[OPENDJ-6239] Proxy: Error message in server.out and RC=0 Created: 26/Apr/19  Updated: 31/Jul/20

Status: Dev in Progress
Project: OpenDJ
Component/s: proxy, tools
Affects Version/s: 7.0.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: carole forel Assignee: Cedric Tran-Xuan
Resolution: Unresolved Votes: 0
Labels: None


 Description   

Found with rev 054825e4d76bff67e031554f373ac7e40e9aa745

When the configuration is erroneous while setting up a proxy, the proxy starts, prints an error in server.out, but runs anyway and RC=0.

1. bad setup (use-mutual-tls is defaulting to true but rsConnectionSecurity is none):
./PROXY1/opendj/setup --profile ds-proxy-server --set ds-proxy-server/rsConnectionSecurity:none --set ds-proxy-server/replicationServers:"nameserver.example.com:4448" --set ds-proxy-server/primaryGroupId:"1" --set ds-proxy-server/rsBindDn:"uid=admin" --set ds-proxy-server/rsBindPassword:"password" --set ds-proxy-server/proxyUserBindPassword:"password" --trustAll  -h nameserver.example.com -p 1392 -D "uid=admin" -w password --adminConnectorPort 4447 --monitorUserDn "uid=Monitor" --monitorUserPassword password  -O 


2. start:
 ./PROXY1/opendj/bin/start-ds 
[26/Apr/2019:16:27:06 +0200] category=CORE severity=NOTICE msgID=134 msg=ForgeRock Directory Services 7.0.0-SNAPSHOT (build 20190425081527, revision number 054825e4d76bff67e031554f373ac7e40e9aa745) starting up
[26/Apr/2019:16:27:06 +0200] category=JVM severity=NOTICE msgID=21 msg=Installation Directory:  /local/GIT/pyforge/results/20190426-161811/proxy_group/ReplicationDiscovery/PROXY1/opendj
[26/Apr/2019:16:27:06 +0200] category=JVM severity=NOTICE msgID=23 msg=Instance Directory:      /local/GIT/pyforge/results/20190426-161811/proxy_group/ReplicationDiscovery/PROXY1/opendj
[26/Apr/2019:16:27:06 +0200] category=JVM severity=NOTICE msgID=17 msg=JVM Information: 1.8.0_151-b12 by Oracle Corporation, 64-bit architecture, 3717201920 bytes heap size
[26/Apr/2019:16:27:06 +0200] category=JVM severity=NOTICE msgID=18 msg=JVM Host: cforel-Dell-Precision-M3800, running Linux 4.4.0-21-generic amd64, 16725336064 bytes physical memory size, number of processors available 8
[26/Apr/2019:16:27:06 +0200] category=JVM severity=NOTICE msgID=19 msg=JVM Arguments: "-Dorg.opends.server.scriptName=start-ds"
[26/Apr/2019:16:27:08 +0200] category=ACCESS_CONTROL severity=NOTICE msgID=103 msg=The global access control engine has been initialized with 5 policies
[26/Apr/2019:16:27:08 +0200] category=EXTENSIONS severity=NOTICE msgID=221 msg=DIGEST-MD5 SASL mechanism using a server fully qualified domain name of: nameserver.example.com
[26/Apr/2019:16:27:09 +0200] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on Administration Connector 0.0.0.0 port 4447
[26/Apr/2019:16:27:09 +0200] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on LDAP 0.0.0.0 port 1392
[26/Apr/2019:16:27:09 +0200] category=CORE severity=NOTICE msgID=135 msg=The Directory Server has started successfully
[26/Apr/2019:16:27:09 +0200] category=CORE severity=NOTICE msgID=139 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID org.opends.messages.core-135): The Directory Server has started successfully
[26/Apr/2019:16:27:09 +0200] category=CORE severity=ERROR msgID=762 msg=Could not retrieve the list of replicas from replication server 'nameserver.example.com:4448' for replication server group 'Replication Service Discovery Mechanism'. Exception : Invalid Credentials

$ echo $?
0



 Comments   
Comment by Cedric Tran-Xuan [ 30/Apr/19 ]

Since by default the proxy-server profile is configured to use mutual TLS, we can simply remove the value none as a possible value for ds-proxy-server/rsConnectionSecurity.
In this case, this would imply some doc changes in the install guide (docs/ds/7/install-guide/#setup-proxy) for setting up a proxy server with the static discovery mechanism. Indeed, in this case we use a fake configuration with ds-proxy-server/rsConnectionSecurity set to none.

Comment by Cedric Tran-Xuan [ 30/Apr/19 ]

OPENDJ-6238 will prevent this issue from happening. But it can happen with a different scenario:

  1. install 2 DJs with the replication
  2. install proxy with a truststore that is not configured with the certificates of the 2 DJs to be proxified
[30/Apr/2019:14:59:17 +0200] category=ACCESS_CONTROL severity=NOTICE msgID=103 msg=The global access control engine has been initialized with 5 policies
[30/Apr/2019:14:59:18 +0200] category=EXTENSIONS severity=NOTICE msgID=221 msg=DIGEST-MD5 SASL mechanism using a server fully qualified domain name of: opendj.example.com
[30/Apr/2019:14:59:18 +0200] category=CORE severity=ERROR msgID=762 msg=Could not retrieve the list of replicas from replication server 'opendj.example.com:4444' for replication server group 'Replication Service Discovery Mechanism'. Exception : Connect Error: The LDAP connection has failed because an error occurred during the SSL handshake: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[30/Apr/2019:14:59:18 +0200] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on Administration Connector 0.0.0.0 port 54444
[30/Apr/2019:14:59:18 +0200] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on LDAP 0.0.0.0 port 51389
[30/Apr/2019:14:59:18 +0200] category=PROTOCOL severity=NOTICE msgID=276 msg=Started listening for new connections on LDAPS 0.0.0.0 port 51639
[30/Apr/2019:14:59:18 +0200] category=CORE severity=NOTICE msgID=135 msg=The Directory Server has started successfully
[30/Apr/2019:14:59:18 +0200] category=CORE severity=NOTICE msgID=139 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID org.opends.messages.core-135): The Directory Server has started successfully

After discussion with QA, ideally this kind of error should prevent the server from starting.

Comment by Cedric Tran-Xuan [ 30/Apr/19 ]

It seems to be a "wrong good" idea to prevent the proxy from starting. Indeed, a proxy could have been started before the DJs to be proxified, or started more quickly than the DJs. In these cases, the proxy has a cron to regularly refresh its list of DJs. Thus, preventing the proxy from starting if it hasn't detected any DJ running is a bit too much (especially if we think about Cloud environments where servers can vanish or appear at any time).

After another discussion with QA, we came to the conclusion that the current behavior should not change, but maybe the message should change.
QA would favor a warning rather than an error, and maybe a friendlier message than Could not retrieve the list of replicas from replication server ....
What do you think Ludovic Poitou?

Comment by Matthew Swift [ 30/Apr/19 ]

I agree with the analysis so far. Depending on the specific type of error it would be nice if the message indicated whether the connect problem is likely due to a misconfiguration (eg. connected successfully, but SSL failed) or perhaps due to components starting up in an unpredictable order (e.g. proxy first then backend servers).

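Added example (not OpenDJ code and not part of this issue): a small Python checker for server.out that implements the distinction Matthew describes and the RC check from the description. It parses the log format shown above, extracts the msgID=762 errors and labels each one as a likely misconfiguration (bind rejected, TLS trust failure: the proxy reached the replication server but was refused) or a likely startup-order problem (replication server unreachable), and returns a non-zero code only for the former, so a start wrapper can fail on a bad setup even though start-ds itself exits 0. The msgID values and the two exception texts are taken from the logs on this page; the "Connection refused" wording, the rule table and the exit-code policy are this example's own assumptions.

```python
"""Classify replication-discovery errors in an OpenDJ proxy's server.out.

Added example, not OpenDJ code. Parses the server.out format quoted in the
issue, finds msgID=762 "Could not retrieve the list of replicas" errors and
splits them into "misconfiguration" (connected, but credentials or TLS trust
rejected) versus "transient" (backend not reachable yet).
"""
import re
import sys
from dataclasses import dataclass

# Matches the server.out lines shown in the issue. Assumption: msg= is the last
# field and runs to the end of the line.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] category=(?P<category>\S+) severity=(?P<severity>\S+) '
    r'msgID=(?P<msgid>\d+) msg=(?P<msg>.*)$'
)
SERVER_RE = re.compile(r"from replication server '([^']+)'")
DISCOVERY_ERROR_MSGID = 762   # "Could not retrieve the list of replicas ..." (from the issue)
STARTED_MSGID = 135           # "The Directory Server has started successfully" (from the issue)

# Heuristic rules, checked in order; first match wins. Only the two exception
# texts quoted in the issue are grounded; "Connection refused"/"timed out" are
# assumed wordings for the backend-not-up case. The TLS rule must precede the
# generic connect rule because the PKIX message also starts with "Connect Error".
RULES = [
    ('misconfiguration', r'Invalid Credentials',
     'bind rejected: check rsBindDn/rsBindPassword and rsConnectionSecurity vs use-mutual-tls'),
    ('misconfiguration', r'SSL handshake|PKIX path building failed|unable to find valid certification path',
     'TLS trust failure: replication server certificate is not in the proxy truststore'),
    ('transient', r'Connect Error|Connection refused|timed out',
     'replication server unreachable: possibly started after the proxy; discovery will retry'),
]


@dataclass
class DiscoveryError:
    timestamp: str
    server: str
    kind: str
    hint: str
    detail: str


def parse_line(line):
    """Return the fields of one server.out line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['msgid'] = int(rec['msgid'])
    return rec


def classify_exception(text):
    """Return (kind, hint) for the 'Exception : ...' part of a msgID=762 message."""
    for kind, pattern, hint in RULES:
        if re.search(pattern, text):
            return kind, hint
    return 'unknown', 'unrecognised exception; inspect manually'


def analyze(log_text):
    """Parse server.out text; return (started, [DiscoveryError], suggested_rc)."""
    started = False
    errors = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['msgid'] == STARTED_MSGID:
            started = True
        if rec['msgid'] == DISCOVERY_ERROR_MSGID and rec['severity'] == 'ERROR':
            msg = rec['msg']
            sm = SERVER_RE.search(msg)
            server = sm.group(1) if sm else '?'
            detail = msg.split('Exception :', 1)[1].strip() if 'Exception :' in msg else msg
            kind, hint = classify_exception(detail)
            errors.append(DiscoveryError(rec['ts'], server, kind, hint, detail))
    # Wrapper policy (this example's, not the server's): a misconfiguration earns a
    # non-zero exit even though the server keeps running; a transient error is only
    # a warning, in line with the discussion on the issue.
    if any(e.kind == 'misconfiguration' for e in errors):
        rc = 2
    elif not started:
        rc = 1
    else:
        rc = 0
    return started, errors, rc


# Constructed sample: the two real lines from the issue plus an assumed
# "Connection refused" line standing in for a backend that is not up yet.
SAMPLE_LOG = """\
[26/Apr/2019:16:27:09 +0200] category=CORE severity=NOTICE msgID=135 msg=The Directory Server has started successfully
[26/Apr/2019:16:27:09 +0200] category=CORE severity=ERROR msgID=762 msg=Could not retrieve the list of replicas from replication server 'nameserver.example.com:4448' for replication server group 'Replication Service Discovery Mechanism'. Exception : Invalid Credentials
[30/Apr/2019:14:59:18 +0200] category=CORE severity=ERROR msgID=762 msg=Could not retrieve the list of replicas from replication server 'opendj.example.com:4444' for replication server group 'Replication Service Discovery Mechanism'. Exception : Connect Error: The LDAP connection has failed because an error occurred during the SSL handshake: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[30/Apr/2019:14:59:18 +0200] category=CORE severity=ERROR msgID=762 msg=Could not retrieve the list of replicas from replication server 'opendj.example.com:4445' for replication server group 'Replication Service Discovery Mechanism'. Exception : Connect Error: Connection refused
"""

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    started, errors, rc = analyze(text)
    for e in errors:
        print(f'{e.kind.upper():16} {e.server}: {e.hint}')
        print(f'    {e.detail[:120]}')
    sys.exit(rc)
```

Run it as `python3 check_discovery.py /path/to/opendj/logs/server.out` after start-ds; with no argument it runs over the embedded sample and exits 2 because of the two misconfiguration lines. The rule order matters: the PKIX line contains both "Connect Error" and "SSL handshake", so the TLS rule is evaluated before the generic connect rule.
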
Comment by Ludovic Poitou [ 01/May/19 ]

I agree with Matthew Swift


Generated at Mon Sep 21 15:55:37 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.