[OPENAM-14862] Need a warning about Configuring CTS in Admin Console Created: 02/May/19  Updated: 11/Sep/19  Resolved: 13/May/19

Status: Resolved
Project: OpenAM
Component/s: documentation
Affects Version/s: 6.5.1, 7.0.0
Fix Version/s: 6.0.0.7, 6.5.2, 5.5.2, 7.0.0

Type: Bug Priority: Minor
Reporter: William Hepler Assignee: Cristina Herraz
Resolution: Fixed Votes: 0
Labels: AME, SHAKESPEARE
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: AM 6.5.1

Rank: 1|hzkh47:
Sprint: AM 2019.7 - Lighthouse
Story Points: 0.5
Needs backport:
No
Support Ticket IDs:
Needs QA verification:
No
Functional tests:
No
Are the reproduction steps defined?:
No (add reasons in the comment)

Description

Bug description

https://backstage.forgerock.com/docs/am/6.5/install-guide/#cts-openam-gui

This section needs a strong warning that if you configure this incorrectly, you will be unable to access the AM console.

How to reproduce the issue

https://backstage.forgerock.com/docs/am/6.5/install-guide/#cts-openam-gui

  1. It should be assumed, but we need to warn that if using LDAPS to configure certificates, the certificate must match the hostname.
  2. The bind account should be checked as well.
Expected behaviour
Documentation may want to warn to have a backup available. 
Current behaviour
Multiple customers are getting stuck with no console access.

Work around

Edit dn: ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=openam,dc=forgerock,dc=org

in the configuration store to remove the improper configuration.


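The two checks called out in the reproduction steps above (the LDAPS certificate matching the hostname, and the bind account actually working), as an added example that is not part of this ticket or of AM: a stand-alone Python pre-flight that opens an LDAPS connection to the CTS store with hostname verification on and then attempts an LDAPv3 simple bind, so both problems surface before anything is saved in the console. Hostname matching follows the usual RFC 6125 rules (a wildcard in the leftmost label matches exactly one label); whether AM's own LDAPS client accepts a wildcard certificate is left open in the comments on this ticket, so an exact-FQDN certificate remains the safe choice. The host, port, bind DN, password and CA file are caller-supplied parameters; nothing here is AM's API, and the BER encoding is hand-rolled so the script needs only the standard library.

```python
# Added example, not ForgeRock code: pre-flight check for an external CTS store, run before
# the settings are saved in the AM console. Standard library only; ssl performs the TLS
# hostname verification and the bind is a hand-encoded LDAPv3 simple bind (RFC 4511).
import ipaddress
import socket
import ssl


def _tlv(tag, content):
    """BER tag + definite-form length + content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id, bind_dn, password):
    """LDAPMessage{messageID, BindRequest{version 3, name, simple password}}, msg_id < 128."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))  # 0x60 = [APPLICATION 0]


def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic) from a BindResponse; code 0 is success."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:  # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(op, 0)  # resultCode, then matchedDN (unused), then diagnostic
    _, _, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def _dns_match(pattern, hostname):
    """RFC 6125 matching: exact, or a leftmost-label wildcard covering exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches(cert, hostname):
    """Check an ssl getpeercert() dict against the name used to reach the CTS store: DNS SANs
    are authoritative, the subject CN counts only without them, an IP literal needs an IP SAN."""
    san = cert.get("subjectAltName", ())
    try:
        ipaddress.ip_address(hostname)
        return hostname in [v for k, v in san if k == "IP Address"]
    except ValueError:
        pass
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        return any(_dns_match(n, hostname) for n in dns_names)
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, hostname) for n in cn)


def _recv_message(sock):
    """Read exactly one BER message (tag, length octets, content) from a socket."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed mid-message")
            buf += chunk
        return buf
    head = exact(2)
    length = head[1]
    if length & 0x80:
        head += exact(length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + exact(length)


def preflight(host, port, bind_dn, password, cafile=None, timeout=5.0):
    """Connect over LDAPS, verify the certificate against `host`, then try the bind account.
    Returns (hostname_ok, result_code, diagnostic); a certificate that does not match `host`
    or does not chain to `cafile` raises ssl.SSLCertVerificationError before any LDAP is sent."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            ok = hostname_matches(tls.getpeercert(), host)
            tls.sendall(bind_request(1, bind_dn, password))
            _, code, diag = parse_bind_response(_recv_message(tls))
            return ok, code, diag
```

Call it with the exact values you are about to type into the console, for example `preflight("cts.example.com", 636, "cn=Directory Manager", password, cafile="ca.pem")` (hostname and file name are placeholders). An `ssl.SSLCertVerificationError` means the certificate does not match that hostname or does not chain to the CA you gave AM, and a result code of 49 (invalidCredentials) means the bind account would have failed; either one is a configuration you do not want to save.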

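The workaround in the description, editing the ou=server-default entry in the configuration store, as an added example that is not ForgeRock tooling: a small Python filter that reads an ldapsearch dump of that entry and emits the LDIF modify that deletes the external CTS properties and sets the store location back to the embedded CTS. It unfolds LDIF continuation lines and decodes the base64 form ldapsearch uses for values that are not LDIF-safe, which is what bites when a property is cut and pasted by hand. Assumptions, labelled in the code: AM keeps server defaults as sunKeyValue values of the form key=value, the CTS keys start with org.forgerock.services.cts.store, and org.forgerock.services.cts.store.location=default selects the embedded store; the DN and the dc=openam,dc=forgerock,dc=org suffix are the ticket's own example.

```python
# Added example, not ForgeRock tooling: turn the CTS properties currently held in the AM
# configuration store into an LDIF that deletes them and points the store back at the
# embedded CTS. Labelled assumptions: server defaults are stored as sunKeyValue values of
# the form key=value, CTS keys start with org.forgerock.services.cts.store, and
# org.forgerock.services.cts.store.location=default selects the embedded store.
import base64
import sys

# DN from the ticket; dc=openam,dc=forgerock,dc=org is that example's configuration base.
SERVER_DEFAULT_DN = ("ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,"
                     "ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=openam,dc=forgerock,dc=org")
CTS_PREFIX = "org.forgerock.services.cts.store"
EMBEDDED_LOCATION = CTS_PREFIX + ".location=default"


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the line they continue."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def attr_values(lines, attr):
    """All values of `attr`, decoding the base64 form ('attr:: ...') used for unsafe strings."""
    values = []
    for line in lines:
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:]).decode())
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return values


def ldif_line(attr, value):
    """Emit 'attr: value', falling back to base64 when the value is not LDIF-safe."""
    safe = (value.isascii() and value.isprintable() and value[:1] not in " :<"
            and not value.endswith(" "))
    if safe:
        return attr + ": " + value
    return attr + ":: " + base64.b64encode(value.encode()).decode()


def cts_values(ldif_dump):
    """The sunKeyValue entries in an ldapsearch dump of ou=server-default that configure the CTS."""
    return [v for v in attr_values(unfold_ldif(ldif_dump), "sunKeyValue") if v.startswith(CTS_PREFIX)]


def reset_ldif(ldif_dump):
    """One LDAP modify: delete each CTS property found in the dump, then add the embedded location.
    LDAP applies the whole modification list atomically, so a failed delete leaves the entry as is."""
    out = ["dn: " + SERVER_DEFAULT_DN, "changetype: modify"]
    for value in cts_values(ldif_dump):
        out += ["delete: sunKeyValue", ldif_line("sunKeyValue", value), "-"]
    out += ["add: sunKeyValue", ldif_line("sunKeyValue", EMBEDDED_LOCATION), "-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    sys.stdout.write(reset_ldif(sys.stdin.read()))
```

Take the backup the description asks for first, then run the dump, the filter and the modify as a pipeline against the configuration store, keeping the dump so the previous values can be restored: `ldapsearch -LLL -H ldap://localhost:50389 -D "cn=Directory Manager" -W -b "$DN" -s base "(objectClass=*)" sunKeyValue | tee cts-before.ldif | python3 cts_reset.py | ldapmodify -H ldap://localhost:50389 -D "cn=Directory Manager" -W` (the port, bind DN and script name are placeholders; `$DN` is the server-default DN above). AM reads its server defaults at start-up, so restart it afterwards before trying the console again.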
Comments
Comment by Cristina Herraz [ 03/May/19 ]

The certificate should match the FQDN of the CTS store exactly, I think. No *.example.com, etc. Can you confirm, William Hepler?

Comment by William Hepler [ 03/May/19 ]

I believe there is a hostname match that happens now. A wildcard cert I'm not sure about; we don't mention it in the two links:

https://backstage.forgerock.com/docs/ds/6/admin-guide/#generating-and-signing-certs
One step in verifying the certificate's validity is checking that the subject's FQDN matches the FQDN obtained from DNS.

https://backstage.forgerock.com/knowledge/kb/article/a28036667

Comment by Cristina Herraz [ 13/May/19 ]

Fixed in master and backported up to 5.5.x

Generated at Tue Mar 02 14:26:49 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.