aaa-cert-rpc 503 Service Unavailable


Ignacio Dominguez Martinez-Casanueva <i.dominguezm@...>
 

Hello,

I'm testing the AAA project for Carbon SR2 (opendaylight-6.2.0-1.el7.rpm). I was working on the Certificate Management System in order to enable TLS/SSL for both RESTconf and OVS/OF communications; however, I spotted some strange behavior in this system.

After a fresh new installation of ODL, the "odl-aaa-cert" module should come installed by default according to this guide http://docs.opendaylight.org/en/stable-carbon/user-guide/authentication-and-authorization-services.html#id4. Indeed, this module is already installed, but it seems the RPC mechanism is not available. When I try to retrieve ODL's certificate through /restconf/operations/aaa-cert-rpc:getODLCertificate I'm getting a 503 Service Unavailable response.

I also found that the ctl.jks and truststore.jks files are not created under the configuration/ssl/ folder after installing ODL. Is this behavior expected?

Thanks a lot for your help,


Best regards,

Ignacio.


Mohamed ElSerngawy
 

Hi Ignacio,

Did you change <use-config> to true? The aaa-cert service config file is under etc/opendaylight/datastore/initial/config/aaa-cert-config.xml

BR 

_______________________________________________
aaa-dev mailing list
aaa-dev@...
https://lists.opendaylight.org/mailman/listinfo/aaa-dev



Ignacio Dominguez Martinez-Casanueva <i.dominguezm@...>
 

Hi Mohamed,

Yes, I changed it and now the first lines look as follows:

  ...
  <use-config>true</use-config>
  <use-mdsal>false</use-mdsal>
  ...

I have seen that after changing the <use-config> option to true, and restarting the opendaylight service, the two .jks files were created under configuration/ssl/. However, the issue with the RPC mechanism remains. Still getting 503 Unavailable.

Thanks in advance,


Best regards,

Ignacio.
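Added example, not part of the original thread or of OpenDaylight's own code: a local check of the state described in the message above, reading the two flags from aaa-cert-config.xml and confirming that both keystores exist and are not world-readable. Treating both relative paths as rooted in one install directory, the permission check, and the sample file's root element are assumptions of this example.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Paths as quoted in the thread; resolving them under one install dir is assumed.
CONFIG = "etc/opendaylight/datastore/initial/config/aaa-cert-config.xml"
SSL_DIR = "configuration/ssl"
KEYSTORES = ("ctl.jks", "truststore.jks")

def read_flags(config_path):
    """Return the <use-config>/<use-mdsal> values as booleans (None if absent)."""
    flags = {"use-config": None, "use-mdsal": None}
    for elem in ET.parse(config_path).iter():
        name = elem.tag.rsplit("}", 1)[-1]  # ignore any XML namespace
        if name in flags and flags[name] is None:
            flags[name] = (elem.text or "").strip().lower() == "true"
    return flags

def check_install(odl_home):
    """List findings for the aaa-cert setup under odl_home (empty list = OK)."""
    home = Path(odl_home)
    cfg = home / CONFIG
    if not cfg.is_file():
        return [f"config file not found: {CONFIG}"]
    if read_flags(cfg)["use-config"] is not True:
        return ["<use-config> is not true"]
    findings = []
    for name in KEYSTORES:
        ks = home / SSL_DIR / name
        if not ks.is_file():
            findings.append(f"{name} missing under {SSL_DIR}/")
        elif ks.stat().st_mode & 0o004:  # key material readable by any user
            findings.append(f"{name} is world-readable")
    return findings

def demo():
    """Check a constructed install tree: flag set, only ctl.jks present."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / CONFIG).parent.mkdir(parents=True)
        # Constructed sample file; the root element name is a placeholder.
        (home / CONFIG).write_text("<sample-root><use-config>true</use-config>"
                                   "<use-mdsal>false</use-mdsal></sample-root>")
        (home / SSL_DIR).mkdir(parents=True)
        (home / SSL_DIR / "ctl.jks").write_bytes(b"constructed")
        (home / SSL_DIR / "ctl.jks").chmod(0o600)
        return check_install(home)

if __name__ == "__main__":
    print(demo())
```

An empty list from `check_install` only confirms the configuration and keystore files on disk; it says nothing about whether the RESTCONF RPC responds.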









Mohamed ElSerngawy
 

Hi,

Can you provide the karaf logs? Did you see any error messages?

BR






Ignacio Dominguez Martinez-Casanueva <i.dominguezm@...>
 

Hi,

I configured full logging for AAA:

log:set TRACE org.opendaylight.aaa

When I send the REST request to /restconf/operations/aaa-cert-rpc:getNodeCertifcate, karaf.log just shows the following lines:

2018-01-18 15:55:02,603 | DEBUG | tp2130490805-969 | TokenAuthRealm                   | 261 - org.opendaylight.aaa.shiro - 0.5.2.Carbon | Authentication attempt using org.opendaylight.aaa.basic.HttpBasicAuth
2018-01-18 15:55:02,603 | DEBUG | tp2130490805-969 | TokenAuthRealm                   | 261 - org.opendaylight.aaa.shiro - 0.5.2.Carbon | Authentication attempt successful
2018-01-18 15:55:02,604 | DEBUG | tp2130490805-969 | AuthenticationListener           | 261 - org.opendaylight.aaa.shiro - 0.5.2.Carbon | Successful authentication attempt by admin from 138.150.194.90

Any suggestions for deeper debugging? I'm not sure if this could be related to the RPM release of Carbon SR2.

Thanks in advance,


Best regards,

Ignacio.







Mohamed ElSerngawy
 

This is not showing any helpful info. Would you try using the CLI to make sure that the issue is in the aaa-cert service, not the restconf service?

Try the command below and let me know what the output is:

aaa:get-odl-cert -storepass <store_password>








Ignacio Dominguez Martinez-Casanueva <i.dominguezm@...>
 

Hi Mohamed,

The suggested command returns the ODL certificate. Something strange is going on since I can perform the available operations in the RPC such as getODLCertificate or setNodeCertificate through the aaa CLI but not through the RESTCONF service.

Thank you very much,

Best regards,
Ignacio.
