Troubleshooting
There are many steps involved in making the Domino server ready for IAM, and errors occur if one or more of them is missed. Here are some troubleshooting items that may help you.
First of all, once you see a DBError in the console, you can change the log level in the config/local.properties file to 'debug' to obtain the detailed log stack:
logConfig.logLevel = debug
Error: gRPC client error
Error message: gRPC client error
Detail error info:
[12:24:57][error][iamStorage]: Failed to find the document with query { _id: 'IDPSettings' } in collection Settings. Error occurs: gRPC client error
[12:24:57][error][settings]: Error getting IAM settings for IDPSettings : Error: gRPC client error
Root cause:
With the provided CA, client key and certificate, IAM cannot connect to the Proton server. There are two possible reasons for this error: either the Proton SSL is not configured correctly, or the dominoConfig credential information provided is not correct.
Solution:
First, follow the Proton setup guide to double-check that Proton SSL is configured correctly and that the Proton process has been launched on the Domino server. Also check that the Domino server's hostname or IP address is included in the Proton server's certificate; refer to the guide "Name in the server's certificate must be used by domino-db clients" for more information.
Second, double-check that the Proton server's root CA has been added to IAM's CA directory: config/certs/ca/
Third, check that the following settings in the config/local.properties file are correct:
dbConfig.dominoConfig.credential.CLIENT_CERT
dbConfig.dominoConfig.credential.CLIENT_KEY
Error: Proton (65553)
Error message: Not authorized to perform that operation
Detail error info:
[13:17:15][error][iamStorage]: Failed to find the document with query { _id: 'IDPSettings' } in collection Settings. Error occurs: Proton (65553): Not authorized to perform that operation
[13:17:15][error][settings]: Error getting IAM settings for IDPSettings : Error: Proton (65553): Not authorized to perform that operation
Root cause:
Two reasons can cause this error:
- No ACL added in the iam-store.nsf file
- No client certificate added in the function ID user
Solution:
- Follow the guide "Add ACL for the database" to add the ACL for iam-store.nsf.
- Perform the Import Internet Certificates action on the IAM function ID user document.
- See the picture below to check whether the certificate is already present in the IAM function ID user document.
Error: Proton (259)
Error message: bulkNote request failed with Proton code 259
Detail error info:
[13:35:39][error][iamStorage]: Failed to find the document with query { _id: 'IDPSettings' } in collection Settings. Error occurs: bulkNote request failed with Proton code 259
Root cause:
The Domino database name might not be correct, so Proton cannot find the database on Domino.
Solution:
Check whether the database name in the config/local.properties file is correct. The dbConfig.dominoConfig.DATABASE value should be a path relative to Domino's data directory:
dbConfig.dominoConfig.DATABASE = iam-store.nsf
Error: Proton (65558)
Error message: Cannot update encrypted note without decrypting it first
Detail error info:
message: 'Proton (65558): Cannot update encrypted note without decrypting it first.', code: 'ERR_FORBIDDEN', cause: { ProtonError: Proton (65558): Cannot update encrypted note without decrypting it first. .... }
Root cause:
This error should be rare; it typically occurs after you re-run the Proton SSL setup during the first setup stage, because the encrypted data stored in the iam-store.nsf file cannot be decrypted with your new SSL CA, certificate and key files.
Solution:
You need to clean the existing data in your iam-store.nsf.
Error: Proton (22792)
Error message: bulkNote request failed with Proton code 22792
Detail error info:
[11:05:54][error][iamStorage]: Failed to find the document with query { _id: 'IDPSettings' } in collection Settings. Error occurs: bulkNote request failed with Proton code 22792
[11:05:54][error][settings]: Error getting IAM settings for IDPSettings : Error: bulkNote request failed with Proton code 22792
Root cause:
The ID file password is incorrect.
Solution:
Correct the password of your function ID file in the config/local.properties file:
dbConfig.dominoConfig.credential.IDFILE_PASSWORD = <Your correct password>
Error: Invalid private key
Error message: Invalid private key
Detail error info:
E1114 11:19:17.122005000 4528211392 ssl_transport_security.cc:671] Invalid private key.
E1114 11:19:17.122484000 4528211392 security_connector.cc:1087] Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1114 11:19:17.122496000 4528211392 secure_channel_create.cc:121] Failed to create secure subchannel for secure name 'iam-centos7.cwp.pnp-hcl.com:3002'
E1114 11:19:17.122514000 4528211392 secure_channel_create.cc:154] Failed to create subchannel arguments during subchannel creation.
Root cause:
Your Proton client key passphrase is incorrect.
Solution:
The passphrase is the one you created to protect the Proton client private key.
Correct the client key passphrase in the config/local.properties file:
dbConfig.dominoConfig.credential.CLIENT_KEY_PASSPHRASE = <Your correct password>
Error: Entry not found in index
Error message: Entry not found in index - syntax error
Detail error info:
[13:35:51][error][iamStorage]: Failed to find the document with query { _id: 'IDPSettings' } in collection Settings. Error occurs: Entry not found in index - syntax error Error validating view column name - ['Settings'._id] .. incorrect column name or no valid sorted column (bad position, collation or categorized) (Call hint: NIFFindByKeyExtended2, Core call #0)
Root cause:
No collation index has been created for your iam-store.nsf file.
Solution:
Error: listen EACCES 0.0.0.0:443
Error message: listen EACCES
Detail error info:
Error: listen EACCES 0.0.0.0:443
    at Server.setupListenHandle [as _listen2] (net.js:1343:19)
    at listenInCluster (net.js:1401:12)
    at Server.listen (net.js:1485:7)
    at Function.createSSLServer (/home/tiantc/github/service/build/public/iam-server.js:1:61370)
    at p (/home/tiantc/github/service/build/public/iam-server.js:1:37669)
    at /home/tiantc/github/service/build/public/iam-server.js:1:38096
    at <anonymous>
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! domino-iam-service@1.0.0 start: `node iam-server.js`
npm ERR! Exit status 1
Root cause:
Binding a port below 1024 requires root privileges.
On Linux, ports below 1024 are reserved so that only an administrative account can bind them. A client reaching a service on such a port can therefore assume that the service was published by an official/admin account.
Solution:
One option is to allow the application (Node) to bind ports below 1024. For example, grant the Node executable the CAP_NET_BIND_SERVICE capability:
sudo setcap CAP_NET_BIND_SERVICE=+eip <the path of node executable file>
e.g.: sudo setcap CAP_NET_BIND_SERVICE=+eip /bin/node
Note: after doing this, any user allowed to execute Node can bind any other Node.js application to a port below 1024, so the accounts that can execute Node should be tightly controlled.
You can also choose other solutions, such as setting up a port-forwarding rule.
Error: invalid_client
You may encounter an invalid_client error when your client application authenticates with the IAM endpoint by sending its client_id and client_secret in the Authorization header.
Error message: invalid_client
Detail error info:
error:"invalid_client" error_description:"client authentication failed"
Root cause:
If you have confirmed that the client_id and client_secret were copied correctly, the likely cause is that the Authorization header is not encoded properly: the client_id and client_secret must additionally be form-encoded before the pair is base64-encoded.
Solution:
The proper way of submitting client_id and client_secret is:
Authorization: Basic base64(formEncode(client_id):formEncode(client_secret))
Example:
const client_id = 'an:identifier';
const client_secret = 'some secure & non-standard secret';
// After form-encoding these two values
const encoded_id = 'an%3Aidentifier';
const encoded_secret = 'some+secure+%26+non-standard+secret';
// Basic auth header format
Authorization: Basic base64(encoded_id + ':' + encoded_secret)
// Authorization: Basic YW4lM0FpZGVudGlmaWVyOnNvbWUrc2VjdXJlKyUyNitub24tc3RhbmRhcmQrc2VjcmV0
Note: If you are using the IAM client library (node-iam-client) to interact with IAM, the library already performs the proper encoding for you.
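The following Node.js snippet is an added example, not code from the IAM service or node-iam-client. It builds the Basic header exactly as described above and also shows the server-side parse, which is why the form encoding matters: once both halves are encoded, the first ':' is always the separator even when the raw client_id itself contains a colon. The function names formEncode, buildBasicAuthHeader and parseBasicAuthHeader are this example's own.

```javascript
// Added example (not from the IAM documentation). Runs on Node.js, no dependencies.

// application/x-www-form-urlencoded encoding: percent-encode everything outside
// the unreserved set, then write spaces as '+'. ':' becomes '%3A', '&' becomes '%26'.
function formEncode(value) {
  return encodeURIComponent(value).replace(/%20/g, '+');
}

function formDecode(value) {
  return decodeURIComponent(value.replace(/\+/g, '%20'));
}

// Client side: header value for a given client_id / client_secret.
function buildBasicAuthHeader(clientId, clientSecret) {
  const credentials = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
  return `Basic ${Buffer.from(credentials, 'utf8').toString('base64')}`;
}

// Server side: recover client_id and client_secret from the header.
// Because both parts are form-encoded, no literal ':' can appear inside either
// part, so splitting at the first ':' is unambiguous. Returns null on malformed input.
function parseBasicAuthHeader(header) {
  const match = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header);
  if (!match) return null;
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return {
    client_id: formDecode(decoded.slice(0, sep)),
    client_secret: formDecode(decoded.slice(sep + 1)),
  };
}

// Values from the troubleshooting entry above (client_id contains a ':').
const header = buildBasicAuthHeader('an:identifier', 'some secure & non-standard secret');
console.log(header);
console.log(parseBasicAuthHeader(header));
```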