
Thursday, December 5, 2019

OpenDJ rename using ./dsconfig: error Unable to connect to the server at "dsa.avantastech.com" 4444

Issue:

I followed the ForgeRock OpenDJ rename instructions and was getting an "unable to connect" error even though the LDAP server was up and running.


./dsconfig set-sasl-mechanism-handler-prop --handler-name DIGEST-MD5 --port 5444 --hostname dsa.avantastech.com --bindDN "cn=Directory Manager" --bindPassword password --set server-fqdn:dsb.avantastech.com --trustAll

Unable to connect to the server at "dsa.avantastech.com" on port 5444



Instructions I followed:

How do I change the hostname for DS/OpenDJ (All versions)?

The purpose of this article is to provide information on changing the hostname for a DS/OpenDJ server. This article covers both replicated and non-replicated servers.

Changing the hostname

This process uses the following example server hostnames:
  • Original hostname: dsA.example.com
  • New hostname: dsB.example.com
  • Hostname of another replicated server: dsZ.example.com
To change the server hostname:
  1. Direct client applications to other servers.
  2. Prevent the server from accepting updates from client applications using the following command:
    $ ./dsconfig set-global-configuration-prop --port 4444 --hostname dsA.example.com --bindDN "cn=Directory Manager" --bindPassword password --set writability-mode:internal-only --trustAll --no-prompt
    
  3. If the server is replicated, disable replication using the dsreplication command applicable to your version:
    • DS 5 and later:
      $ ./dsreplication unconfigure --unconfigureAll --port 4444 --hostname dsA.example.com --bindDN "cn=Directory Manager" --adminPassword password --trustAll --no-prompt
    • Pre-DS 5:
      $ ./dsreplication disable --disableAll --port 4444 --hostname dsA.example.com --bindDN "cn=Directory Manager" --adminPassword password --trustAll --no-prompt
      
  4. Change the hostname details in the /etc/hosts file and/or on the DNS.
  5. Change the server-fqdn in the DIGEST-MD5 entry using the following command:
    $ ./dsconfig set-sasl-mechanism-handler-prop --handler-name DIGEST-MD5 --port 4444 --hostname dsA.example.com --bindDN "cn=Directory Manager" --bindPassword password --set server-fqdn:dsB.example.com --trustAll
    
  6. Restart DS/OpenDJ:
    $ ./stop-ds
    $ ./start-ds
  7. Regenerate all self-signed certificates. See Administration Guide › Preparing For Secure Communications and Administration Guide › Changing Server Certificates for further information.
  8. Restart DS/OpenDJ:
    $ ./stop-ds
    $ ./start-ds
  9. If the server was replicated, enable replication on the new server using the dsreplication command applicable to your version:
    • DS 5 and later:
      $ ./dsreplication configure --adminUid admin --adminPassword password --baseDn dc=example,dc=com --host1 dsZ.example.com --port1 4444 --bindDn1 "cn=Directory Manager" --bindPassword1 password --replicationPort1 8989 --host2 dsB.example.com --port2 4444 --bindDn2 "cn=Directory Manager" --bindPassword2 password --replicationPort2 8989 --trustAll --no-prompt
    • Pre-DS 5:
      $ ./dsreplication enable --adminUID admin --adminPassword password --baseDN dc=example,dc=com --host1 dsZ.example.com --port1 4444 --bindDN1 "cn=Directory Manager" --bindPassword1 password --replicationPort1 8989 --host2 dsB.example.com --port2 4444 --bindDN2 "cn=Directory Manager" --bindPassword2 password --replicationPort2 8989 --trustAll --no-prompt
  10. If the server was replicated, initialize the new server to ensure it has all the changes that have occurred since you disabled replication:
    $ ./dsreplication initialize --adminUID admin --adminPassword password --baseDN dc=example,dc=com --hostSource dsZ.example.com --portSource 4444 --hostDestination dsB.example.com --portDestination 4444 --trustAll --no-prompt
  11. Re-enable the server to accept updates from client applications using the following command:
    $ ./dsconfig set-global-configuration-prop --port 4444 --hostname dsA.example.com --bindDN "cn=Directory Manager" --bindPassword password --set writability-mode:enabled --trustAll --no-prompt

On step 5 I was getting the "unable to connect to the server" error. I was using the local server's hosts file to change the DNS name, and the logs showed that the server could not be found.

Solution:

I changed the command to use the new hostname, which is the only name that still resolves once the hosts file has been changed:

./dsconfig set-sasl-mechanism-handler-prop --handler-name DIGEST-MD5 --port 4444 --hostname dsB.example.com --bindDN "cn=Directory Manager" --bindPassword password --set server-fqdn:dsB.example.com --trustAll

and ran it. It prompted me to confirm the correct name; I selected option "f" to confirm and it worked.



Monday, November 18, 2019

HTTP Status 404 – Not Found Message /openam/config/options.htm





HTTP Status 404 – Not Found


Type Status Report
Message /openam/config/options.htm
Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.

Apache Tomcat/9.0.21


Solution:

Copy context.xml to ../webapps/openam/META-INF.

It should solve your issue.

Saturday, November 16, 2019

org.apache.tomcat.util.IntrospectionUtils.setProperty Error setting property [allow] to [*] on class [class org.apache.catalina.valves.RemoteAddrValve]

OpenAM error:
org.apache.tomcat.util.IntrospectionUtils.setProperty Error setting property [allow] to [*] on class [class org.apache.catalina.valves.RemoteAddrValve]

It is because the RemoteAddrValve under ../../conf/Catalina/localhost/manager.xml is invalid: the allow attribute is a regular expression, and allow="*" (a bare "*", as set in context.xml) is not a valid one, so Tomcat cannot set the property.

Now change

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />

to

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow=".*" />

and it should resolve the issue. You should not use allow="*" or any other allow-everything pattern in a production environment; restrict it to the administrator addresses.

Wednesday, November 13, 2019

ForgeRock OpenAM: How to Change the amadmin User's Password in an External Configuration Store

From ForgeRock:

If OpenAM is configured to use an external configuration store, perform the following steps to change the amadmin user's password:
  1. Log in to the OpenAM console as the administrator, amadmin.
  2. Navigate to Realms > Top Level Realm > Subjects, and then click amAdmin.
  3. On the Edit User page, select Edit next to Password.
  4. On the Change Password page, enter the new password in the New Password field.
  5. Click OK to save your changes.
    If your deployment has multiple OpenAM servers, the new password replicates across all servers.

OpenAM Enabling SNMP Monitoring





You can configure OpenAM to listen on port 8085 for SNMP monitoring. To enable this, either use the console or use the ssoadm command:

$ ssoadm \
 set-attr-defs \
 --servicename iPlanetAMMonitoringService \
 --schematype Global \
 --adminid amadmin \
 --password-file /tmp/pwd.txt \
 --attributevalues iplanet-am-monitoring-snmp-enabled=true

Monitoring over HTTP whether OpenAM is up, using isAlive.jsp

You can use the URLs below, adjusted to your environment, to see whether OpenAM is live or not:

http://host1.example.com:8080/openam/isAlive.jsp
http://lb.example.com:8080/openam/isAlive.jsp
 

Tuesday, November 12, 2019

Signing a cert with your own authority and the error .srl: No such file or directory



openssl x509 -sha256 -req -in avantastech.req -CA authority.example.com.crt -CAkey trust.key  -extensions server -days 1365 -outform PEM -out avantastech.crt
Signature ok
subject=your certificate subject
Getting CA Private Key
authority.srl: No such file or directory
140486363838352:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:p_lib.c:137:
140486363838352:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('authority.srl','r')
140486363838352:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

Solution:

To fix this issue I included -CAcreateserial -CAserial authority.seq, because when I create authority.seq by hand I don't know what serial number I can use:

openssl x509 -sha256 -req -in avantastech.req -CA authority.com.crt -CAkey trust.key  -extensions server -days 1365 -outform PEM -out avantastech.crt -CAcreateserial -CAserial authority.seq

and it worked.


Thursday, October 31, 2019

OpenDJ replication creation command

Here is the command to configure OpenDJ replication.

A few things to remember when enabling replication:
1. Make sure you can telnet from one server to the other on the ports used.
2. Use the configure subcommand instead of enable; enable is no longer used.
3. host1 is the other server, not the one where you are running the command; host2 is the server where you are running the command.

./dsreplication configure --adminUid admin --adminPassword mypassword --baseDn dc=orasystemsusa,dc=test,dc=com --host1 orasystemsusa.com --port1 4444 --bindDn1 "cn=Directory Manager" --bindPassword1 mypassword --replicationPort1 8989 --host2 orasystemsusa2.com --port2 4444 --bindDn2 "cn=Directory Manager" --bindPassword2 mypassword --replicationPort2 8989 --trustAll --no-prompt



Tuesday, October 29, 2019

AWS Linux server error "Could not contact CDS load balancer"

It is happening because the nameserver information has been removed from the machine.

Do the following.

To remove the immutable flag from the file:

chattr -i /etc/resolv.conf

vi /etc/resolv.conf
nameserver yournameserverip

Save the changes and exit. Now you should be able to run Linux commands that reach outside of AWS.

Monday, October 21, 2019

REST API call error {"code":501,"reason":"Not Implemented","message":"Not Implemented"} and solution, OpenAM 6.5


I was getting the error below while running this command:

curl \
> --request POST \
> --header "Content-Type: application/json" \
> --header "X-OpenAM-Username: demo" \
> --header "X-OpenAM-Password: changeit" \
> --data "{}" \
> http://avantastech.com:8080/openam/json/realms/root/authenticate



{"code":501,"reason":"Not Implemented","message":"Not Implemented"}

Solution:

I included the version information (the Accept-API-Version header) in the curl command:


curl \
> --request POST \
> --header "Content-Type: application/json" \
> --header "X-OpenAM-Username: demo" \
> --header "X-OpenAM-Password: changeit" \
> --header "Accept-API-Version: resource=2.0, protocol=1.0" \
> --data "{}" \
> http://avantastech.com:8080/openam/json/realms/root/authenticate



Wednesday, October 16, 2019

AWS Cloudformation uploading error "unresolved resource dependencies in the resources block of the template"


Error

unresolved resource dependencies in the resources block of the template

Solution:

You are referring to a resource or parameter with !Ref, but it does not exist in the template.
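An added checker (not part of the post or of AWS tooling) that finds exactly this condition: it walks the Resources block of a template in JSON form ({"Ref": "X"} is the JSON spelling of !Ref) and lists every Ref or Fn::GetAtt whose target is not a declared resource, parameter or pseudo parameter. The template below is constructed for the check.

```python
import json

# Pseudo parameters that CloudFormation resolves itself; they never appear in the template.
PSEUDO_PARAMETERS = {
    "AWS::AccountId", "AWS::NoValue", "AWS::NotificationARNs", "AWS::Partition",
    "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix",
}

# Constructed template (not from the post): WebSg refers to a VPC that is never declared.
TEMPLATE_JSON = json.dumps({
    "Parameters": {"KeyName": {"Type": "AWS::EC2::KeyPair::KeyName"}},
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "web tier", "VpcId": {"Ref": "AppVpc"}},
        },
        "WebHost": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "KeyName": {"Ref": "KeyName"},
                "SecurityGroupIds": [{"Fn::GetAtt": ["WebSg", "GroupId"]}],
                "SubnetId": {"Ref": "AWS::NoValue"},
            },
        },
    },
})


def find_references(node, path):
    """Yield (path, logical_name) for every Ref and Fn::GetAtt nested under node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield path, node["Ref"]
        elif set(node) == {"Fn::GetAtt"} and isinstance(node["Fn::GetAtt"], list):
            yield path, node["Fn::GetAtt"][0]   # first element is the logical name
        else:
            for key, value in node.items():
                yield from find_references(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_references(value, f"{path}[{index}]")


def unresolved_dependencies(template_text):
    """List (path, name) for references in Resources whose target is declared nowhere."""
    template = json.loads(template_text)
    resources = template.get("Resources", {})
    declared = set(resources) | set(template.get("Parameters", {})) | PSEUDO_PARAMETERS
    return [(path, name) for path, name in find_references(resources, "Resources")
            if name not in declared]


if __name__ == "__main__":
    for path, name in unresolved_dependencies(TEMPLATE_JSON):
        print(f"{path}: references undeclared '{name}'")
```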


Wednesday, October 2, 2019

ForgeRock OpenAM console error "HTTP Status 500 – Internal Server Error" resolved




HTTP Status 500 – Internal Server Error


Type Exception Report
Message An error occurred while processing this request. Contact your administrator.
Description The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception
javax.servlet.ServletException: An error occurred while processing this request. Contact your administrator.
 com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:148)
 org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/9.0.21

  Caution: the step below will delete your configuration. Make sure you copy the original first in case you delete it by mistake. It only holds the location of your OpenAM configuration, so you can recreate it and include the configuration path.

Solution:

Go to the user's home directory and look at the hidden files.

There should be a hidden .openamcfg directory; remove it and restart Tomcat.

rm -r ~/.openamcfg

After starting Tomcat you should be able to see the OpenAM console; it will require you to reconfigure OpenAM.

 

 

 

 

 

Monday, September 30, 2019

SailPoint IIQ configuration with MS SQL Server



SailPoint Configuration Steps:

  • Create an \identityiq directory under the Tomcat webapps directory: for example, C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq
  • Unzip the identityiq-7.3.zip file.
    Copy the identityiq.war file to C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq
    Run the commands below to extract identityiq.war (jar extracts into the current directory, and the path needs quotes because it contains spaces):
    cd "C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq"
    jar -xvf identityiq.war
  • Create the database schema:
    • In the command prompt window, change to the C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq\WEB-INF\bin directory
    • Enter iiq schema to create the schema
  • Create the database from the schema:
    • In the command prompt window, change to the C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq\WEB-INF\database directory
    • Log in to SQL Server through SQL Server Management Studio, click New Query and paste in the contents of create_identityiq_tables.sqlserver
    • Run the query to load the schema into SQL Server.
      Check that the database was created by typing show databases; you should see identityiq listed among the databases (there will be other databases listed; these don't matter for IdentityIQ).
  • Type quit to exit SQL Server.
  • Navigate to the \tomcat\webapps\identityiq\WEB-INF\bin directory
  • Launch the iiq console by running this command: iiq console
    Allow the console a few moments to launch. The console is running when you see a > symbol in the command prompt.
  • In the IdentityIQ console, run these commands:
    import init.xml
    import init-lcm.xml
  • When the import is complete, type quit to exit from the IdentityIQ console.
  • Restart the Tomcat server.

Log in to IdentityIQ at http://localhost:8080/identityiq/ with the spadmin/admin credentials.

Thursday, September 26, 2019

HTTP Status 500 – Internal Server Error, ERROR: Unable to parse product versions for comparison; Current: null war: ForgeRock Access Management 6.5.2 Build 314d553429 (2019-June-17 15:07)





15:47:04.657 SEVERE [http-nio-8080-exec-9] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [/openam] threw exception [An error occurred while processing this request. Contact your administrator.] with root cause
        javax.servlet.ServletException: An error occurred while processing this request. Contact your administrator.
                at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:148)


Error from catalina.log:

ERROR: Unable to parse product versions for comparison; Current: null war: ForgeRock Access Management 6.5.2 Build 314d553429 (2019-June-17 15:07)
org.forgerock.openam.upgrade.UpgradeException: Unable to parse product versions for comparison. Current: null war: ForgeRock Access Management 6.5.2 Build 314d553429 (2019-June-17 15:07)


HTTP Status 500 – Internal Server Error

Type Exception Report
Message An error occurred while processing this request. Contact your administrator.
Description The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception
javax.servlet.ServletException: An error occurred while processing this request. Contact your administrator.
com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:148)
org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/9.0.21


Solution:

Unfortunately the only way I could resolve this issue was to remove openam under webapps and remove .openamcfg under the user's home directory (.openamcfg is hidden).




Wednesday, September 25, 2019

openam ERROR: Failed to locate IDP Entity ID

  Check that the EntityID you are sending is correct. It should be exactly the same as the one in the IdP metadata file. Make sure there are no trailing spaces or extra slashes at the end.
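An added helper (not from the post or from OpenAM) for this check: it reads the entityID out of IdP metadata and, when the value being sent differs, names the kind of difference (trailing space, extra slash, letter case), since the entity ID is matched exactly. The metadata below is constructed with a placeholder entityID.

```python
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed IdP metadata with a placeholder entityID (not a real provider).
IDP_METADATA = (
    f'<EntityDescriptor xmlns="{SAML_MD_NS}" '
    'entityID="https://idp.example.com/saml2/idp/metadata">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    '</EntityDescriptor>'
)


def metadata_entity_id(metadata_xml):
    """Return the entityID attribute of the metadata's root EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id


def diagnose_entity_id(sent, expected):
    """Return None when the sent value equals the metadata entityID exactly,
    otherwise a short label for the kind of mismatch."""
    if sent == expected:
        return None
    if sent.strip() == expected:
        return "leading/trailing whitespace"
    if sent.rstrip("/") == expected.rstrip("/"):
        return "extra or missing trailing slash"
    if sent.casefold() == expected.casefold():
        return "letter case differs"
    return "different value"


if __name__ == "__main__":
    expected = metadata_entity_id(IDP_METADATA)
    for candidate in (expected, expected + " ", expected + "/", expected.upper()):
        print(repr(candidate), "->", diagnose_entity_id(candidate, expected))
```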

Tuesday, September 17, 2019

Tomcat Manager App error HTTP Status 404 – Not Found /manager/html




HTTP Status 404 – Not Found


Type Status Report
Message /manager/html
Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.



Add the following to manager.xml:

cd ../../conf/Catalina/localhost

vi manager.xml

and add the lines below:


<Context privileged="true" antiResourceLocking="false"
         docBase="${catalina.home}/webapps/manager">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
</Context>
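As an added check (not from the post or from Tomcat itself) covering both this manager.xml and the earlier RemoteAddrValve allow error: Tomcat compiles the allow attribute as a regular expression and matches the whole client address against it, so the script parses the Context, reports an allow value that does not compile (as a bare "*" does not), and shows which client addresses an allow-all pattern and a restricted pattern accept. The XML fragments and the restricted loopback-only pattern are constructed here.

```python
import re
import xml.etree.ElementTree as ET

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed manager.xml fragments (not from the post); only the allow value differs.
MANAGER_XML_BROKEN = """<Context privileged="true" antiResourceLocking="false"
         docBase="${catalina.home}/webapps/manager">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="*" />
</Context>"""
MANAGER_XML_ANY = MANAGER_XML_BROKEN.replace('allow="*"', 'allow=".*"')
# Assumed production-style value: only loopback may reach the manager app.
MANAGER_XML_RESTRICTED = MANAGER_XML_BROKEN.replace('allow="*"', r'allow="127\.0\.0\.1|::1"')


def valve_allow_pattern(context_xml):
    """Return the allow attribute of the RemoteAddrValve in a <Context>, or None if absent."""
    root = ET.fromstring(context_xml)
    for valve in root.iter("Valve"):
        if valve.get("className") == REMOTE_ADDR_VALVE:
            return valve.get("allow")
    return None


def check_allow_pattern(pattern):
    """Compile the allow value as a regex, as Tomcat does when setting the property.

    Returns (True, "") when it compiles, (False, reason) otherwise; Python's wording of
    the reason differs from Java's, but both engines reject a bare "*".
    """
    try:
        re.compile(pattern)
    except re.error as exc:
        return False, str(exc)
    return True, ""


def client_allowed(pattern, client_ip):
    """RemoteAddrValve admits a request only when the whole remote address matches allow."""
    return re.fullmatch(pattern, client_ip) is not None


def audit_context(context_xml, sample_ips):
    """Summarise a Context: does its allow value compile, and which sample addresses pass."""
    pattern = valve_allow_pattern(context_xml)
    if pattern is None:
        return {"pattern": None, "compiles": False, "allowed": []}
    compiles, _ = check_allow_pattern(pattern)
    allowed = [ip for ip in sample_ips if compiles and client_allowed(pattern, ip)]
    return {"pattern": pattern, "compiles": compiles, "allowed": allowed}


if __name__ == "__main__":
    for xml_text in (MANAGER_XML_BROKEN, MANAGER_XML_ANY, MANAGER_XML_RESTRICTED):
        print(audit_context(xml_text, ["127.0.0.1", "::1", "203.0.113.9"]))
```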
 

RESOLVED AWS configure: error: no acceptable C compiler found in $PATH

I ran ./configure

and got the error

configure: error: no acceptable C compiler found in $PATH

I searched and found that I need gcc.



When I ran yum install gcc

I got an error that it couldn't reach outside to download the gcc packages: my AWS environment is locked down. To open it, change the resolv.conf file from immutable.

To check whether the file is immutable, run the command below. If you see "i" among the attribute flags on the left (e.g. ----i----), it is immutable:

lsattr /etc/resolv.conf

The command below removes the immutable flag:


chattr -i /etc/resolv.conf

Now add a nameserver so the machine can reach outside:

vi /etc/resolv.conf
Add the line below with your DNS server IP:

nameserver yourDNSserverip

Now run the command to install gcc:

 yum install gcc


Finally run

./configure


and it worked

Tuesday, September 10, 2019

OpenIDM error org.forgerock.openidm.repo-jdbc [8] FrameworkEvent ERROR org.apache.felix.log.LogException: org.osgi.framework.BundleException: Activator start error in bundle org.forgerock.openidm.repo-jdbc [8]



OpenIDM error:

After installing OpenIDM, when you start it you get the error below:


 Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
[15] Aug 28, 2019 1:11:22.573 AM org.forgerock.openidm.config.logging.LogServiceTracker logEntry
SEVERE: Bundle: org.forgerock.openidm.repo-jdbc [8] FrameworkEvent ERROR
org.apache.felix.log.LogException: org.osgi.framework.BundleException: Activator start error in bundle org.forgerock.openidm.repo-jdbc [8].
        at org.apache.felix.framework.Felix.activateBundle(Felix.java:2290)
        at org.apache.felix.framework.Felix.startBundle(Felix.java:2146)
        at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1373)
        at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.felix.log.LogException: com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: Communications link failure


Solution:

You have to disable useSSL.

Go to your config folder ../../openidm/conf and edit datasource.jdbc-default.json:
vi datasource.jdbc-default.json

Add &useSSL=false at the end of jdbcUrl, i.e.

"jdbcUrl" : "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm?allowMultiQueries=true&characterEncoding=utf8&useSSL=false"