SAM-OIDC configuration change for NDI Migration

NDI migration (Windows version)

1. Changing Configuration

-Go to the sam-oidc config folder
(Note: the folder is on the C: drive if the server has only a C: drive; otherwise it will be on one of the other drives)



(Note: the folder is named either sam-oidc-config-uat or sam-oidc-config-prod, depending on whether the UAT or the production server is being accessed)

-Within the sam-oidc config folder, locate the sam-oidc-config.ini file


-Right click and select 'Edit with Notepad++'

(Note: if the 'Edit with Notepad++' option is unavailable, edit the file with Notepad instead)

-Change SPLoginAuthenticationMethod and CPLoginAuthenticationMethod from SPCP_OIDC_SECRET_AUTH to NDI_OIDC_JWKS_AUTH (both keys must be changed)


-Ensure that the remaining configuration values are accurate


(Note: the existing values for keyStoreFilePath, keyStorePassword, keyPairAlias, signingKeyPairAlias, SP Proxy settings and CP Proxy settings can be carried over unchanged to the new setup)

-Ensure that the file paths for the following are correct

(Note: sam-oidc-exceptions.properties, license.txt, transaction.txt and log4j2.xml are in the same folder as sam-oidc-config.ini, so their paths should point there)

-Save

(Note: if any file is being updated at the same time, for example the SPCP truststore pfx, back up the existing file first and then place the updated file in the sam-oidc-config folder. Keep the backups as restricted as the originals: sam-oidc-config.ini holds keyStorePassword and the pfx files hold the private keys)

2. Restart Tomcat Service

-Select the Search icon on the taskbar, key in Services and select the Services App


-Locate the Tomcat Service


-Right click on the Tomcat Service and select restart





NDI migration (Linux version)

1. Changing Configuration

-Change to the sam-oidc config folder
(example command)
cd /opt/Netrust/sam-oidc-config-uat
(Note: press the "Tab" key twice to list the available files and folders; for example, after typing /opt/ press "Tab" twice and the shell will show what is inside /opt, so you can pick the folder you need. The folder is sam-oidc-config-uat or sam-oidc-config-prod depending on the server)



Key in the command "ll" (lowercase L, a common alias for "ls -l"; use "ls -l" if the alias is not defined) to list the files in the sam-oidc-config folder and confirm that sam-oidc-config.ini is present




-Edit the sam-oidc-config.ini file
(example command)
sudo vi sam-oidc-config.ini

Press the "i" key to enter insert mode

Change SPLoginAuthenticationMethod and CPLoginAuthenticationMethod from SPCP_OIDC_SECRET_AUTH to NDI_OIDC_JWKS_AUTH (both keys must be changed)



Ensure that the paths and details for the SPCP truststore, the sam-oidc encryption and signing certificates (keystore), and the SP and CP proxy settings are correct



Press the "Esc" key to leave insert mode, then type ":wq" and press Enter to save and exit (":wq!" if vi reports the file is read-only; ":q!" discards the changes)

(Note: if any file is being updated at the same time, for example the SPCP truststore pfx, back up the existing file first and then place the updated file in the sam-oidc-config folder. Keep the backups as restricted as the originals: sam-oidc-config.ini holds keyStorePassword and the pfx files hold the private keys)

2. Restart Tomcat Service

(example command)
sudo systemctl restart tomcat

(Note: "tomcat" is the service (unit) name and will differ depending on how the service was installed. To verify, run:
cd /etc/systemd/system
ll (lowercase L)
This lists the installed unit files; look for the tomcat one and use its name in the restart command. "systemctl list-units --type=service | grep -i tomcat" also shows the name, and "systemctl status <name>" confirms the service came back up after the restart)
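The Linux steps above (back up sam-oidc-config.ini, switch both login methods, verify the edit, restart Tomcat) as one bash script. This is an added example, not part of the original guide and not Netrust's own tooling. It assumes the ini holds one Key=Value pair per line with optional spaces around the equals sign, that the ini path is supplied in SAM_OIDC_INI (a variable name chosen here), and that the systemd unit name contains "tomcat"; the ini content written by self_check is constructed for the offline check.

```shell
#!/usr/bin/env bash
# Added example, not part of the original SAM-OIDC guide: scripted form of the Linux
# steps (back up sam-oidc-config.ini, set both login methods to NDI_OIDC_JWKS_AUTH,
# verify, restart the Tomcat unit).
# Assumptions: one Key=Value per line (optional spaces around "="); the ini path comes
# from SAM_OIDC_INI (name chosen here); the systemd unit name contains "tomcat".
set -euo pipefail

# Print the value of KEY from FILE (first match; CR stripped in case the file is CRLF).
get_ini_value() {
    local file="$1" key="$2"
    sed -En "s|^[[:space:]]*${key}[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$file" | head -n1 | tr -d '\r'
}

# Set KEY=VALUE in FILE, failing if KEY is absent. The value must be a single token
# (true for the *AuthenticationMethod keys). Trailing whitespace/CR is preserved, and
# the file is overwritten in place via cat so it keeps its owner and mode for Tomcat.
set_ini_value() {
    local file="$1" key="$2" value="$3"
    grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file" || {
        echo "ERROR: ${key} not found in ${file}" >&2; return 1; }
    sed -E "s|^([[:space:]]*${key}[[:space:]]*=[[:space:]]*)[^[:space:]]*([[:space:]]*)$|\1${value}\2|" \
        "$file" > "${file}.tmp"
    cat "${file}.tmp" > "$file" && rm -f "${file}.tmp"
}

# Back up the ini next to itself, switch SP and CP login methods, and verify both.
migrate_to_ndi() {
    local ini="$1" backup k
    backup="${ini}.$(date +%Y%m%d-%H%M%S).bak"
    cp -p "$ini" "$backup"   # -p keeps the restrictive mode; the file holds keyStorePassword
    echo "backup: ${backup}"
    set_ini_value "$ini" SPLoginAuthenticationMethod NDI_OIDC_JWKS_AUTH
    set_ini_value "$ini" CPLoginAuthenticationMethod NDI_OIDC_JWKS_AUTH
    for k in SPLoginAuthenticationMethod CPLoginAuthenticationMethod; do
        [ "$(get_ini_value "$ini" "$k")" = "NDI_OIDC_JWKS_AUTH" ] || {
            echo "ERROR: ${k} was not updated" >&2; return 1; }
    done
}

# Look the Tomcat unit up from systemd instead of guessing its name.
find_tomcat_unit() {
    systemctl list-units --type=service --all --no-legend --plain 2>/dev/null \
        | awk '{print $1}' | grep -i tomcat | head -n1 || true
}

restart_tomcat() {
    local unit
    unit="$(find_tomcat_unit)"
    [ -n "$unit" ] || { echo "ERROR: no tomcat unit found (check /etc/systemd/system)" >&2; return 1; }
    sudo systemctl restart "$unit"
    systemctl is-active "$unit"   # non-zero exit (and script abort) if it did not come back
}

# Offline self-check on a constructed ini; prints the migrated CP value.
self_check() {
    local tmp
    tmp="$(mktemp)"
    printf 'SPLoginAuthenticationMethod=SPCP_OIDC_SECRET_AUTH\nCPLoginAuthenticationMethod = SPCP_OIDC_SECRET_AUTH\nkeyPairAlias=enc\n' > "$tmp"
    migrate_to_ndi "$tmp" >/dev/null
    get_ini_value "$tmp" CPLoginAuthenticationMethod
}

# Usage: SAM_OIDC_INI=/opt/Netrust/sam-oidc-config-uat/sam-oidc-config.ini bash ndi-migrate.sh
if [ -n "${SAM_OIDC_INI:-}" ]; then
    migrate_to_ndi "$SAM_OIDC_INI"
    restart_tomcat
fi
```

Without SAM_OIDC_INI set the script only defines the functions, so it can be sourced and `self_check` run first on a throwaway file before it is pointed at the real sam-oidc-config.ini. The backup lands beside the ini with the same mode as the original.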

Testing

Open Postman and send the "sam-oidc/.well-known/keys" request, i.e. GET http://<SAM OIDC Server URL>:<SAM OIDC PORT>/sam-oidc/.well-known/keys


The result should be:


(Note: ensure that the IP address and the port number are correct)
(Note: the values for "kid", "x", "y" and "alg" in each key must not be blank; if any is, recheck keyStoreFilePath, keyStorePassword, keyPairAlias and signingKeyPairAlias in sam-oidc-config.ini)

If Postman or the saved request is not available, open the same URL in a browser instead


Run the "Test staging Connection (CP)" and/or "Test Prod Connection (CP)" request in Postman

(Note: the result should be "Test Connection OK 200")

If Postman or the saved request is not available, run the following curl command instead:
curl --header "Content-Type: application/json" --request POST --data "{\"code\" : \"placeholder\", \"grant_type\" : \"authorization_code\", \"client_id\" : \"<Actual Client Id>\", \"client_secret\" : \"placeholder\", \"redirect_uri\" : \"placeholder\"}" http://<SAM OIDC Server URL>:<SAM OIDC PORT>/sam-oidc/corppass/resolveTokens

(Note: the expected result is error0400: Failed to send authorization code and associated information to SPCP OOB Endpoint. The placeholder code cannot be exchanged, so this error shows that the resolveTokens endpoint is up and attempted the call to SPCP; any other response means the configuration or connectivity should be rechecked)
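Both checks above, scripted so they can be run without Postman. This is an added example, not part of the original guide and not Netrust's own tooling. It fetches the JWKS and verifies that every key carries a non-blank kid, x, y and alg, then sends the placeholder resolveTokens request and checks for error0400. The base URL and client ID are read from SAM_OIDC_BASE and SAM_OIDC_CLIENT_ID (names chosen here); the JSON fragments in self_check are constructed, not real SAM-OIDC output.

```shell
#!/usr/bin/env bash
# Added example, not part of the original SAM-OIDC guide: post-migration checks without
# Postman. Assumptions: base URL and client id come from SAM_OIDC_BASE and
# SAM_OIDC_CLIENT_ID (names chosen here); the JSON samples in self_check are constructed.
set -euo pipefail

# Return 0 only if every JWK in the JSON text has a non-blank kid, x, y and alg.
# grep-based so it needs no jq: a blank field shows up as  "field":""  (spaces allowed),
# whether the JSON is on one line or pretty-printed.
jwks_looks_valid() {
    local json="$1" field
    for field in kid x y alg; do
        printf '%s' "$json" | grep -Eq "\"${field}\"[[:space:]]*:[[:space:]]*\"[^\"]+\"" || {
            echo "FAIL: no non-blank \"${field}\" in JWKS" >&2; return 1; }
        if printf '%s' "$json" | grep -Eq "\"${field}\"[[:space:]]*:[[:space:]]*\"\""; then
            echo "FAIL: blank \"${field}\" in JWKS" >&2; return 1
        fi
    done
    return 0
}

# The placeholder resolveTokens call must be rejected with error0400; anything else
# (a token, an error page, a connection failure) means config or connectivity is wrong.
resolve_tokens_as_expected() {
    printf '%s' "$1" | grep -q 'error0400'
}

fetch_jwks() {               # $1 = http://<SAM OIDC Server URL>:<SAM OIDC PORT>
    curl -sS --fail "$1/sam-oidc/.well-known/keys"
}

probe_resolve_tokens() {     # $1 = base URL, $2 = actual client id
    curl -sS --header "Content-Type: application/json" --request POST \
        --data "{\"code\":\"placeholder\",\"grant_type\":\"authorization_code\",\"client_id\":\"$2\",\"client_secret\":\"placeholder\",\"redirect_uri\":\"placeholder\"}" \
        "$1/sam-oidc/corppass/resolveTokens"
}

run_live_checks() {
    local base="$1" client_id="$2" body rc=0
    body="$(fetch_jwks "$base")"
    if jwks_looks_valid "$body"; then echo "JWKS check OK"; else rc=1; fi
    body="$(probe_resolve_tokens "$base" "$client_id")"
    if resolve_tokens_as_expected "$body"; then
        echo "resolveTokens check OK (error0400 as expected)"
    else
        echo "FAIL: unexpected resolveTokens response: ${body}" >&2; rc=1
    fi
    return "$rc"
}

# Offline self-check on constructed responses; prints "pass" when both classifiers behave.
self_check() {
    local good='{"keys":[{"kty":"EC","kid":"sam-enc","use":"enc","alg":"ECDH-ES+A256KW","crv":"P-256","x":"c2FtcGxl","y":"eC1jb29yZA"}]}'
    local blank='{"keys":[{"kty":"EC","kid":"","use":"sig","alg":"ES256","crv":"P-256","x":"c2FtcGxl","y":""}]}'
    local err='{"code":"error0400","message":"Failed to send authorization code and associated information to SPCP OOB Endpoint"}'
    jwks_looks_valid "$good" || return 1
    jwks_looks_valid "$blank" 2>/dev/null && return 1
    resolve_tokens_as_expected "$err" || return 1
    resolve_tokens_as_expected '{"access_token":"x"}' && return 1
    echo pass
}

# Usage: SAM_OIDC_BASE=http://host:port SAM_OIDC_CLIENT_ID=<Actual Client Id> bash post-migration-check.sh
if [ -n "${SAM_OIDC_BASE:-}" ]; then
    run_live_checks "$SAM_OIDC_BASE" "${SAM_OIDC_CLIENT_ID:?set SAM_OIDC_CLIENT_ID}"
fi
```

The JWKS check is deliberately strict about blank fields rather than just a 200 status: the endpoint answers 200 even when a key pair failed to load, which is exactly the case the "kid/x/y/alg must not be blank" note is guarding against.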
