SaslAuthenticationException after installation on ICP 3.1.1 #18
Comments
Hi Johannes, The error that you have supplied suggests that the certificate presented by the web server serving Would you be able to provide the public certificate that you supplied when installing ICP, and the public certificate you supplied when installing Event Streams? Additionally, could you provide the output from Additionally, when you installed ICP, how was the certificate signed? Was it through a known CA, self signed, or signed by your own CA? |
Hi Nic, I have installed the ICP with an icp-router.crt containing the complete certificate chain (according to https://www.ibm.com/support/knowledgecenter/en/SSBS6K_3.1.1/installing/create_ca_cert.html#existing). The certificate is a wildcard certificate for our domain (*.yyy.zzz) that was signed by a known CA (thawte). The management console does seamlessly work with this certificate. For installation of eventstreams I used the following settings in `values.yaml`
Nevertheless the output of the Thanks in advance |
Hi Johannes, Thank you for the update, it is very useful to see that the Please could you post the output of the following command: I am digging further to understand why the cluster-ca-cert is pointing to a self signed certificate. |
Hi Nic, please find attached the masked output of the curl. I replaced the values in a consistent way. Hope this helps. Maybe we will end up in a general ICP installation/configuration issue for the cluster-ca-cert... |
Hi Johannes, That is showing that the server itself is responding with the expected certificate, and not the self-signed as seen in Also, please could you provide the output of so that I can confirm whether the signed certificate is visible to
|
In addition could you please provide the public certificate you supplied to ICP on install, so that I can verify the certificate chain. |
To put the output in a nutshell
I will provide the files later on (tomorrow in Germany). Perhaps there is a more private way of sharing the certificates - knowing that sharing a public certificate should be no security issue at all. |
Please find attached the additional required files Thanks! |
Hi Johannes, Thank you for that output - one more thing I request, could you please send the output of |
Hi Nic, the access-controller seems to have the full certificate chain. Please double-check it with the provided output |
Hi Johannes, Given that
This should then allow the connection between access controller and the |
I have opened #19 to track this issue through to resolution inside the product. Please continue to use this thread to confirm whether your particular Event Streams install is functional. |
Hi Nic, I followed the suggested steps to replace the cacert part of the secret - but unfortunately it did not help at all. I'm still facing the problem that the call to |
Hi Johannes, Could you please provide the output of the following command to confirm that access controller has now picked up the correct cert:
Then execute
If this certificate is not the correct certificate, the next step is to let the container verify the certificate using its default public CA list. Please could you edit the -ibm-es-access-controller-deploy deployment to remove the volumeMount entry inside the You can either edit the deployment in place via |
Hi Johannes, I'm afraid I mistyped in my comment above: #18 (comment). Please can you attempt the following before the steps in the previous post. When editing Please could you perform the following steps:
|
Hi Nic, |
Hi,
I just installed the IBM Event Streams Community Edition-2018.3.1 into a fresh installation of ICP 3.1.1 (CE) and get a
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed, invalid credentials
when I'm trying to access the UI.
Checking the logs (as noted in #10) led me to the fact that the log of the
eventstreams-ibm-es-access-controller
is full of errors like this
The installation seems to be correct, since there are no failed jobs or other obvious strange pods.
I installed the ICP with a valid signed certificate and a custom domain name (not only published with an IP address). I also installed the eventstreams with a provided certificate/private key (section
Kafka external access configuration
in the values.yaml).
Is there any chance to import the certificate of the iam service to a keystore, so it is considered as a valid certificate?
Any help is highly appreciated.
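The mismatch discussed in this thread, a CA-signed certificate served by the endpoint while the client's CA bundle holds an unrelated self-signed certificate, can be reproduced offline with openssl. This is an added example, not code from the thread participants or from the product; every certificate, subject name and file name in it is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: all keys and certificates are throwaway ones generated here.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# ca.crt     : demo root CA (stands in for the public CA that signed the server cert)
# server.crt : leaf certificate signed by ca.crt (what the endpoint presents)
# other.crt  : unrelated self-signed certificate (what a wrong CA bundle might hold)
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
  openssl x509 -req -in "$work/server.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/server.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated-self-signed" \
    -keyout "$work/other.key" -out "$work/other.crt" 2>/dev/null
}

# Succeeds when subject and issuer names are identical, which is the case for
# a self-signed certificate and for a root CA (name comparison only).
is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds when certificate $2 chains to a trust anchor in CA bundle $1.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_fixtures
for bundle in ca.crt other.crt; do
  if chains_to "$work/$bundle" "$work/server.crt"; then verdict=accepted; else verdict=rejected; fi
  echo "server.crt checked against $bundle: $verdict"
done
```

Both bundles contain a self-issued certificate, so that property alone does not tell them apart; only the chain check shows which bundle can validate the certificate the server presents.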