Sathya

Reputation: 233

ERROR {org.wso2.carbon.idp.mgt.util.IdPManagementUtil} - Error when accessing the IdentityProviderManager for tenant

Getting this exception in WSO2IS 5.1.0 on signin.

[2017-01-28 20:12:22,384] ERROR {org.wso2.carbon.idp.mgt.util.IdPManagementUtil} -  Error when accessing the IdentityProviderManager for tenant : xyz.com org.wso2.carbon.idp.mgt.IdentityProviderManagementException: Error retrieving primary certificate for tenant : xyz.com
        at org.wso2.carbon.idp.mgt.IdentityProviderManager.getResidentIdP(IdentityProviderManager.java:214)
        at org.wso2.carbon.idp.mgt.util.IdPManagementUtil.getRememberMeTimeout(IdPManagementUtil.java:98)
        at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.setAuthCookie(DefaultAuthenticationRequestHandler.java:347)
        at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.concludeFlow(DefaultAuthenticationRequestHandler.java:284)
        at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:120)
        at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:135)
        at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
        at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
        at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

Upvotes: 0

Views: 2901

Answers (3)

Java4ever

Reputation: 31

The issue is with client-truststore.jks.

Step 1

Replace wso2appm-1.2.1-SNAPSHOT/repository/resources/security/wso2carbon.jks with the jks file generated from the pfx file (the SSL files sent by the provider).

Change the jks file name, keystore password and alias in carbon.xml.

Replace client-truststore.jks with the one you create in the folder wso2appm-1.2.1-SNAPSHOT/repository/resources/security/client-truststore.jks.

To create the client-truststore.jks file, please follow the steps below.

keytool -export -alias certalias -keystore your_jks.jks -file .pem

This will generate a .pem file.

If you don't know the certalias name, please find it with the following steps and run the above command with the correct alias.

On Linux

keytool -list -v -keystore your_jks.jks | grep "Alias name\|Creation date"

On Windows

keytool -list -v -keystore your_jks.jks | findstr "Alias Creation"

Step 2

keytool -import -alias certalias -file .pem -keystore client-truststore.jks -storepass wso2carbon

This will generate client-truststore.jks; replace the old one (wso2appm-1.2.1-SNAPSHOT/repository/resources/security/client-truststore.jks) with it.

Now change the keystore alias in carbon.xml (wso2appm-1.2.1-SNAPSHOT/repository/conf/carbon.xml).

Run the application and check.

If the error still occurs, change identityAlias in the line below in "repository/deployment/server/jaggeryapps/publisher/controllers/acs.jag"

var identityAlias = configs.ssoConfiguration.identityAlias;

Change it to var identityAlias = "your identity alias name"

Upvotes: 1

Abhai Chaudhary

Reputation: 21

It's kind of harassment the way this code is written. When you create a tenant, a default keystore is created and stored in the registry. You obviously don't want that, so you'll end up replacing the keystore by updating the registry and uploading the new keystore. The trick is the way you create the keystore. Here is what you need to do:

  • Tenant Domain: "xyz.com"
  • Name of the Keystore: "xyz-com.jks"
  • Name of the private key entry alias: "xyz.com"

Now everything will work alright.

Upvotes: 1

thariyarox

Reputation: 464

I checked the source code [1] related to the error. According to that, the issue is coming when it tries to initialize the registry [2].

When a tenant is created, the server creates a keystore for that tenant and stores it in the following registry path.

/_system/governance/repository/security/key-stores/

If the tenant name is xyz.com, it creates a Java keystore file named xyz-com.jks in the above registry path.

The registry objects are stored in the backend database. Therefore, is there any possibility that the above keystore file is not found or the registry file path cannot be accessed?

[1] https://github.com/wso2/carbon-identity/blob/v5.0.7/components/idp-mgt/org.wso2.carbon.idp.mgt/src/main/java/org/wso2/carbon/idp/mgt/IdentityProviderManager.java#L213

[2] https://github.com/wso2/carbon-identity/blob/v5.0.7/components/idp-mgt/org.wso2.carbon.idp.mgt/src/main/java/org/wso2/carbon/idp/mgt/IdentityProviderManager.java#L197

Upvotes: 0
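The following is an added example, not code from the question or any of the answers. It combines the tenant keystore naming convention from the two answers above (xyz.com becomes xyz-com.jks, with the tenant domain as the key alias; the script assumes every dot in the domain maps to a hyphen) with the keytool export/import steps from the first answer, and verifies the alias is present in the keystore before exporting and in the truststore afterwards. Keystore paths and passwords are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example (not from the question or answers): derive the keystore name,
# key alias and registry path WSO2 IS expects for a tenant, then use keytool
# to copy the tenant certificate into client-truststore.jks and verify it.

# xyz.com -> xyz-com.jks (assumption: every dot in the domain becomes a hyphen)
tenant_keystore_name() {
    printf '%s.jks\n' "$(printf '%s' "$1" | tr '.' '-')"
}

# The private key entry alias is the tenant domain itself: xyz.com -> xyz.com
tenant_key_alias() {
    printf '%s\n' "$1"
}

# Registry path under which the server stores the tenant keystore
tenant_keystore_registry_path() {
    printf '/_system/governance/repository/security/key-stores/%s\n' \
        "$(tenant_keystore_name "$1")"
}

# Succeeds only if keytool finds ALIAS in KEYSTORE (PASS is the store password)
alias_present() {
    keytool -list -keystore "$1" -storepass "$3" -alias "$2" >/dev/null 2>&1
}

# Usage: install_tenant_cert <tenant> <keystore> <store-pass> <truststore> <trust-pass>
install_tenant_cert() {
    tenant=$1; keystore=$2; kpass=$3; truststore=$4; tpass=$5
    alias=$(tenant_key_alias "$tenant")
    if ! alias_present "$keystore" "$alias" "$kpass"; then
        echo "alias '$alias' missing in $keystore (expected file name:" \
             "$(tenant_keystore_name "$tenant"))" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # -rfc writes PEM; -noprompt skips the interactive "Trust this certificate?"
    keytool -exportcert -rfc -alias "$alias" -keystore "$keystore" \
        -storepass "$kpass" -file "$tmp" || return 1
    # Replace an existing entry rather than fail on "alias already exists"
    if alias_present "$truststore" "$alias" "$tpass"; then
        keytool -delete -alias "$alias" -keystore "$truststore" -storepass "$tpass" || return 1
    fi
    keytool -importcert -noprompt -alias "$alias" -file "$tmp" \
        -keystore "$truststore" -storepass "$tpass" || return 1
    rm -f "$tmp"
    alias_present "$truststore" "$alias" "$tpass"
}

if [ "$#" -eq 5 ]; then
    install_tenant_cert "$@"
fi
```

Run it as `sh script.sh xyz.com xyz-com.jks <store-pass> client-truststore.jks wso2carbon`; a non-zero exit with the "alias missing" message points at the keystore/alias mismatch the answers describe rather than at the truststore.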
