Satheesh_ | https://103.251.108.50/wikid/GSSO?SAMLRequest=fVLJTsMwEL0j8Q%2BR781SIYSsJqi0qqhUIKKBAzfXmcQGL8HjtPD3uGkr4ACST%2BM3b5mZyfWHVtEWHEprcpLFKYnAcFtL0%2BbkqVqMrsh1cX42QaZVR6e9F%2BYR3ntAH4VOg3T4yEnvDLUMJVLDNCD1nK6ndys6jlPaOestt4pEy3lOWFuDsBtohGi51tLoDRev1tRCSCU6tqmbxnBZk%2Bj5ZGu8t7VE7GFp0DPjQynNLkZpeFdVmtI0o9nlC4nKo9KNNIcE%2F9naHEBIb6uqHJUP62og2Moa3H1A56S1tlUQc6v38iVDlNtQbphCINEUEZwPBmfWYK%2FBrcFtJYenx1VOhPcd0iTZ7XbxN03CksYB1FYLxt9iaRLGkRTDd | 00:01 |
---|---|---|
nowen | ok - works for me | 00:03 |
nowen | does it not work for you? | 00:03 |
Satheesh_ | no | 00:04 |
Satheesh_ | is it redirecting back to google? | 00:04 |
nowen | I'm not logging in | 00:04 |
Satheesh_ | yup | 00:04 |
nowen | can you try it in a different browser | 00:04 |
Satheesh_ | I get wikid login page | 00:05 |
nowen | ok | 00:05 |
nowen | that's good | 00:05 |
Satheesh_ | after entering token it is not redirecting back to google | 00:05 |
nowen | is the authentication successful? | 00:05 |
Satheesh_ | looks like it is not validating the credentials | 00:05 |
nowen | is the user enabled? | 00:06 |
Satheesh_ | irrespective of whatever value I give it throws out the same error | 00:06 |
Satheesh_ | "page not found" | 00:06 |
Satheesh_ | https://103.251.108.50/wikid/GoogleSSOServlet | 00:06 |
Satheesh_ | that is the URL | 00:06 |
Satheesh_ | "error URL" | 00:06 |
nowen | most likely you need to get another saml token | 00:09 |
Satheesh_ | sorry I did not get that | 00:10 |
nowen | If i give you a reg code, can you register my token? | 00:10 |
Satheesh_ | ok | 00:11 |
nowen | 7AZK4y1o | 00:11 |
nowen | you can give me a name like deleteme | 00:12 |
Satheesh_ | It is Nick | 00:13 |
nowen | ok | 00:14 |
nowen | hmm - yep. I see | 00:15 |
nowen | on the network clients page, what do you have as the ACS url? | 00:18 |
nowen | it should be https://www.google.com/a/103.251.108.50/acs | 00:19 |
Satheesh_ | https://www.google.com/a/freedomhack.in/acs | 00:19 |
nowen | that's probably the issue | 00:21 |
Satheesh_ | what it should be? | 00:22 |
nowen | https://www.google.com/a/103.251.108.50/acs | 00:22 |
Satheesh_ | should I have to restart the server after change? | 00:22 |
Satheesh_ | I meant service | 00:22 |
nowen | I don't think so | 00:23 |
Satheesh_ | it did not work | 00:23 |
Satheesh_ | I tried after your comment | 00:23 |
Satheesh_ | changed | 00:23 |
Satheesh_ | you can try | 00:23 |
nowen | give it a restart | 00:23 |
Satheesh_ | ok | 00:24 |
Satheesh_ | let me restart the service | 00:24 |
nowen | I wonder if it needs to be a dns entry | 00:24 |
Satheesh_ | nope no change | 00:27 |
Satheesh_ | it is same | 00:27 |
nowen | odd. it is working for me | 00:29 |
nowen | what's the google apps domain? freedomhack.in? | 00:29 |
Satheesh_ | yep | 00:30 |
nowen | it is setup for google apps and mail? | 00:30 |
Satheesh_ | yep | 00:31 |
Satheesh_ | is it redirecting back to google? | 00:31 |
nowen | hmm - google saml uses 443 | 00:31 |
nowen | yes, I get to the email login page | 00:31 |
Satheesh_ | strange | 00:32 |
Satheesh_ | Why is it not for me | 00:32 |
nowen | you downloaded the cert from the Network Client page and uploaded it gApps? | 00:33 |
Satheesh_ | yes | 00:34 |
nowen | do you have "Use a domain specific issuer " checked? | 00:38 |
Satheesh_ | no | 00:38 |
nowen | try it with that checked | 00:38 |
Satheesh_ | no it is same | 00:41 |
Satheesh_ | but how come you could access the page not in my system | 00:41 |
nowen | well, let's review the way mine is setup | 00:41 |
nowen | on google sso. my sign in url is | 00:41 |
nowen | https://ec2-54-83-42-36.compute-1.amazonaws.com/wikid/GSSO/ | 00:41 |
nowen | my network client has ip address of 127.0.0.1 and google protocol | 00:42 |
nowen | my ACS url is https://www.google.com/a/jointradio.com/acs | 00:42 |
nowen | when you created the network client, did you use the freedomhack.in url? | 00:47 |
Satheesh_ | yes | 00:47 |
nowen | is 443 open to the outside? | 00:49 |
nowen | outbound, that is | 00:51 |
Satheesh_ | yes | 00:53 |
Satheesh_ | I have put DNS name in signin URL | 00:53 |
Satheesh_ | can you check | 00:54 |
nowen | sure | 00:54 |
nowen | still nothing | 00:54 |
nowen | I'm thinking it is the outbound 443 - your server can't respond to google | 00:54 |
*** Satheesh__ (6a3300ba@gateway/web/freenode/ip.106.51.0.186) has joined #wikid | 00:56 | |
Satheesh__ | is DNS resolution happening? | 00:56 |
Satheesh__ | looks like my session got disconnected | 00:57 |
nowen | I'm still getting the same error | 00:57 |
nowen | I'm thinking it is the outbound 443 - your server can't respond to google | 00:57 |
Satheesh__ | @nowen - u there | 00:57 |
Satheesh__ | ok | 00:57 |
nowen | is 443 open to the outside? | 00:57 |
*** Satheesh_ has quit (Ping timeout: 245 seconds) | 00:58 | |
Satheesh__ | yes 443 outbound is open | 00:59 |
nowen | hmm | 00:59 |
nowen | can you run 'wget https://www.google.com' from the command line? | 01:00 |
Satheesh__ | telnet www.google.com 443 Trying 74.125.236.51... Connected to www.google.com (74.125.236.51). Escape character is '^]'. | 01:01 |
nowen | hmm | 01:01 |
nowen | if you look here: https://developers.google.com/google-apps/sso/saml_reference_implementation?csw=1 it looks like we are stuck on 8 | 01:02 |
nowen | 6 | 01:02 |
nowen | I mean | 01:02 |
nowen | any thing in the WiKIDAdmin logs? | 01:03 |
Satheesh__ | actually log is not working | 01:04 |
Satheesh__ | whatever I change in configuration I don't see log file updated | 01:04 |
Satheesh__ | hope /opt/Wi../log is the directory | 01:05 |
nowen | no, in the WiKIDAdmin UI | 01:05 |
nowen | top right corner | 01:05 |
nowen | mine says "GoogleSSO login succeeded for username nowen with acsURL https://www.google.com/a/jointradio.com/acs" | 01:08 |
nowen | Satheesh__: do you see anything in the logs? | 01:13 |
Satheesh__ | nope | 01:15 |
Satheesh__ | any specific filter to check? | 01:15 |
nowen | on the Configure loggers page, you can set com.wikidsystems and com.wikidsystems.server.wAuth to debug | 01:15 |
nowen | is the log level set to debug? | 01:16 |
nowen | you have set it and then hit filter | 01:16 |
nowen | it's not all javascripty | 01:16 |
Satheesh__ | which logger should be DEBUG? | 01:16 |
nowen | leave the loggers at None | 01:17 |
Satheesh__ | com.wikidsystems.google.GoogleSSOServlet - I have set that logger to DEBUG | 01:17 |
Satheesh__ | in the logger configuration page | 01:17 |
Satheesh__ | any other specific logger needs to be in debug? | 01:17 |
nowen | yes com.wikidsystems and com.wikidsystems.server.wAuth | 01:18 |
Satheesh__ | it is set to Debug | 01:22 |
Satheesh__ | no log entries | 01:22 |
nowen | under Timestamp, I assume 2 hours? Level Debug and source None? | 01:23 |
Satheesh__ | yep | 01:23 |
Satheesh__ | I see other log entry | 01:24 |
nowen | what do you see? | 01:24 |
Satheesh__ | nothing specific to sso authentication | 01:24 |
Satheesh__ | com.wikidsystems.server.WikidCode3AES | 01:24 |
Satheesh__ | Passcode request processing successfully completed. | 01:24 |
Satheesh__ | that was the last entry | 01:24 |
nowen | and which loggers are on debug? | 01:25 |
*** Satheesh_ (6a3300ba@gateway/web/freenode/ip.106.51.0.186) has joined #wikid | 01:28 | |
*** Satheesh__ has quit (Ping timeout: 245 seconds) | 01:28 | |
*** coolacid has quit (Ping timeout: 265 seconds) | 01:32 | |
Satheesh_ | how to go about it | 01:38 |
nowen | on the logs/configure loggers page | 01:39 |
nowen | there's a box of Current Log Filter Levels | 01:39 |
nowen | set all the com.wikidsystems loggers to debug | 01:39 |
nowen | SELinux isn't enforcing is it? | 01:41 |
Satheesh_ | SELinux not enforcing | 01:43 |
nowen | ok | 01:44 |
*** nowen_phone (~AndChat72@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 01:45 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 01:53 | |
Satheesh_ | there are few other questions | 01:58 |
nowen | ok | 01:58 |
Satheesh_ | let's park the sso issue for some time now | 01:59 |
nowen | ok | 01:59 |
Satheesh_ | is Domain configurable only with IP? | 01:59 |
Satheesh_ | I meant the DomainIdentifier | 01:59 |
nowen | mostly - we can create a dns entry in wikidsystems.net and you can use that | 01:59 |
Satheesh_ | the reason for that I want to implement 2factor across regions | 02:00 |
Satheesh_ | and with replication I want to point user to respective location based on proximity | 02:00 |
Satheesh_ | using Global DNS | 02:00 |
Satheesh_ | how does the DNS entry works? | 02:01 |
nowen | it does not do what you want it to do. it just points the dns entry to your ip | 02:02 |
nowen | how many users will you have? | 02:02 |
Satheesh_ | so I can register the token clients with DNS entry instead of IP? | 02:02 |
Satheesh_ | we are around 800 users | 02:02 |
nowen | no. your domain identifier would still be the number | 02:03 |
nowen | I think that level of replication would be overkill | 02:03 |
Satheesh_ | hmm what is the max replication factor | 02:03 |
nowen | well, currently we have a master/secondary replication | 02:04 |
nowen | each request is typically 300 bytes or so. 6 digits encrypted | 02:05 |
Satheesh_ | if domain identifier can only be number then I have to point all users to 1 IP | 02:06 |
Satheesh_ | is that correct? | 02:06 |
Satheesh_ | irrespective where they are | 02:06 |
nowen | yes. | 02:06 |
nowen | but we have customers with 10 times that number of users across the globe | 02:10 |
Satheesh_ | ok | 02:10 |
Satheesh_ | do they point to 1 server? | 02:10 |
nowen | yes, then they have replicant ready to take over | 02:11 |
Satheesh_ | hmm is it hot standby? | 02:11 |
nowen | essentially, they script the failover | 02:11 |
Satheesh_ | ok | 02:12 |
Satheesh_ | hm next is how to disable account registration from external | 02:13 |
Satheesh_ | Actually 2Factor is for VPN | 02:13 |
nowen | if you can't do that via the firewall, I can tell you how to do it in tomcat | 02:13 |
Satheesh_ | yes I would need that | 02:14 |
nowen | ok - it's 10pm here, so maybe not tonight | 02:14 |
Satheesh_ | ok np | 02:15 |
Satheesh_ | send that when you get time | 02:15 |
nowen | will do | 02:15 |
Satheesh_ | also I would like to know how to handle SSO error | 02:15 |
nowen | yeah. me too | 02:15 |
Satheesh_ | ok. ping me if you get to know the solution | 02:16 |
nowen | can we do a google hangout tomorrow to review? | 02:16 |
Satheesh_ | sure | 02:16 |
nowen | I think screen sharing is the next step | 02:16 |
Satheesh_ | we can do that | 02:16 |
Satheesh_ | ok take rest then. Mail me when we can connect | 02:17 |
nowen | ok | 02:17 |
nowen | good night | 02:17 |
Satheesh_ | then we shall do screen sharing | 02:17 |
Satheesh_ | good night to you too | 02:17 |
*** nowen has quit (Quit: Leaving.) | 02:17 | |
*** Satheesh_ has quit (Ping timeout: 245 seconds) | 02:24 | |
*** nowen_phone has quit (Quit: Bye) | 03:20 | |
*** coolacid has quit (*.net *.split) | 10:03 | |
*** coolacid (~CoolAcid@unaffiliated/coolacid) has joined #wikid | 10:04 | |
*** Rudy6 (~Rudy6@213.132.115.194) has joined #wikid | 11:29 | |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 13:28 | |
*** Rudy6 has quit (Remote host closed the connection) | 14:00 | |
*** Troy (329b98a8@gateway/web/freenode/ip.50.155.152.168) has joined #wikid | 14:41 | |
*** Ajay-Utilyx (55852b1d@gateway/web/freenode/ip.85.133.43.29) has joined #wikid | 14:46 | |
Ajay-Utilyx | hello Nick | 14:46 |
nowen | Hi Ajay | 14:46 |
Ajay-Utilyx | how you doing? | 14:47 |
nowen | Good, how are you? | 14:47 |
Ajay-Utilyx | ok the issue i was talking about is... i already registered myself on domain with one of my devices | 14:47 |
Ajay-Utilyx | and now i have two devices issued to myself and need my second device to be able to use wikid two factor | 14:48 |
Ajay-Utilyx | and when i am registering my second device i was getting that error message shared with you in email | 14:48 |
nowen | yes, this is possible, but it must be done through the API. Thus the use of the example.jsp, which shows all the functions of the API | 14:49 |
Ajay-Utilyx | and if i have more than one user who have more than one or two devices and want all of their devices to use two factor authentication then do i need to edit this file for each and every user or something else? | 14:54 |
nowen | no - once it is edited, you can use it again and again | 14:55 |
nowen | also, have you looked at ADRegister at all? | 14:55 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-let-users-add-themselves-using-ad-credentials?searchterm=adregister | 14:55 |
nowen | it allows users to add themselves after logging in with their AD creds | 14:55 |
Ajay-Utilyx | hmm | 14:56 |
Ajay-Utilyx | i will look into this now | 14:56 |
Ajay-Utilyx | give me some time | 14:56 |
nowen | ok | 14:57 |
Troy | Hi Nick | 16:14 |
nowen | hi Troy | 16:14 |
Troy | does the root user have to start or restart wikid after updating wikid using the RPMs?? | 16:15 |
nowen | hmm, it shouldn't | 16:16 |
Troy | i started as the wikid user.. but I think that was a mistake.. i keep seeing the webapp folders reset back to root:wikid | 16:16 |
nowen | hmm | 16:16 |
nowen | it should have chown'd them to wikid | 16:17 |
Troy | hmmm. hold on. i'll get them change back and restart wikid again | 16:17 |
nowen | BTW, I'm supposed to go give blood in about 30 mins, Ajay-Utilyx, Troy | 16:22 |
Troy | I keep getting "The requested page could not be found. "on the lab server where i created the new inter and localhost certificates | 16:22 |
Troy | but only on a few of the WiKID admin pages | 16:22 |
Troy | like create or edit new domain | 16:22 |
nowen | what's in /opt/WiKID/tomcat/webapps? | 16:22 |
nowen | huh? you mean there is an index page, but not some others? | 16:23 |
Troy | yea.. strange.. i'm able to login to admin page and get to most of the pages, but a few come back with the error | 16:24 |
Troy | seems like a permission issue to me | 16:24 |
Troy | even the wikid/ADRegister/ADRegister.jsp comes back with page not found.. but I know it's there | 16:25 |
nowen | what are the perms on /var/lib/pgsql/data? | 16:26 |
Troy | postgres:postgres | 16:28 |
nowen | ok | 16:28 |
Troy | not an emergency.. go give blood and i'll investigate the logs / perms | 16:29 |
nowen | ok | 16:29 |
nowen | Ajay-Utilyx: are you ok? | 16:29 |
Troy | FYI.. on the other lab server, i upgraded to b1545 and i'm able to see the pages fine | 16:29 |
nowen | hmm | 16:29 |
Troy | only difference is the new certificates were not created | 16:30 |
nowen | hmm | 16:31 |
nowen | any errors in the WiKIDAdmin logs or /opt/WiKID/tomcat/logs/catalina.err? | 16:39 |
nowen | ok - I'm out for about an hour, unless they suck me dry | 16:43 |
*** nowen has quit (Quit: Leaving.) | 16:44 | |
*** nowen (~nowen@172.56.20.53) has joined #wikid | 17:58 | |
*** nowen1 (~nowen@50-194-249-125-static.hfc.comcastbusiness.net) has joined #wikid | 18:02 | |
*** nowen has quit (Client Quit) | 18:02 | |
*** nowen1 is now known as nowen | 18:04 | |
nowen | any progress, Ajay-Utilyx? | 18:17 |
nowen | or Troy? | 18:17 |
*** Ajay-Utilyx has quit (Quit: Page closed) | 18:18 | |
Troy | have any blood left? | 18:30 |
nowen | a bit | 18:30 |
Troy | the problem is tomcat scratchdir unusable | 18:30 |
nowen | what is scratchdir? | 18:30 |
Troy | i have no idea why. but tomcat creates .jsp pages in /opt/WiKID/tomcat/work/Catalina/localhost | 18:32 |
nowen | the work dir is the cache, basically | 18:33 |
Troy | opt/WiKID/tomcat/work/Catalina/localhost/WiKIDAdmin/org/apache/jsp | 18:33 |
nowen | try stopping the server and delete everything in that dir | 18:33 |
Troy | yes.. i compared the lab systems we upgraded to production.. and only a few files are in the lab systems | 16:33 |
Troy | ok | 18:33 |
Troy | now I can't get the wikid admin login page to display :( | 18:39 |
nowen | Is there something funky with the networking? like the hostname? | 18:39 |
Troy | nothing changed on the network side.. just the root user ran the wikid upgrade | 18:41 |
Troy | rpm -Uvh wikid-.. | 18:41 |
Troy | rpm -Uvh wikid-utilities.. | 18:42 |
nowen | and is there anything in catalina.out or .err? | 18:42 |
Troy | and I had the root user change the permission of the /opt/WiKID back to wikid.. since it changed back to root after the RPM update | 18:42 |
Troy | i will check.. i need to run pickup my daughter from pre-school.. i'll be back in 45 min | 18:43 |
nowen | ok | 18:43 |
Troy | i'm back | 19:36 |
Troy | Nick, I sent you the catalina.err | 19:36 |
nowen | hmm - what are the perms on that log file? | 19:37 |
Troy | java.io.FileNotFoundException: /opt/WiKID/tomcat/work/Catalina/localhost/_/SESSIONS.ser (No such file or directory) | 19:39 |
Troy | i see that in the catalina.out | 19:39 |
Troy | perms are wikid:wikid for all files in tomcat/logs | 19:39 |
Troy | when the root user upgraded wikid and wikid utilities via RPMs, the perms changed to root for most of /opt/WiKID | 19:41 |
nowen | hmm | 19:42 |
Troy | tomcat seemed to get hosed up when I started wikid as the wikid user | 19:42 |
Troy | maybe the root user needs to start wikid the first time to complete the setup | 19:43 |
Troy | but I'm just guessing at this point | 19:43 |
nowen | that could be - or re-run setup | 19:43 |
Troy | do you think I should try re-running the setup as the root user or wikid? | 19:44 |
Troy | I believe I did run setup again as wikid | 19:44 |
Troy | is there a way I can re-install or re-build wikid without touching the db? | 19:52 |
Troy | i did run a backup of the db before the upgrade | 19:52 |
nowen | I'm spinning up some new 1216 images | 19:53 |
Troy | ok | 19:54 |
nowen | it looks like /opt/WiKID/sbin/setup_wikid_user.sh is only run on install, not upgrade | 20:17 |
nowen | but when I ran it, it starts, but I still get some chown errors | 20:18 |
nowen | actually, I get the errors when i su - wikid | 20:18 |
Troy | ok | 20:20 |
nowen | do you get any errors on su'ing to wikid? | 20:20 |
nowen | or on login | 20:21 |
Troy | let me check | 20:23 |
Troy | no.. but I do remember getting some errors when I logged in after updating the secondary lab server | 20:25 |
Troy | i don't get them now when I login to either | 20:25 |
nowen | want to run that command and see if it does the trick? | 20:26 |
Troy | sure | 20:26 |
Troy | sure I run that while wikid is up and running or stopped? | 20:28 |
Troy | should | 20:28 |
nowen | I would say stopped | 20:28 |
Troy | ok | 20:28 |
Troy | got a bunch of permission errors | 20:31 |
Troy | and wikid is not able to sudo that script | 20:31 |
nowen | so, did you run it as root? | 20:32 |
nowen | or can you? | 20:32 |
Troy | no.. sorry.. i'll have to get another guy to run it as root.. one min | 20:34 |
Troy | useradd: user wikid exists usermod: unknown group sudo Changing password for user wikid. | 20:46 |
Troy | asked to change the password next | 20:47 |
nowen | yeah, sounds like it is assuming the user doesn't exist. most likely does a check for it | 20:49 |
Troy | does the wikid user need permission to run the scripts in /bin and /sbin as root? | 20:50 |
nowen | I think so | 20:52 |
nowen | I would also think that however you had it set up before would still work | 20:54 |
nowen | what do you'll have in sudoers for the wikid user? | 21:10 |
Troy | ok.. i'll check that | 21:22 |
Troy | sorry for the delay.. got a million things going on today | 21:23 |
nowen | np | 21:23 |
Troy | did you hear about that openssl heartbleed vulnerability http://heartbleed.com/ ? | 21:25 |
nowen | yes | 21:26 |
nowen | we don't use openssl. just java | 21:26 |
Troy | we are scrambling to update all that | 21:26 |
nowen | oh | 21:26 |
nowen | sorry to hear | 21:26 |
nowen | and it's XP day too | 21:26 |
Troy | yes.. never a dull moment | 21:26 |
Troy | so i'm going to pick this back up in the morning.. i know it's getting late for you | 21:27 |
nowen | ok | 21:27 |
nowen | If you can let me know the specifics for the user wikid, I can test that better | 21:27 |
Troy | ok.. i'll get that sent to you in an e-mail soon | 21:27 |
nowen | cool | 21:28 |
nowen | ok - heading home | 21:38 |
*** nowen has quit (Quit: Leaving.) | 21:38 | |
*** Troy has quit (Quit: Page closed) | 22:06 | |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 22:09 | |
*** Satheesh (6a3300ba@gateway/web/freenode/ip.106.51.0.186) has joined #wikid | 23:28 | |
Satheesh | Hey Nick | 23:28 |