Re: System key error when assigning identity manager to tenant
Thanks for the reply, it was really helpful.
I would like to find out if it's a must for the time stamps of all the
microservices to be the same?
Because after debugging I realized the error is thrown from line 71 of this
compares the time stamp to two microservices.
But then, I realized the time stamps of the two microservices are different.
I went back to check the logs for demo-server
and I realized that the timestamps for all the microservices were the same,
so I think I get the error because of the difference in time
stamp (I am not sure yet, still need your confirmation).
Here are the logs:
logs for provisioner on Kubernetes: https://pastebin.com/q9uUFy8d
logs for identity on Kubernetes: https://pastebin.com/jAtr3Mkn
logs for provisioner on demo-server: https://pastebin.com/9t5eadeV
logs for identity on demo-server: https://pastebin.com/eqx26S6b
On Tue, Aug 21, 2018 at 12:43 PM Myrle Krantz <myrle@xxxxxxxxxx> wrote:
> Hi Courage,
> Anubis is a library which is included in all of the services. It uses
> spring security to check the sessionless authentication and
> authorization of users/tenants, and also, as in your case, of system
> The private key which provisioner uses to sign a token *must* match
> the public key which anubis uses to check the token. If they don't
> match, then you may not have configured them at all, or you may have
> configured them incorrectly.
> So the first thing I would do is check that these properties are set
> in all the services:
> and that these properties are set in the provisioner in addition:
> Unfortunately I can't use your logs to check if you've matched the
> two. We've deliberately chosen not to output secrets like private
> keys and passwords into the logs.
> If you're curious about where to look for the code which does this:
> Currently the public and private keys used to check and sign
> (respectively) the system token, are read in via anubis. This happens
> in the SystemRsaKeyProvider. You can find the code for reading those
> properties here:
> The code for reading the private keys exists only in provisioner and
> you can find it here:
> I hope that helps you but if it doesn't tell me if there's some other
> way I can help.
> Best Regards,
> On Fri, Aug 10, 2018 at 6:38 AM Courage Angeh <courageangeh@xxxxxxxxx>
> > Hello,
> > Hope this message reaches you well.
> > I have separated the different microservices and they are running well. I
> > am currently running provisioner and identity on GKE. I have gone through
> > the process of creating application and tenants via provisioner endpoint.
> > Currently, I have initialized just one application, that is identity.
> > I am trying to set identity as the Identity Manager for a tenant with
> > identifier, `playground` but I get an error response:
> > `The given identity instance didn't recognize the system token as
> > valid. Perhaps the system keys for the provisioner or for the identity
> > manager are misconfigured?`
> > Here are the logs for provision, https://pastebin.com/QyXc4GHH, and
> > identity, https://pastebin.com/ermXJPBF
> > I did an update on provisioner to set RSA public and private keys. Here
> > is the link to changes made:
> > I debugged, and I realized the error comes when provisioner tried to
> > initialize with identity via an HTTP request. But I still don't understand
> > why I get the error.
> > I would really appreciate some help.
> > Thanks,
> > Courage
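
The reply above says the private key the provisioner signs with must match the public key the other services verify with, and that secrets are deliberately kept out of the logs. The following is an added example, not code from this thread or from the project: a check that reports whether a configured public key and private key belong to the same RSA key pair without printing any key material. The function names, dictionary keys and both key pairs are constructed for illustration.

```python
"""Added example: do a configured RSA public key and private key match?"""

# Probe values for the sign-then-verify round trip (constructed).
PROBES = (2, 3, 0x1234567, 0xDEADBEEFCAFE)


def make_keypair(p, q, e=65537):
    """Build a constructed RSA key pair from two primes (sample data only)."""
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, Python 3.8+
    return {"modulus": p * q, "public_exponent": e, "private_exponent": d}


def check_key_match(pub_modulus, pub_exponent, priv_modulus, priv_exponent):
    """Return (ok, reason); the reason never contains key material."""
    values = (pub_modulus, pub_exponent, priv_modulus, priv_exponent)
    if not all(values):
        # Covers the "not configured at all" case from the reply.
        return False, "a key property is missing or zero"
    if pub_modulus != priv_modulus:
        return False, "moduli differ: the keys come from different key pairs"
    for m in PROBES:
        m %= pub_modulus
        signature = pow(m, priv_exponent, priv_modulus)   # signer side
        if pow(signature, pub_exponent, pub_modulus) != m:  # verifier side
            return False, "exponents do not form a pair for this modulus"
    return True, "public key verifies what the private key signs"


# Two constructed key pairs built from Mersenne primes; far too small and
# too structured for real use, they only stand in for configured values.
KEY_A = make_keypair(2**61 - 1, 2**89 - 1)
KEY_B = make_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    # Verifier configured with key A, signer configured with key B.
    print(check_key_match(KEY_A["modulus"], KEY_A["public_exponent"],
                          KEY_B["modulus"], KEY_B["private_exponent"]))
```

Run it on the host that holds the private key, feeding in the values each service was actually started with, so the result can be shared without exposing the key.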