Service broker error when adding Single Sign On service

In Bluemix, when I try to add the Single Sign On service to a Java app, I get this error:
Service broker error: {"description"=>"CTJSO0015E The service instance with ID \"XXXXXXXXXX\" must be configured before the operation can be performed."}
The key parts of the error message are:
Service broker error ...
CTJSO0015E The service instance ...
must be configured before the operation can be performed.
My app is a new, empty Java runtime. The service instance gets created but doesn't get bound to the app. When I try to bind the service myself, I get the same error.
How do I get around this problem and bind the SSO service to the app?

Unlike other Bluemix services, the Single Sign On service must be configured before it can be bound to an app. That process is explained in Single Sign On/Configuring the service.
As the docs explain, you must create the service unbound (not bound to an app), configure it, then you can bind the configured service instance to the application.
This is also explained here: Service Broken error While adding Single Sign On service.

Related

Service to service authentication/authorization within same space

We've deployed 2 java services on SAP CF and both are deployed in the same space and bound to the same Xsuaa instance.
Now Service A needs to call service B with the access token of the user. Service A already has the current access token available in the current user context. I'd like to use the destination service for this, instead of calling the service B exposed URL directly. But I'm having trouble setting this up.
What do I need to put in the destination? An OAuth2JwtBearer?
If using an OAuth2JwtBearer, then what are the proper clientId/clientSecret, the ones from XSUAA?
When using a JWT Bearer destination, I get the following error: "Unable to map issuer, http://gvrn-development.localhost:8080/uaa/oauth/token , to a single registered provider"
Any help on this would be great.

How do we register a PCF Service Broker as reachable from two spaces in the same PCF Org (with org admin permissions)?

How do I register a Pivotal Cloud Foundry Service Broker to make it accessible from multiple spaces within the same Organization, if I have Org-level permissions?
We tried to register a PCF Service broker (cf create-service-broker ...) in one space, then use it as a 'service instance' (cf create-service ...) in another space.
To illustrate the problem, consider the following work flow, from a HashiCorp Vault guide:
$ cf create-space examplespace
$ cf target -s examplespace
$ cf create-service-broker vault-broker "${AUTH_USERNAME}" "${AUTH_PASSWORD}" "https://${BROKER_URL}" --space-scoped
$ cf marketplace
service plans description
hashicorp-vault shared HashiCorp Vault Service Broker
# ...
$ cf create-service hashicorp-vault shared my-vault
The above works fine. The problem comes up when we have an app in a different space that we want to consume the HashiCorp Vault API:
$ cf target -s myappspace
$ cf bind-service my-app my-vault
This last part fails.
Also, now that I'm in the space myappspace, cf marketplace does not show the new service broker.
Now, we have someone on our team with org-admin permissions.
I figured that we could just register the new service broker at the org level, using enable-service-access subcommand:
https://docs.cloudfoundry.org/services/access-control.html#enable-access-to-service-plans
$ cf enable-service-access my-vault -o WebOrg
This failed as well, because, even though he had Admin permissions for the entire org, he got a permission denied error.
If we then go on to registering the service broker in the second space, myappspace, we get a
All three of these methods failed, but there has to be some way to make a service from one space available to the others, within an Org., if I have administrative permissions for that PCF Org.
How?
A similar (although more specific) type of this issue is documented in the following two github issues for PCF's cloud_controller_ng repository:
https://github.com/cloudfoundry/cloud_controller_ng/issues/935
https://github.com/cloudfoundry/cloud_controller_ng/issues/837
I've done the following research:
https://docs.cloudfoundry.org/services/managing-service-brokers.html#register-broker
https://docs.cloudfoundry.org/services/access-control.html
https://docs.cloudfoundry.org/services/access-control.html#enable-access-to-service-plans
https://starkandwayne.com/blog/register-your-own-service-broker-with-any-cloud-foundry/
(We ran variations of every command on this page.)
The most similar of the existing questions on Stack Overflow were these:
WebSphere Message Broker - how to send a PCF message
Need help on Registering App on PCF with Spring Cloud Data Flow which is also on PCF
They don't seem to have much to do with name spacing issues in the PCF marketplace, or with PCF permissions management.
Note: At first I wanted to post this to serverfault.com, because this has more to do with the infrastructure for an application, rather than just programming. But, while serverfault.com has no tag for Pivotal Cloud Foundry, Stack Overflow has a pivotal-cloud-foundry tag with 588 uses, already.
How do I register a Pivotal Cloud Foundry Service Broker to make it accessible from multiple spaces within the same Organization, if I have Org-level permissions?
I don't think you can do this. You'd need to be a platform admin/operator. Then you'd need to register the service broker with the platform & mark that broker as accessible to select orgs & spaces. You could then create service instances & if the broker permits share them across spaces.
If you only have org/space permissions, you can only register the service broker with a specific space. It's then only visible in that space.
Without platform admin/operator permissions, I think the best you could do would be this:
1. register the broker in a specific space
2. create a service instance in that space
3. bind that to your apps in this space
4. create a service key for your app in the second space
5. switch to the second space
6. create a user provided service in that space and enter the service key info
Repeat steps 4-6 for each app in the second service (this ensures you get unique credentials per app; you could use one service key for all apps if you don't care about this).
Happy to be corrected, but I think that is the state of things as I write this.
Assuming you are using PCF 2.1 or above.
Service brokers must explicitly enable service instance sharing by setting a flag in their service-level metadata object. This allows service instances, of any service plan, to be shared across orgs and spaces.
This is from Enabling Service Instance Sharing
Looks like you have already followed the rest of the steps from Sharing Service Instances.
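Steps 4-6 of the answer above (service key in the source space, user-provided service in the target space), as an added shell example that is not part of the original answers. It assumes the cf CLI v6 on PATH, that steps 1-3 (broker registered, instance created) are already done, and that the service, space and app names are passed as arguments; the function and key names are the example's own, and the `sed` filter relies on cf v6 printing a banner line before the JSON. One key per consuming app keeps credentials separate, so a single key can be revoked with `cf delete-service-key` without touching the other apps.

```shell
#!/bin/sh
# Added example (not from the original post): steps 4-6 of the answer as a script.
# Assumes the cf CLI v6 is on PATH and the service instance already exists in
# the source space. All names (service, spaces, app) are arguments, not real values.

# Take `cf service-key` output on stdin and print only the JSON document.
# cf v6 prints a "Getting key ..." banner and a blank line before the JSON,
# so keep everything from the first line that starts with "{".
extract_service_key_json() {
    sed -n '/^{/,$p'
}

# Create one service key per consuming app, so each app gets its own
# credentials and a leaked key can be rotated (cf delete-service-key)
# without affecting the others.
# Usage: mirror_service_key_to_space SERVICE SOURCE_SPACE TARGET_SPACE APP
mirror_service_key_to_space() {
    service="$1"; source_space="$2"; target_space="$3"; app="$4"
    key_name="${app}-key"              # hypothetical naming scheme
    ups_name="${service}-${app}"       # hypothetical naming scheme

    cf target -s "$source_space" >/dev/null || return 1
    # cf errors if the key already exists; ignore that case so reruns work.
    cf create-service-key "$service" "$key_name" >/dev/null 2>&1 || true

    creds=$(cf service-key "$service" "$key_name" | extract_service_key_json)
    case "$creds" in
        "{"*) ;;
        *) echo "no JSON credentials returned for $service/$key_name" >&2; return 1 ;;
    esac

    cf target -s "$target_space" >/dev/null || return 1
    # -p accepts a JSON object; the credentials appear unchanged in
    # VCAP_SERVICES of whatever app later binds the user-provided service.
    cf create-user-provided-service "$ups_name" -p "$creds" >/dev/null || return 1
    cf bind-service "$app" "$ups_name" >/dev/null || return 1
    echo "$ups_name"
}

# Run directly with four arguments; when sourced, only the functions are defined.
if [ "$#" -eq 4 ]; then
    mirror_service_key_to_space "$@"
fi
```

If the platform operator has enabled service instance sharing (PCF 2.1 or above, as the second answer notes) and the broker sets the sharing flag, `cf share-service my-vault -s myappspace` from the source space replaces all of this and the instance can be bound directly in the target space.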

Cannot delete the mongolab service or the app with the message 401 Unauthorized

I tried to delete an old app bound with a mongolab service which is out of service. I can neither delete the app nor the mongolab service because the endpoint of the mongolab doesn't exist anymore. Do IBM Cloud or Bluemix people have a solution to this?
An error (10001) occurred while deleting the service.
Description:
Service instance MongoLab-NF: Service broker error: {"description"=>"TRANSPORT_ERROR - Received error with message \"401 Unauthorized\" while calling integration endpoint https://api.mongolab.com/api/appdirect/1/partners/IbmCloud/events?eventUrl=https%3A%2F%2Fbluemix.marketplace.ibmcloud.com%2Fapi%2Fintegration%2Fv1%2Fevents%2F4a1b66dd-531d-43e6-966d-0939fade9fa5 (1272 / MongoLab). Received response:\n"}
Visit IBM Cloud Support and open a support ticket.
We users can't do much about it. It won't even allow deletion of the app/service.
Once the same is removed, bind a new mLab service to your app.

BXNUI0035E “service could not be deleted”

I'm trying to unbind & delete a Mongolabs service instance from my app in IBM Bluemix. Unfortunately, Bluemix displays the error:
BXNUI0035E The 'Mongolab-cv' service could not be deleted.
And leaves the service allocated and bound to my app.
How do I fix this?
Mike
The MongoLab service was deprecated last year. Service instances created before it were not deleted, but since the service broker is not available anymore you will not be able to delete or unbind this service.
Please raise a support ticket to get this service removed from your space.
To open a ticket check the link below:
ibm.biz/bluemixsupport
When opening a ticket provide your organization name, space and service name.

API Management service in Bluemix can't be bound to CF application

I'm building a CloudFoundry application in Bluemix using the API Management service. For this I'm following this tutorial http://www.ibm.com/developerworks/cloud/library/cl-bluemix-api-mgmt-app/index.html.
I can successfully create an API Plan for a custom REST API application (running on a Liberty server on Bluemix as well) and it is published.
I can also create a service in my Bluemix dashboard using the new Custom API, which I take as the API plan was successfully deployed on Bluemix.
Whenever I try to bind this new service I get the following message:
BXNUI2055E: Unable to connect to Cloud Foundry because of the
following exception: "Read timed out." If the problem persists, see
the Troubleshooting topics in the IBM Bluemix Documentation to check
service status, review troubleshooting information, or for information
about getting help.
From time to time I also get this message
The service broker returned an invalid response for the request to
https://apimasv1-stage.stage1.mybluemix.net/d118dceb-edbf-4a7f-9bab-d44371b0c9f9/privateservices/v2/service_instances/1a60830c-0796-4105-afb4-e3477424acf9/service_bindings/ebb853dc-ec88-4987-b8f2-e9acd38d1741.
Status Code: 502 Bad Gateway, Body: 502 Bad Gateway: Registered
endpoint failed to handle the request.
Also, I can open the API portal and see the services listed in there. However, whenever I try to test the service, I get the following error
A security error has occurred. If using a self-signed certificate on
your gateway, you will need to accept it in your browser, which you
can do by clicking the following link.
https://api.wawona.apim.ibmcloud.com/victorshmx1ibmcom-dev/sb/LibraryREST/rs/authors/1
Also, below in the response I get this message:
NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to
load
'https://api.wawona.apim.ibmcloud.com/victorshmx1ibmcom-dev/sb/LibraryREST/rs/authors/1'.
I must clarify this service (the liberty app) doesn't have any security constraint to access the REST service nor I added some kind of security in the API Management portal.
Another thing to clarify is that I can bind other services, but not this one.
Does anyone know how I can fix those problems? Is there a known issue with IBM API Management service?
This seems to be an error with the API Management service instance you are trying to bind to.
You could open a ticket to support team following the link you can find here:
https://developer.ibm.com/bluemix/support/
Click on 'Contact IBM' and open a 'Support ticket'