[OPENAM-10554] AM installation fails if BASE_DIR is different from the path in .openamcfg Created: 06/Feb/17  Updated: 11/Sep/19

Status: Reopened
Project: OpenAM
Component/s: configurator
Affects Version/s: 14.0.0, 14.0.0-M17, 14.1.0, 14.1.1, 14.5.0, 6.1.0, 7.0.0
Fix Version/s: None

Type: Bug Priority: Minor
Reporter: Nemanja Lukic Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: AME, Backlog
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Rank: 1|hzsvuf:
Support Ticket IDs:

 Description   

OpenAM 14.0.0-M17 seems to have a hardcoded path for Amster keys. If a user tries to install OpenAM in a location other than the default (for example, /root/openam14), the following error is observed:

Could not write Amster keys, refer to install.log under /root/openam14 for more information. 

and

AMSetupServlet.processRequest: errorjava.lang.IllegalStateException: Could not write Amster keys
	at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.createLocalAmsterKey(AuthorizedKeyConfiguratorPlugin.java:87)
	at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.doPostConfiguration(AuthorizedKeyConfiguratorPlugin.java:68)
	at com.sun.identity.setup.AMSetupServlet.handlePostPlugins(AMSetupServlet.java:990)
	at com.sun.identity.setup.AMSetupServlet.configure(AMSetupServlet.java:912)
	at com.sun.identity.setup.AMSetupServlet.processRequest(AMSetupServlet.java:509)
	at com.sun.identity.config.wizard.Wizard.createConfig(Wizard.java:296)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.apache.click.util.ClickUtils.invokeMethod(ClickUtils.java:3317)
	at org.apache.click.util.ClickUtils.invokeListener(ClickUtils.java:2088)
	at org.apache.click.control.AbstractControl$1.onAction(AbstractControl.java:228)
	at org.apache.click.ActionEventDispatcher.fireActionEvent(ActionEventDispatcher.java:259)
	at org.apache.click.ActionEventDispatcher.fireActionEvents(ActionEventDispatcher.java:236)
	at org.apache.click.ActionEventDispatcher.fireActionEvents(ActionEventDispatcher.java:180)
	at org.apache.click.ClickServlet.performOnProcess(ClickServlet.java:746)
	at org.apache.click.ClickServlet.processAjaxPageEvents(ClickServlet.java:1860)
	at org.apache.click.ClickServlet.processPage(ClickServlet.java:559)
	at org.apache.click.ClickServlet.handleRequest(ClickServlet.java:383)
	at org.apache.click.ClickServlet.doGet(ClickServlet.java:276)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:88)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:123)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.FileNotFoundException: /root/openam/amster_rsa (No such file or directory)
	at java.io.FileOutputStream.open(Native Method)
	at java.io.FileOutputStream.<init>(FileOutputStream.java:206)
	at java.io.FileOutputStream.<init>(FileOutputStream.java:156)
	at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.writePrivateKey(AuthorizedKeyConfiguratorPlugin.java:92)
	at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.createLocalAmsterKey(AuthorizedKeyConfiguratorPlugin.java:82)
	... 55 more


 Comments   
Comment by Nemanja Lukic [ 07/Feb/17 ]

I have found the root cause of this issue. Contrary to my original thought that the value had to be hard-coded somewhere, the cause lies elsewhere. When OpenAM boots, it looks in ~/.openamcfg for a file that identifies the container where OpenAM runs; the file's name is the container path in encoded form. For example, if I use a container in /opt/tomcat8, then the file would be: AMConfig_opt_tomcat8_webapps_openam_

If this file exists prior to the OpenAM deployment and differs from the BASE_DIR used in the configurator, the error in the description can be observed.

To reproduce:

  • make sure .openamcfg does not exist and install OpenAM normally
  • stop the container, remove the data directory
  • make sure the file in .openamcfg exists
  • deploy OpenAM once again and provide a different directory for BASE_DIR
  • observe the error message
Comment by Nemanja Lukic [ 07/Feb/17 ]

Changing the priority to minor

Comment by Mark de Reeper [ 04/Apr/17 ]

I came across this one today when moving between Temper and using amster to re-configure the same local instance.

During installation, the AMSetupServlet calls out to any configured ConfiguratorPlugin plugins, of which the Amster AuthorizedKeyConfiguratorPlugin is one. This plugin calls back into AMSetupServlet.getBaseDir(), which does not reference the currently configured value but tries to work it out from known values. As a result, any matching entry in the ~/.openamcfg directory is used, and if it differs from the directory being used by the configuration, things can fail as seen in the original report. In that report the file involved is the amster_rsa private key, which the plugin tried to write under /root/openam rather than the requested /root/openam14.

Proposed fix is to pass in the current baseDir into the doPostConfiguration() method so the plugins can use it and avoid this issue.

Comment by Phill Cunnington [ 04/Apr/18 ]

Moving issues to the "backlog" that do not have a customer ticket attached.

Comment by Phill Cunnington [ 04/Apr/18 ]

Closing issues affecting versions that have reached their EOSL. Please re-test against a supported version and re-open and update ticket if needed.

Comment by Bernhard Thalmayr [ 10/Jul/18 ]

The bug also exists in AM 5.1.1 + security patch AM-sec-201801-v511

Comment by Vineet Tiwari [ 13/Jul/18 ]

Ran into this issue while installing AM 5.1.1

 

Comment by Robert Wapshott [ 22/May/19 ]

Still valid in AM 6.1.0 and latest Master (scheduled to be AM 7.0)

Reproduction steps:

  • Starting from a clean install (no AM home directory)
  • Copy AM war to Tomcat webapps folder
  • Start Tomcat
  • Configure the settings we want for installation. BASE_DIR is the one we are interested in:
    # Settings for this reproduction run; the curl request further down reads them.
    # NOTE(review): these look like lab-only credentials. ADMINPWD is sent as
    # ADMIN_PWD, ADMIN_CONFIRM_PWD, DS_DIRMGRPASSWD and USERSTORE_PASSWD, so one
    # value covers the AM admin, the directory manager and the user store.
    export ADMINPWD="administrator"
    # Sent as AMLDAPUSERPASSWD and AMLDAPUSERPASSWD_CONFIRM.
    export DEMOPWD="changeit"
    # Plain http:// on port 8080: every form field, passwords included, is sent unencrypted.
    export SERVER="http://$(hostname):8080"
    # The directory under test. The failing trace in this comment shows amster_rsa
    # being opened under /Users/robert.wapshott/openam instead of this path.
    export BASE_DIR=/tmp/openam
    export CONFIG_STORE_PORT=1389
    export USER_STORE_PORT=2389
    
  • Using the HTTP Configurator, issue the following curl command:
    # Submits the installation parameters as URL-encoded form fields to the
    # configurator endpoint under $SERVER/openam (the trace below shows the request
    # handled by AMSetupServlet.doPost). BASE_DIR carries the requested install
    # directory; the four *PWD/*PASSWD fields carry the passwords exported above.
    # No comments are placed between the continuation lines, since that would
    # break the backslash-continued command.
    curl --verbose "$SERVER/openam/config/configurator" \
    --header "Content-Type:application/x-www-form-urlencoded" \
    --data-urlencode "SERVER_URL=$SERVER" \
    --data-urlencode "DEPLOYMENT_URI=openam" \
    --data-urlencode "BASE_DIR=$BASE_DIR" \
    --data-urlencode "locale=en_GB" \
    --data-urlencode "PLATFORM_LOCALE=en_US" \
    --data-urlencode "ADMIN_PWD=$ADMINPWD" \
    --data-urlencode "ADMIN_CONFIRM_PWD=$ADMINPWD" \
    --data-urlencode "AMLDAPUSERPASSWD=$DEMOPWD" \
    --data-urlencode "AMLDAPUSERPASSWD_CONFIRM=$DEMOPWD" \
    --data-urlencode "COOKIE_DOMAIN=forgerock.com" \
    --data-urlencode "DATA_STORE=dirServer" \
    --data-urlencode "DIRECTORY_SSL=SIMPLE" \
    --data-urlencode "DIRECTORY_SERVER=localhost" \
    --data-urlencode "DIRECTORY_PORT=$CONFIG_STORE_PORT" \
    --data-urlencode "DIRECTORY_ADMIN_PORT=4444" \
    --data-urlencode "DIRECTORY_JMX_PORT=1689" \
    --data-urlencode "ROOT_SUFFIX=ou=am-config" \
    --data-urlencode "DS_DIRMGRDN=cn=Directory Manager" \
    --data-urlencode "DS_DIRMGRPASSWD=$ADMINPWD" \
    --data-urlencode "USERSTORE_PORT=$USER_STORE_PORT" \
    --data-urlencode "USERSTORE_SSL=SIMPLE" \
    --data-urlencode "USERSTORE_MGRDN=cn=Directory Manager" \
    --data-urlencode "USERSTORE_TYPE=LDAPv3ForOpenDS" \
    --data-urlencode "USERSTORE_SUFFIX=ou=identities" \
    --data-urlencode "USERSTORE_HOST=localhost" \
    --data-urlencode "USERSTORE_PASSWD=$ADMINPWD" \
    --data-urlencode "acceptLicense=true"
    

The installation will fail with the following error in install.log:

AMSetupServlet.processRequest: error java.lang.IllegalStateException: Could not write Amster keys
	at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.createLocalAmsterKey(AuthorizedKeyConfiguratorPlugin.java:79)
	at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.doPostConfiguration(AuthorizedKeyConfiguratorPlugin.java:60)
	at com.sun.identity.setup.AMSetupServlet.handlePostPlugins(AMSetupServlet.java:1032)
	at com.sun.identity.setup.AMSetupServlet.configure(AMSetupServlet.java:956)
	at com.sun.identity.setup.AMSetupServlet.processRequest(AMSetupServlet.java:521)
	at com.sun.identity.setup.AMSetupServlet.doPost(AMSetupServlet.java:455)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:129)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:47)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.FileNotFoundException: /Users/robert.wapshott/openam/amster_rsa (No such file or directory)
	at java.io.FileOutputStream.open0(Native Method)
	at java.io.FileOutputStream.open(FileOutputStream.java:270)
	at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
	at java.io.FileOutputStream.<init>(FileOutputStream.java:162)
	at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.writePrivateKey(AuthorizedKeyConfiguratorPlugin.java:84)
	at org.forgerock.openam.authentication.modules.amster.AuthorizedKeyConfiguratorPlugin.createLocalAmsterKey(AuthorizedKeyConfiguratorPlugin.java:74)
	... 43 more