[#OPENAM-14862] Need a warning about Configuring CTS in Admin Console

[OPENAM-14862] Need a warning about Configuring CTS in Admin Console Created: 02/May/19 Updated: 11/Sep/19 Resolved: 13/May/19
Status:	Resolved
Project:	OpenAM
Component/s:	documentation
Affects Version/s:	6.5.1, 7.0.0
Fix Version/s:	6.0.0.7, 6.5.2, 5.5.2, 7.0.0

Type:

Bug

Priority:

Minor

Reporter:

William Hepler

Assignee:

Cristina Herraz

Resolution:

Fixed

Votes:

Labels:

AME, SHAKESPEARE

Remaining Estimate:

Not Specified

Time Spent:

Not Specified

Original Estimate:

Not Specified

Environment:

AM 6.5.1

Rank:

1|hzkh47:

Sprint:

AM 2019.7 - Lighthouse

Story Points:

0.5

Needs backport:

Support Ticket IDs:

Needs QA verification:

Functional tests:

Are the reproduction steps defined?:

No (add reasons in the comment)

Description

Bug description

https://backstage.forgerock.com/docs/am/6.5/install-guide/#cts-openam-gui

This section needs a strong warning, that if you configure this incorrectly, you will be unable to access the AM console.

How to reproduce the issue

https://backstage.forgerock.com/docs/am/6.5/install-guide/#cts-openam-gui

It should be assumed but we need to warn that If using LDAPS to configure Certificates, The certificate must match the hostname
Bind Account should be checked as well

Expected behaviour

Documentation may want to warn to have a backup available.

Current behaviour

Multiple customers getting stuck with no console access

Work around

Edit dn: ou=server-default,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig
,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=openam,dc=forgerock,dc=org

in the configuration store to remove the improper configurations

org.forgerock.$className.java

...

Comments

Comment by Cristina Herraz [ 03/May/19 ]

The certificate should match the FQDN of the CTS store exactly, I think. No *.example.com, etc. Can you confirm, William Hepler?

Comment by William Hepler [ 03/May/19 ]

I believe there is a Hostname match that happens now. A wild card cert I'm not sure we don't mention it in the two links:

https://backstage.forgerock.com/docs/ds/6/admin-guide/#generating-and-signing-certs
One step in verifying the certificate's validity is checking that the subject's FQDN matches the FQDN obtained from DNS.

https://backstage.forgerock.com/knowledge/kb/article/a28036667

Comment by Cristina Herraz [ 13/May/19 ]

Fixed in master and backported up to 5.5.x

Generated at Tue Mar 02 14:26:49 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.