wiki:ndg_security/Installation/Troubleshooting

Troubleshooting

  1. WSGIScriptAlias does not appear to load the application at the required path. This can happen if an earlier entry takes precedence, e.g. in the Apache SSL conf file:
    WSGIScriptAlias / /var/www/wsgi-scripts/ndg_security_relyingparty_authn_services.wsgi
    WSGIScriptAlias /AuthorisationService /var/www/wsgi-scripts/authorisationservice.wsgi
    
    The authorisation service will not load because requests to the path /AuthorisationService will first be intercepted by the Relying Party application. To fix, swap the statements around:
    WSGIScriptAlias /AuthorisationService /var/www/wsgi-scripts/authorisationservice.wsgi
    WSGIScriptAlias / /var/www/wsgi-scripts/ndg_security_relyingparty_authn_services.wsgi
    
  2. SSL permission errors - ownership of files. Files accessed by the security middleware need to be readable by the Apache process owner. Problems can manifest, for example, with the ownership of certificates and keys used for HTTPS requests:
         m2.ssl_ctx_use_cert_chain(self.ctx, certchainfile)
     [client 128.115.184.49] SSLError: Permission denied
    
    In this case the error has been raised at the point where the authorisation filter calls out to the authorisation service. It needs to read a certificate and private key from files in order to authenticate itself to the authorisation service. To fix, change the ownership of the files. In general, all files under the /usr/local/myapp directory should be readable by the Apache process owner, e.g. on Red Hat systems:
    chown -R apache:apache /usr/local/myapp
    
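    A small audit script to find the files the Apache process owner cannot read before the middleware fails at runtime. This is an added example, not part of ndg_security; it applies the POSIX owner/group/other read-permission rules itself (so it ignores root's override) and the directory tree it checks is constructed in a temporary directory with one world-readable certificate and one owner-only key. The user name, file names and modes are assumptions for the demonstration.

```python
import grp
import os
import pwd
import shutil
import stat
import tempfile


def readable_by(path, uid, gids):
    """True if a non-root process with this uid and these gids can read path.

    POSIX picks exactly one permission class: owner if the uid matches,
    otherwise group if any gid matches, otherwise 'other'. A file the
    owner cannot read is unreadable even if the group bits would allow it.
    """
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def unreadable_files(root, uid, gids):
    """Walk root and return the regular files the given identity cannot read.

    Directory search (x) permission along the path is not checked here;
    chown -R on the whole tree, as the page suggests, covers that too.
    """
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not readable_by(full, uid, gids):
                problems.append(full)
    return sorted(problems)


def ids_for_user(username):
    """Resolve a user name (e.g. 'apache') to its uid and full set of gids."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def demo():
    """Build a constructed /usr/local/myapp-like tree and audit it twice:
    once as the file owner, once as an unrelated uid standing in for the
    Apache process owner. Returns the flagged base names per perspective."""
    root = tempfile.mkdtemp(prefix="myapp-")
    try:
        certdir = os.path.join(root, "certs")
        os.mkdir(certdir)
        cert = os.path.join(certdir, "server.crt")
        key = os.path.join(certdir, "server.key")
        for path in (cert, key):
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
        os.chmod(cert, 0o644)   # readable by everyone
        os.chmod(key, 0o600)    # readable by the owner only

        owner_uid, owner_gid = os.getuid(), os.getgid()
        other_uid = owner_uid + 1   # hypothetical 'apache' uid with no shared groups
        return {
            "owner": [os.path.basename(p) for p in unreadable_files(root, owner_uid, {owner_gid})],
            "other_user": [os.path.basename(p) for p in unreadable_files(root, other_uid, set())],
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # On a real host: uid, gids = ids_for_user("apache"); unreadable_files("/usr/local/myapp", uid, gids)
    print(demo())
```

    On a deployed host, call ids_for_user with the actual Apache user and point unreadable_files at the application directory; every path it returns is one the middleware will fail to open with the Permission denied error shown above.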
  3. Clock skew errors. Servers running security services need to be synchronised with NTP. Without this, clock skew errors can occur in SAML/SOAP requests and responses. The SAML libraries check the issue instant of received messages and reject them if it falls after the host's clock time. This can manifest, for example, as:
    ResponseIssueInstantInvalid: SAML Attribute Response issueInstant [2012-05-24 14:14:45.015592] is after the clock time [2012-05-24T14:14:44.914446Z] (skewed +0:00:00)
    
    To correct, ensure NTP is running on both host and peer machines and, if necessary, set an allowable clock skew in the settings file for the host service:
    pep.authzDecisionQuery.clockSkewTolerance = 1.
    
    This sets a tolerance of 1 second either side of the host clock's time for responses received back from the authorisation service.
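    The check behind the error above, reconstructed as an added example rather than ndg_security's own code: a response is rejected when its issueInstant lies later than the host clock plus the configured tolerance. The timestamps are the two values from the log line quoted above (both taken as UTC), and the exception class, function names and the clockSkewTolerance values passed in are assumptions for the demonstration.

```python
from datetime import datetime, timedelta, timezone


class ResponseIssueInstantInvalid(Exception):
    """Raised when a SAML response's issueInstant is beyond the accepted window."""


def parse_instant(text):
    """Parse either timestamp form seen in the log line.

    '2012-05-24 14:14:45.015592' and '2012-05-24T14:14:44.914446Z' are both
    accepted and interpreted as UTC, which is what SAML issueInstant uses.
    """
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1]
    text = text.replace("T", " ")
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def check_issue_instant(issue_instant, clock_time, clock_skew_tolerance=0.0):
    """Accept a response only if issueInstant <= clock_time + tolerance.

    clock_skew_tolerance is in seconds (the same unit as the
    pep.authzDecisionQuery.clockSkewTolerance setting). Returns the observed
    skew in seconds (positive means the peer's clock is ahead of ours), which
    is worth logging even for accepted responses: a skew that creeps towards
    the tolerance is an early sign that NTP has stopped on one of the hosts.
    """
    tolerance = timedelta(seconds=clock_skew_tolerance)
    skew = issue_instant - clock_time
    if skew > tolerance:
        raise ResponseIssueInstantInvalid(
            "SAML Attribute Response issueInstant [%s] is after the clock time "
            "[%s] (skewed +%s)" % (issue_instant, clock_time, tolerance))
    return skew.total_seconds()


def response_accepted(issue_text, clock_text, clock_skew_tolerance=0.0):
    """Convenience wrapper: True if the response passes, False if rejected."""
    try:
        check_issue_instant(parse_instant(issue_text), parse_instant(clock_text),
                            clock_skew_tolerance)
        return True
    except ResponseIssueInstantInvalid:
        return False


# Constructed from the log line above: the peer issued the response about
# 0.1 s after the host's idea of 'now'.
ISSUE_INSTANT = "2012-05-24 14:14:45.015592"
CLOCK_TIME = "2012-05-24T14:14:44.914446Z"

if __name__ == "__main__":
    for tolerance in (0.0, 1.0):
        print("tolerance %.1fs: accepted=%s" % (tolerance, response_accepted(ISSUE_INSTANT, CLOCK_TIME, tolerance)))
```

    With the default tolerance of zero the quoted response is rejected, exactly as in the log; with clockSkewTolerance = 1 the 0.1 s skew is absorbed. Keep the tolerance small: it is a bound on how far a peer's clock may drift, not a substitute for running NTP.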