly recommended to use mTLS in the communication between a client information system and the Security Server. In that way, it's possible to secure the communication and be sure that only authorised clients are able to access the subsystems. More information about the required configuration is available here.

@mithunhegde-egov
Author

Hi @petkivim, I see there are readme steps for setting up an external database for the sidecar Security Server in GitHub. Is the same available for the Security Server docker image? I want to set up an external postgres DB with the docker image for the Security Server. Can you share if any steps are available for the same?

@petkivim
Contributor

Hi @mithunhegde-egov! The Security Server Sidecar Docker image (niis/xroad-security-server-sidecar) is the official Docker image for the Security Server. Instead, the niis/xroad-security-server image is for test and development purposes only and it doesn't support an external database. To setup an external database with the Security Server Sidecar, please follow these instructions.

@mithunhegde-egov
Author

mithunhegde-egov commented Dec 26, 2023

Okay, thank you. And regarding authentication between the information system and the Security Server:
"An X-Road organisation’s client information system Security Server acts as the entry point to all the X-Road services. The client information system is responsible for implementing an end user authentication and access control mechanism that complies with the requirements of the particular X-Road instance. The identity of the end user may be made available to the service provider by including it in the service request"
Does this mean we have to implement our own authentication between the information system and the SS? Or does TLS take care of the same? The concern is, what happens if someone gets access to the registered client ID and server ID? Any information system can access the provider information system if these two are compromised, correct?

@petkivim
Contributor

An X-Road organisation’s client information system Security Server acts as the entry point to all the X-Road services. The client information system is responsible for implementing an end user authentication and access control mechanism that complies with the requirements of the particular X-Road instance. The identity of the end user may be made available to the service provider by including it in the service request

The above refers to a data exchange use case that includes an enduser / a citizen that plays an active role in the data exchange. Here's more information about the topic:

End-user authentication

X-Road is a data exchange layer between information systems. Among other things, X-Road provides organization level and machine level authentication that is based on Public Key Infrastructure (PKI). The identity of each organization and Security Server is verified using certificates that are issued by a trusted Certification Authority (CA) when an organization joins an X-Road ecosystem.

In case X-Road is used as a data exchange layer in a process that involves end-users and require their authentication, service consumer and service provider are responsible for the authentication of the end-user. Usually, the service consumer must authenticate the user before sending a request via X-Road and then it’s up to the service provider to decide whether it requires some evidence regarding the authentication to be sent as a part of the service request, e.g. authentication token, session context etc. From X-Road’s point of view end-user authentication is completely transparent and in case some data regarding the authentication is sent within the messages X-Road does not verify or validate it in any way.

TLS authentication between the Security Server and the information system takes care of authentication on the system level. More information is available here. Instead, you need to implement enduser authentication by yourself if/when needed.

@raits added the question label Dec 27, 2023
@mithunhegde-egov
Author

mithunhegde-egov commented Jan 9, 2024

Hi @petkivim, there is an issue with internal DB creation. I am hitting this error while trying to create the pod (Security Server sidecar k8s):

APPLICATION FAILED TO START

Description:

Failed to configure a DataSource: 'url' attribute is not specified and no embedded datasource could be configured.

Reason: Failed to determine a suitable driver class

Action:

Consider the following:
If you want an embedded database (H2, HSQL or Derby), please put it on the classpath.
If you have database settings to be loaded from a particular profile you may need to activate it (the profiles nontest are currently active).

2024-01-09 08:28:53,828 INFO exited: xroad-proxy-ui-api (exit status 1; not expected)
2024-01-09 08:28:54,830 INFO spawned: 'xroad-proxy-ui-api' with pid 1201
08:28:55.197 [main] INFO ee.ria.xroad.common.Version -- xroad-proxy-ui-api 7.4.0 (OpenJDK Runtime Environment 17 17.0.9+9-Ubuntu-120.04)
2024-01-09T08:28:55.976Z ERROR [xroad-proxy-ui-api] [main] o.n.x.r.c.PropertyFileReadingEnvironmentPostProcessor - Failed to process properties file: /etc/xroad/db.properties
java.io.FileNotFoundException: /etc/xroad/db.properties (No such file or directory)
at java.base/java.io.FileInputStream.open0(Native Method)
at java.base/java.io.FileInputStream.open(FileInputStream.java:216)
at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)

I am trying to create a StatefulSet with a PVC; that is when I am hitting this error.

@petkivim
Contributor

petkivim commented Jan 9, 2024

Unfortunately, using a PersistentVolumeClaim with the PostgreSQL directory (/var/lib/postgresql/12/main) isn't currently supported. Instead, it's recommended to use an external database.

@mithunhegde-egov
Author

Okay. How can we make pod creation stateful in that case for the single-pod sidecar k8s with an internal database? Whenever the pod gets recreated it loses its state, so we are unable to retain the state.

@petkivim
Contributor

petkivim commented Jan 9, 2024

You can use a PersistentVolumeClaim for the Security Server configuration (/etc/xroad) and message log archive (/var/lib/xroad) directories. When it comes to the database, you need to use an external one.

@mithunhegde-egov
Author

mithunhegde-egov commented Jan 11, 2024

Hi @petkivim, we are using a Kubernetes secret to provide credentials for PostgreSQL authentication. I modified the yaml file in the docs to add this. I am getting this authentication issue because of the same:
4-01-11T09:07:52.594Z WARN [xroad-proxy-ui-api] [https-jsse-nio-4000-exec-6] o.h.e.jdbc.spi.SqlExceptionHelper - SQL Error: 0, SQLState: 08004
2024-01-11T09:07:52.594Z ERROR [xroad-proxy-ui-api] [https-jsse-nio-4000-exec-6] o.h.e.jdbc.spi.SqlExceptionHelper - The server requested password-based authentication, but no password was provided by plugin null
2024-01-11T09:07:52.594Z ERROR [xroad-proxy-ui-api] [https-jsse-nio-4000-exec-6] o.n.x.s.r.s.NotificationService - getting soft token pin status failed
2024-01-11T09:07:52.594Z ERROR [xroad-proxy-ui-api] [https-jsse-nio-4000-exec-6] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)

Using a Kubernetes secret for the single-pod Kubernetes sidecar deployment is supported, right?

@petkivim
Contributor

You can find more information on using Kubernetes secrets with the Sidecar here.

@mithunhegde-egov
Author

Okay, the DB credentials are provided with a ConfigMap and a Secret like this. The ConfigMap can be used and this should be working fine, correct?

apiVersion: v1
data:
  db-host:
  db-name: unifieddevdb
  db-url:
kind: ConfigMap
metadata:
  name: xroad-config
  namespace: xroad


apiVersion: v1
data:
  password:
  username:
kind: Secret
metadata:
  name: db
  namespace: xroad
type: Opaque

@petkivim
Contributor

petkivim commented Jan 11, 2024

Please refer to the configuration samples in the Sidecar documentation. Also other alternative approaches may work, but NIIS doesn't provide support for them.

@mithunhegde-egov
Author

mithunhegde-egov commented Jan 15, 2024

Hi @petkivim, for the Security Server sidecar k8s, what configuration for the remote DB needs to be done if we are using remote PostgreSQL? The configuration file /etc/xroad/db.properties has these default values:

serverconf.hibernate.connection.username = unifieddevdb_serverconf
serverconf.hibernate.connection.url = jdbc:postgresql://<rds_url>:5432/unifieddevdb_serverconf
op-monitor.hibernate.connection.username = unifieddevdb_op-monitor
op-monitor.hibernate.connection.url = jdbc:postgresql://<rds_url>:5432/unifieddevdb_op-monitor
messagelog.hibernate.connection.username = unifieddevdb_messagelog
messagelog.hibernate.connection.url = jdbc:postgresql://<rds_url>:5432/unifieddevdb_messagelog

The data in the yaml file are the DB name, host and URL; the password and DB username are in the secret, as below.
apiVersion: v1
data:
  db-host:
  db-name: unifieddevdb
  db-url: jdbc:postgresql://<rds_url>:5432/unifieddevdb
kind: ConfigMap
metadata:
  name: xroad-config
  namespace: xroad

I tried changing the db.properties file with proper authentication credentials, but I get an error that says "serverconf relation does not exist". Does the relation need to be created explicitly using these instructions https://github.com/nordic-institute/X-Road/blob/develop/doc/Manuals/ig-ss_x-road_v6_security_server_installation_guide.md#annex-d-create-database-structure-manually ??
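A URL missing the colon before the port, or a component with no password, only surfaces later as an opaque connection or migration error. As an added example (not part of this thread or of X-Road's own tooling), here is a checker that parses a db.properties-style file and verifies that each of the three components named above has a username, a password and a well-formed JDBC PostgreSQL URL; the sample file content is constructed, and the hostname db.example.internal is a placeholder.

```python
import re
from typing import Dict, List

# The three database components a Security Server configures in /etc/xroad/db.properties
# (names as they appear in the thread's excerpt).
COMPONENTS = ("serverconf", "op-monitor", "messagelog")
REQUIRED_KEYS = ("username", "password", "url")

# Expected shape: jdbc:postgresql://<host>:<port>/<database>
# Host is a hostname or IPv4 literal; port is 1-5 digits and range-checked below.
JDBC_URL = re.compile(
    r"^jdbc:postgresql://(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})/(?P<db>[A-Za-z0-9_-]+)$"
)


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style key=value lines; blank lines and '#'/'!' comment lines are
    ignored and whitespace around '=' is trimmed ('key= v' and 'key = v' are equal)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_db_properties(text: str) -> List[str]:
    """Return human-readable problems; an empty list means every component has a
    username, a password and a well-formed JDBC PostgreSQL URL."""
    props = parse_properties(text)
    problems: List[str] = []
    for comp in COMPONENTS:
        prefix = f"{comp}.hibernate.connection."
        for key in REQUIRED_KEYS:
            if not props.get(prefix + key):
                problems.append(f"{comp}: missing {prefix}{key}")
        url = props.get(prefix + "url", "")
        if not url:
            continue
        m = JDBC_URL.match(url)
        if m is None:
            problems.append(
                f"{comp}: malformed JDBC URL {url!r} (expected jdbc:postgresql://host:port/database)"
            )
        elif not 1 <= int(m.group("port")) <= 65535:
            problems.append(f"{comp}: port out of range in {url!r}")
    return problems


# Constructed sample modelled on the thread's excerpt: the op-monitor URL lacks the
# colon before the port and the messagelog component has no password.
SAMPLE = """\
serverconf.hibernate.connection.username = unifieddevdb_serverconf
serverconf.hibernate.connection.password = example-serverconf-pw
serverconf.hibernate.connection.url = jdbc:postgresql://db.example.internal:5432/unifieddevdb_serverconf
op-monitor.hibernate.connection.username = unifieddevdb_op-monitor
op-monitor.hibernate.connection.password = example-opmon-pw
op-monitor.hibernate.connection.url = jdbc:postgresql://db.example.internal5432/unifieddevdb_op-monitor
messagelog.hibernate.connection.username = unifieddevdb_messagelog
messagelog.hibernate.connection.url = jdbc:postgresql://db.example.internal:5432/unifieddevdb_messagelog
"""

# The same file with both defects corrected.
FIXED = (
    SAMPLE.replace("db.example.internal5432", "db.example.internal:5432")
    + "messagelog.hibernate.connection.password = example-msglog-pw\n"
)

if __name__ == "__main__":
    for name, content in (("sample", SAMPLE), ("fixed", FIXED)):
        found = check_db_properties(content)
        print(f"{name}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```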

@petkivim
Contributor

Hi @mithunhegde-egov! When starting the container, you need to provide the external database server hostname, server port, and superuser credentials (for creating the necessary users and tables) as parameters. The supported parameters are XROAD_DB_PORT, XROAD_DB_HOST and XROAD_DB_PWD. The serverconf, op-monitor and messagelog databases are created automatically when the container is started if the provided parameter values are correct and connection to the remote database is established successfully.

@mithunhegde-egov
Author

mithunhegde-egov commented Jan 16, 2024

Hi @petkivim, I am trying to connect to RDS. For AWS RDS a superuser will not exist. The current user provided in the deployment has all roles true except superuser. What can we do in this case? The other option is to install a PostgreSQL DB in an EC2 instance, but I wanted to understand what credentials can be passed with an RDS instance for the remote DB sidecar deployment.

@petkivim
Contributor

Hi @mithunhegde-egov! You can use the user that's provided in the deployment. Just make sure that the username is postgres and it should work fine.

@mithunhegde-egov
Author

mithunhegde-egov commented Jan 16, 2024

Okay. I created a user with the name postgres and granted all permissions that can be granted in RDS. I get this error with that.
The db.properties file has the correct details and xroad.properties also. For both I have added the username postgres with its password.
Configuring groups
Database and user exists, skipping database creation.
Liquibase Home: /usr/share/xroad/db
Starting Liquibase at 11:05:27 (version 4.19.0 #6648 built at 2023-01-17 15:02+0000)
Unexpected error running Liquibase: ERROR: permission denied for schema serverconf
Position: 14 [Failed SQL: (0) CREATE TABLE serverconf.databasechangeloglock (ID INTEGER NOT NULL, LOCKED BOOLEAN NOT NULL, LOCKGRANTED TIMESTAMP WITHOUT TIME ZONE, LOCKEDBY VARCHAR(255), CONSTRAINT databasechangeloglock_pkey PRIMARY KEY (ID))]
For more information, please use the --logLevel flag
Running database migrations failed, please check database availability and configuration in /etc/xroad/db.properties and /etc/xroad/xroad.properties
Database and user exists, skipping database creation.
Liquibase Home: /usr/share/xroad/db
Starting Liquibase at 11:05:32 (version 4.19.0 #6648 built at 2023-01-17 15:02+0000)
Unexpected error running Liquibase: ERROR: permission denied for schema messagelog
Position: 14 [Failed SQL: (0) CREATE TABLE messagelog.databasechangeloglock (ID INTEGER NOT NULL, LOCKED BOOLEAN NOT NULL, LOCKGRANTED TIMESTAMP WITHOUT TIME ZONE, LOCKEDBY VARCHAR(255), CONSTRAINT databasechangeloglock_pkey PRIMARY KEY (ID))]
For more information, please use the --logLevel flag
Running database migrations failed, please check database availability and configuration in /etc/xroad/db.properties and /etc/xroad/xroad.properties
psql: error: could not connect to server: No such file or directory
Is the server running locally and accepting

@petkivim
Contributor

I just tested with RDS and the default user (username postgres) worked without problems without adjusting the permissions. I just created the RDS instance and spun up a new Sidecar container. I didn't need to make any configuration changes to RDS. I did the test with Docker Desktop:

docker run --detach \
  --name ss \
  -p 4000:4000 \
  -p 5588:5588 \
  -p 8080:8080 \
  -p 8443:8443 \
  -p 5500:5500 \
  -p 5577:5577 \
  -e XROAD_TOKEN_PIN=<TOKEN_PIN> \
  -e XROAD_ADMIN_USER=<ADMIN_USER> \
  -e XROAD_ADMIN_PASSWORD=<ADMIN_PASSWORD> \
  -e XROAD_LOG_LEVEL=INFO \
  -e XROAD_DB_HOST=xxxx.xxxxxx.eu-north-1.rds.amazonaws.com \
  -e XROAD_DB_PORT=5432 \
  -e XROAD_DB_PWD=<DB_PASSWORD> \
  niis/xroad-security-server-sidecar:7.4.0

@mithunhegde-egov
Author

We are trying the sidecar Kubernetes installation for the Security Server. The hstore extension was missing in the PostgreSQL database and there was the same error in the log. Adding the extension manually resolved the DB migration issues during the creation of the Kubernetes StatefulSet with an external DB.

@mithunhegde-egov
Author

Hi @petkivim, when trying to create an ingress rule with a hostname (xroad-dev.digit.org), by default I have created a service and the ingress forwards to port 4000. I created another rule for port 5500 also. But I want to understand: when a Security Server tries to contact the management Security Server, will it append port 5500 to the management Security Server address that is provided?

@petkivim
Contributor

petkivim commented Jan 18, 2024

Hi @mithunhegde-egov! When a Security Server communicates with another Security Server, it establishes connection to the target Security Server ports 5500 and 5577. This applies to the connections from your Security Server to the management Security Server too. The Security Server in the client role appends the port number automatically to the target Security Server address.

@mithunhegde-egov
Author

mithunhegde-egov commented Jan 19, 2024

Hi @petkivim, I am getting this SSL error when trying to register. I could not find this exact error when checking the error docs. It seems the issue occurs when the Security Server is trying to contact the management Security Server in the AWS cluster. It is expecting the org's TLS certificate for authentication, right? Can it be disabled for testing?

2024-01-19T05:32:52.777Z WARN [xroad-proxy] [qtp239824711-42] e.r.x.p.c.FastestConnectionSelectingSSLSocketFactory - Failed to connect to https://external_ip_of_the_pod:5500/
java.net.SocketTimeoutException: Connect timed out
at java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:551)
at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:602)
at java.base/java.net.Socket.connect(Socket.java:633)
Wrapped by: ee.ria.xroad.common.CodedException: SslAuthenticationFailed.InternalError: Connect timed out
at ee.ria.xroad.proxy.clientproxy.AuthTrustVerifier.getAndCacheOcspResponses(AuthTrustVerifier.java:168)
at ee.ria.xroad.proxy.clientproxy.AuthTrustVerifier.getOcspResponses(AuthTrustVerifier.java:151)
at ee.ria.xroad.proxy.clientproxy.AuthTrustVerifier.verifyAuthCert(AuthTrustVerifier.java:105)
2024-01-19T05:32:52.777Z ERROR [xroad-proxy] [qtp239824711-42] e.r.x.p.c.FastestConnectionSelectingSSLSocketFactory - Could not connect to any target host ([https://external_ip_of_the_pod:5500/])
2024-01-19T05:32:52.777Z ERROR [xroad-proxy] [qtp239824711-42] e.r.x.p.c.AbstractClientProxyHandler - Request processing error (379aa02d-4e06-4a22-a41b-2ee5d86643e0)
java.net.SocketTimeoutException: Connect timed out
at java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:551)
at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:602)
at java.base/java.net.Socket.connect(Socket.java:633)
Wrapped by: ee.ria.xroad.common.CodedException: Server.ClientProxy.SslAuthenticationFailed.InternalError: Connect timed out
at ee.ria.xroad.proxy.clientproxy.AuthTrustVerifier.getAndCacheOcspResponses(AuthTrustVerifier.java:168)
at ee.ria.xroad.proxy.clientproxy.AuthTrustVerifier.getOcspResponses(AuthTrustVerifier.java:151)
at ee.ria.xroad.proxy.clientproxy.AuthTrustVerifier.verifyAuthCert(AuthTrustVerifier.java:105)
2024-01-19T05:32:52.778Z ERROR [xroad-proxy] [qtp239824711-42-soap] e.r.x.p.c.ClientMessageProcessor - onError()

@petkivim
Contributor

petkivim commented Jan 19, 2024

Hi @mithunhegde-egov! It's a firewall or network configuration issue. The client Security Server is not able to establish connection to the management Security Server port 5577. Please check your firewall and network configuration.

@mithunhegde-egov
Author

Hi @petkivim, I am getting the below error when trying to pull the latest image 7.4.1:

2024-02-06T09:03:02.840Z ERROR [xroad-proxy-ui-api] [main] o.s.b.d.LoggingFailureAnalysisReporter -

APPLICATION FAILED TO START

Description:

Failed to configure a DataSource: 'url' attribute is not specified and no embedded datasource could be configured.

Reason: Failed to determine a suitable driver class

Action:

Consider the following:
If you want an embedded database (H2, HSQL or Derby), please put it on the classpath.
If you have database settings to be loaded from a particular profile you may need to activate it (the profiles nontest are currently active).

2024-02-06 09:03:02,866 INFO exited: xroad-proxy-ui-api (exit status 1; not expected)
2024-02-06 09:03:03,868 INFO spawned: 'xroad-proxy-ui-api' with pid 2080
09:03:04.238 [main] INFO ee.ria.xroad.common.Version -- xroad-proxy-ui-api 7.4.1 (OpenJDK Runtime Environment 17 17.0.9+9-Ubuntu-120.04)

It seems the UI has exit status 1. I am running the sidecar Security Server container 7.4.1.

@petkivim
Contributor

petkivim commented Feb 6, 2024

Hi @mithunhegde-egov! Have you followed the instructions defined here?

@mithunhegde-egov
Author

Hi @petkivim, when we add the management Security Server address in the consumer, it appends :5500 to it, right? Is there a way we can remove that and make it communicate with the address we provide directly?

@petkivim
Contributor

petkivim commented Feb 7, 2024

Hi @mithunhegde-egov! Yes, the consumer Security Server appends ports 5500 and 5577 to the management Security Server automatically. Those port numbers are configurable, but it means that you have to change them for all the Security Servers. It's not possible to change the ports for the management Security Server only.

@mithunhegde-egov
Author

Yes, even if it is for all of them, where can it be done? We will handle the requests internally once the request is in the cluster where the Security Server is.

@petkivim
Contributor

petkivim commented Feb 7, 2024

You should look at the following properties and override their default values using the /etc/xroad/conf.d/local.ini configuration file. More information about the properties is available here. However, I do not recommend changing the default values.

[proxy]
server-listen-port=5500
server-port=5500
ocsp-responder-port=5577

@mithunhegde-egov
Author

Hi @petkivim, I am getting these errors when trying to upload the configuration anchor and initialize the Security Server in one of the clusters. There was no issue in another cluster with the same deployment.

2024-02-12T11:16:40.313Z ERROR [xroad-proxy] [qtp177389135-54-acceptor-0@4889534-ClientProxyConnector@4d95a72e{SSL, (ssl, http/1.1)}{0.0.0.0:5500}] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
2024-02-12T11:16:40.314Z ERROR [xroad-proxy] [qtp177389135-55-acceptor-1@3931d315-ClientProxyConnector@4d95a72e{SSL, (ssl, http/1.1)}{0.0.0.0:5500}] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)

@petkivim
Contributor

Hi @mithunhegde-egov! That error message just means that the Security Server hasn't been initialized yet. However, it doesn't say why uploading the configuration anchor failed. The most common reason is that the Security Server is not able to establish connection to the Central Server ports 80 and 443.

@mithunhegde-egov
Author

When uploading the configuration I get a success message, but I am unable to fetch the member class. The option to enter the code is also disabled in the UI, as can be seen in the screenshot.
[Screenshot from 2024-02-12 16-49-49]

@petkivim
Contributor

In that case, it's a different issue. You should check the logs for details.

@mithunhegde-egov
Author

Yes, the migrations are failing; that is my understanding from the logs. The DB migrations are failing. The serverconf and messagelog DBs are present with all privileges applied, and I have checked the credentials in the /etc/xroad.properties file and the /etc/xroad/db.properties file.
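The errors quoted throughout this thread map onto a handful of root causes that petkivim identifies: Security Server not yet initialised, ports 5500/5577 blocked between Security Servers, management service URL wrong, database password or privileges missing, db.properties absent. As an added example that is neither part of this thread nor of the X-Road project, here is a small triage script that classifies such log lines and attaches the fix discussed above; the sample lines are constructed from the ones quoted in the thread, with the documentation address 203.0.113.10 standing in for the redacted pod IP.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Each rule: (pattern, cause key, what petkivim's answers in this thread point at).
# Port numbers are the X-Road defaults discussed above: 5500/5577 between Security
# Servers, 80/443 from a Security Server to the Central Server, 4002 for the
# management service. Order matters: more specific patterns come first.
RULES = [
    (re.compile(r"Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier"),
     "not_initialised",
     "no global configuration yet: upload the configuration anchor (Central Server ports 80/443 must be reachable)"),
    (re.compile(r"Failed to connect to https?://(?P<host>[^:/]+):(?P<port>\d+)/"),
     "peer_unreachable",
     "cannot reach the peer Security Server; check firewall/network for ports 5500 and 5577"),
    (re.compile(r"SslAuthenticationFailed\.InternalError: Connect timed out"),
     "peer_unreachable",
     "auth-cert/OCSP check against the peer Security Server timed out; a network issue, not a certificate issue"),
    (re.compile(r"SslAuthenticationFailed"),
     "auth_cert",
     "this Security Server has no valid authentication certificate signed by the CA"),
    (re.compile(r"Server\.ServerProxy\.NetworkError.*Connect to (?P<host>[^:\s]+):(?P<port>\d+)"),
     "service_unreachable",
     "provider Security Server cannot reach the backend service endpoint"),
    (re.compile(r"Server\.ServerProxy\.ServiceFailed\.HttpError: Server responded with error 400"),
     "mgmt_service_url",
     "management services misconfigured; service URL should be https://<CENTRAL_SERVER_ADDRESS>:4002/managementservice/manage/"),
    (re.compile(r"password-based authentication, but no password was provided"),
     "db_password_missing",
     "database password absent from /etc/xroad/db.properties or the Kubernetes secret"),
    (re.compile(r"permission denied for schema (?P<schema>\w+)"),
     "db_privileges",
     "Liquibase cannot create tables; database user lacks privileges (the thread also needed the hstore extension)"),
    (re.compile(r"Failed to configure a DataSource|/etc/xroad/db\.properties \(No such file or directory\)"),
     "db_config_missing",
     "/etc/xroad/db.properties missing: container started without XROAD_DB_HOST/XROAD_DB_PORT/XROAD_DB_PWD or without its config volume"),
]


@dataclass
class Finding:
    line_no: int
    cause: str
    hint: str
    details: Dict[str, str]


def triage(lines: List[str]) -> List[Finding]:
    """Match each log line against RULES; the first matching rule wins."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        for pattern, cause, hint in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(no, cause, hint, m.groupdict()))
                break
    return findings


def summarize(lines: List[str]) -> List[str]:
    """Distinct causes in first-seen order, so repeated stack-trace lines collapse."""
    causes: List[str] = []
    for f in triage(lines):
        if f.cause not in causes:
            causes.append(f.cause)
    return causes


# Constructed sample: abbreviated versions of lines quoted in this thread.
SAMPLE_LOG = """\
2024-02-12T11:16:40.313Z ERROR [xroad-proxy] [qtp-1] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
java.nio.file.NoSuchFileException: /etc/xroad/globalconf/instance-identifier
ee.ria.xroad.common.CodedException$Fault: Server.ServerProxy.ServiceFailed.HttpError: Server responded with error 400: Bad Request
2024-01-19T05:32:52.777Z WARN [xroad-proxy] [qtp-42] e.r.x.p.c.FastestConnectionSelectingSSLSocketFactory - Failed to connect to https://203.0.113.10:5500/
Wrapped by: ee.ria.xroad.common.CodedException: Server.ClientProxy.SslAuthenticationFailed.InternalError: Connect timed out
2024-01-11T09:07:52.594Z ERROR [xroad-proxy-ui-api] [exec-6] o.h.e.jdbc.spi.SqlExceptionHelper - The server requested password-based authentication, but no password was provided by plugin null
Unexpected error running Liquibase: ERROR: permission denied for schema serverconf
Failed to configure a DataSource: 'url' attribute is not specified and no embedded datasource could be configured.
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.cause} {f.details or ''} -> {f.hint}")
```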
