
GCF /misc/noauth.html

Submitted by Jason on Wed, 02/01/2012 - 13:05

I got the code for a GCF to Touchnet from another school, but I can't seem to get it to work. It isn't writing anything to the cp.log, or cpip.log on either the front-end web server or the cpip server (we have one cpip server on the resource/ldap server, and traffic to 8008 is directed there via our load balancer).

When I execute this sso URL:

It instantly takes me to /misc/noauth.html without writing anything to either cp.log or cpip.log. What type of problem might that indicate? It's hard to debug with no error messages :)

All logging is set to debug.

I should mention that this is the first time I've tried to set up a cpip connector by hand, so the issue might be something very simple.

Luminis Version:

Did you do these two steps? I think yours would say ebill where I have touchnet.

* Edit /opt/luminis/webapps/cpipconnector/WEB-INF/config/
Add to end of line:
property.files =,,,
Note there should not be any line breaks in this line but it is okay for it to wrap.

* Add to configman setting es.system:
$configman -g >
Edit file: add to front and add touchnet to end of list: sct cal comexp sctinb sctssb mowa epstu ephr touchnet
$configman -i
$configman -g
sct cal comexp sctinb sctssb mowa epstu ephr touchnet

Yup. modified, xml and properties files placed in config/, and configman settings set. I didn't get an example of the configman settings, so I based them on connectors we already have. Ebill's (touchnet's) are set like:

-bash-3.00$ configman -g es.ebill*

GetConfigVersion2 does return a string of data.

Well odd....

Based on some threads here, some people had set
ebill.cpipconnector.getconfig.sendlogin = false
And others said true.

At any rate, ours was true, I set it to false, restarted, and now I see debug logging...

I think I can take it from here. The log sent the proper credentials, but said 'authentication failed', which is likely because Touchnet currently cannot reach our self-service dad because of some networking issues.

Still not working. Could someone please post their configman settings for Touchnet? I assumed that it should follow the format of other connectors, but I might be wrong.

Thanks. That matches my settings.

Unfortunately, I'm not getting any errors. A sso link takes me to I have a ticket open with Sungard to double check my cplog4j settings.

A sungard consultant set them up for a prior project, so I assume they are correct.

### creates a cpip.log #### = DEBUG, com-pipeline-sdk = DEBUG, com-pipeline-sdk = DEBUG, com-pipeline-sdk = DEBUG, com-pipeline-sdk =org.apache.log4j.RollingFileAppender${}/cpip.log[%d{ISO8601}] [%p] (%t) ${} [%c]:%x %m%n = DEBUG, com-pipeline-sdk = DEBUG, com-pipeline-sdk

I also have this line right above your first one:,file

I normally find most of my debugging info in the cp.log. After that I look at cpipconnector and finally cpip.

Support helped. That cpip.log stuff was only for cpip-style connectors, not for GCF. I had to add this stuff:

log4j.rootCategory=ERROR, file, console

Now I see logging again. It was complaining about certs. Sure enough, I had forgotten to import touchnet's cert into our front-end web servers.

So now the cpipconnector.log says:
>>> returned pickup URL is
[2012-02-07 15:30:56,248] [DEBUG] http-8008-Processor23:/ebill/Authenticate com.campuspipeline.sso.authenticator.SSOOperat
>>> successful login to external system
[2012-02-07 15:30:56,250] [DEBUG] http-8008-Processor23:/ebill/Authenticate com.campuspipeline.sso.authenticator.SSOOperat
>>> }}}} authenticateUser

And the browser is left sitting at pickup URL

Our setup is 2 front-end servers behind a load balancer. The load balancer redirects all port 8008 traffic to the resource/ldap tier, which is the single cpip server. I must be getting confused between GCF and cpip-style connectors, as in a client browser would never work.

Given that our file on the front end web server1 says =
I'm unsure how our other connectors are working. Like self-service and desire 2 learn. No client should ever be redirected to cpip-style connectors must not use the property on front-end web servers, but GCF connectors do?

I am not familiar with writing a straight CPIP, but GCF works by something along the
lines of:

luminis server (i.e. not client browser) (on receiving /ip/login?sys=A&url=B )

calls internal URL for Authenticate.1
(cf, cpipconnector.port)

calls internal URL for Authenticate.2

then (if Success) redirects the browser to the external URL for Pickup
(cf, cpipconnector.virtual.port)

and the load balancer makes
myvirtualPortalCpip:443 go to front-end-server1:8008

I guess that you need to check a couple of things:
1) what is set to
2) is the cpip using the correct property to generate the URL for redirecting the client?

University of Leeds, UK

"2) is the cpip using the correct property to generate the URL for redirecting the client?"

Where is that located? pickup.destURLParameter in the properties file? Mine is equal to the value "url". As I said, I received the xml and properties from another school. Maybe that "url" should be some real value and they sanitized it?

edit: I think I found it. The
touchnet.urlBase = ${cpipconnector.urlBase}/blah blah

So that school maybe wasn't behind a load balancer. I changed it to:
touchnet.urlBase = ${cpipconnector.virtual.urlBase}/blah blah

edit2: That worked. Thanks everyone. We normally do sso to systems using a custom method, so this was a learning experience :)

You definitely want to use ${cpipconnector.virtual.*} for anything that gets sent
to the client browser.

That was what I was trying to hint towards.

Glad that you have found a solution.

We always find that there is one more thing that we don't know about SSO
whenever even a minor thing changes.

University of Leeds, UK
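
The fix reached in this thread can be checked mechanically. The following is an added example, not code from the thread or from Luminis: it follows `${...}` references in a connector properties file and reports any browser-facing property that resolves to a non-virtual `cpipconnector.*` value. The keys `touchnet.pickup.url` and `touchnet.authenticate.url`, the `/example` path and the sample file contents are constructed for illustration; which keys are browser-facing is something you supply.

```python
import re

REF = re.compile(r"\$\{([^}]+)\}")

def parse_properties(text):
    """Parse simple 'key = value' lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def internal_chains(key, props, seen=None):
    """Return reference chains from `key` to a non-virtual cpipconnector.* property."""
    seen = set() if seen is None else seen
    if key in seen:          # guard against circular references
        return []
    seen.add(key)
    chains = []
    for ref in REF.findall(props.get(key, "")):
        if ref.startswith("cpipconnector.") and not ref.startswith("cpipconnector.virtual."):
            chains.append([key, ref])
        else:
            chains += [[key] + c for c in internal_chains(ref, props, seen)]
    return chains

def audit(text, client_facing):
    """Map each browser-facing key to the chains that leak an internal address."""
    props = parse_properties(text)
    findings = {}
    for key in client_facing:
        chains = internal_chains(key, props)
        if chains:
            findings[key] = chains
    return findings

# Constructed sample: the pickup URL is sent to the browser, while the
# Authenticate call is made server to server and may stay internal.
SAMPLE_BEFORE = """
touchnet.urlBase = ${cpipconnector.urlBase}/example
touchnet.pickup.url = ${touchnet.urlBase}/pickup
touchnet.authenticate.url = ${cpipconnector.urlBase}/example/Authenticate
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "touchnet.urlBase = ${cpipconnector.urlBase}",
    "touchnet.urlBase = ${cpipconnector.virtual.urlBase}",
)

if __name__ == "__main__":
    print(audit(SAMPLE_BEFORE, ["touchnet.pickup.url"]))
    print(audit(SAMPLE_AFTER, ["touchnet.pickup.url"]))
```
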