certificate self signing issue #1899
Comments
Hi @mithunhegde-egov! There's no need to sign the test CA's root certificate (
Thank you very much for the response. Does the same apply to the TSA and OCSP certificates as well when configuring the Central Server (tsa.cert.pem and ocs.cert.pem)?
Yes, the same applies to
Thank you. I am unable to add the WSDL copied from the Central Server management services. It throws this error: WSDL download failed
Have you checked the
Yes. The issue is with the connection. I am not able to connect at this address: http://<ip_addr>/managementservices.wsdl. I wanted to understand if any port needs to be mapped from the container for the WSDL. My Security Server and Central Server are on the same machine for testing purposes, on different ports.
The management Security Server needs to be able to access the Central Server port
Sure, thank you. In the last step of the configuration I am getting error_code.core.Server.ClientProxy.SslAuthenticationFailed
The error message means that the Security Server where you try to register the subsystem doesn't have a valid authentication certificate. More information about the cause of the error can be found here. Please search with
A service provider and a service consumer can share the same Security Server. Both the auth and sign certificates need to be signed by the test CA. The required steps for generating the CSRs and importing the certificates can be found here. Instead, the Test CA documentation is available here.
The authentication cert status is GOOD. I have added signed certs only. The error has changed to 400 Bad Request now when trying to register. I cannot find anything about this error anywhere in the docs; please share any link for reference.
2023-12-12T12:20:19.539Z [https-jsse-nio-4000-exec-4] correlation-id:[116fb988fad675a3] INFO ee.ria.xroad.common.AuditLogger - {"event":"Register client failed","user":"xrd","ipaddress":"106.51.69.20","reason":"Server.ServerProxy.ServiceFailed.HttpError: Server responded with error 400: Bad Request","warning":false,"auth":"Session","url":"/api/v1/clients/EGOV%3AEGOV%3A1234%3ATESTCLIENT/register","data":{"clientIdentifier":{"memberClass":"EGOV","memberCode":"1234","subsystemCode":"TESTCLIENT","fieldsForStringFormat":["EGOV","1234","TESTCLIENT"],"objectType":"SUBSYSTEM","xroadInstance":"EGOV"}}}
There's something wrong with the management services configuration on the management Security Server, e.g., an incorrect service URL. The service URL should be
Thank you, the setup is complete. I have the Security Server Docker container port 80 mapped to port 6000 of my host. I am trying to make a REST API call from the client service using https://<iss_ip_addr>:6000/ but am not able to connect to port 6000 on the server. I see that it is listening, but it throws a connection refused error. Can you please share something for reference, or tell me what I am doing wrong here?
Hi @mithunhegde-egov! Since you have mapped the container port
I made those changes. I am unable to curl to the port mapped to port 80 on the Security Server either. The Central Server I am able to ping via the port mapped to the Docker container's port 80. I started a new Docker container and am facing the same issue with that one too: I am unable to access the port mapped to Docker's port 80 for the Security Server.
What's the error message when you try to submit a request to the Security Server port
I have changed to using HTTP and am using port 80 of the container only; I am still getting this connection refused error.
What Security Server Docker image are you using? In the
No, I am using this one for testing: https://hub.docker.com/r/niis/xroad-security-server
Also, that image uses ports
I am getting this error when trying to connect to the provider. I have two Security Servers running on the same machine mapped to different ports, and the Central Server is also running on the same machine.
It looks like the provider Security Server is not able to connect to the service. You should check that the provider Security Server is able to establish a connection to
Hi, I am trying to find a Helm chart for Security Server deployment. Can you provide a reference to a Helm chart, or is there any other recommended way to deploy the Security Server?
Hi @mithunhegde-egov! Unfortunately, we don't have Helm charts for X-Road. Instead, you can use this Ansible playbook to deploy a single Security Server or an entire X-Road ecosystem. Alternatively, here you can find instructions for Kubernetes.
Hi @petkivim, I have a doubt. How do we secure the client and provider IDs that are generated? So the only change a consumer needs to make is to append the header with the client ID and add the appropriate provider ID in the request URL, right? Basically, anyone with the ID can connect to the consumer Security Server? Or do we have an option to implement any authentication between the information system and the Security Server?
Hi @mithunhegde-egov! It's strongly recommended to use mTLS in the communication between a client information system and the Security Server. In that way, it's possible to secure the communication and be sure that only authorised clients are able to access the subsystems. More information about the required configuration is available here.
Hi @petkivim, I see there are README steps for setting up an external database for the Sidecar Security Server on GitHub. Is the same available for the Security Server Docker image? I want to set up an external PostgreSQL DB with the Docker image for the Security Server. Can you share whether any steps are available for the same?
Hi @mithunhegde-egov! The Security Server Sidecar Docker image (
Okay, thank you. And regarding authentication between the information system and the Security Server.
The above refers to a data exchange use case that includes an end user / a citizen who plays an active role in the data exchange. Here's more information about the topic:
TLS authentication between the Security Server and the information system takes care of authentication on the system level. More information is available here. Instead, you need to implement end-user authentication yourself if/when needed.
Hi @petkivim, there is an issue with the internal DB creation. I am hitting this error while trying to create the pod (Security Server Sidecar k8s):
APPLICATION FAILED TO START Description: Failed to configure a DataSource: 'url' attribute is not specified and no embedded datasource could be configured. Reason: Failed to determine a suitable driver class Action: Consider the following: 2024-01-09 08:28:53,828 INFO exited: xroad-proxy-ui-api (exit status 1; not expected)
I am trying to create a StatefulSet with a PVC; that is when I am hitting this error.
Unfortunately, using a
Okay. How can we make pod creation stateful in that case for the single-pod Sidecar k8s with an internal database? Whenever the pod gets recreated it loses its state, so we are unable to retain the state.
You can use a
Hi @petkivim, we are using a Kubernetes Secret to provide the credentials for PostgreSQL authentication. I modified the YAML file in the docs to add this. I am getting this authentication issue because of the same. Using a Kubernetes Secret for the single-pod Kubernetes Sidecar deployment is supported, right?
You can find more information on using Kubernetes secrets with the Sidecar here.
Okay, the DB credentials are provided with a ConfigMap and a Secret like this. A ConfigMap can be used and this should be working fine, correct?
apiVersion: v1
apiVersion: v1
Please refer to the configuration samples in the Sidecar documentation. Also, other alternative approaches may work, but NIIS doesn't provide support for them.
Hi @petkivim, for the Security Server Sidecar k8s, what configuration for the remote DB needs to be done if we are using a remote PostgreSQL? The configuration file /etc/xroad/db.properties has this default value: serverconf.hibernate.connection.username= unifieddevdb_serverconf. The data in the YAML file is the DB name, host, URL and password, with the DB username in a Secret as below. I tried changing the db.properties file with the proper authentication credentials, but I get an error that says "serverconf relation does not exist". Does the relation need to be created explicitly using these instructions: https://github.com/nordic-institute/X-Road/blob/develop/doc/Manuals/ig-ss_x-road_v6_security_server_installation_guide.md#annex-d-create-database-structure-manually ?
Hi @mithunhegde-egov! When starting the container, you need to provide the external database server hostname, server port, and superuser credentials (for creating the necessary users and tables) as parameters. The supported parameters are
Hi @petkivim, I am trying to connect to RDS. For AWS RDS a superuser will not exist. The current user provided in the deployment has all roles set to true except superuser. What can we do in this case? The other option is to install a PostgreSQL DB on an EC2 instance, but I wanted to understand what credentials can be passed with an RDS instance for the remote DB Sidecar deployment.
Hi @mithunhegde-egov! You can use the user that's provided in the deployment. Just make sure that the username is
Okay. I created a user with the name postgres and granted all the permissions available in RDS. I get this error with that:
I just tested with RDS and the default user (username
We are trying the Sidecar Kubernetes installation for the Security Server. The hstore extension was missing in the PostgreSQL database and there was the same error in the log. Adding the extension manually resolved the DB migration issues during the creation of the Kubernetes StatefulSet with an external DB.
Hi @petkivim, when trying to create an Ingress rule with a hostname (xroad-dev.digit.org), by default I have created a Service and the Ingress forwards to port 4000. I created another rule for port 5500 as well. But I want to understand: when a Security Server tries to contact the management Security Server, will it append port 5500 to the management Security Server address that is provided?
Hi @mithunhegde-egov! When a Security Server communicates with another Security Server, it establishes a connection to the target Security Server ports
Hi @petkivim, I am getting this SSL error when trying to register. I could not find this exact error when checking the error docs. It seems the issue occurs when the Security Server is trying to contact the management Security Server in the AWS cluster. It is expecting the org's TLS certificate for authentication, right? Can it be disabled for testing?
2024-01-19T05:32:52.777Z WARN [xroad-proxy] [qtp239824711-42] e.r.x.p.c.FastestConnectionSelectingSSLSocketFactory - Failed to connect to https://external_ip_of_the_pod:5500/
Hi @mithunhegde-egov! It's a firewall or network configuration issue. The client Security Server is not able to establish a connection to the management Security Server port
Hi @petkivim, I am getting the error below when trying to pull the latest image 7.4.1:
2024-02-06T09:03:02.840Z ERROR [xroad-proxy-ui-api] [main] o.s.b.d.LoggingFailureAnalysisReporter - APPLICATION FAILED TO START Description: Failed to configure a DataSource: 'url' attribute is not specified and no embedded datasource could be configured. Reason: Failed to determine a suitable driver class Action: Consider the following: 2024-02-06 09:03:02,866 INFO exited: xroad-proxy-ui-api (exit status 1; not expected)
It seems the UI has exit status 1. I am running the Sidecar Security Server container 7.4.1.
Hi @mithunhegde-egov! Have you followed the instructions defined here?
Hi @petkivim, when we add the management Security Server address in the consumer, it appends :5500 to it, right? Is there a way we can remove that and make it communicate with the address we provide directly?
Hi @mithunhegde-egov! Yes, the consumer Security Server appends ports
Yes, even if it is for all of them, where can it be done? We will handle the requests internally once the request is in the cluster where the Security Server is.
You should look at the following properties and override their default values using the
Hi @petkivim, I am getting these errors when trying to upload the configuration anchor and initialize the Security Server in one of the clusters. There was no issue in another cluster with the same deployment.
2024-02-12T11:16:40.313Z ERROR [xroad-proxy] [qtp177389135-54-acceptor-0@4889534-ClientProxyConnector@4d95a72e{SSL, (ssl, http/1.1)}{0.0.0.0:5500}] e.r.x.c.c.g.VersionedConfigurationDirectory - Failed to read instance identifier from /etc/xroad/globalconf/instance-identifier
Hi @mithunhegde-egov! That error message just means that the Security Server hasn't been initialized yet. However, it doesn't say why uploading the configuration anchor failed. The most common reason is that the Security Server is not able to establish a connection to the Central Server ports
In that case, it's a different issue. You should check the logs for details.
Yes, the migrations are failing; that is my understanding from the logs. The DB migrations are failing. The serverconf and messagelog DBs are present with all privileges applied, and I have checked the credentials in the /etc/xroad.properties file and the /etc/xroad/db.properties file.
Hi, I am unable to self-sign the ca.cert.pem certificate that was generated. I get this error when trying to sign from the form or manually:
Error:
Unable to load X509 request
804B4FDE057F0000:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1188:
804B4FDE057F0000:error:0688010A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:349:Type=X509_REQ
The cert is generated using the steps mentioned in the Docker CS setup steps. Please let me know what can be done to resolve this, as it is causing an issue while importing the signing certificate from the Security Server.
Regards,
Mithun
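The OpenSSL error in the report above (`Type=X509_REQ`, `wrong tag`) is what `openssl x509 -req` prints when the file handed to it is an X.509 certificate rather than a certificate signing request: the parser expects the CSR's CertificationRequestInfo structure and meets a TBSCertificate instead. A root CA certificate such as the test CA's ca.cert.pem is already self-signed and is never submitted for signing; only the Security Server's auth and sign CSRs are. The shell example below is added here and is not code from the X-Road project or its test CA scripts. It assumes `openssl` is on the PATH, builds constructed throwaway material (a self-signed root and one CSR, named after the files in the thread but not the project's artifacts), checks which kind of PEM object a file is, confirms the root is self-signed, and reproduces the reported error by passing the root certificate where a CSR belongs.

```shell
#!/bin/sh
# Added example, not X-Road project code. Requires the openssl CLI.
# All key, certificate and CSR files below are constructed test material.
set -eu

WORK=$(mktemp -d)

# Constructed material: a self-signed root (stand-in for the test CA's
# ca.cert.pem) and one CSR (stand-in for a Security Server auth/sign CSR).
gen_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key.pem" -out "$WORK/ca.cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ss-auth" \
    -keyout "$WORK/ss.key.pem" -out "$WORK/ss.csr.pem" 2>/dev/null
}

# pem_kind FILE: print "csr", "cert" or "unknown" from the PEM armor header.
# This is the first thing to check before feeding a file to a CA.
pem_kind() {
  if grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1"; then
    echo csr
  elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo cert
  else
    echo unknown
  fi
}

# is_self_signed FILE: succeed when the certificate verifies with itself as the
# only trust anchor, i.e. it is a root that is already signed and needs no CA.
is_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# sign_csr CSR OUT: issue a certificate from a CSR with the throwaway CA.
# Fails (non-zero exit) when the input is not a CSR, which reproduces the
# "Unable to load X509 request" error from the report.
sign_csr() {
  openssl x509 -req -in "$1" -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" \
    -CAcreateserial -days 1 -out "$2"
}

gen_material
echo "ca.cert.pem is a $(pem_kind "$WORK/ca.cert.pem"); ss.csr.pem is a $(pem_kind "$WORK/ss.csr.pem")"
if is_self_signed "$WORK/ca.cert.pem"; then
  echo "ca.cert.pem is self-signed: there is nothing to sign"
fi
# Signing a real CSR works...
sign_csr "$WORK/ss.csr.pem" "$WORK/ss.cert.pem" 2>/dev/null && echo "CSR signed"
# ...while passing the root certificate fails with the ASN.1 "wrong tag" error.
if ! sign_csr "$WORK/ca.cert.pem" "$WORK/wrong.pem" 2>"$WORK/err.txt"; then
  echo "signing ca.cert.pem failed as expected: $(head -n 1 "$WORK/err.txt")"
fi
```

The same two checks apply before uploading anything to the test CA form: `pem_kind` must print `csr`, and a file for which `is_self_signed` succeeds is a root that belongs in the Security Server's trust configuration, not in the signing queue.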