  1. OpenAM
  2. OPENAM-16282

Upgrade may fail while upgrading SAML2 secret


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0, 6.5.3
    • Fix Version/s: 7.0.0
    • Component/s: SAML, upgrade
    • Environment:
      6.5.3->7
    • Needs backport:
      Yes

      Description

      Bug description

      As there is AM 7 now and some of the changes or updates may be backported to 6.5.x (presumably if there is a 6.5.3), updates need to work. It is seen that
      with AME-18347 there is a failure to upgrade.

      Error logs:

      Updating existing delegation privileges; Done.
      Upgrading service attribute validator whitelist; Done.
      Upgrading i18nKeys in AgentService; Done.
      Creating secret mapping for Auth Tree encryption; Done.
      Creating default file system secret for SAML2 JWT encryption; Failed!
      
      c.s.i.c.u.Upgrade: 2020-05-23 14:51:58,214: Thread[http-nio-8080-exec-2]: TransactionId[8bf661e2-eec2-40ed-bad2-161e50cc8acc-3565]
      ERROR: Error occured while upgrading OpenAM
      org.forgerock.openam.upgrade.UpgradeException: Unable to upgrade SAML2 to secrets API.
              at org.forgerock.openam.upgrade.steps.secrets.Saml2SecretsApiStep.perform(Saml2SecretsApiStep.java:153)
              at org.forgerock.openam.upgrade.UpgradeServices.upgrade(UpgradeServices.java:159)
      
      ....
              at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      ....
      Caused by: java.nio.file.AccessDeniedException: //B-AMSUST-891/ws-7xx/cfg/secrets/./encrypted_base64/am.global.services.saml2.client.storage.jwt.encryption
              at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
              at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
              at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
              at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
      

      How to reproduce the issue

      1. Install AM 6.5.2
      2. Upgrade to AM 6.5.3 snapshot
      3. Upgrade to AM 7
      4. Fail to upgrade.

      Expected behaviour
      Upgrade should have no issues

      Current behaviour
      Upgrade fails
      

      Work around

      Before the upgrade, set the file to be writable:

        chmod u+w /secrets/encrypted_base64/am.global.services.saml2.client.storage.jwt.encryption
      

      Code analysis

      When testing 6.5.2->6.5.3->7.0.0, the upgrade seems to fail in Saml2SecretsApiStep. The backport of this assumes there is no 6.5.3 (from 7) and so fails to cater for the upgrade code from 7. It seems that everything that has an AM 7 check may need to ensure that 6.5.3 is not an issue.

      (isCurrentVersionLessThan(AM_7, false)) {
      

      This may need changes to all code that detects AM_7, to see if there is any need to refine all the upgrade checks. In the SAML case, after the install, 6.5.3 has created

      secrets/encrypted_base64/
          am.global.services.saml2.client.storage.jwt.encryption
      with read only access and not writable so this breaks on
      upgrade.
      

      is created and later cannot be read and written by upgrade. This may need the upgrade.
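The workaround above, generalized into a pre-upgrade check, as an added example that is not part of the original report or of OpenAM: it lists every file under a secrets directory whose owner-write bit is cleared (the condition behind the `AccessDeniedException` in the log) and can apply the same `chmod u+w`. The function names and the directory argument are assumptions; the report only names the one SAML2 file.

```shell
#!/bin/sh
# Added example: pre-upgrade check for read-only files in an AM secrets store.

# Print every regular file under DIR that lacks the owner-write bit (0200).
# Mode bits are inspected instead of `test -w` so the result is the same
# when the check happens to be run as root.
find_readonly_secrets() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f ! -perm -200 -print | sort
}

# Apply the report's workaround (chmod u+w) to each file found.
# Only the owner bit is changed; group/other permissions stay as they were,
# so the key material is not exposed to additional accounts.
make_owner_writable() {
    dir=$1
    find_readonly_secrets "$dir" | while IFS= read -r f; do
        chmod u+w "$f" && echo "fixed: $f"
    done
}

# Command-line use (hypothetical invocation, run as the account that owns
# the AM configuration):
#   sh check_secrets.sh <am-config-dir>/secrets/encrypted_base64
if [ $# -ge 1 ]; then
    ro=$(find_readonly_secrets "$1") || exit 2
    if [ -n "$ro" ]; then
        echo "Not owner-writable (upgrade step may fail on these):"
        echo "$ro"
        exit 1
    fi
    echo "All secret files under $1 are owner-writable."
fi
```

Run the check as the user the AM container runs as, and restore the original mode after the upgrade if the deployment expects read-only secret files.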


            People

            Assignee:
            kevin.umebolu Kevin Umebolu
            Reporter:
            chee-weng.chea C-Weng C