  1. OpenAM
  2. OPENAM-10966

Missing step for upgrade from AM 13 to 14 - CTS

      Description

      It would be good to properly document the upgrade with an external CTS. The current documentation says only:

      Chapter 2. Upgrading Servers / Procedure 2.1, "To Upgrade From a Supported Version" / Step 9:
      If you want to configure the upgraded system for the Core Token Service (CTS), read Chapter 3, "Implementing the Core Token Service" in the Installation Guide. For a list of supported directory services, see the Section 2.5, "Data Store Requirements" in the Release Notes

      If you use CTS for AM 13 and you want to use it for AM 14 after the upgrade, it is necessary to import the schemas:

      • cts-add-multivalue.ldif
      • cts-add-multivalue-indices.ldif

      If the schemas are not updated, it is not possible to log in, and I get the following error in the Session debug log:

      CTS: Operation failed:
      Result Code: Object Class Violation
      Diagnostic Message: Entry coreTokenId=-2648033331206376220,ou=famrecords,ou=openam-session,ou=tokens,dc=cts,dc=am violates the Directory Server schema configuration because it includes attribute coreTokenMultiString01 which is not allowed by any of the objectclasses defined in that entry
      Matched DN:
              at org.forgerock.openam.cts.impl.LdapAdapter.create(LdapAdapter.java:110)
              at org.forgerock.openam.sm.datalayer.impl.tasks.CreateTask.performTask(CreateTask.java:48)
              at org.forgerock.openam.sm.datalayer.api.AbstractTask.execute(AbstractTask.java:41)
              at org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutor$AuditRequestContextPropagatingTask.execute(SeriesTaskExecutor.java:209)
              at org.forgerock.openam.sm.datalayer.impl.SimpleTaskExecutor.execute(SimpleTaskExecutor.java:59)
              at org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutorThread.run(SeriesTaskExecutorThread.java:85)
              at org.forgerock.openam.audit.context.AuditRequestContextPropagatingRunnable.run(AuditRequestContextPropagatingRunnable.java:34)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
              at java.util.concurrent.FutureTask.run(FutureTask.java:266)
              ... 3 more
      
      amSession:03/24/2017 11:26:36:651 AM GMT: Thread[http-bio-8080-exec-2,5,main]: TransactionId[8478d4da-57b8-40c6-8bc9-ca4e7c7c8c41-82]
      ERROR: Invalid sessionid format:[]
      java.lang.IllegalArgumentException: sid value is null or empty
              at org.forgerock.util.Reject.ifTrue(Reject.java:199)
              at com.iplanet.dpro.session.SessionIDEncoder.decodeSessionID(SessionIDEncoder.java:90)
              at com.iplanet.dpro.session.SessionID.parseSessionString(SessionID.java:348)
              at com.iplanet.dpro.session.SessionID.getSessionServerProtocol(SessionID.java:251)
              at com.sun.identity.authentication.client.AuthClientUtils.getLogoutCookieString(AuthClientUtils.java:458)
              at com.sun.identity.authentication.client.AuthClientUtils.getLogoutCookie(AuthClientUtils.java:440)
              at com.sun.identity.authentication.service.AuthUtils.clearAllCookiesByDomain(AuthUtils.java:1564)
              at com.sun.identity.authentication.service.AuthUtils.clearAllCookies(AuthUtils.java:1552)
              at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:233)
              at org.forgerock.openam.core.rest.authn.core.wrappers.CoreServicesWrapper.getAuthContext(CoreServicesWrapper.java:50)
              at org.forgerock.openam.core.rest.authn.core.LoginAuthenticator.getAuthContext(LoginAuthenticator.java:200)
              at org.forgerock.openam.core.rest.authn.core.LoginAuthenticator.getLoginProcess(LoginAuthenticator.java:90)
              at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:163)
              at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:112)
              at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:153)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:76)
              at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:64)
              at org.forgerock.http.routing.Router.handle(Router.java:100)
              at org.forgerock.openam.audit.AbstractHttpAccessAuditFilter.filter(AbstractHttpAccessAuditFilter.java:65)
              at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
              at org.forgerock.http.routing.Router.handle(Router.java:100)
              at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:80)
              at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
              at org.forgerock.http.routing.Router.handle(Router.java:100)
              at org.forgerock.http.routing.Router.handle(Router.java:100)
              at org.forgerock.openam.rest.RealmRoutingFactory$ChfRealmRouter.handle(RealmRoutingFactory.java:139)
              at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
              at org.forgerock.openam.rest.RealmRoutingFactory$HostnameFilter.filter(RealmRoutingFactory.java:116)
              at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
              at org.forgerock.http.routing.Router.handle(Router.java:100)
              at org.forgerock.http.routing.Router.handle(Router.java:100)
              at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:56)
              at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
              at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:193)
              at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$200(AuthenticationFramework.java:56)
              at org.forgerock.caf.authentication.framework.AuthenticationFramework$2.apply(AuthenticationFramework.java:185)
              at org.forgerock.caf.authentication.framework.AuthenticationFramework$2.apply(AuthenticationFramework.java:178)
              at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:247)
              at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:236)
              at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:141)
              at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:133)
              at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:84)
              at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
              at org.forgerock.openam.http.GuiceHandler.handle(GuiceHandler.java:51)
              at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:206)
              at org.forgerock.http.routing.Router.handle(Router.java:100)
              at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:62)
              at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
              at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:139)
              at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
              at org.forgerock.openam.http.OpenAMHttpApplication$1.filter(OpenAMHttpApplication.java:70)
              at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
              at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:52)
              at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
              at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:236)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
              at org.forgerock.openam.rest.ProtocolVersionFilter.doFilter(ProtocolVersionFilter.java:65)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
              at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
              at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
              at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
              at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
              at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
              at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
              at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
              at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:745)
      

      I did it with the following script (used for DJ 3.0.0):

      #!/bin/bash
      # The bin/ paths are relative, so this assumes it is run from the DJ install directory.

      USER="cn=Directory Manager"
      PASS="password"
      SERVER_PORT=3389
      TOMCAT_OPENAM_WEBAPP=/root/am-war
      ROOT_SUFFIX="dc=cts,dc=am"
      T=/tmp/ldif
      rm -rf "$T"
      mkdir "$T"
      # Copy the schema LDIF and fill in the backend name in the index LDIF.
      cp "$TOMCAT_OPENAM_WEBAPP/WEB-INF/template/ldif/sfha/cts-add-multivalue.ldif" "$T/cts-add-multivalue.ldif"
      sed -e 's/@DB_NAME@/userRoot/' "$TOMCAT_OPENAM_WEBAPP/WEB-INF/template/ldif/sfha/cts-add-multivalue-indices.ldif" > "$T/cts-add-multivalue-indices.ldif"

      # Apply the schema change first, then add the index definitions.
      bin/ldapmodify --port "$SERVER_PORT" --bindDN "$USER" --bindPassword "$PASS" --fileName "$T/cts-add-multivalue.ldif"
      bin/ldapmodify --port "$SERVER_PORT" --bindDN "$USER" --bindPassword "$PASS" --defaultAdd --fileName "$T/cts-add-multivalue-indices.ldif"

      # Rebuild and verify the indexes while the server is stopped.
      bin/stop-ds
      bin/rebuild-index --baseDN "$ROOT_SUFFIX" --rebuildAll
      bin/verify-index --baseDN "$ROOT_SUFFIX"
      bin/start-ds
      

      Note: For DJ 4.0.0+ the script is slightly different:

      ...
      # Compared with the DJ 3.0.0 script: no --defaultAdd, and rebuild-index takes --offline.
      bin/ldapmodify --port "$SERVER_PORT" --bindDN "$USER" --bindPassword "$PASS" --fileName "$T/cts-add-multivalue.ldif"
      bin/ldapmodify --port "$SERVER_PORT" --bindDN "$USER" --bindPassword "$PASS" --fileName "$T/cts-add-multivalue-indices.ldif"
      sudo bin/stop-ds
      sudo bin/rebuild-index --baseDN "$ROOT_SUFFIX" --rebuildAll --offline
      sudo bin/verify-index --baseDN "$ROOT_SUFFIX"
      sudo bin/start-ds
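
A pre-upgrade check for the Object Class Violation reported above, as an added example that is not part of the original issue or of ForgeRock's code: it reads a schema dump in LDIF form and reports whether an attribute such as coreTokenMultiString01 is defined and allowed by an object class ("unlisted" means defined but allowed by none). The object class name, the OIDs and both sample dumps are constructed, and how the dump is read from the CTS store is left to the operator.

```bash
# Added example, not ForgeRock code. OIDs and object class name are constructed.
unfold_ldif() {   # join folded LDIF lines (a continuation starts with one space)
  awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
       NR > 1 { print buf }
       { buf = $0 }
       END { if (NR) print buf }'
}

# State of attribute $1 in the schema dump on stdin: ok | undefined | unlisted
attr_status() {
  unfold_ldif | awk -v want="$1" '
    BEGIN { want = tolower(want); q = sprintf("%c", 39) }
    { line = tolower($0) }
    line ~ /^attributetypes:/ && index(line, q want q) { has_def = 1 }
    line ~ /^objectclasses:/ && match(line, / (must|may) /) {
      lists = substr(line, RSTART)   # MUST/MAY lists to end of line
      sub(/ x-.*/, "", lists)        # drop trailing X- extensions
      gsub(/[()$]/, " ", lists)      # list punctuation to spaces
      n = split(lists, tok, " ")
      for (i = 1; i <= n; i++) if (tok[i] == want) in_class = 1
    }
    END { print (!has_def ? "undefined" : (in_class ? "ok" : "unlisted")) }'
}

# check_cts_schema ATTR...: schema dump on stdin; non-zero if any is not ok.
check_cts_schema() {
  schema=$(cat); rc=0
  for attr in "$@"; do
    status=$(printf '%s\n' "$schema" | attr_status "$attr")
    echo "$attr: $status"; [ "$status" = ok ] || rc=1
  done
  return "$rc"
}

sample_schema_before() { cat <<'EOF'
attributeTypes: ( example-id-oid NAME 'coreTokenId' )
objectClasses: ( example-class-oid NAME 'exampleTokenClass' MUST coreTok
 enId )
EOF
}
sample_schema_after() { cat <<'EOF'
attributeTypes: ( example-id-oid NAME 'coreTokenId' )
attributeTypes: ( example-multi-oid NAME 'coreTokenMultiString01' )
objectClasses: ( example-class-oid NAME 'exampleTokenClass' MUST coreTok
 enId MAY coreTokenMultiString01 )
EOF
}
sample_schema_before | check_cts_schema coreTokenId coreTokenMultiString01 ||
  echo "CTS schema is missing attributes: import the LDIF files first"
```

The non-zero exit status of `check_cts_schema` can gate the upgrade, so the missing schema import is caught before the first login attempt fails.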
      

            People

            • Assignee:
              austingene Gene Hirayama
              Reporter:
              richard.hruza Richard Hruza