Can't understand error messages

Daniele Albrizio
Platform: shibboleth-identity-provider-3.4.6

IdP (does not) starts with this error:

Nov 18 12:01:49 idemtico jetty9[24680]: 2019-11-18
12:01:49.153:WARN:oejw.WebAppContext:main: Failed startup of context
o.e.j.w.WebAppContext@3403e2ac{Shibboleth Identity
Provider,/idp,[file:///tmp/jetty-localhost-8080-idp.war-_idp-any-9350620434377289455.dir/webinf/,
jar:file:///opt/shibboleth-idp/war/idp.war!/],UNAVAILABLE}{/opt/shibboleth-idp/war/idp.war}

Nov 18 12:01:49 idemtico jetty9[24680]:
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'shibboleth.metrics.RegisterMetricSets$child#0' defined
in file [/opt/shibboleth-idp/system/conf/../../conf/admin/metrics.xml]:
Cannot resolve reference to bean 'shibboleth.metrics.MetadataGaugeSet'
while setting bean property 'arguments' with key [4]; nested exception
is org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'shibboleth.metrics.MetadataGaugeSet' defined in
file [/opt/shibboleth-idp/system/conf/general-admin-system.xml]:
Invocation of init method failed; nested exception is
net.shibboleth.utilities.java.support.component.ComponentInitializationException:
Injected service was null or not a MetadataResolver

Responsible metadata-providers.xml configuration (without this conf the
IdP starts successfully):

     <MetadataProvider id="Jobiri-MD"
                       xsi:type="FileBackedHTTPMetadataProvider"
                       backingFile="/opt/shibboleth-idp/metadata/jobiri-metadata.xml"
                       metadataURL="https://<SOME_URL_OF_MINE>">
         <MetadataFilter xsi:type="EntityRoleWhiteList">
             <!-- Consume all and only SP metadata in the aggregate -->
             <RetainedRole>md:SPSSODescriptor</RetainedRole>
         </MetadataFilter>
     </MetadataProvider>

If I configure a FilesystemMetadataProvider with a static downloaded
version of the url, all works smoothly.

I don't know where to search for a solution. Any ideas?

What "Injected service" is shibboleth talking about?

--
Daniele ALBRIZIO - [hidden email]
          Tel. +39-040.558.3319
   UNIVERSITY OF TRIESTE - Network Services
      Unita' di Staff Reti di Ateneo
via Alfonso Valerio, 12 I-34127 Trieste, Italy



--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Can't understand error messages

Peter Schober
* Daniele Albrizio <[hidden email]> [2019-11-18 12:23]:

> Responsible metadata-providers.xml configuration (without this conf the IdP
> starts successfully):
>
>     <MetadataProvider id="Jobiri-MD"
> xsi:type="FileBackedHTTPMetadataProvider"
> backingFile="/opt/shibboleth-idp/metadata/jobiri-metadata.xml"
>             metadataURL="https://<SOME_URL_OF_MINE>">
>             <MetadataFilter xsi:type="EntityRoleWhiteList">
>                 <!-- Consume all and only SP metadata in the aggregate -->
> <RetainedRole>md:SPSSODescriptor</RetainedRole>
>             </MetadataFilter>
>     </MetadataProvider>

Does your surrounding chaining MetadataProvider in
conf/metadata-providers.xml define the "md" XML namespace prefix
(xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata")?
Otherwise the above isn't valid XML.

If that's not it I'd look for earlier WARN and/or ERROR messages in
the log.

Also (and fully unrelated) note that without a signature validation
filter the above is possibly not really secure (with only TLS as
protection, which does not provide integrity and authenticity on the
document level).

-peter
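Added example, not part of the original thread or the Shibboleth project's own configuration: the provider from the post with a SignatureValidation filter ahead of the role filter, which is the document-level check the note about TLS refers to. The certificate path is a placeholder and assumes the metadata publisher signs its metadata and distributes the signing certificate out of band.

```xml
<!-- Added example: signature check placed before the role filter.
     certificateFile is a placeholder path, assumed to hold the signing
     certificate obtained out of band from the metadata publisher. -->
<MetadataProvider id="Jobiri-MD"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="/opt/shibboleth-idp/metadata/jobiri-metadata.xml"
                  metadataURL="https://<SOME_URL_OF_MINE>">
    <!-- Reject metadata whose root element is unsigned or whose signature
         does not verify against the pinned certificate -->
    <MetadataFilter xsi:type="SignatureValidation"
                    requireSignedRoot="true"
                    certificateFile="/opt/shibboleth-idp/credentials/PLACEHOLDER-metadata-signer.pem"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <!-- Consume all and only SP metadata in the aggregate -->
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
```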

RE: Can't understand error messages

Rod Widdowson
In reply to this post by Daniele Albrizio
> Cannot resolve reference to bean 'shibboleth.metrics.MetadataGaugeSet'
> while setting bean property 'arguments' with key [4]; nested exception
> is org.springframework.beans.factory.BeanCreationException: Error

> I don't know where to search for a solution. Any ideas?

That’s code for "The real error is further up the log".  So that’s your first port of call.

        /Rod


Re: Can't understand error messages

Daniele Albrizio
In reply to this post by Peter Schober
Yes, the full metadata-providers.xml is

<?xml version="1.0" encoding="UTF-8"?>
<!-- This file is an EXAMPLE metadata configuration file. -->
<MetadataProvider id="ShibbolethMetadata"
     xsi:type="ChainingMetadataProvider"
     xmlns="urn:mace:shibboleth:2.0:metadata"
     xmlns:resource="urn:mace:shibboleth:2.0:resource"
     xmlns:security="urn:mace:shibboleth:2.0:security"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
                         urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
                         urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
                         urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">

     <MetadataProvider id="Jobiri-MD"
                       xsi:type="FileBackedHTTPMetadataProvider"
                       backingFile="/opt/shibboleth-idp/metadata/jobiri-metadata.xml"
                       metadataURL="https://units.jobiri.com/simplesaml/module.php/saml/sp/metadata.php/units-sp">
         <MetadataFilter xsi:type="EntityRoleWhiteList">
             <RetainedRole>md:SPSSODescriptor</RetainedRole>
         </MetadataFilter>
     </MetadataProvider>
</MetadataProvider>

This is the full jetty log.

https://pastebin.com/pfwmW9Nc

It seems no other things concerning directly shibboleth are up the log.


On 18/11/19 14:04, Peter Schober wrote:

> * Daniele Albrizio <[hidden email]> [2019-11-18 12:23]:
>> Responsible metadata-providers.xml configuration (without this conf the IdP
>> starts successfully):
>>
>>      <MetadataProvider id="Jobiri-MD"
>> xsi:type="FileBackedHTTPMetadataProvider"
>> backingFile="/opt/shibboleth-idp/metadata/jobiri-metadata.xml"
>>              metadataURL="https://<SOME_URL_OF_MINE>">
>>              <MetadataFilter xsi:type="EntityRoleWhiteList">
>>                  <!-- Consume all and only SP metadata in the aggregate -->
>> <RetainedRole>md:SPSSODescriptor</RetainedRole>
>>              </MetadataFilter>
>>      </MetadataProvider>
> Does your surrounding chaining MetadataProvider in
> conf/metadata-providers.xml define the "md" XML namespace prefix
> (xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata")?
> Otherwise the above isn't valid XML.
>
> If that's not it I'd look for earlier WARN and/or ERROR messages in
> the log.
>
> Also (and fully unrelated) note that without a signature validation
> filter the above is possibly not really secure (with only TLS as
> protection, which does not provide integrity and authenticity on the
> document level).
>
> -peter
--
Daniele ALBRIZIO - [hidden email]
          Tel. +39-040.558.3319
   UNIVERSITY OF TRIESTE - Network Services
      Unita' di Staff Reti di Ateneo
via Alfonso Valerio, 12 I-34127 Trieste, Italy



RE: Can't understand error messages

Rod Widdowson
> This is the full jetty log.

And idp-process.log?  Something should be in there.  In general idp-process should be your first port of call.  In general I only go to the jetty log if the idp-process log is missing.

R


Re: Can't understand error messages

Peter Schober
* Rod Widdowson <[hidden email]> [2019-11-18 15:01]:
> In general I only go to the jetty log if the idp-process log is
> missing.

+1 (only s/jetty/tomcat/ in my case)

Why one would search for application errors in the web server (or
servlet container) logs instead of the application logs is beyond me.

-peter

Re: Can't understand error messages

Daniele Albrizio
idp-process log is indeed missing and the whole logs directory is empty

I'll try to solve this dilemma first.

On 18/11/19 15:49, Peter Schober wrote:
> * Rod Widdowson <[hidden email]> [2019-11-18 15:01]:
>> In general I only go to the jetty log if the idp-process log is
>> missing.
> +1 (only s/jetty/tomcat/ in my case)
>
> Why one would search for application errors in the web server (or
> servlet container) logs instead of the application logs is beyond me.
>
> -peter

--
Daniele ALBRIZIO - [hidden email]
          Tel. +39-040.558.3319
   UNIVERSITY OF TRIESTE - Network Services
      Unita' di Staff Reti di Ateneo
via Alfonso Valerio, 12 I-34127 Trieste, Italy




Re: Can't understand error messages

Peter Schober
* Daniele Albrizio <[hidden email]> [2019-11-19 14:20]:
> idp-process log is indeed missing and the whole logs directory is empty

Does remote metadata get written to the configured directory? Or is
that missing, too?

File system permissions?
ReadWritePaths from systemd service units?

-peter