
GCF /misc/noauth.html

Submitted by Jason on Wed, 02/01/2012 - 13:05

I got the code for a GCF to Touchnet from another school, but I can't seem to get it to work. It isn't writing anything to the cp.log, or cpip.log on either the front-end web server or the cpip server (we have one cpip server on the resource/ldap server, and traffic to 8008 is directed there via our load balancer).

When I execute this sso URL:
https://ourschool.pcc.edu/cp/ip/login?sys=ebill&url=https://test.secure....

It instantly takes me to /misc/noauth.html without writing anything to either cp.log or cpip.log. What type of problem might that indicate? It's hard to debug with no error messages:)

All logging is set to debug.

I should mention that this is the first time I've tried to set up a cpip connector by hand, so the issue might be something very simple.

Luminis Version:

Did you do these two steps? I think yours would say ebill where I have touchnet.

* Edit /opt/luminis/webapps/cpipconnector/WEB-INF/config/cpipconnector.properties
Add touchnet.properties to end of line:
property.files = comexp.properties,messengerexpress.properties,mowa.properties,touchnet.properties
Note there should not be any line breaks in this line but it is okay for it to wrap.

* Add to configman setting es.system:
$configman -g es.systems > es.systems.configman
Edit file: add es.systems to front and add touchnet to end of list:
es.systems sct cal comexp sctinb sctssb mowa epstu ephr touchnet
$configman -i es.systems.configman
$configman -g es.systems
sct cal comexp sctinb sctssb mowa epstu ephr touchnet

Yup. cpipconnector.properties modified, xml and properties files placed in config/, and configman settings set. I didn't get an example of the configman settings, so I based them on connectors we already have. Ebill's (touchnet's) are set like:

-bash-3.00$ configman -g es.ebill*
es.ebill.autosync=false
es.ebill.configURL=http://ourschool.edu:8008/cpipconnector/ebill/GetConfigVersion2
es.ebill.configattempts=60
es.ebill.configsleeptime=100
es.ebill.shortcircuitlogin=false

GetConfigVersion2 does return a string of data.

Well odd....

Based on some threads here, some people had set
ebill.cpipconnector.getconfig.sendlogin = false
And others said true.

At any rate, ours was true, I set it to false, restarted, and now I see debug logging...

I think I can take it from here. The log sent the proper credentials, but said 'authentication failed', which is likely because Touchnet currently cannot reach our self-service dad because of some networking issues.

Still not working. Could someone please post their configman settings for Touchnet? I assumed that it should follow the format of other connectors, but I might be wrong.

Thanks. That matches my settings.

Unfortunately, I'm not getting any errors. An SSO link takes me to https://ourschool.edu/misc/noauth.html. I have a ticket open with Sungard to double check my cplog4j settings.

A Sungard consultant set them up for a prior project, so I assume they are correct.

### creates a cpip.log ####
log4j.logger.com.pipeline.sdk = DEBUG, com-pipeline-sdk
log4j.logger.com.pipeline.gist = DEBUG, com-pipeline-sdk
log4j.logger.com.pipeline.web.DefaultURLRequestBroker = DEBUG, com-pipeline-sdk
log4j.logger.com.pipeline.extsys.MMServlet = DEBUG, com-pipeline-sdk
log4j.appender.com-pipeline-sdk =org.apache.log4j.RollingFileAppender
log4j.appender.com-pipeline-sdk.File=${util.logservice.log4j.directory}/cpip.log
log4j.appender.com-pipeline-sdk.MaxFileSize=1MB
log4j.appender.com-pipeline-sdk.MaxBackupIndex=2
log4j.appender.com-pipeline-sdk.layout=org.apache.log4j.PatternLayout
log4j.appender.com-pipeline-sdk.layout.ConversionPattern=[%d{ISO8601}] [%p] (%t) ${application.name} [%c]:%x %m%n
log4j.logger.com.pipeline.schoolsvc.SchoolServicesServlet = DEBUG, com-pipeline-sdk
log4j.logger.com.sct.pipeline.sis = DEBUG, com-pipeline-sdk

I also have this line right above your first one:
log4j.logger.com.pipeline.sdk.cpip.ExternalSystemV2=DEBUG,file

I normally find most of my debugging info in the cp.log. After that I look at cpipconnector and finally cpip.

Support helped. That cpip.log stuff was only for cpip-style connectors, not for GCF. I had to add this stuff:

log4j.rootCategory=ERROR, file, console
#log4j.category.com.campuspipeline=DEBUG
#log4j.category.campuspipeline=DEBUG
#log4j.category.org.apache.commons.httpclient=DEBUG
log4j.category.com.campuspipeline.sso.authenticator.HttpSteps=DEBUG
log4j.category.com.campuspipeline.sso.authenticator.SSOOperations=DEBUG
log4j.category.com.campuspipeline.sso.SSOUtil=DEBUG

Now I see logging again. It was complaining about certs. Sure enough, I had forgotten to import touchnet's cert into our front-end web servers.

So now the cpipconnector.log says:
>>> returned pickup URL is http://front-end-server1.domain.edu:8008/cpipconnector/ebill/Pickup?sid=...
[2012-02-07 15:30:56,248] [DEBUG] http-8008-Processor23:/ebill/Authenticate com.campuspipeline.sso.authenticator.SSOOperations.authenticateUser:224
>>> successful login to external system
[2012-02-07 15:30:56,250] [DEBUG] http-8008-Processor23:/ebill/Authenticate com.campuspipeline.sso.authenticator.SSOOperations.authenticateUser:227
>>> }}}} authenticateUser

And the browser is left sitting at pickup URL http://front-end-server1.domain.edu:8008/cpipconnector/ebill/Pickup?sid=.......

Our setup is 2 front-end servers behind a load balancer. The load balancer redirects all port 8008 traffic to the resource/ldap tier, which is the single cpip server. I must be getting confused between GCF and cpip-style connectors, as http://front-end-server1.domain.edu:8008 in a client browser would never work.

Given that our cpipconnector.properties file on the front end web server1 says cpipconnector.host = front-end-server1.domain.edu
I'm unsure how our other connectors are working. Like self-service and Desire2Learn. No client should ever be redirected to front-end-server1.domain.edu:8008. cpip-style connectors must not use the cpipconnector.host property on front-end web servers, but GCF connectors do?

I am not familiar with writing a straight CPIP, but GCF works by something along the
lines of:

luminis server (i.e. not client browser) (on receiving /ip/login?sys=A&url=B )

calls internal URL for Authenticate.1
(cf cpipconnector.properties: cpipconnector.host, cpipconnector.port)
i.e. front-end-server1.domain.edu:8008/cpipconnector/A/Authenticate

calls internal URL for Authenticate.2
i.e. front-end-server1.domain.edu:8008/cpipconnector/A/Authenticate

then (if Success) redirects the browser to the external URL for Pickup
(cf cpipconnector.properties: cpipconnector.virtual.host, cpipconnector.virtual.port)
i.e. myvirtualPortalCpip.domain.edu:443/cpipconnector/A/Pickup

and the load balancer makes
myvirtualPortalCpip:443 go to front-end-server1:8008

I guess that you need to check a couple of things:
1) what is cpipconnector.virtual.host set to
2) is the cpip using the correct property to generate the URL for redirecting the client?

Derek
University of Leeds, UK

"2) is the cpip using the correct property to generate the URL for redirecting the client?"

Where is that located? pickup.destURLParameter in the properties file? Mine is equal to the value "url". As I said, I received the xml and properties from another school. Maybe that "url" should be some real value and they sanitized it?

edit: I think I found it. The
touchnet.urlBase = ${cpipconnector.urlBase}/blah blah

So that school maybe wasn't behind a load balancer. I changed it to:
touchnet.urlBase = ${cpipconnector.virtual.urlBase}/blah blah

edit2: That worked. Thanks everyone. We normally do sso to systems using a custom method, so this was a learning experience:)

You definitely want to use ${cpipconnector.virtual.*} for anything that gets sent
to the client browser.

That was what I was trying to hint towards.

Glad that you have found a solution.

We always find that there is one more thing that we don't know about SSO
whenever even a minor thing changes.

Derek
University of Leeds, UK
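
The fix reached in this thread (client-facing URLs must be built from the ${cpipconnector.virtual.*} properties, not the internal host and port) can be checked before deployment. The sketch below is an added example, not code from any poster or from Luminis: it expands ${...} references in a properties file and reports client-facing keys that resolve to the internal cpipconnector.host:port. The definitions of the two urlBase properties, the "/example" path and the function names are assumptions made for illustration.

```python
import re

# Constructed sample. Host names are the ones used in the thread; the way the
# two urlBase values are built from host and port, and the "/example" path,
# are assumptions made for this illustration.
SAMPLE = """\
cpipconnector.host = front-end-server1.domain.edu
cpipconnector.port = 8008
cpipconnector.virtual.host = myvirtualPortalCpip.domain.edu
cpipconnector.virtual.port = 443
cpipconnector.urlBase = http://${cpipconnector.host}:${cpipconnector.port}/cpipconnector
cpipconnector.virtual.urlBase = https://${cpipconnector.virtual.host}:${cpipconnector.virtual.port}/cpipconnector
touchnet.urlBase = ${cpipconnector.urlBase}/example
"""
REF = re.compile(r"\$\{([^}]+)\}")

def parse_properties(text):
    """Parse key = value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", "!")):
            props[key.strip()] = value.strip()
    return props

def resolve(props, key, seen=()):
    """Expand ${name} references recursively; unknown names stay as written."""
    if key in seen:
        raise ValueError("circular reference at " + key)
    def expand(m):
        name = m.group(1)
        return resolve(props, name, seen + (key,)) if name in props else m.group(0)
    return REF.sub(expand, props[key])

def audit(props, client_facing):
    """Return (key, resolved URL) for client-facing keys that resolve to the
    internal cpipconnector.host:port instead of the load-balanced virtual host."""
    internal = "%s:%s" % (props["cpipconnector.host"], props["cpipconnector.port"])
    resolved = [(key, resolve(props, key)) for key in client_facing]
    return [(key, url) for key, url in resolved if internal in url]

if __name__ == "__main__":
    for key, url in audit(parse_properties(SAMPLE), ["touchnet.urlBase"]):
        print("%s -> %s (internal endpoint, unreachable by browsers)" % (key, url))
```

Which keys count as client-facing has to be supplied by whoever knows the connector; here only touchnet.urlBase, the property changed in the thread, is listed.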