*** frankbutt (~frankbutt@66.172.11.32) has joined #wikid | 01:46 | |
*** frankbutt has parted #wikid (None) | 01:46 | |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 14:14 | |
*** RichardY (46c140ae@gateway/web/freenode/ip.70.193.64.174) has joined #wikid | 14:43 | |
RichardY | Hi Nick, after regenerating the certificates I was able to get the client to register. Following the install instructions the example.jsp is failing to connect | 14:45 |
RichardY | It says "The wClient connection to the server was NOT successfully established" The catalina.out shows a "broken pipe" java.net.SocketException | 14:46 |
nowen | that's great progress! | 14:55 |
nowen | did you restart wikid after editing example.jsp? | 14:55 |
*** RichardY has quit (Ping timeout: 245 seconds) | 15:02 | |
*** RichardY (46c140ae@gateway/web/freenode/ip.70.193.64.174) has joined #wikid | 15:35 | |
RichardY | I responded via email. Sorry I lost my network, when I have to take a call | 15:35 |
nowen | np | 15:35 |
nowen | and in the file, you just changed the domain id and the localhost passphrase? and you didn't change 'changeit' ? | 15:36 |
RichardY | I changed the "defaultservercode" to my zero padded IP | 15:37 |
RichardY | And I changed the "passphrase" to mine | 15:37 |
RichardY | I did NOT change "changeit" | 15:37 |
nowen | hmm | 15:37 |
nowen | do you see an error in the WiKIDAdmin logs? | 15:37 |
RichardY | Where do those logs reside? | 15:38 |
RichardY | tomcat/logs ? | 15:38 |
nowen | in the web ui, top right corner | 15:38 |
RichardY | two different errors | 15:39 |
RichardY | 1) broken pipe java.net.SocketException | 15:39 |
RichardY | 2) couldn't validate the client certificate. Verify the validity and dates of the client cert | 15:40 |
RichardY | (Not sure where it is getting the client cert from) | 15:40 |
nowen | can you test your passphrase: keytool -list -v -keystore /opt/WiKID/private/intCAKeys.p12 -storetype pkcs12 -storepass yourpassphrase | 15:40 |
nowen | oops | 15:40 |
nowen | wrong line | 15:40 |
nowen | keytool -list -v -keystore /opt/WiKID/private/localhost.p12 -storetype pkcs12 -storepass yourpassphrase | 15:40 |
nowen | the client cert is /opt/WiKID/private/localhost.p12 | 15:40 |
RichardY | yes it displayed the cert | 15:43 |
RichardY | The alias is localhost | 15:43 |
RichardY | I am not sure if it should be the actual host name | 15:43 |
nowen | that's right | 15:43 |
nowen | hmm. I'm guessing that tomcat is serving a cached version for some reason | 15:44 |
nowen | can you try shift-reload? | 15:44 |
RichardY | Sure | 15:44 |
RichardY | same results | 15:44 |
RichardY | I think I have a rogue tomcat instance hanging around | 15:45 |
nowen | ok - stop the service and then run 'killall -9 java' | 15:46 |
nowen | oh, and you're not using jsvc are you? | 15:46 |
RichardY | Same results | 15:47 |
RichardY | I had all the processes killed, restarted tomcat and I have the same error | 15:48 |
RichardY | Even with shift reload | 15:48 |
nowen | hmm | 15:48 |
nowen | ok, stop the service and killall again | 15:49 |
nowen | then 'cd /opt/WiKID/tomcat/work' | 15:49 |
nowen | and 'rm -Rf *' | 15:49 |
nowen | then start | 15:49 |
nowen | if it is being cached this will kill it | 15:49 |
RichardY | ok | 15:49 |
RichardY | The catalina.out shows connection refused | 15:51 |
RichardY | on the Wclient.init | 15:51 |
RichardY | I think wikidctl must start other stuff, as I do see that 8xxx port as a listener now | 15:52 |
nowen | yes, it does. we need to get you jsvc some how | 15:52 |
RichardY | port 8388 | 15:53 |
RichardY | Ok, the listener is back, I have my broken pipe and client certificate validity error messages again | 15:56 |
nowen | hmm | 16:01 |
nowen | do you have radius client you can test with? | 16:01 |
RichardY | Well, I tested with the java client and it seems to work | 16:03 |
nowen | yes, but i assume you will want to use radius with your VPN or whatever you will be authenticating to. | 16:03 |
nowen | if radius works, then it narrows down the issue with example.jsp | 16:04 |
RichardY | We want to use an ldap repository in conjunction with either SSH and/or Apache basic auth | 16:05 |
RichardY | My next question was going to be where to look for those instructions | 16:05 |
nowen | you'll want to use radius in front of ldap | 16:05 |
nowen | ldap doesn't do proxying, but a radius server will do the authorization in ldap and then authentication to WiKID | 16:06 |
RichardY | ok, then I have to setup a radius server | 16:08 |
nowen | I use radlogin to test without having to set up a whole server: http://www.iea-software.com/products/radlogin4.cfm | 16:08 |
nowen | a very worthwhile step | 16:09 |
nowen | also: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius | 16:09 |
nowen | so, ssh and apache would talk to your radius server, and then it would talk to wikid/ldap. additional services can easily be added. | 16:10 |
RichardY | I have to try and stick with what they have on the SuSE SLES distro | 16:10 |
RichardY | ok | 16:10 |
nowen | I'd be surprised if they didn't have freeradius | 16:10 |
RichardY | Yes it is on the distro | 16:10 |
nowen | mod-auth-radius is another question | 16:10 |
RichardY | But the radlogin4.cfm above is not | 16:11 |
nowen | ? | 16:11 |
RichardY | There is a pam_radius package | 16:11 |
nowen | that's good | 16:11 |
nowen | you setup radlogin on your PC, then create a network client on WiKID for it. just to test wikid radius. then set up freeradius | 16:12 |
nowen | unit testing, ftw | 16:12 |
nowen | brb - got a brief call | 16:27 |
*** RichardY has quit (Ping timeout: 245 seconds) | 16:36 | |
*** nowen is now known as nowen_lunch | 17:45 | |
*** nowen_lunch is now known as nowen_got_to_get | 18:09 | |
*** nowen_got_to_get is now known as nowen_getting_ki | 18:10 | |
nowen_getting_ki | hmm | 18:10 |
nowen_getting_ki | anyway, got to get the kids from school. biab | 18:10 |
*** nowen_getting_ki is now known as nowen_away | 18:10 | |
nowen_away | /nowen nowen | 19:59 |
*** nowen_away is now known as nowen | 19:59 | |
nowen | I'm back, but only until sledding time ;-) | 20:03 |
*** estrang3r is now known as estranger | 20:23 | |
*** bman (~burrutia@64.19.224.6) has joined #wikid | 22:49 | |
bman | anyone have experience with a fw that had its token deleted from the server or ip changed so that wikid is rejecting connections to it? and how to clear that? | 22:50 |
bman | nm i figured it out | 23:00 |
*** bman has parted #wikid (None) | 23:00 | |