[Setup Identity Platform 7.3] Connection refused in IDM

Hi everyone,
I’m trying to set up an Identity Platform using the Separate identity stores sample, following the guide below:
https://backstage.forgerock.com/docs/platform/7.3/platform-setup-guide/deployment1.html

Everything seems to be good until I test access to the Admin UI http://login.example.com:8083/?realm=/: the website cannot load uiconfig from IDM, and the response received is “500 Server Error”.
The IDM log has the error below:

2023-09-30 16:46:25 [106] Sep 30, 2023 9:46:25.807 AM org.forgerock.http.servlet.HttpFrameworkServlet lambda$service$1
2023-09-30 16:46:25 SEVERE: RuntimeException caught - rootId:c1610fe9-5e7c-4597-b3fd-a7dbdc0e4d83-2776
2023-09-30 16:46:25 java.lang.RuntimeException: java.net.ConnectException: Connection refused
2023-09-30 16:46:25     at org.forgerock.http.apache.async.AsyncResponseHttpClient$EntityCompletionPromiseResponseConsumer.failed(AsyncResponseHttpClient.java:169)
2023-09-30 16:46:25     at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.executionFailed(DefaultClientExchangeHandlerImpl.java:99)
2023-09-30 16:46:25     at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:426)
2023-09-30 16:46:25     at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.connectionRequestFailed(AbstractClientExchangeHandler.java:348)
2023-09-30 16:46:25     at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.access$100(AbstractClientExchangeHandler.java:62)
2023-09-30 16:46:25     at org.apache.http.impl.nio.client.AbstractClientExchangeHandler$1.failed(AbstractClientExchangeHandler.java:392)
2023-09-30 16:46:25     at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:137)
2023-09-30 16:46:25     at org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager$1.failed(PoolingNHttpClientConnectionManager.java:316)
2023-09-30 16:46:25     at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:137)
2023-09-30 16:46:25     at org.apache.http.nio.pool.RouteSpecificPool.failed(RouteSpecificPool.java:162)
2023-09-30 16:46:25     at org.apache.http.nio.pool.AbstractNIOConnPool.requestFailed(AbstractNIOConnPool.java:613)
2023-09-30 16:46:25     at org.apache.http.nio.pool.AbstractNIOConnPool$InternalSessionRequestCallback.failed(AbstractNIOConnPool.java:893)
2023-09-30 16:46:25     at org.apache.http.impl.nio.reactor.SessionRequestImpl.failed(SessionRequestImpl.java:177)
2023-09-30 16:46:25     at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processEvent(DefaultConnectingIOReactor.java:176)
2023-09-30 16:46:25     at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processEvents(DefaultConnectingIOReactor.java:148)
2023-09-30 16:46:25     at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor.execute(AbstractMultiworkerIOReactor.java:351)
2023-09-30 16:46:25     at org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager.execute(PoolingNHttpClientConnectionManager.java:221)
2023-09-30 16:46:25     at org.apache.http.impl.nio.client.CloseableHttpAsyncClientBase$1.run(CloseableHttpAsyncClientBase.java:64)
2023-09-30 16:46:25     at java.base/java.lang.Thread.run(Unknown Source)
2023-09-30 16:46:25 Caused by: java.net.ConnectException: Connection refused
2023-09-30 16:46:25     at java.base/sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
2023-09-30 16:46:25     at java.base/sun.nio.ch.SocketChannelImpl.finishConnect(Unknown Source)
2023-09-30 16:46:25     at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processEvent(DefaultConnectingIOReactor.java:174)
2023-09-30 16:46:25     ... 5 more

I think the reason is in AM introspection.
I checked /path/to/openidm/conf/authentication.json and idm-resource-server, but did not find any issues. The AM server logs don’t have any errors.
Could someone explain how to troubleshoot it and how to enable logging to show the reason in the AM server?
Thank you for helping!

Hi @nguyennb,

Not sure it is an introspection problem; it looks rather like a connection issue, which would explain well why you don’t see anything in the AM logs?

e.g. 2023-09-30 16:46:25 Caused by: java.net.ConnectException: Connection refused

Regards
Patrick


Hi @patrick_diligent

> Not sure it is an introspection problem; it looks rather like a connection issue, which would explain well why you don’t see anything in the AM logs?

You are right. It is my fault.
I’m using docker to set up the platform. The AM container uses the port mapping 8081:8080, and I used port 8081 for all AM settings.
That is wrong because IDM calls the AM APIs from its container
=> the AM introspection setting should use the container port 8080.

Solution: Update tokenIntrospectUrl in /path/to/openidm/conf/authentication.json, then restart IDM.

"rsFilter": {
        "clientId": "idm-resource-server",
        "clientSecret": "&{rs.client.secret|password}",
        "tokenIntrospectUrl": "http://am.example.com:8081/am/oauth2/introspect",
        "scopes": [
            "fr:idm:*"
        ],
       ....
}

should be changed to:

"rsFilter": {
        "clientId": "idm-resource-server",
        "clientSecret": "&{rs.client.secret|password}",
        "tokenIntrospectUrl": "http://am.example.com:8080/am/oauth2/introspect",
        "scopes": [
            "fr:idm:*"
        ],
       ....
}

After updating the authentication config, the platform sample works perfectly.

Thank you a lot for your help.

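Added example, not part of the original posts or of ForgeRock's code: a small check for the mistake resolved in this thread, where `tokenIntrospectUrl` uses the published host port of a docker `HOST:CONTAINER` mapping instead of the container port. The function names and the embedded sample config are assumptions made for illustration; the sample is constructed from the `rsFilter` fragment posted above.

```python
import json
import socket
from urllib.parse import urlsplit

# Constructed sample mirroring the rsFilter fragment in the post (other keys omitted).
SAMPLE_CONFIG = json.loads("""
{"rsFilter": {
    "clientId": "idm-resource-server",
    "clientSecret": "&{rs.client.secret|password}",
    "tokenIntrospectUrl": "http://am.example.com:8081/am/oauth2/introspect",
    "scopes": ["fr:idm:*"]}}
""")

def find_key(node, key):
    """Depth-first search for `key` in nested JSON; returns its value or None."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_key(child, key)
        if found is not None:
            return found
    return None

def introspect_endpoint(config):
    """Return the (host, port) that IDM will dial for token introspection."""
    url = urlsplit(find_key(config, "tokenIntrospectUrl"))
    return url.hostname, url.port or (443 if url.scheme == "https" else 80)

def published_port_misuse(config, port_mapping):
    """Flag a URL that uses the host side of a docker 'HOST:CONTAINER' mapping.

    Returns the container port to use instead, or None if the URL is fine.
    """
    host_port, container_port = (int(p) for p in port_mapping.split(":"))
    _, port = introspect_endpoint(config)
    return container_port if port == host_port != container_port else None

def tcp_probe(host, port, timeout=3.0):
    """Connect as IDM's HTTP client would; run this from inside the IDM container."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"  # same condition as java.net.ConnectException in the IDM log
    except OSError as exc:
        return f"error: {exc}"
```

Load the real `authentication.json` with `json.load` and pass it in place of `SAMPLE_CONFIG`; `tcp_probe(*introspect_endpoint(config))` only reflects what IDM sees when it is run in the IDM container's network namespace.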