System key error when assigning identity manager to tenant

[Courage Angeh <co...@gmail.com>]

Hello,

Hope this message reaches you well.
I have separate the different microservices and they are running well. I am
currently running provisioner and identity on GKE. I have gone through the
process of creating application and tenants via provisioner endpoint.
Currently, I have initialized just one application, that is identity.
I am trying to set identity as the Identity Manager for a tenant with
identifier, `playground` but I get an error response:

*`The given identity instance didn't recognize the system token as valid.
Perhaps the system keys for the provisioner or for the identity manager are
misconfigured?`*

Here are the logs for provision, https://pastebin.com/QyXc4GHH, and
identity, https://pastebin.com/ermXJPBF

I did an update on provisioner to set RSA public and private keys. Here is
the link to changes made:
https://github.com/Anh3h/fineract-cn-identity/commit/ef969244af082573230a47cd6923a87d212e84a3


I debugged, and I realized the error comes when provisioner tried to
initialize with identity via an HTTP request But I still don't understand
why I get the error.

I will really appreciate some help.

Thanks,
Courage

Re: System key error when assigning identity manager to tenant

[Courage Angeh <co...@gmail.com>]

Hi Myrle,

Thanks for the reply, it was really helpful.

I will like to find if it's a must for the time stamps of all the
microservices to be the same?

Cuz after debugging I realized the error is thrown from line 71 of this
file:
https://github.com/apache/fineract-cn-anubis/blob/develop/library/src/main/java/org/apache/fineract/cn/anubis/provider/SystemRsaKeyProvider.java.
That line
compares the time stamp to two microservices.

Bt then, I realized the time stamps of the two microservices are different.
I went back to check the logs for demo-server
and I realized that the timestamp for all the microservice where the same,
so I think I get the error cuz of the difference in time
stamp (I am not sure yet, still need your confirmation).

Here are the logs:

logs for provisioner on Kubernetes: https://pastebin.com/q9uUFy8d
logs for identity on Kubernetes: https://pastebin.com/jAtr3Mkn
logs for provisioner on demo-server: https://pastebin.com/9t5eadeV
logs for identity on demo-server: https://pastebin.com/eqx26S6b

Thanks,
Courage


On Tue, Aug 21, 2018 at 12:43 PM Myrle Krantz <my...@apache.org> wrote:

> Hi Courage,
>
> Anubis is a library which is included in all of the services.  it uses
> spring security to check the sessionless authentication and
> authorization of users/tenants, and also, as in your case, of system
> calls.
>
> The private key which provisioner uses to sign a token *must* match
> the public key which anubis uses to check the token.  If they don't
> match, then you may not have configured them at all, or you may have
> configured them incorrectly.
>
> So the first thing I would do is check that these properties are set
> in all the services:
> system.publicKey.timestamp
> system.publicKey.modulus
> system.publicKey.exponent
>
> and that these properties are set in the provisioner in addition:
> system.privateKey.module
> system.privateKey.exponent
>
> Unfortunately I can't use your logs to check if you've matched the
> two.  We've deliberately chosen not to output secrets like private
> keys and passwords into the logs.
>
> If you're curious about where to look for the code which does this:
>
> Currently the public and private keys used to check and sign
> (respectively) the system token, are read in via anubis.  This happens
> in the SystemRsaKeyProvider.  You can find the code for reading those
> properties here:
>
> https://github.com/apache/fineract-cn-anubis/blob/develop/library/src/main/java/org/apache/fineract/cn/anubis/provider/SystemRsaKeyProvider.java
>
> The code for reading the private keys exists only in provisioner and
> you can find it here:
>
> https://github.com/apache/fineract-cn-provisioner/blob/develop/service/src/main/java/org/apache/fineract/cn/provisioner/config/SystemProperties.java
>
> I hope that helps you but if it doesn't tell me if there's some other
> way I can help.
>
> Best Regards,
> Myrle
> On Fri, Aug 10, 2018 at 6:38 AM Courage Angeh <co...@gmail.com>
> wrote:
> >
> > Hello,
> >
> > Hope this message reaches you well.
> > I have separate the different microservices and they are running well. I
> am currently running provisioner and identity on GKE. I have gone through
> the process of creating application and tenants via provisioner endpoint.
> Currently, I have initialized just one application, that is identity.
> > I am trying to set identity as the Identity Manager for a tenant with
> identifier, `playground` but I get an error response:
> >
> > `The given identity instance didn't recognize the system token as
> valid.  Perhaps the system keys for the provisioner or for the identity
> manager are misconfigured?`
> >
> > Here are the logs for provision, https://pastebin.com/QyXc4GHH, and
> identity, https://pastebin.com/ermXJPBF
> >
> > I did an update on provisioner to set RSA public and private keys. Here
> is the link to changes made:
> https://github.com/Anh3h/fineract-cn-identity/commit/ef969244af082573230a47cd6923a87d212e84a3
> >
> > I debugged, and I realized the error comes when provisioner tried to
> initialize with identity via an HTTP request But I still don't understand
> why I get the error.
> >
> > I will really appreciate some help.
> >
> > Thanks,
> > Courage
>