Re: Fineract-CN - Invalid system token - Can't assign identity service to tenant
Hi Micael, Thanks so much for the update. I was only able to catch up with this now. The RSA key provisioning process was updated in the Fineract CN microservices, I updated the script accordingly but I forgot to merge the new updates. I haven't been able to continue work on the code base 'cause I don't have the necessary cloud resources. All that put aside, I would recommend you make the PR to the Mifos code-based, then the code can be migrated to apache. Best Regards, Courage. On Sat, Jul 20, 2019 at 5:19 PM Michael E. wrote: > I could submit a PR once I have it all working, just not sure what repo to > submit to. fineract-cn-containers is still on the Mifos GitHub account when > I was under the impression everything was moved to Apache. > > On Sat, Jul 20, 2019, 11:32 PM Michael Vorburger > wrote: > >> On Sat, 20 Jul 2019, 22:22 Michael E., wrote: >> >>> >>> Hi Awasum, Thanks for your response. Since my original email I have done >>> some more investigation and found the source of the issue, at least in my >>> case. The error in my original email (invalid system token) was appearing >>> when using this docker setup: >>> https://github.com/openMF/fineract-cn-containers . I also found a more >>> recent version of this setup which uses a different module to generate the >>> RSA keypair: >>> https://github.com/Anh3h/fineract-cn-containers/tree/develop . >>> Unfortunately this version didn't work either. >>> >>> I investigated the source of the error and found that it occured when >>> assigning the identity service to a tenant through the provisioner. During >>> this process the provisioner calls the /initialize endpoint of identity, >>> which is authenticated by a system key (issued by provisioner). The issue >>> was identity wouldn't accept this key. >>> >>> The key was not accepted because the docker image for the provisioner >>> used in fineract-cn-containers, anh3h/fineract-cn-provisioner, is a >>> modified version of provisioner that generates it's own RSA keypair, >>> instead of using the one provided by environment vairables. The differing >>> keys caused identity to not accept the system token created by provisioner. >>> I'm not sure exaclty why this image was used. I built a new image which >>> runs the latest provisioner from artifactory, and the provisioning process >>> was able to continue. There are a few more issues with the provisioning >>> script in fineract-cn-containers, which I was able to fix. I am currently >>> in the process of creating a new docker-compose configuration, which I >>> might be able to share if anyone is interested. >>> >> >> I'm sure PRs for this would be welcome! >> >> As for the demo server, I didn't investigate the issue I was having with >>> it much further, I find a docker configuration much easier to run, >>> particularly when I can't run the demo server locally anyway since my >>> computer lacks the resources to do so. >>> >>> If anyone has any questions about this let me know, I spent almost a >>> week trying to get this to work so I'd like to make sure nobody else has to >>> repeat my work. >>> >> >> Again, IMHO the best, because it's the most "durable" (much more than >> e.g. emails), is PRs which improve scripts, README etc. >> >> Michael. >>> >>> On Fri, Jul 19, 2019 at 9:42 PM Awasum Yannick >>> wrote: >>> On Mon, Jul 15, 2019 at 11:58 PM Michael E. wrote: > Hello, > > Over the past few days I've been trying to setup a Fineract-CN > instance I can test with. Since my machine doesn't have enough RAM I tried > deploying in Google Cloud Compute. > > Initially I followed this tutorial: > > https://cwiki.apache.org/confluence/display/FINERACT/How+To+Build+Apache+Fineract+CN > > > I got through everything and got demo-server working, but only in > lite-mode. Since I wanted to try out the rest of the services I tried > running the full version. After making sure I had enough RAM I tried the > full version and kept running into failures during provisioning. I think I > have it narrowed down to this error: > Can you provide your full logs. > > 12:19:29.115 [qtp1825419935-15] INFO > o.a.f.c.l.c.ServiceExceptionFilter - Responding with a service error > ServiceError{code=409, message='The given identity instance didnt > recognize > the system token as valid. Perhaps the system keys for the provisioner or > for the identity manager are misconfigured?'} > 12:20:29.192 [qtp1825419935-16] WARN provisioner-logger - The given > identity instance didn't recognize the system token as valid. > org.apache.fineract.cn.api.util.InvalidTokenException: > {"timestamp":1563193229188,"status":403,"error":"Forbidden","message":"Access > Denied","path":"/identity/v1/initialize"} > Is everyone facing this error? I dont know whats goint wrong here? let me run and see whats the problem >
Re: Fineract-CN - Invalid system token - Can't assign identity service to tenant
I could submit a PR once I have it all working, just not sure what repo to submit to. fineract-cn-containers is still on the Mifos GitHub account when I was under the impression everything was moved to Apache. On Sat, Jul 20, 2019, 11:32 PM Michael Vorburger wrote: > On Sat, 20 Jul 2019, 22:22 Michael E., wrote: > >> >> Hi Awasum, Thanks for your response. Since my original email I have done >> some more investigation and found the source of the issue, at least in my >> case. The error in my original email (invalid system token) was appearing >> when using this docker setup: >> https://github.com/openMF/fineract-cn-containers . I also found a more >> recent version of this setup which uses a different module to generate the >> RSA keypair: >> https://github.com/Anh3h/fineract-cn-containers/tree/develop . >> Unfortunately this version didn't work either. >> >> I investigated the source of the error and found that it occured when >> assigning the identity service to a tenant through the provisioner. During >> this process the provisioner calls the /initialize endpoint of identity, >> which is authenticated by a system key (issued by provisioner). The issue >> was identity wouldn't accept this key. >> >> The key was not accepted because the docker image for the provisioner >> used in fineract-cn-containers, anh3h/fineract-cn-provisioner, is a >> modified version of provisioner that generates it's own RSA keypair, >> instead of using the one provided by environment vairables. The differing >> keys caused identity to not accept the system token created by provisioner. >> I'm not sure exaclty why this image was used. I built a new image which >> runs the latest provisioner from artifactory, and the provisioning process >> was able to continue. There are a few more issues with the provisioning >> script in fineract-cn-containers, which I was able to fix. I am currently >> in the process of creating a new docker-compose configuration, which I >> might be able to share if anyone is interested. >> > > I'm sure PRs for this would be welcome! > > As for the demo server, I didn't investigate the issue I was having with >> it much further, I find a docker configuration much easier to run, >> particularly when I can't run the demo server locally anyway since my >> computer lacks the resources to do so. >> >> If anyone has any questions about this let me know, I spent almost a week >> trying to get this to work so I'd like to make sure nobody else has to >> repeat my work. >> > > Again, IMHO the best, because it's the most "durable" (much more than e.g. > emails), is PRs which improve scripts, README etc. > > Michael. >> >> On Fri, Jul 19, 2019 at 9:42 PM Awasum Yannick wrote: >> >>> >>> >>> On Mon, Jul 15, 2019 at 11:58 PM Michael E. >>> wrote: >>> Hello, Over the past few days I've been trying to setup a Fineract-CN instance I can test with. Since my machine doesn't have enough RAM I tried deploying in Google Cloud Compute. Initially I followed this tutorial: https://cwiki.apache.org/confluence/display/FINERACT/How+To+Build+Apache+Fineract+CN I got through everything and got demo-server working, but only in lite-mode. Since I wanted to try out the rest of the services I tried running the full version. After making sure I had enough RAM I tried the full version and kept running into failures during provisioning. I think I have it narrowed down to this error: >>> >>> Can you provide your full logs. >>> 12:19:29.115 [qtp1825419935-15] INFO o.a.f.c.l.c.ServiceExceptionFilter - Responding with a service error ServiceError{code=409, message='The given identity instance didnt recognize the system token as valid. Perhaps the system keys for the provisioner or for the identity manager are misconfigured?'} 12:20:29.192 [qtp1825419935-16] WARN provisioner-logger - The given identity instance didn't recognize the system token as valid. org.apache.fineract.cn.api.util.InvalidTokenException: {"timestamp":1563193229188,"status":403,"error":"Forbidden","message":"Access Denied","path":"/identity/v1/initialize"} >>> >>> Is everyone facing this error? I dont know whats goint wrong here? let >>> me run and see whats the problem >>> Since I couldn't figure out how to fix it, I decided to try running using this docker-compose setup: https://github.com/openMF/fineract-cn-containers Unfortunately, during provisioning the exact same failure occurs. I tried provisioning using the supplied script and manually sending the requests via postman with a configuration I found here: https://github.com/senacor/fineract-setup/tree/master/scripts/postman As far as I can tell, the error occurs when assigning an identity service to the new tenant, but I may be wrong as I just got into this project and don't really understand the
Re: Fineract-CN - Invalid system token - Can't assign identity service to tenant
On Sat, 20 Jul 2019, 22:22 Michael E., wrote: > > Hi Awasum, Thanks for your response. Since my original email I have done > some more investigation and found the source of the issue, at least in my > case. The error in my original email (invalid system token) was appearing > when using this docker setup: > https://github.com/openMF/fineract-cn-containers . I also found a more > recent version of this setup which uses a different module to generate the > RSA keypair: https://github.com/Anh3h/fineract-cn-containers/tree/develop . > Unfortunately this version didn't work either. > > I investigated the source of the error and found that it occured when > assigning the identity service to a tenant through the provisioner. During > this process the provisioner calls the /initialize endpoint of identity, > which is authenticated by a system key (issued by provisioner). The issue > was identity wouldn't accept this key. > > The key was not accepted because the docker image for the provisioner used > in fineract-cn-containers, anh3h/fineract-cn-provisioner, is a modified > version of provisioner that generates it's own RSA keypair, instead of > using the one provided by environment vairables. The differing keys caused > identity to not accept the system token created by provisioner. I'm not > sure exaclty why this image was used. I built a new image which runs the > latest provisioner from artifactory, and the provisioning process was able > to continue. There are a few more issues with the provisioning script in > fineract-cn-containers, which I was able to fix. I am currently in the > process of creating a new docker-compose configuration, which I might be > able to share if anyone is interested. > I'm sure PRs for this would be welcome! As for the demo server, I didn't investigate the issue I was having with it > much further, I find a docker configuration much easier to run, > particularly when I can't run the demo server locally anyway since my > computer lacks the resources to do so. > > If anyone has any questions about this let me know, I spent almost a week > trying to get this to work so I'd like to make sure nobody else has to > repeat my work. > Again, IMHO the best, because it's the most "durable" (much more than e.g. emails), is PRs which improve scripts, README etc. Michael. > > On Fri, Jul 19, 2019 at 9:42 PM Awasum Yannick wrote: > >> >> >> On Mon, Jul 15, 2019 at 11:58 PM Michael E. >> wrote: >> >>> Hello, >>> >>> Over the past few days I've been trying to setup a Fineract-CN instance >>> I can test with. Since my machine doesn't have enough RAM I tried deploying >>> in Google Cloud Compute. >>> >>> Initially I followed this tutorial: >>> >>> https://cwiki.apache.org/confluence/display/FINERACT/How+To+Build+Apache+Fineract+CN >>> >>> >>> I got through everything and got demo-server working, but only in >>> lite-mode. Since I wanted to try out the rest of the services I tried >>> running the full version. After making sure I had enough RAM I tried the >>> full version and kept running into failures during provisioning. I think I >>> have it narrowed down to this error: >>> >> >> Can you provide your full logs. >> >>> >>> 12:19:29.115 [qtp1825419935-15] INFO o.a.f.c.l.c.ServiceExceptionFilter >>> - Responding with a service error ServiceError{code=409, message='The given >>> identity instance didnt recognize the system token as valid. Perhaps the >>> system keys for the provisioner or for the identity manager are >>> misconfigured?'} >>> 12:20:29.192 [qtp1825419935-16] WARN provisioner-logger - The given >>> identity instance didn't recognize the system token as valid. >>> org.apache.fineract.cn.api.util.InvalidTokenException: >>> {"timestamp":1563193229188,"status":403,"error":"Forbidden","message":"Access >>> Denied","path":"/identity/v1/initialize"} >>> >> >> Is everyone facing this error? I dont know whats goint wrong here? let me >> run and see whats the problem >> >>> >>> Since I couldn't figure out how to fix it, I decided to try running >>> using this docker-compose setup: >>> https://github.com/openMF/fineract-cn-containers >>> >>> Unfortunately, during provisioning the exact same failure occurs. I >>> tried provisioning using the supplied script and manually sending the >>> requests via postman with a configuration I found here: >>> https://github.com/senacor/fineract-setup/tree/master/scripts/postman >>> >>> As far as I can tell, the error occurs when assigning an identity >>> service to the new tenant, but I may be wrong as I just got into this >>> project and don't really understand the provisioning process. >>> >>> I did find two previous threads discussing this issue but none of them >>> seem to reach a solution: >>> >>> https://lists.apache.org/thread.html/c89909c56c4b8e500a6802d0601b0dd0f868a64a73e609c7071d3812@%3Cdev.fineract.apache.org%3E >>> >>> >>>
Re: Fineract-CN - Invalid system token - Can't assign identity service to tenant
Hi Awasum, Thanks for your response. Since my original email I have done some more investigation and found the source of the issue, at least in my case. The error in my original email (invalid system token) was appearing when using this docker setup: https://github.com/openMF/fineract-cn-containers . I also found a more recent version of this setup which uses a different module to generate the RSA keypair: https://github.com/Anh3h/fineract-cn-containers/tree/develop . Unfortunately this version didn't work either. I investigated the source of the error and found that it occured when assigning the identity service to a tenant through the provisioner. During this process the provisioner calls the /initialize endpoint of identity, which is authenticated by a system key (issued by provisioner). The issue was identity wouldn't accept this key. The key was not accepted because the docker image for the provisioner used in fineract-cn-containers, anh3h/fineract-cn-provisioner, is a modified version of provisioner that generates it's own RSA keypair, instead of using the one provided by environment vairables. The differing keys caused identity to not accept the system token created by provisioner. I'm not sure exaclty why this image was used. I built a new image which runs the latest provisioner from artifactory, and the provisioning process was able to continue. There are a few more issues with the provisioning script in fineract-cn-containers, which I was able to fix. I am currently in the process of creating a new docker-compose configuration, which I might be able to share if anyone is interested. As for the demo server, I didn't investigate the issue I was having with it much further, I find a docker configuration much easier to run, particularly when I can't run the demo server locally anyway since my computer lacks the resources to do so. If anyone has any questions about this let me know, I spent almost a week trying to get this to work so I'd like to make sure nobody else has to repeat my work. Michael. On Fri, Jul 19, 2019 at 9:42 PM Awasum Yannick wrote: > > > On Mon, Jul 15, 2019 at 11:58 PM Michael E. > wrote: > >> Hello, >> >> Over the past few days I've been trying to setup a Fineract-CN instance I >> can test with. Since my machine doesn't have enough RAM I tried deploying >> in Google Cloud Compute. >> >> Initially I followed this tutorial: >> >> https://cwiki.apache.org/confluence/display/FINERACT/How+To+Build+Apache+Fineract+CN >> >> >> I got through everything and got demo-server working, but only in >> lite-mode. Since I wanted to try out the rest of the services I tried >> running the full version. After making sure I had enough RAM I tried the >> full version and kept running into failures during provisioning. I think I >> have it narrowed down to this error: >> > > Can you provide your full logs. > >> >> 12:19:29.115 [qtp1825419935-15] INFO o.a.f.c.l.c.ServiceExceptionFilter >> - Responding with a service error ServiceError{code=409, message='The given >> identity instance didnt recognize the system token as valid. Perhaps the >> system keys for the provisioner or for the identity manager are >> misconfigured?'} >> 12:20:29.192 [qtp1825419935-16] WARN provisioner-logger - The given >> identity instance didn't recognize the system token as valid. >> org.apache.fineract.cn.api.util.InvalidTokenException: >> {"timestamp":1563193229188,"status":403,"error":"Forbidden","message":"Access >> Denied","path":"/identity/v1/initialize"} >> > > Is everyone facing this error? I dont know whats goint wrong here? let me > run and see whats the problem > >> >> Since I couldn't figure out how to fix it, I decided to try running using >> this docker-compose setup: >> https://github.com/openMF/fineract-cn-containers >> >> Unfortunately, during provisioning the exact same failure occurs. I tried >> provisioning using the supplied script and manually sending the requests >> via postman with a configuration I found here: >> https://github.com/senacor/fineract-setup/tree/master/scripts/postman >> >> As far as I can tell, the error occurs when assigning an identity service >> to the new tenant, but I may be wrong as I just got into this project and >> don't really understand the provisioning process. >> >> I did find two previous threads discussing this issue but none of them >> seem to reach a solution: >> >> https://lists.apache.org/thread.html/c89909c56c4b8e500a6802d0601b0dd0f868a64a73e609c7071d3812@%3Cdev.fineract.apache.org%3E >> >> >> https://lists.apache.org/thread.html/c726cd1161e61096c65bc51a5afd5db18f1b4e60c6dcc3e8b2fb9c3a@%3Cdev.fineract.apache.org%3E >> >> >> Any help would be greatly appreciated. >> Michael. >> > -- מיכאל אלגאוי michael elgavi
Re: Fineract-CN - Invalid system token - Can't assign identity service to tenant
On Mon, Jul 15, 2019 at 11:58 PM Michael E. wrote: > Hello, > > Over the past few days I've been trying to setup a Fineract-CN instance I > can test with. Since my machine doesn't have enough RAM I tried deploying > in Google Cloud Compute. > > Initially I followed this tutorial: > > https://cwiki.apache.org/confluence/display/FINERACT/How+To+Build+Apache+Fineract+CN > > > I got through everything and got demo-server working, but only in > lite-mode. Since I wanted to try out the rest of the services I tried > running the full version. After making sure I had enough RAM I tried the > full version and kept running into failures during provisioning. I think I > have it narrowed down to this error: > Can you provide your full logs. > > 12:19:29.115 [qtp1825419935-15] INFO o.a.f.c.l.c.ServiceExceptionFilter - > Responding with a service error ServiceError{code=409, message='The given > identity instance didnt recognize the system token as valid. Perhaps the > system keys for the provisioner or for the identity manager are > misconfigured?'} > 12:20:29.192 [qtp1825419935-16] WARN provisioner-logger - The given > identity instance didn't recognize the system token as valid. > org.apache.fineract.cn.api.util.InvalidTokenException: > {"timestamp":1563193229188,"status":403,"error":"Forbidden","message":"Access > Denied","path":"/identity/v1/initialize"} > Is everyone facing this error? I dont know whats goint wrong here? let me run and see whats the problem > > Since I couldn't figure out how to fix it, I decided to try running using > this docker-compose setup: > https://github.com/openMF/fineract-cn-containers > > Unfortunately, during provisioning the exact same failure occurs. I tried > provisioning using the supplied script and manually sending the requests > via postman with a configuration I found here: > https://github.com/senacor/fineract-setup/tree/master/scripts/postman > > As far as I can tell, the error occurs when assigning an identity service > to the new tenant, but I may be wrong as I just got into this project and > don't really understand the provisioning process. > > I did find two previous threads discussing this issue but none of them > seem to reach a solution: > > https://lists.apache.org/thread.html/c89909c56c4b8e500a6802d0601b0dd0f868a64a73e609c7071d3812@%3Cdev.fineract.apache.org%3E > > > https://lists.apache.org/thread.html/c726cd1161e61096c65bc51a5afd5db18f1b4e60c6dcc3e8b2fb9c3a@%3Cdev.fineract.apache.org%3E > > > Any help would be greatly appreciated. > Michael. >
Fineract-CN - Invalid system token - Can't assign identity service to tenant
Hello, Over the past few days I've been trying to setup a Fineract-CN instance I can test with. Since my machine doesn't have enough RAM I tried deploying in Google Cloud Compute. Initially I followed this tutorial: https://cwiki.apache.org/confluence/display/FINERACT/How+To+Build+Apache+Fineract+CN I got through everything and got demo-server working, but only in lite-mode. Since I wanted to try out the rest of the services I tried running the full version. After making sure I had enough RAM I tried the full version and kept running into failures during provisioning. I think I have it narrowed down to this error: 12:19:29.115 [qtp1825419935-15] INFO o.a.f.c.l.c.ServiceExceptionFilter - Responding with a service error ServiceError{code=409, message='The given identity instance didnt recognize the system token as valid. Perhaps the system keys for the provisioner or for the identity manager are misconfigured?'} 12:20:29.192 [qtp1825419935-16] WARN provisioner-logger - The given identity instance didn't recognize the system token as valid. org.apache.fineract.cn.api.util.InvalidTokenException: {"timestamp":1563193229188,"status":403,"error":"Forbidden","message":"Access Denied","path":"/identity/v1/initialize"} Since I couldn't figure out how to fix it, I decided to try running using this docker-compose setup: https://github.com/openMF/fineract-cn-containers Unfortunately, during provisioning the exact same failure occurs. I tried provisioning using the supplied script and manually sending the requests via postman with a configuration I found here: https://github.com/senacor/fineract-setup/tree/master/scripts/postman As far as I can tell, the error occurs when assigning an identity service to the new tenant, but I may be wrong as I just got into this project and don't really understand the provisioning process. I did find two previous threads discussing this issue but none of them seem to reach a solution: https://lists.apache.org/thread.html/c89909c56c4b8e500a6802d0601b0dd0f868a64a73e609c7071d3812@%3Cdev.fineract.apache.org%3E https://lists.apache.org/thread.html/c726cd1161e61096c65bc51a5afd5db18f1b4e60c6dcc3e8b2fb9c3a@%3Cdev.fineract.apache.org%3E Any help would be greatly appreciated. Michael.