Hi Myrle,

Thanks for the reply, it was really helpful.

I would like to find out if it's a must for the timestamps of all the microservices to be the same? Cuz after debugging I realized the error is thrown from line 71 of this file: https://github.com/apache/fineract-cn-anubis/blob/develop/library/src/main/java/org/apache/fineract/cn/anubis/provider/SystemRsaKeyProvider.java. That line compares the timestamps of two microservices. But then, I realized the timestamps of the two microservices are different. I went back to check the logs for demo-server and I realized that the timestamps for all the microservices were the same, so I think I get the error cuz of the difference in timestamp (I am not sure yet, still need your confirmation).

Here are the logs:
logs for provisioner on Kubernetes: https://pastebin.com/q9uUFy8d
logs for identity on Kubernetes: https://pastebin.com/jAtr3Mkn
logs for provisioner on demo-server: https://pastebin.com/9t5eadeV
logs for identity on demo-server: https://pastebin.com/eqx26S6b

Thanks,
Courage

On Tue, Aug 21, 2018 at 12:43 PM Myrle Krantz <[email protected]> wrote:

> Hi Courage,
>
> Anubis is a library which is included in all of the services. It uses
> Spring Security to check the sessionless authentication and
> authorization of users/tenants, and also, as in your case, of system
> calls.
>
> The private key which provisioner uses to sign a token *must* match
> the public key which anubis uses to check the token. If they don't
> match, then you may not have configured them at all, or you may have
> configured them incorrectly.
>
> So the first thing I would do is check that these properties are set
> in all the services:
> system.publicKey.timestamp
> system.publicKey.modulus
> system.publicKey.exponent
>
> and that these properties are set in the provisioner in addition:
> system.privateKey.module
> system.privateKey.exponent
>
> Unfortunately I can't use your logs to check if you've matched the
> two. We've deliberately chosen not to output secrets like private
> keys and passwords into the logs.
>
> If you're curious about where to look for the code which does this:
>
> Currently the public and private keys used to check and sign
> (respectively) the system token, are read in via anubis. This happens
> in the SystemRsaKeyProvider. You can find the code for reading those
> properties here:
>
> https://github.com/apache/fineract-cn-anubis/blob/develop/library/src/main/java/org/apache/fineract/cn/anubis/provider/SystemRsaKeyProvider.java
>
> The code for reading the private keys exists only in provisioner and
> you can find it here:
>
> https://github.com/apache/fineract-cn-provisioner/blob/develop/service/src/main/java/org/apache/fineract/cn/provisioner/config/SystemProperties.java
>
> I hope that helps you, but if it doesn't, tell me if there's some other
> way I can help.
>
> Best Regards,
> Myrle
>
> On Fri, Aug 10, 2018 at 6:38 AM Courage Angeh <[email protected]> wrote:
> >
> > Hello,
> >
> > Hope this message reaches you well.
> > I have separated the different microservices and they are running well. I
> > am currently running provisioner and identity on GKE. I have gone through
> > the process of creating application and tenants via provisioner endpoint.
> > Currently, I have initialized just one application, that is identity.
> > I am trying to set identity as the Identity Manager for a tenant with
> > identifier, `playground` but I get an error response:
> >
> > `The given identity instance didn't recognize the system token as
> > valid. Perhaps the system keys for the provisioner or for the identity
> > manager are misconfigured?`
> >
> > Here are the logs for provisioner, https://pastebin.com/QyXc4GHH, and
> > identity, https://pastebin.com/ermXJPBF
> >
> > I did an update on provisioner to set RSA public and private keys. Here
> > is the link to changes made:
> > https://github.com/Anh3h/fineract-cn-identity/commit/ef969244af082573230a47cd6923a87d212e84a3
> >
> > I debugged, and I realized the error comes when provisioner tried to
> > initialize with identity via an HTTP request. But I still don't understand
> > why I get the error.
> >
> > I would really appreciate some help.
> >
> > Thanks,
> > Courage
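
Added example, not part of the thread or of the Fineract CN code base: a consistency check over the settings Myrle lists, reporting which property is missing or differs between services and whether the provisioner's private key actually pairs with the public key, without ever printing a key value. It assumes each service's settings are available as key=value text with decimal integer values and, as Courage's debugging suggests, that the timestamp has to be identical in every service; `parse_props`, `check_system_keys` and the sample values are constructed for illustration.

```python
# Added example. Property names are copied from Myrle's reply above;
# values are assumed to be decimal integers.
PUB, PRIV = "system.publicKey.", "system.privateKey."


def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_system_keys(services, signer="provisioner"):
    """Return findings (key names only, never values); [] means consistent."""
    findings, ref = [], services[signer]
    for name, props in services.items():
        for field in ("timestamp", "modulus", "exponent"):
            key = PUB + field
            if key not in props:
                findings.append(f"{name}: {key} is not set")
            elif props[key] != ref.get(key):
                findings.append(f"{name}: {key} differs from {signer}")
    missing = [PRIV + f for f in ("module", "exponent") if PRIV + f not in ref]
    findings += [f"{signer}: {key} is not set" for key in missing]
    if not missing and PUB + "modulus" in ref and PUB + "exponent" in ref:
        n, e = int(ref[PUB + "modulus"]), int(ref[PUB + "exponent"])
        n_priv, d = int(ref[PRIV + "module"]), int(ref[PRIV + "exponent"])
        probe = 65  # sign-then-verify round trip on a fixed value below n
        if n != n_priv or pow(pow(probe, d, n_priv), e, n) != probe:
            findings.append(f"{signer}: private key does not match public key")
    return findings


# Constructed sample settings (toy key n=3233, e=17, d=2753; far too small for real use).
PUBLIC = "system.publicKey.modulus=3233\nsystem.publicKey.exponent=17\n"
PROVISIONER = parse_props(
    "system.publicKey.timestamp=2018-01-01T00_00_00\n" + PUBLIC
    + "system.privateKey.module=3233\nsystem.privateKey.exponent=2753\n")
IDENTITY = parse_props("system.publicKey.timestamp=2018-02-02T00_00_00\n" + PUBLIC)

if __name__ == "__main__":
    for finding in check_system_keys({"provisioner": PROVISIONER, "identity": IDENTITY}):
        print(finding)
```

With the constructed settings the only finding is the timestamp difference on identity, the same symptom described at the top of this message.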
