SSO configuration looks good.

Can you please share any additional httpd configuration in
/etc/httpd/conf.d. Anything to do with LocationMatch for ovirt-engine urls.

On Fri, Oct 14, 2016 at 12:52 PM, Yaniv Kaul <yk...@redhat.com> wrote:

>
>
> On Fri, Oct 14, 2016 at 3:50 PM, Ravi Nori <rn...@redhat.com> wrote:
>
>> Hi Yaniv,
>>
>> Can you check the output of https:://<engine>/ovirt-engine/sso/status in
>> your browser and see if the SSO service is active.
>>
>> If SSO is deployed, you should see an output similar to the one below.
>> Also are you able to login to webadmin using the browser?
>>
>
> I am able to login using the webui.
>
>
>>
>> {"status_description":"SSO Webapp Deployed","version":"0","statu
>> s":"active"}
>>
>
> Indeed:
> {"status_description":"SSO Webapp Deployed","version":"0","
> status":"active"}
>
> (not sure what 'version 0' means?)
>
>
>>
>> Please share the content of /etc/ovirt-engine/engine.conf.
>> d/11-setup-sso.conf
>>
>
> [root@lago-basic-suite-master-engine ~]# cat
> /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
> ENGINE_SSO_CLIENT_ID="ovirt-engine-core"
> ENGINE_SSO_CLIENT_SECRET="bsOabtD7gE2McwLe80P109UV800XLx4O"
> ENGINE_SSO_AUTH_URL="https://${ENGINE_FQDN}:443/ovirt-engine/sso";
> ENGINE_SSO_SERVICE_URL="https://localhost:443/ovirt-engine/sso";
> ENGINE_SSO_SERVICE_SSL_VERIFY_HOST=false
> ENGINE_SSO_SERVICE_SSL_VERIFY_CHAIN=true
> SSO_ALTERNATE_ENGINE_FQDNS=""
> SSO_ENGINE_URL="https://${ENGINE_FQDN}:443/ovirt-engine/";
>
>
> Thanks,
> Y.
>
>
>
>>
>> Thanks
>>
>> Ravi
>>
>>
>>
>>
>>
>> On Fri, Oct 14, 2016 at 7:57 AM, Juan Hernández <jhern...@redhat.com>
>> wrote:
>>
>>> On 10/14/2016 01:45 PM, Yaniv Kaul wrote:
>>> >
>>> >
>>> > On Thu, Oct 13, 2016 at 11:13 AM, Juan Hernández <jhern...@redhat.com
>>> > <mailto:jhern...@redhat.com>> wrote:
>>> >
>>> >     On 10/13/2016 12:04 AM, Yaniv Kaul wrote:
>>> >     > On Fri, Oct 7, 2016 at 10:44 PM, Yaniv Kaul <yk...@redhat.com
>>> <mailto:yk...@redhat.com>
>>> >     > <mailto:yk...@redhat.com <mailto:yk...@redhat.com>>> wrote:
>>> >     >
>>> >     >     I'm trying on FC24, using
>>> >     >
>>> >      python-ovirt-engine-sdk4-4.1.0-0.0.20161003git056315d.fc24.x86_64
>>> to
>>> >     >     add a DC, and failing - against master. The client is
>>> unhappy:
>>> >     >     File
>>> >     >
>>> >      "/home/ykaul/ovirt-system-tests/basic-suite-master/test-scen
>>> arios/002_bootstrap.py",
>>> >     >     line 98, in add_dc4
>>> >     >         version=sdk4.types.Version(ma
>>> jor=DC_VER_MAJ,minor=DC_VER_MIN),
>>> >     >       File "/usr/lib64/python2.7/site-pac
>>> kages/ovirtsdk4/services.py",
>>> >     >     line 4347, in add
>>> >     >         response = self._connection.send(request)
>>> >     >       File "/usr/lib64/python2.7/site-pac
>>> kages/ovirtsdk4/__init__.py",
>>> >     >     line 276, in send
>>> >     >         return self.__send(request)
>>> >     >       File "/usr/lib64/python2.7/site-pac
>>> kages/ovirtsdk4/__init__.py",
>>> >     >     line 298, in __send
>>> >     >         self._sso_token = self._get_access_token()
>>> >     >       File "/usr/lib64/python2.7/site-pac
>>> kages/ovirtsdk4/__init__.py",
>>> >     >     line 460, in _get_access_token
>>> >     >         sso_response = self._get_sso_response(self._sso_url,
>>> >     post_data)
>>> >     >       File "/usr/lib64/python2.7/site-pac
>>> kages/ovirtsdk4/__init__.py",
>>> >     >     line 498, in _get_sso_response
>>> >     >         return json.loads(body_buf.getvalue().decode('utf-8'))
>>> >     >       File "/usr/lib64/python2.7/json/__init__.py", line 339,
>>> in loads
>>> >     >         return _default_decoder.decode(s)
>>> >     >       File "/usr/lib64/python2.7/json/decoder.py", line 364, in
>>> decode
>>> >     >         obj, end = self.raw_decode(s, idx=_w(s, 0).end())
>>> >     >       File "/usr/lib64/python2.7/json/decoder.py", line 382, in
>>> >     raw_decode
>>> >     >         raise ValueError("No JSON object could be decoded")
>>> >     >     ValueError: No JSON object could be decoded
>>> >     >
>>> >     >
>>> >     >     Surprisingly, I now can't find that RPM of this SDK in
>>> >     >     resources.ovirt.org <http://resources.ovirt.org>
>>> >     <http://resources.ovirt.org> now.
>>> >     >
>>> >     >     I've tried
>>> >     >     with
>>> >     http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc
>>> 24/x86_64/python-ovirt-engine-sdk4-4.0.0-0.1.20161004gitf94e
>>> eb5.fc24.x86_64.rpm
>>> >     <http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/f
>>> c24/x86_64/python-ovirt-engine-sdk4-4.0.0-0.1.20161004gitf94
>>> eeb5.fc24.x86_64.rpm>
>>> >     >
>>> >      <http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/fc
>>> 24/x86_64/python-ovirt-engine-sdk4-4.0.0-0.1.20161004gitf94e
>>> eb5.fc24.x86_64.rpm
>>> >     <http://resources.ovirt.org/pub/ovirt-master-snapshot/rpm/f
>>> c24/x86_64/python-ovirt-engine-sdk4-4.0.0-0.1.20161004gitf94
>>> eeb5.fc24.x86_64.rpm>>
>>> >     >
>>> >     >     - same result.
>>> >     >
>>> >     >     Did not see anything obvious on server or engine logs.
>>> >     >     The code:
>>> >     >     def add_dc4(api):
>>> >     >         nt.assert_true(api != None)
>>> >     >         dcs_service = api.system_service().data_cent
>>> ers_service()
>>> >     >         nt.assert_true(
>>> >     >             dc = dcs_service.add(
>>> >     >                 sdk4.types.DataCenter(
>>> >     >                     name=DC_NAME4,
>>> >     >                     description='APIv4 DC',
>>> >     >                     local=False,
>>> >     >
>>> >     >     version=sdk4.types.Version(major=DC_VER_MAJ,minor=DC_VER_MI
>>> N),
>>> >     >                 ),
>>> >     >             )
>>> >     >         )
>>> >     >
>>> >     >
>>> >     >     And the api object is from:
>>> >     >                 return sdk4.Connection(
>>> >     >                     url=url,
>>> >     >                     username=constants.ENGINE_USER,
>>> >     >
>>> >      password=str(self.metadata['ovirt-engine-password']),
>>> >     >                     insecure=True,
>>> >     >                     debug=True,
>>> >     >                 )
>>> >     >
>>> >     >
>>> >     > The clue is actually on the HTTPd logs:
>>> >     > 192.168.203.1 - - [12/Oct/2016:17:56:27 -0400] "POST
>>> >     > /ovirt-engine/sso/oauth/token HTTP/1.1" 404 74
>>> >     >
>>> >     > And indeed, from the deubg log:
>>> >     > begin captured logging << --------------------\n
>>> >     > root: DEBUG: Trying 192.168.203.3...\n
>>> >     > root: DEBUG: Connected to 192.168.203.3 (192.168.203.3) port 443
>>> >     (#0)\n
>>> >     > root: DEBUG: Initializing NSS with certpath: sql:/etc/pki/nssdb\n
>>> >     > root: DEBUG: skipping SSL peer certificate verification\n
>>> >     > root: DEBUG: ALPN/NPN, server did not agree to a protocol\n
>>> >     > root: DEBUG: SSL connection using
>>> >     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n
>>> >     > root: DEBUG: Server certificate:\n
>>> >     > root: DEBUG: subject: CN=engine,O=Test,C=US\n
>>> >     > root: DEBUG: start date: Oct 11 21:55:29 2016 GMT\n
>>> >     > root: DEBUG: expire date: Sep 16 21:55:29 2021 GMT\n
>>> >     > root: DEBUG: common name: engine\nroot: DEBUG: issuer:
>>> >     > CN=engine.38998,O=Test,C=US\n
>>> >     > *root: DEBUG: POST /ovirt-engine/sso/oauth/token HTTP/1.1\n*
>>> >     > *root: DEBUG: Host: 192.168.203.3\n*
>>> >     > *root: DEBUG: User-Agent: PythonSDK/4.1.0a0\n*
>>> >     > *root: DEBUG: Accept: application/json\n*
>>> >     > *root: DEBUG: Content-Length: 78\n*
>>> >     > *root: DEBUG: Content-Type: application/x-www-form-urlenco
>>> ded\nroot:
>>> >     > DEBUG:
>>> >     >
>>> >     username=admin%40internal&scope=ovirt-app-api&password=123&
>>> grant_type=password\n*
>>> >     > *root: DEBUG: upload completely sent off: 78 out of 78 bytes\n*
>>> >     > *root: DEBUG: HTTP/1.1 404 Not Found\n*
>>> >     > *root: DEBUG: Date: Wed, 12 Oct 2016 21:56:27 GMT\n*
>>> >     > *root: DEBUG: Server: Apache/2.4.6 (CentOS)
>>> OpenSSL/1.0.1e-fips\n*
>>> >     > *root: DEBUG: Content-Length: 74\n*
>>> >     > *root: DEBUG: Content-Type: text/html; charset=UTF-8\n*
>>> >     > *root: DEBUG: \n*
>>> >     > *root: DEBUG: <html><head><title>Error</title></head><body>404
>>> - Not
>>> >     > Found</body></html>\n*
>>> >     > root: DEBUG: Connection #0 to host 192.168.203.3 left intact\n
>>> >     > --------------------- >> end captured logging
>>> >     >
>>> >
>>> >     That definitively looks like version 3 of the engine. Either that
>>> or
>>> >     version 4 of the engine with web server configuration modified so
>>> that
>>> >     the SSO doesn't work as expected.
>>> >
>>> >     What do you get if you run this against that server?
>>> >
>>> >
>>> > Attached.
>>> > Y.
>>> >
>>>
>>> OK, that is version 4.1 of the engine, so next question is why the SSO
>>> service is not responding. Do you see any message in
>>> /var/log/ovirt-engine/server.log about "enginesso.war" not being
>>> deployed? Did you do any modification to the
>>> /etc/httpd/conf.d/z-ovirt-engine.conf file?
>>>
>>> Ravi, Martin, any idea of why the SSO service may not be working?
>>>
>>> >
>>> >
>>> >       curl \
>>> >       --verbose \
>>> >       --insecure \
>>> >       --request GET \
>>> >       --user "admin@internal:yourpassword" \
>>> >       --header "Version: 4" \
>>> >       --header "Accept: application/xml" \
>>> >       "https://thatserver/ovirt-engine/api
>>> >     <https://thatserver/ovirt-engine/api>"
>>> >
>>>
>>>
>>> --
>>> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
>>> 3ºD, 28016 Madrid, Spain
>>> Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.
>>>
>>
>>
>
_______________________________________________
Devel mailing list
Devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel

Reply via email to