Adding secondary configuration instance

Adding secondary configuration instance

Franck Richard

Hi,

Working with OpenAM 11.0, I try to add a secondary configuration instance to test SFO. But when I try to save the new instance I get this message:

"The service iPlanetAMSessionService does not have organization schema"

Is there someone who could explain to me the meaning of this message?

Thanks in advance

Franck


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Re: Adding secondary configuration instance

Cyril Grosjean-2
Frank,

The easiest way to configure SFO is to do it when you install your
second, third, ..., nth server,
either with the configurator or from the wizard.
Re: Adding secondary configuration instance

Franck Richard
Hi Cyril,

I am not able to configure high availability when adding a server, I get the same error:

"The service iPlanetAMSessionService does not have organization schema"

But is SFO absolutely necessary for load balancing? Is a user able to connect through a round-robin balancer? In my case, after submitting user name and password, I return to the login screen...

Thanks

Franck

Re: Adding secondary configuration instance

Sarris Overbosch
When you use sticky load balancing you don't need SFO, as the user will every time end up at the same OpenAM instance (except when the instance is down, which means the user has to reauthenticate at another OpenAM instance). So whether you want to use SFO depends on the requirements you have! But if you insist on using a round-robin load balancer then you need SFO, as you never know at which OpenAM instance the request will end up.

Re: Adding secondary configuration instance

Bernhard Thalmayr
Am 18/01/16 um 17:55 schrieb Sarris Overbosch:
> When you use sticky load balancing you don't need SFO, as the user will
> every time end up at the same openam instance (except when the instance
> is down which means the user has to reauthenticate at another openam
> instance) So wether you want to use SFO depends on the requirements you
> have! But if you insist on using a round robin load balancer then you
> need SFO as you never know at which openam instance the request will end up.

This is not correct. You don't need sticky load balancing at all, as
OpenAM uses crosstalk to validate the SSO session on the 'authoritative
OpenAM instance'.

Sticky load balancing may only reduce crosstalk in specific cases.

You only need SFO if you do not want users to re-authenticate when the
'authoritative OpenAM instance' for a given SSO session goes down.

However, IMHO every business application protected by OpenAM would then
also need 'HA' (session failover)....

-Bernhard


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
Re: Adding secondary configuration instance

Franck Richard
Hi,

Thanks for the explanation. In my case I have two OpenAM instances behind a round-robin load balancer. When I start one OpenAM, the connection to the console is fine. When I start the second one and try to connect to the console, after validating user name and password I come back immediately to the login screen...

Bernhard, you were talking about crosstalk; is there a simple way to check this communication between the OpenAM instances?

Thanks

Franck

Re: Adding secondary configuration instance

Swanson, Ryan
Hi Franck,

We had seen an issue similar to this a while back when implementing OpenAM as well. I'm trying to remember the fix, but as a workaround, does going to http://yourdomain.com/openam/home/Task/ allow you to log in and get into the OpenAM console?

Ryan

________________________________

NOTICE: This e-mail and any attachments is intended only for use by the addressee(s) named herein and may contain legally privileged, proprietary or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this email, and any attachments thereto, is strictly prohibited. If you receive this email in error please immediately notify me via reply email or at (800) 927-9800 and permanently delete the original copy and any copy of any e-mail, and any printout.
Re: Adding secondary configuration instance

Bernhard Thalmayr
Hi Franck, leave out the LB first.

If you use domain cookies do ...

1) authenticate to OpenAM instance 1 as amadmin (to get to the OpenAM console)

2) in the browser navigation bar replace the FQDN (and port) of instance 1....
you must not be prompted for authentication


OpenAM uses the instance URLs for crosstalk (if you have scheme
'https' there, you need to configure a proper trust on OpenAM's JVM).

-Bernhard


Re: Adding secondary configuration instance

Franck Richard
Hi Bernhard,

Actually when I open a session on the first server, when typing the URL of the second OpenAM server I don't need to authenticate. I think it means crosstalk communication is available.

- Ryan - I guess that's what you were meaning in your message.

There is a chance that the login issue is caused by the balancer.

Actually access to the balancer is made with the 'https' scheme but the reverse proxy uses the 'http' scheme. As the OpenAM instances are able to communicate with each other over http, I am not sure a trust between OpenAM's JVMs is needed, but maybe I am wrong.

Thanks

Franck

Re: Adding secondary configuration instance

Bernhard Thalmayr
On 20/01/16 at 09:36, Franck Richard wrote:
> Hi Bernhard,
>
> Actually, when I open a session on the first server and then type the URL of the second OpenAM server, I don't need to authenticate. I think it means crosstalk communication is available.

most likely

>
> - Ryan - I guess that's what you were meaning in your message.
>
> There is a chance that the login issue comes from the balancer.

Could be.
>
> Actually, access to the balancer is made with the 'https' scheme but the reverse proxy uses the 'http' scheme.


So you are actually doing SSL offloading at the LB.

It seems your env looks like


client --> HTTPS --> LB (which product?) --> HTTP --> HTTP Reverse-Proxy
(which product?) --> HTTP --> OpenAM

correct?

Does HTTP Host header 'rewriting' happen at the LB or the RP?

The next step to try is

Client --> HTTP RP --> OpenAM

and check the access log of the OpenAM deployment container for cross talk.


> As OpenAM instances are able to communicate with each other over http, I am
> not sure a trust between the OpenAM JVMs is needed, but maybe I am wrong.

It's not needed, see my reply.

-Bernhard

>
> Thanks
>
> Franck
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
> Sent: Tuesday, 19 January 2016 18:56
> To: [hidden email]
> Subject: Re: [OpenAM] Adding secondary configuration instance
>
> Hi Franck, leave out the lb first.
>
> If you use domain cookies do ...
>
> 1) authenticate to OpenAM instance 1 as amadmin (to get to OpenAM console)
>
> 2) in the browser navigation bar replace the FQDN (and port) of instance 1....
> you must not be prompted for authentication
>
>
> OpenAM uses the instance URLs for cross talk (if you have the 'https' scheme there, you need to configure proper trust in OpenAM's JVM).
>
> -Bernhard
>
>
> On 19/01/16 at 17:46, Franck Richard wrote:
>> Hi ,
>>
>> Thanks for the explanation. In my case I have two OpenAM instances behind a round-robin load balancer. When I start one OpenAM, the connection to the console is fine. When I start the second one and try to connect to the console, after validating user and password I come back immediately to the login screen...
>>
>> Bernhard you were talking about crosstalk, is there a simple way to check this communication between the OpenAM instances?
>>
>> Thanks
>>
>> Franck
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
>> Sent: Tuesday, 19 January 2016 09:41
>> To: [hidden email]
>> Subject: Re: [OpenAM] Adding secondary configuration instance
>>
>> On 18/01/16 at 17:55, Sarris Overbosch wrote:
>>> When you use sticky load balancing you don't need SFO, as the user
>>> will every time end up at the same openam instance (except when the
>>> instance is down which means the user has to reauthenticate at
>>> another openam
>>> instance) So whether you want to use SFO depends on the requirements
>>> you have! But if you insist on using a round robin load balancer then
>>> you need SFO as you never know at which openam instance the request will end up.
>>
>> This is not correct. You don't need sticky load balancing at all as OpenAM uses crosstalk to validate the SSO session on the 'authoritative OpenAM instance'.
>>
>> Sticky load balancing may only reduce crosstalk in specific cases.
>>
>> You only need SFO if you do not want users to re-authenticate when the 'authoritative OpenAM instance' for a given SSO session goes down.
>>
>> However IMHO then every business application protected by OpenAM also would need 'HA' (session failover)....
>>
>> -Bernhard
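To make the "check the access log of the OpenAM deployment container for cross talk" step concrete, here is an added example that is not part of this thread and not OpenAM's own code: a Python filter over Tomcat common-log-format access-log lines that counts cross-talk requests per peer instance and flags any cross-talk endpoint reached from an address that is not a known peer (those endpoints should only ever be hit by the other OpenAM instances). The sample log lines and peer addresses are constructed, and the /openam/sessionservice and /openam/notificationservice paths are assumptions; confirm the endpoint paths against your deployment's web.xml before relying on them.

```python
"""Added example (not from the mailing-list thread): spot OpenAM cross-talk
in a Tomcat-style access log.

Assumptions (not taken from the thread):
  * the access log is in Common Log Format, as Tomcat's AccessLogValve
    writes with pattern "common";
  * cross-talk between OpenAM instances hits /openam/sessionservice and
    /openam/notificationservice; confirm against your web.xml;
  * the peer instance IPs are known (constructed values below).
"""
import re
from collections import Counter

# Constructed sample log lines; not captured from a real deployment.
SAMPLE_LOG = """\
10.0.0.11 - - [20/Jan/2016:10:02:13 +0100] "POST /openam/sessionservice HTTP/1.1" 200 512
10.0.0.11 - - [20/Jan/2016:10:02:14 +0100] "POST /openam/sessionservice HTTP/1.1" 200 498
10.0.0.50 - - [20/Jan/2016:10:02:15 +0100] "POST /openam/UI/Login HTTP/1.1" 302 -
10.0.0.50 - - [20/Jan/2016:10:02:15 +0100] "GET /openam/console HTTP/1.1" 200 8123
10.0.0.12 - - [20/Jan/2016:10:02:16 +0100] "POST /openam/notificationservice HTTP/1.1" 200 87
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed cross-talk endpoints (PLL session/notification services).
CROSSTALK_PATHS = ("/openam/sessionservice", "/openam/notificationservice")


def parse_clf(text):
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def crosstalk_summary(text, peer_ips):
    """Count cross-talk requests per known peer, and list every cross-talk
    endpoint hit from an address that is not a peer (worth investigating:
    nothing but the other OpenAM instances should reach these paths)."""
    peers = set(peer_ips)
    per_peer = Counter()
    foreign = []
    for e in parse_clf(text):
        if e["path"].startswith(CROSSTALK_PATHS):
            if e["ip"] in peers:
                per_peer[e["ip"]] += 1
            else:
                foreign.append((e["ip"], e["path"]))
    return {"per_peer": dict(per_peer), "foreign": foreign}


if __name__ == "__main__":
    print(crosstalk_summary(SAMPLE_LOG, ["10.0.0.11", "10.0.0.12"]))
```

If `per_peer` stays empty after a login through the second instance, the instances are not validating sessions against each other and the cross-talk path (instance URLs, firewalling between the nodes) is the thing to fix; a non-empty `foreign` list means the session service is reachable from outside the cluster.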

Re: Adding secondary configuration instance

Franck Richard
Hi Bernhard,

My environment:

client --> HTTPS --> LB Nginx  --> HTTP (or HTTPS or AJP, same issue) --> OpenAM.

After activating the second OpenAM server, when I try to connect to the Nginx front I have the same behavior as described previously: I return to the login screen after trying to log in. After a Ctrl+F5 (Firefox), I am able to connect.

After disconnection, same issue.

Starting a private session in Firefox, I am able to connect at the first attempt. After disconnection, same issue.

I think there is something related to a cookie or session somewhere.

Thanks

Franck



Re: Adding secondary configuration instance

Bernhard Thalmayr
On 20/01/16 at 11:21, Franck Richard wrote:

> Hi Bernhard,
>
> My environment:
>
> client --> HTTPS --> LB Nginx  --> HTTP (or HTTPS or AJP, same issue) --> OpenAM.
>
> After activating the second OpenAM server, when I try to connect to the Nginx front I have the same behavior as described previously: I return to the login screen after trying to log in. After a Ctrl+F5 (Firefox), I am able to connect.
>
> After disconnection, same issue.
>
> Starting a private session in Firefox, I am able to connect at the first attempt. After disconnection, same issue.
>
> I think there is something related to a cookie or session somewhere.

Indeed it seems Nginx is messing around with the cookies (but this is
not done by default; at least not when I used it lately).

You may check the HTTP trace with the 'liveHttpHeaders' plugin for Firefox.

-Bernhard


Re: Adding secondary configuration instance

Franck Richard
Hi Bernhard ,

Looking at the connections with liveHttpHeaders, everything seems OK. I can see that when accessing the login page a cookie named AMAuthCookie is set in the header with a value.
A series of Set-Cookie headers are also set because there are several domains.

When a session is opened I can also see that the session cookie is in the header until logout.

If not, it loops to the login screen with AMAuthCookie filled with the same value.


Franck
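The symptom described above (several Set-Cookie headers for several domains, then a loop back to the login page with AMAuthCookie unchanged) has one common cause: a cookie whose Domain attribute the browser will not match against the host the user typed, so the session cookie is never sent back through the load balancer and OpenAM presents the login page again. As an added example, not from this thread and not OpenAM's own code, here is a Python check that applies the RFC 6265 domain-match rule and the Secure-flag rule to a list of Set-Cookie headers as a browser header trace would show them. The host names, cookie values and the trace itself are constructed; the OpenAM default session cookie name iPlanetDirectoryPro and the amlbcookie load-balancer cookie are assumed to be the ones in use in your deployment.

```python
"""Added example (not from the thread): will the browser return the cookies
OpenAM sets through the front end?

Applies RFC 6265 domain matching and the Secure rule to captured Set-Cookie
headers. Assumptions (not from the thread): session cookie named
iPlanetDirectoryPro (OpenAM default); all host names, values and the trace
are constructed.
"""
from urllib.parse import urlsplit

# Constructed trace of Set-Cookie headers returned after a login POST to the
# front end https://sso.example.com/ (not a real capture). The third entry
# models a cookie scoped to an internal instance host name leaking out.
SAMPLE_SET_COOKIES = [
    "AMAuthCookie=AQIC5wM2...; Domain=.example.com; Path=/; Secure; HttpOnly",
    "iPlanetDirectoryPro=AQIC5wM2LY4S...; Domain=.example.com; Path=/; HttpOnly",
    "iPlanetDirectoryPro=AQIC5wM2LY4S...; Domain=openam1.internal; Path=/; HttpOnly",
    "amlbcookie=01; Domain=.example.com; Path=/",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr: value}).
    Flag attributes such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v
    return name, value, attrs


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3: a leading dot is ignored; the request host must
    equal the cookie domain or end with "." + domain."""
    d = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)


def cookies_returned_to(front_url, set_cookie_headers,
                        session_cookie="iPlanetDirectoryPro"):
    """Classify each Set-Cookie by whether the browser would send it back to
    front_url. Returns (accepted, rejected, session_ok) where each list entry
    is (name, effective_domain, reasons) and session_ok says whether at least
    one copy of the session cookie survives."""
    u = urlsplit(front_url)
    host = u.hostname
    https = u.scheme == "https"
    accepted, rejected = [], []
    for h in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(h)
        domain = attrs.get("domain", host)  # no Domain attr: host-only cookie
        reasons = []
        if not domain_matches(host, domain):
            reasons.append(f"Domain={domain} does not match {host}")
        if "secure" in attrs and not https:
            reasons.append("Secure cookie would not be sent over plain http")
        (rejected if reasons else accepted).append((name, domain, reasons))
    session_ok = any(n == session_cookie for n, _, _ in accepted)
    return accepted, rejected, session_ok


if __name__ == "__main__":
    acc, rej, ok = cookies_returned_to("https://sso.example.com/openam/",
                                       SAMPLE_SET_COOKIES)
    print("accepted:", [n for n, _, _ in acc])
    print("rejected:", rej)
    print("session cookie usable:", ok)
```

Run it once with the URL users type into the load balancer and once with the plain-http reverse-proxy URL from the "leave out the LB first" test: a Secure-flagged cookie that passes through HTTPS at the LB but is dropped on the HTTP path, or a session cookie scoped to an internal instance host name, shows up in `rejected` with the reason, which is exactly what a header trace alone makes hard to see.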


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
Sent: mercredi 20 janvier 2016 11:25
To: [hidden email]
Subject: Re: [OpenAM] Adding secondary configuration instance

Am 20/01/16 um 11:21 schrieb Franck Richard:

> Hi Bernhard,
>
> My environment:
>
> client --> HTTPS --> LB Nginx  --> HTTP (or HTTPS or AJP, same issue) --> OpenAM.
>
> Activating the second OpenAM server, I try to connect to the Nginx front, I have the same behavior as described previously I return to login screen after trying to log in. Making a Ctrl+f5 (Firefox), I am able to connect.
>
> After disconnection, same issue.
>
> Starting a private session in Firefox I am able to connect at first attempt. After disconnection, same issue.
>
> I think there is something related with cookie or session somewhere.

Indeed it seems Nginx is messing around with the cookies (but this is not done by default; at least not when I used it lately).

You may check http trace with 'liveHttpHeaders' plugin for Firefox.

-Bernhard

>
> Thanks
>
> Franck
>
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
> Sent: mercredi 20 janvier 2016 11:00
> To: [hidden email]
> Subject: Re: [OpenAM] Adding secondary configuration instance
>
> Am 20/01/16 um 09:36 schrieb Franck Richard:
>> Hi Bernhard,
>>
>> Actually when I open a session on the first server, when typing URL of the second OpenAM server I don't need to authenticate. I think it means crosstalk communication is available.
>
> most likely
>
>>
>> - Ryan- I guess that's you were meaning in your message.
>>
>> There is a chance that login issue is provided by the balancer.
>
> Could be,
>>
>> Actually access to the balancer is made with 'https' scheme but the reverse proxy use 'http' scheme.
>
>
> so your are actually doing SSL offloading at the LB.
>
> It seems your env looks like
>
>
> client --> HTTPS --> LB (which product?) --> HTTP --> HTTP
> Reverse-Proxy (which product?) --> HTTP --> OpenAM
>
> correct?
>
> does HTTP Host header 'rewriting' happen at LB or RP?
>
> the next step to try is
>
> Client --> HTTP RP --> OpenAM
>
> and check access log of OpenAM deployment container for cross talk
>
>
>  As OpenAM instances are able to communicate each other in http, I am not sure a trust between OpenAM's JVM is needed, but maybe I am wrong.
>
> It's not needed , see my reply.
>
> -Bernhard
>>
>> Thanks
>>
>> Franck
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
>> Sent: mardi 19 janvier 2016 18:56
>> To: [hidden email]
>> Subject: Re: [OpenAM] Adding secondary configuration instance
>>
>> Hi Franck, leave out the lb first.
>>
>> If you use domain cookies do ...
>>
>> 1) authenticate to OpenAM instance 1 as amadmin (to get to OpenAM
>> console)
>>
>> 2) in browser navigation bar replace FQDN (and port) of instance 1....
>> you must not be prompted for authentication
>>
>>
>> OpenAM uses the instance URLs for cross talk (if you have scheme 'https' there, you need to configure a proper trust on OpenAM's JVM).
>>
>> -Bernhard
>>
>>
>> Am 19/01/16 um 17:46 schrieb Franck Richard:
>>> Hi ,
>>>
>>> Thanks for the explanation. In my case I have two OpenAM instances behind a round robin load balancer. When I start one OpenAM, the connection to the console is fine. When I start the second one, when I try to connect to the console, after validating user and password I come back immediately to the login screen...
>>>
>>> Bernhard, you were talking about crosstalk; is there a simple way to check this communication between the OpenAM instances?
>>>
>>> Thanks
>>>
>>> Franck
>>>
>>> -----Original Message-----
>>> From: [hidden email]
>>> [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
>>> Sent: mardi 19 janvier 2016 09:41
>>> To: [hidden email]
>>> Subject: Re: [OpenAM] Adding secondary configuration instance
>>>
>>> Am 18/01/16 um 17:55 schrieb Sarris Overbosch:
>>>> When you use sticky load balancing you don't need SFO, as the user
>>>> will every time end up at the same openam instance (except when the
>>>> instance is down which means the user has to reauthenticate at
>>>> another openam
>>>> instance). So whether you want to use SFO depends on the requirements
>>>> you have! But if you insist on using a round robin load balancer
>>>> then you need SFO as you never know at which openam instance the request will end up.
>>>
>>> This is not correct. You don't need sticky load balancing at all as OpenAM uses crosstalk to validate the SSO session on the 'authoritative OpenAM instance'.
>>>
>>> Sticky load balancing may only reduce crosstalk in specific cases.
>>>
>>> You only need SFO if you do not want users to re-authenticate when the 'authoritative OpenAM instance' for a given SSO Session goes down.
>>>
>>> However IMHO then every business application protected by OpenAM would also need 'HA' (session failover)....
>>>
>>> -Bernhard
>>>
>>>>
>>>> 2016-01-18 17:32 GMT+01:00 Franck Richard
>>>> <[hidden email]
>>>> <mailto:[hidden email]>>:
>>>>
>>>>     Hi Cyril,
>>>>
>>>>     I am not able to configure high availability when adding a server, I
>>>>     get the same error:
>>>>
>>>>     "The service iPlanetAMSessionService does not have organization schema"
>>>>
>>>>     But for load balancing, is SFO absolutely necessary? Is a user
>>>>     able to connect with a round robin balancer? Because in my case after
>>>>     submitting user and password I return to the login screen...?
>>>>
>>>>     Thanks
>>>>
>>>>     Franck
>>>>
>>>>     -----Original Message-----
>>>>     From: [hidden email]
>>>>     <mailto:[hidden email]>
>>>>     [mailto:[hidden email]
>>>>     <mailto:[hidden email]>] On Behalf Of Cyril Grosjean
>>>>     Sent: lundi 11 janvier 2016 11:46
>>>>     To: Users
>>>>     Subject: Re: [OpenAM] Adding secondary configuration instance
>>>>
>>>>     Frank,
>>>>
>>>>     The easiest way to configure SFO is to do it when you install your
>>>>     second, third, .., nth server, either with the configurator or from
>>>>     the wizard ..


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this email in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
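Bernhard's browser check (log in on instance 1, then open instance 2 directly and expect no login prompt) can be scripted so that it runs with the load balancer left out of the path. The following is an added example, not code from the thread or from OpenAM: it authenticates on one instance through OpenAM's JSON REST endpoint /json/authenticate (zero-page login with the X-OpenAM-Username and X-OpenAM-Password headers) and presents the resulting token to the other instance via /json/sessions/?_action=validate, which is exactly the cross-talk path a second instance has to take for a session it did not issue. The instance URLs, the demo account and the fake replies used for the offline run are assumptions; the endpoint paths follow the OpenAM 11 JSON REST API, so confirm them against the documentation for your version.

```python
"""Cross-talk check between two OpenAM instances, bypassing the load balancer.

Added example for this thread; it is not code from the posts or from OpenAM.
The instance URLs, the account and the fake replies are assumed/constructed.
"""
import json
import urllib.request

# Assumed instance URLs: talk to the instances directly, not through the LB.
INSTANCE_1 = "http://openam1.example.com:8080/openam"
INSTANCE_2 = "http://openam2.example.com:8080/openam"
# OpenAM's default SSO cookie name; the validate call accepts it as a header.
SSO_COOKIE = "iPlanetDirectoryPro"


def post_json(url, headers, opener=urllib.request.urlopen):
    """POST an empty JSON object with the given headers; return the parsed reply.
    `opener` is injectable so the whole flow can be exercised offline."""
    all_headers = dict(headers)
    all_headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=b"{}", headers=all_headers, method="POST")
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def authenticate(base_url, username, password, opener=urllib.request.urlopen):
    """Zero-page login against one instance; returns the SSO token id."""
    reply = post_json(base_url + "/json/authenticate",
                      {"X-OpenAM-Username": username, "X-OpenAM-Password": password},
                      opener)
    token = reply.get("tokenId")
    if not token:
        raise RuntimeError("no tokenId in authenticate reply: %r" % (reply,))
    return token


def validate(base_url, token, opener=urllib.request.urlopen):
    """Ask an instance whether it accepts the token. When the token was issued
    by another instance, 'valid': true means cross-talk to the issuer worked."""
    reply = post_json(base_url + "/json/sessions/?_action=validate",
                      {SSO_COOKIE: token}, opener)
    return bool(reply.get("valid"))


def crosstalk_ok(auth_base, validate_base, username, password,
                 opener=urllib.request.urlopen):
    """Authenticate on `auth_base`, then validate the token on `validate_base`."""
    token = authenticate(auth_base, username, password, opener)
    return validate(validate_base, token, opener)


class _FakeResponse:
    """Minimal stand-in for what urlopen returns, for the offline demo only."""

    def __init__(self, body):
        self._body = body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req):
    """Constructed replies: instance 1 issues a token, instance 2 accepts only it."""
    url = req.full_url
    if url.startswith(INSTANCE_1) and url.endswith("/json/authenticate"):
        return _FakeResponse(b'{"tokenId":"AQIC-constructed-token","successUrl":"/openam/console"}')
    if url.startswith(INSTANCE_2) and "_action=validate" in url:
        # urllib stores header names capitalised, hence the odd lookup key.
        if req.get_header("Iplanetdirectorypro") == "AQIC-constructed-token":
            return _FakeResponse(b'{"valid":true,"uid":"demo","realm":"/"}')
        return _FakeResponse(b'{"valid":false}')
    raise RuntimeError("unexpected request to " + url)


if __name__ == "__main__":
    # Offline run with the constructed replies; drop the opener argument
    # (the default is urllib.request.urlopen) to test real instances.
    print("cross-talk OK:", crosstalk_ok(INSTANCE_1, INSTANCE_2, "demo", "changeit",
                                         opener=fake_opener))
```

Run it against the URLs OpenAM has configured for its server instances, as Bernhard suggests leaving the LB out; if those URLs use https, the JVM trust he mentions has to be in place, otherwise the validate call on instance 2 fails even though both instances are healthy. A token that instance 1 issues and instance 2 reports as valid shows cross-talk working; a false from instance 2 with the LB out of the picture points at the instances themselves rather than at the balancer.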

Re: Adding secondary configuration instance

Franck Richard
Hi,

In addition I have this error message in debug/Authentication on the first node:

ERROR: Error creating logFailed message
java.lang.NullPointerException
        at com.sun.identity.authentication.service.LoginState.getSSOToken(LoginState.java:1926)
        at com.sun.identity.authentication.service.LoginState.logFailed(LoginState.java:4892)
        at com.sun.identity.authentication.service.LoginState.logFailed(LoginState.java:4849)
        at com.sun.identity.authentication.service.LoginState.createAuthContext(LoginState.java:1843)
        at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:278)
        at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:178)

It seems to happen every time I try to connect.

Thanks

Franck

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Franck Richard
Sent: mercredi 20 janvier 2016 17:33
To: Users
Subject: Re: [OpenAM] Adding secondary configuration instance

Hi Bernhard ,

Looking at the connections with liveHttpHeaders everything seems ok. I can see that when accessing the login page a cookie named AMAuthCookie is set in the header with a value.
A series of Set-Cookie are also set because there are several domains.

When a session is opened I can also see that the session cookie is in the header too until logout.

If not, it loops to the login screen with AMAuthCookie filled with the same value.


Franck
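Bernhard's advice to look at the HTTP trace and Franck's observation (AMAuthCookie set, then a loop back to the login screen) both come down to one question: which of the Set-Cookie headers in that trace will the browser actually return to the URL it used? The following is an added example, not code from the thread or from OpenAM, that applies the RFC 6265 domain, path and Secure rules to a constructed trace of an OpenAM login behind an SSL-offloading load balancer; the host names and cookie values are assumptions.

```python
"""Which Set-Cookie headers will the browser actually send back?

Added example for this thread; not code from the posts or from OpenAM. The
Set-Cookie values below are constructed to look like an OpenAM login behind an
SSL-offloading load balancer; the host names are assumptions.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None,
              "path": "/", "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            # RFC 6265: a leading dot is ignored and matching is case-insensitive.
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def domain_matches(host, domain):
    """RFC 6265 domain-match: the host is the domain or a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_outcome(cookie, url):
    """Return (will_be_sent, reason) for a cookie received in a reply to `url`
    and a follow-up request to the same URL."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    if cookie["domain"] is not None and not domain_matches(host, cookie["domain"]):
        # The browser does not store such a cookie at all (RFC 6265, 5.3 step 6).
        return False, "rejected: Domain=%s does not cover %s" % (cookie["domain"], host)
    if cookie["secure"] and u.scheme != "https":
        return False, "Secure cookie is not sent over %s" % u.scheme
    if not path_matches(path, cookie["path"]):
        return False, "Path=%s does not cover %s" % (cookie["path"], path)
    return True, "sent"


def analyse(set_cookie_headers, url):
    """Map cookie name -> (will_be_sent, reason) for every Set-Cookie header."""
    return {c["name"]: cookie_outcome(c, url)
            for c in (parse_set_cookie(h) for h in set_cookie_headers)}


# Constructed trace: the browser talks to the LB over HTTPS; OpenAM behind it
# emits cookies for several domains (as Franck saw), one of them for a domain
# the browser never visits.
LOGIN_URL = "https://sso.example.com/openam/UI/Login"
SAMPLE_SET_COOKIES = [
    "AMAuthCookie=AQIC-constructed-auth; Domain=.example.com; Path=/; Secure; HttpOnly",
    "iPlanetDirectoryPro=AQIC-constructed-sso; Domain=.backend.internal; Path=/; HttpOnly",
    "amlbcookie=01; Domain=.example.com; Path=/",
]


if __name__ == "__main__":
    for name, (sent, why) in analyse(SAMPLE_SET_COOKIES, LOGIN_URL).items():
        print("%-20s %-4s %s" % (name, "OK" if sent else "LOST", why))
```

In the constructed trace the SSO cookie carries a Domain attribute that does not cover the host the browser used, so the browser discards it; the next request arrives without a session and OpenAM presents the login page again while AMAuthCookie (whose domain does match) keeps its value. That is one way a login loop like the one described can arise, so in a real trace compare every Domain attribute with the FQDN the browser uses at the LB rather than with the backend name, and check that any Secure cookie is only expected over https.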



Re: Adding secondary configuration instance

Franck Richard
In reply to this post by Franck Richard
Hi,

After changing the JBoss profile to a light standard profile, load balancing is working fine. I think that OpenAM 11.0 is not fully compatible with JBoss mod_cluster and the full-ha profile.

For SFO I was unable to add the site in the UI, so I imported the missing keys into OpenDS, and it seems to work fine too now.

Cheers

Franck

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Franck Richard
Sent: mercredi 20 janvier 2016 17:33
To: Users
Subject: Re: [OpenAM] Adding secondary configuration instance

Hi Bernhard ,

Looking at the connections with liveHttpHeaders everything seems ok. I can see that when accessing the login page a cookie names AMAuthCookie is set in the header with a value.
A series of Set-Cookie are also set because there are several domains.

When a session is opened I can see also that the cookie session is in the header too until logout.

If not it loops to the login screen with AMAuthCookie filled with the same value.


Franck


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
Sent: mercredi 20 janvier 2016 11:25
To: [hidden email]
Subject: Re: [OpenAM] Adding secondary configuration instance

Am 20/01/16 um 11:21 schrieb Franck Richard:

> Hi Bernhard,
>
> My environment:
>
> client --> HTTPS --> LB Nginx  --> HTTP (or HTTPS or AJP, same issue) --> OpenAM.
>
> Activating the second OpenAM server, I try to connect to the Nginx front, I have the same behavior as described previously I return to login screen after trying to log in. Making a Ctrl+f5 (Firefox), I am able to connect.
>
> After disconnection, same issue.
>
> Starting a private session in Firefox I am able to connect at first attempt. After disconnection, same issue.
>
> I think there is something related with cookie or session somewhere.

Indeed it seems Nginx is messing around with the cookies (but this is not done by default; at least not when I used it lately).

You may check http trace with 'liveHttpHeaders' plugin for Firefox.

-Bernhard

>
> Thanks
>
> Franck
>
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
> Sent: mercredi 20 janvier 2016 11:00
> To: [hidden email]
> Subject: Re: [OpenAM] Adding secondary configuration instance
>
> Am 20/01/16 um 09:36 schrieb Franck Richard:
>> Hi Bernhard,
>>
>> Actually when I open a session on the first server, when typing URL of the second OpenAM server I don't need to authenticate. I think it means crosstalk communication is available.
>
> most likely
>
>>
>> - Ryan- I guess that's you were meaning in your message.
>>
>> There is a chance that login issue is provided by the balancer.
>
> Could be,
>>
>> Actually access to the balancer is made with 'https' scheme but the reverse proxy use 'http' scheme.
>
>
> so your are actually doing SSL offloading at the LB.
>
> It seems your env looks like
>
>
> client --> HTTPS --> LB (which product?) --> HTTP --> HTTP
> Reverse-Proxy (which product?) --> HTTP --> OpenAM
>
> correct?
>
> does HTTP Host header 'rewriting' happen at LB or RP?
>
> the next step to try is
>
> Client --> HTTP RP --> OpenAM
>
> and check access log of OpenAM deployment container for cross talk
>
>
>  As OpenAM instances are able to communicate each other in http, I am not sure a trust between OpenAM's JVM is needed, but maybe I am wrong.
>
> It's not needed , see my reply.
>
> -Bernhard
>>
>> Thanks
>>
>> Franck
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
>> Sent: mardi 19 janvier 2016 18:56
>> To: [hidden email]
>> Subject: Re: [OpenAM] Adding secondary configuration instance
>>
>> Hi Franck, leave out the lb first.
>>
>> If you use domain cookies do ...
>>
>> 1) authenticate to OpenAM instance 1 as amadmin (to get to OpenAM
>> console)
>>
>> 2) in browser navigation bar relace FQDN (and port) of instance 1....
>> you must not be prompted for authentication
>>
>>
>> OpenAM uses the instance URLs for cross talk, (if you have scheme 'https' there, you need to configure a proper trust on OpenAM's JVM).
>>
>> -Bernhard
>>
>>
>> Am 19/01/16 um 17:46 schrieb Franck Richard:
>>> Hi ,
>>>
>>> Thanks for explanation. In my case I have two OpenAM behind a round robin load balancer. When I start one OpenAM, the connection to the console is fine. When I start the second one, when I try to connect to the console, after validating user and password I come back immediately to the login screen...
>>>
>>> Bernhard you were talking about crosstalk, is there a simple way to check this communication between the OpenAM instances?
>>>
>>> Thanks
>>>
>>> Franck
>>>
>>> -----Original Message-----
>>> From: [hidden email]
>>> [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
>>> Sent: mardi 19 janvier 2016 09:41
>>> To: [hidden email]
>>> Subject: Re: [OpenAM] Adding secondary configuration instance
>>>
>>> Am 18/01/16 um 17:55 schrieb Sarris Overbosch:
>>>> When you use sticky load balancing you don't need SFO, as the user
>>>> will every time end up at the same openam instance (except when the
>>>> instance is down which means the user has to reauthenticate at
>>>> another openam
>>>> instance) So wether you want to use SFO depends on the requirements
>>>> you have! But if you insist on using a round robin load balancer
>>>> then you need SFO as you never know at which openam instance the request will end up.
>>>
>>> This is not correct. You don't need sticky loadbalancing at all as OpenAM uses crosstalk to validate the SSO session on the 'authoritative OpenAM instance'.
>>>
>>> Sticky loadbalancing may only reduce crosstalk in specific cases.
>>>
>>> You only need SFO if you do not want users to re-authenticate when the 'authoritative OpenAM instance' for a given SSO Session wents down.
>>>
>>> However IMHO then every business application protected my OpenAM also would need 'HA' (session failover)....
>>>
>>> -Bernhard
>>>
>>>>
>>>> 2016-01-18 17:32 GMT+01:00 Franck Richard
>>>> <[hidden email]
>>>> <mailto:[hidden email]>>:
>>>>
>>>>     Hi Cyril,
>>>>
>>>>     I am not able configure high availability when adding a server, I
>>>>     get the same error :
>>>>
>>>>     "The service iPlanetAMSessionService does not have organization schema"
>>>>
>>>>     But for load balancing does SFO absolutely necessary? Does a user
>>>>     able to connect with a round robin balancer because on my case after
>>>>     submitting user and password I  return to the login screen...?
>>>>
>>>>     Thanks
>>>>
>>>>     Franck
>>>>
>>>>     -----Original Message-----
>>>>     From: [hidden email]
>>>>     <mailto:[hidden email]>
>>>>     [mailto:[hidden email]
>>>>     <mailto:[hidden email]>] On Behalf Of Cyril Grosjean
>>>>     Sent: lundi 11 janvier 2016 11:46
>>>>     To: Users
>>>>     Subject: Re: [OpenAM] Adding secondary configuration instance
>>>>
>>>>     Frank,
>>>>
>>>>     The easiest way to configure SFO is to do it when you install your
>>>>     second, third, .., nth server, either with the configurator or from
>>>>     the wizard ..
>>>>     _______________________________________________
>>>>     Visit the OpenAM forum at
>>>>     https://forgerock.org/forum/fr-projects/openam/
>>>>     OpenAM mailing list
>>>>     [hidden email] <mailto:[hidden email]>
>>>>     https://lists.forgerock.org/mailman/listinfo/openam
>>>>     _______________________________________________
>>>>     Visit the OpenAM forum at
>>>>     https://forgerock.org/forum/fr-projects/openam/
>>>>     OpenAM mailing list
>>>>     [hidden email] <mailto:[hidden email]>
>>>>     https://lists.forgerock.org/mailman/listinfo/openam
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Visit the OpenAM forum at
>>>> https://forgerock.org/forum/fr-projects/openam/
>>>> OpenAM mailing list
>>>> [hidden email]
>>>> https://lists.forgerock.org/mailman/listinfo/openam
>>>>
>>>
>>>
>>> --
>>> Painstaking Minds
>>> IT-Consulting Bernhard Thalmayr
>>> Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
>>> Tel: +49 (0)8062 7769174
>>> Mobile: +49 (0)176 55060699
>>>
>>> [hidden email] - Solution Architect
>>> http://www.xing.com/profile/Bernhard_Thalmayr
--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this email in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam