How to zitify a spring-boot application

My end goal for this project is to use the ziti spring-boot sample to zitify an Azure web application. I’ve blocked my IP from accessing the service.

However, before I jump into zitifying the Azure web app I’d like to test the spring-boot sample by trial and error. I’ve cloned the code, then I ran gradle bootRun. This came back with
Failed to parse keystore
This was because the application.properties file was missing

ziti.id <ziti.id>
ziti.serviceName <ziti.serviceName>

@ekoby helped me get past this issue.

For Mac users you will want to visit. Download the correct version of the ziti CLI. Then move the binaries to /usr/local/bin (make sure the binaries are executable). Then you’ll want to run

ziti edge enroll \
    --jwt my_file.jwt \
    --out my_config

This should return

INFO    generating 4096 bit RSA key                  
INFO    enrolled successfully. identity file written to: my_config

Next you’ll need to update the application.properties file

ziti.id = /Users/evangertis/Downloads/my_config
ziti.serviceName = core-management-service

After completing those steps I ran gradle bootRun again and ran into Caused by: java.net.BindException: no permission to bind to service[core-management-sandbox]. This is most likely related to a policy error. Any help with this would be greatly appreciated.

That would seem to me like you don't have a "Bind" service-policy. Using the ziti CLI tool, issue: ziti edge policy-advisor identities and look for the "server" identity. Does that identity have bind?

Here's an example of what that looks like for reference:

OKAY : reflectServerId (1) -> reflect (1) Common Routers: (1/1) Dial: N Bind: Y
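One way to check the policy-advisor output programmatically, as an added example that is not part of the original thread or the OpenZiti project: it parses the summary-line format quoted above and reports why a given identity cannot bind a service. The reflectServerId line is the one from the reply; the other identities, the service names and the indented error-detail line are constructed sample data.

```python
import re

# Summary-line format documented by `ziti edge policy-advisor identities`:
#   STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (ONLINE/COMMON) Dial: X Bind: Y
LINE_RE = re.compile(
    r"^(?P<status>OKAY|ERROR)\s*:\s*(?P<identity>\S+)\s*\((?P<id_routers>\d+)\)\s*->\s*"
    r"(?P<service>\S+)\s*\((?P<svc_routers>\d+)\)\s*Common Routers:\s*"
    r"\((?P<online>\d+)/(?P<common>\d+)\)\s*Dial:\s*(?P<dial>[YN])\s*Bind:\s*(?P<bind>[YN])"
)

# Constructed sample output (only the reflectServerId line is quoted from the thread).
SAMPLE_OUTPUT = """\
OKAY : reflectServerId (1) -> reflect (1) Common Routers: (1/1) Dial: N Bind: Y
ERROR : springServerId (1) -> core-management-sandbox (1) Common Routers: (1/1) Dial: N Bind: N
    - No service policy grants bind access (constructed detail line)
ERROR : springClientId (1) -> core-management-sandbox (1) Common Routers: (0/1) Dial: Y Bind: N
"""


def parse_policy_advisor(output):
    """Parse summary lines; indented lines after an ERROR entry are kept as its error details."""
    entries = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            e = m.groupdict()
            for k in ("id_routers", "svc_routers", "online", "common"):
                e[k] = int(e[k])
            e["dial"] = e["dial"] == "Y"
            e["bind"] = e["bind"] == "Y"
            e["errors"] = []
            entries.append(e)
        elif entries and entries[-1]["status"] == "ERROR" and raw[:1].isspace() and raw.strip():
            entries[-1]["errors"].append(raw.strip())
    return entries


def bind_problems(output, identity, service):
    """Return the reasons the identity cannot bind the service; an empty list means bind should work."""
    for e in parse_policy_advisor(output):
        if e["identity"] == identity and e["service"] == service:
            break
    else:
        return [f"no policy-advisor entry for {identity} -> {service}: no service policy links them"]
    problems = []
    if not e["bind"]:
        problems.append(f"{identity} has no Bind service policy for {service}")
    if e["id_routers"] == 0:
        problems.append(f"{identity} has no edge router policy")
    if e["svc_routers"] == 0:
        problems.append(f"{service} has no service edge router policy")
    if e["online"] == 0:
        problems.append("no online edge router is shared by the identity and the service")
    problems.extend(e["errors"])
    return problems
```

Run bind_problems over the real advisor output with the server identity and service from application.properties; a "no Bind service policy" entry corresponds to the BindException seen in the thread.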

I did not receive

OKAY : reflectServerId (1) -> reflect (1) Common Routers: (1/1) Dial: N Bind: Y

I ran

evangertis@Evans-MacBook-Pro-2 ziti-spring-boot % ziti edge policy-advisor identities

Policy General Guidelines
  In order for an identity to dial or bind a service, the following must be true:
    - The identity must have access to the service via a service policy of the correct type (dial or bind)
    - The identity must have acces to at least one on-line edge router via an edge router policy
    - The service must have access to at least one on-line edge router via a service edge router policy
    - There must be at least one on-line edge router that both the identity and service have access to.

Then I checked if the identity had access to the listed service.

Then I checked if the identity had access to at least one online edge router.
{limitations on media prevented the screenshot from being uploaded}

Then I checked if the service had access to an online edge-router via service policy.
{limitations on media prevented the screenshot from being uploaded}

Finally, I checked

panic: no identity 'default' found in cli config /Users/evangertis/.ziti/ziti-cli.json

via

evangertis@Evans-MacBook-Pro-2 ziti-spring-boot % ls /Users/evangertis/.ziti/
ziti-cli.json

full policy advisor output

evangertis@Evans-MacBook-Pro-2 ziti-spring-boot % ziti edge policy-advisor identities

Policy General Guidelines
  In order for an identity to dial or bind a service, the following must be true:
    - The identity must have access to the service via a service policy of the correct type (dial or bind)
    - The identity must have acces to at least one on-line edge router via an edge router policy
    - The service must have access to at least one on-line edge router via a service edge router policy
    - There must be at least one on-line edge router that both the identity and service have access to.

Policy Advisor Output Guide:
  STATUS = The status of the identity -> service reachability. Will be OKAY or ERROR. 
  ID = identity name
  ID ROUTERS = number of routers accessible to the identity via edge router policies.
    - See edge router polices for an identity: ziti edge controller list identity edge-router-policies <identity>
  SVC = service name
  SVC ROUTERS = number of routers accessible to the service via service edge router policies.
    - See service edge router policies for a service with: ziti edge controller list service service-edge-router-policies <service>
  ONLINE COMMON ROUTERS = number of routers the identity and service have in common which are online.
  COMMON ROUTERS = number of routers (online or offline) the identity and service have in common.
  DIAL_OK = indicates if the identity has permission to dial the service.
    - See service polices for a service  : ziti edge controller list service service-policies <service>
    - See service polices for an identity: ziti edge controller list identity service-policies <identity>
  BIND_OK = indicates if the identity has permission to bind the service.
  ERROR_LIST = if the status is ERROR, error details will be listed on the following lines

Output format: STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (ONLINE COMMON ROUTERS/COMMON ROUTERS) Dial: DIAL_OK Bind: BIND_OK. ERROR_LIST
-------------------------------------------------------------------------------
panic: no identity 'default' found in cli config /Users/evangertis/.ziti/ziti-cli.json

goroutine 1 [running]:
github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge.runPolicyAdvisorForIdentities(0xc000395cb0)
        github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge/policy_advisor.go:211 +0x22b
github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge.runIdentitiesPolicyAdvisor(0xc000395cb0)
        github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge/policy_advisor.go:137 +0x97
github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge.newPolicyAdvisorIdentitiesCmd.func1(0xc0004a9400, {0x66c8a58, 0x0, 0x0})
        github.com/openziti/ziti/ziti/cmd/ziti/cmd/edge/policy_advisor.go:67 +0x70
github.com/spf13/cobra.(*Command).execute(0xc0004a9400, {0x66c8a58, 0x0, 0x0})
        github.com/spf13/cobra@v1.2.1/command.go:860 +0x5f8
github.com/spf13/cobra.(*Command).ExecuteC(0x6674b80)
        github.com/spf13/cobra@v1.2.1/command.go:974 +0x3bc
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/cobra@v1.2.1/command.go:902
github.com/openziti/ziti/ziti/cmd/ziti/cmd.Execute()
        github.com/openziti/ziti/ziti/cmd/ziti/cmd/cmd.go:79 +0x38
main.main()
        github.com/openziti/ziti/ziti/cmd/ziti/main.go:24 +0x17

The screenshot you shared is from the NetFoundry console; help with NetFoundry console issues can be found at the other discourse: https://community.netfoundry.io/

That said, looking at your policy advisor output, it seems quite incomplete. Can you post the full output?

@TheLumberjack Thank you I’ve updated it.

Delete the file at /Users/evangertis/.ziti/ziti-cli.json and log in via the ziti CLI again. If that fails, make an empty JSON file at that location and try again.


Thank you @TheLumberjack! I was able to start the project after removing the maxPerm size, changing buildForAndroid=false to false in the gradle.properties file, and pulling the latest code changes from @ekoby for ziti-sdk-jvm/ziti-springboot at main · openziti/ziti-sdk-jvm · GitHub.