Best posts made by pclark
-
RE: Fusion not leaving maintenance mode
-
RE: I've written a password encryption plugin I want to share. Where can I share it?
In case it helps anyone, a version of the ASP.NET Core Identity PasswordHasher HashPasswordV3
```java
package com.mycompany.fusionauth.plugins;

import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.util.Base64;

import io.fusionauth.plugin.spi.security.PasswordEncryptor;

/**
 * Example password hashing based on Asp.Net Core Identity PasswordHasher HashPasswordV3.
 */
public class ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor implements PasswordEncryptor {
  @Override
  public int defaultFactor() {
    return 10_000;
  }

  @Override
  public String encrypt(String password, String salt, int factor) {
    if (factor <= 0) {
      throw new IllegalArgumentException("Invalid factor value [" + factor + "]");
    }

    SecretKeyFactory keyFactory;
    try {
      keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("No such algorithm [PBKDF2WithHmacSHA256]");
    }

    int keyLength = 32; // numBytesRequested
    byte[] saltBytes = Base64.getDecoder().decode(salt); // assumes Base64 encoded salt. saltSize: 16 bytes
    KeySpec keySpec = new PBEKeySpec(password.toCharArray(), saltBytes, factor, keyLength * 8);
    SecretKey secret;
    try {
      secret = keyFactory.generateSecret(keySpec); // subkey
    } catch (InvalidKeySpecException e) {
      throw new IllegalArgumentException("Could not generate secret key for algorithm [PBKDF2WithHmacSHA256]");
    }

    // Output layout: 1-byte marker, three big-endian 32-bit fields, then salt and subkey.
    byte[] outputBytes = new byte[13 + saltBytes.length + secret.getEncoded().length];
    outputBytes[0] = 0x01; // format marker
    WriteNetworkByteOrder(outputBytes, 1, 1); // PRF id: 1 = HMAC-SHA256
    WriteNetworkByteOrder(outputBytes, 5, factor); // iteration count
    WriteNetworkByteOrder(outputBytes, 9, saltBytes.length); // salt length in bytes
    System.arraycopy(saltBytes, 0, outputBytes, 13, saltBytes.length);
    System.arraycopy(secret.getEncoded(), 0, outputBytes, 13 + saltBytes.length, secret.getEncoded().length);
    return new String(Base64.getEncoder().encode(outputBytes));
  }

  // Writes a 32-bit value in big-endian (network) byte order at the given offset.
  private static void WriteNetworkByteOrder(byte[] buffer, int offset, int value) {
    buffer[offset + 0] = (byte)(value >> 24);
    buffer[offset + 1] = (byte)(value >> 16);
    buffer[offset + 2] = (byte)(value >> 8);
    buffer[offset + 3] = (byte)(value >> 0);
  }
}
```

```java
package com.mycompany.fusionauth.plugins;

import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;

import static org.testng.Assert.assertEquals;

public class ExampleDotNetPBDKF2HMACSHA256PasswordEncryptorTest {
  @Test(dataProvider = "hashes")
  public void encrypt(String password, String salt, String hash) {
    ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor encryptor = new ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor();
    assertEquals(encryptor.encrypt(password, salt, 10_000), hash);
  }

  @DataProvider(name = "hashes")
  public Object[][] hashes() {
    return new Object[][]{
        {"MyExamplePassword", "CVsv6SwPJr7WDrVvAb+7aw==", "AQAAAAEAACcQAAAAEAlbL+ksDya+1g61bwG/u2ssOcnQU6Q2xo9tmijJv0zM2GsxeOl04NSpXRsAveBBag=="},
    };
  }
}
```
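Added example, not part of the original post or of FusionAuth: an independent Python reader for the layout the plugin above writes (marker 0x01, big-endian PRF id, iteration count and salt length, then salt and subkey), with a constant-time verify that can cross-check imported hashes. The 16-byte minimums and the iteration bounds are assumptions of this example; `PAGE_HASH` is the vector from the post's unit test.

```python
import base64
import hashlib
import hmac
import struct

# Test vector from the post's unit test (password "MyExamplePassword").
PAGE_HASH = "AQAAAAEAACcQAAAAEAlbL+ksDya+1g61bwG/u2ssOcnQU6Q2xo9tmijJv0zM2GsxeOl04NSpXRsAveBBag=="
# PRF field -> hashlib name; the plugin above always writes 1 (HMAC-SHA256).
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}


def parse_v3(encoded):
    """Return (prf_id, iterations, salt, subkey); raise ValueError if malformed."""
    raw = base64.b64decode(encoded, validate=True)  # binascii.Error is a ValueError
    if len(raw) < 13 or raw[0] != 0x01:
        raise ValueError("format marker 0x01 missing")
    prf_id, iterations, salt_len = struct.unpack(">III", raw[1:13])
    salt, subkey = raw[13:13 + salt_len], raw[13 + salt_len:]
    if prf_id not in PRF_NAMES or len(salt) != salt_len:
        raise ValueError("unknown PRF or truncated salt")
    if salt_len < 16 or len(subkey) < 16:  # assumed minimums (128 bits)
        raise ValueError("salt or subkey too short")
    return prf_id, iterations, salt, subkey


def hash_v3(password, salt, iterations=10_000, prf_id=1, dk_len=32):
    """Build a V3 string with the same byte layout as the Java plugin."""
    subkey = hashlib.pbkdf2_hmac(PRF_NAMES[prf_id], password.encode("utf-8"),
                                 salt, iterations, dk_len)
    header = b"\x01" + struct.pack(">III", prf_id, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")


def verify_v3(password, encoded, min_iter=1, max_iter=10_000_000):
    """Constant-time check; the bounds stop a stored header from dictating the cost."""
    try:
        prf_id, iterations, salt, subkey = parse_v3(encoded)
    except ValueError:
        return False
    if not min_iter <= iterations <= max_iter:
        return False
    candidate = hashlib.pbkdf2_hmac(PRF_NAMES[prf_id], password.encode("utf-8"),
                                    salt, iterations, len(subkey))
    return hmac.compare_digest(candidate, subkey)


if __name__ == "__main__":
    print(parse_v3(PAGE_HASH)[:2], verify_v3("MyExamplePassword", PAGE_HASH))
```

Raising `min_iter` at login time is one way to flag imported hashes whose work factor is below current policy so they can be rehashed.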
-
RE: Production mode required change from localhost to explicit IP in database url property
Two updates:
- The workaround to use the explicit IP instead of localhost only works sometimes, indicating that there continues to be some kind of timing/timeout issue in Production mode, but not in Development mode.
- Adding a second processor seems to have actually fixed the issue.
-
RE: Notification of new FusionAuth versions
Thanks. I believe the RSS feed for the release announcements will work for us.
Latest posts made by pclark
-
RE: Fusion not leaving maintenance mode
Don't know your OS, but in case your error is related to what I found on a recent Windows/Postgres install:
https://fusionauth.io/community/forum/topic/2219/maintenance-mode-db-creation-fails-without-message-with-postgresql-15-on-windows
-
Maintenance Mode DB creation fails without message with PostgreSQL 15 on Windows
On Windows Server 2022, installed postgres 15, then attempted to install FusionAuth app and search (1.40.2). When Maintenance Mode came up, entered postgres user and password, used default fusionauth user and password, and clicked submit. Page came back to Maintenance Mode screen without any error message. Log showed stack trace with
Cause: org.postgresql.util.PSQLException: ERROR: permission denied for schema public
Looking in postgres list of dbs, saw the fusionauth db had been created with UTF8 for Collate and Ctype params. Looking at the advanced installation instructions, saw manual db setup for Windows required:
CREATE DATABASE fusionauth ENCODING 'UTF-8' LC_CTYPE 'English_United States' LC_COLLATE 'English_United States' TEMPLATE template0;
Was able to use these instructions to create the db and user, then Maintenance Mode was able to complete table creation and setup.
If not possible for Maintenance Mode to detect that the db is on Windows, would be great to have an error message instead of having to interpret the log file trace.
-
Install as Windows Service hangs on creating EventLog source
Attempt to install app (result below) and search (not shown) as Windows services:
From cmd run as Administrator:
```
c:\fusionauth\fusionauth-app\bin>FusionAuthApp.exe /install
Installing service FusionAuthApp...
Service FusionAuthApp has been successfully installed.
Creating EventLog source FusionAuthApp in log Application...
```
Then nothing happens. After about 10-15 minutes I gave up, ctrl-c out. The app is able to run.
-
RE: Set up SSL for Netty
Is adding an SSL cert to the keystore as described in https://fusionauth.io/docs/v1/tech/admin-guide/securing "Custom Certificate Authority" functionally equivalent to adding the cert to a standalone keystore, then using that keystore in Tomcat via the server.xml config file? Or is the "Custom Certificate Authority" for a different use?
-
Set up SSL for Netty
With the switch from Tomcat to Netty in 1.37, is it possible to add an SSL certificate directly to Netty, as was possible with Tomcat? Perhaps via some configuration file?
Related post:
https://fusionauth.io/community/forum/topic/180/is-it-possible-to-set-up-ssl-for-fusionauth-directly
-
Does deprecation of JavaScript Google Platform Library affect FusionAuth Google Identity Provider?
Received a notification from Google that they're discontinuing Google Sign-In JavaScript Platform Library for web (https://developers.googleblog.com/2021/08/gsi-jsweb-deprecation.html). They provided us "a list of your client ID(s) that use the legacy Google Sign-In web solution" and the only item was the client id we set up for FusionAuth's Google identity provider.
Will this affect the Google identity provider in FusionAuth, and if so, is it on the roadmap to be updated?
-
RE: .net core - Signature validation failed. Unable to match key: kid:
Two ideas:
- Does it help to specify the key id when creating your test SymmetricSecurityKey?

```csharp
var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("My secret from application config")) { KeyId = "Your Key Id" };
```

- You don't specify which algorithm you're using to sign your tokens. If you're using SymmetricSecurityKey, ensure you're using a symmetric algorithm to sign your tokens.
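Added example, not from the original post and not the .NET validator's code: a simplified Python model of the two checks the reply points at, key lookup by the token's `kid` header and agreement between the token's `alg` and the key type. The strict lookup rule, the `keys` mapping and the function names are assumptions of this example; the secret and key id strings are the placeholders from the post.

```python
import base64
import hashlib
import hmac
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret, kid=None):
    """Issue an HS256 token; kid goes into the header only when given."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    body = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64url(sig)


def validate(token, keys):
    """keys: kid -> (alg, secret). Return claims or raise ValueError naming the failed check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict):
        raise ValueError("malformed header")
    kid = header.get("kid")
    if kid not in keys:
        raise ValueError(f"unable to match key, kid: {kid!r}")
    alg, secret = keys[kid]
    # A symmetric key can only check an HMAC signature, so the header must agree.
    if alg != "HS256" or header.get("alg") != alg:
        raise ValueError(f"algorithm mismatch: token {header.get('alg')!r}, key {alg!r}")
    signed = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature validation failed")
    return json.loads(b64url_decode(payload_b64))


def failure_reason(token, keys):
    """Return 'ok' or the message of the first check that rejected the token."""
    try:
        validate(token, keys)
        return "ok"
    except ValueError as exc:
        return str(exc)
```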
-
RE: Notification of new FusionAuth versions
Thanks. I believe the RSS feed for the release announcements will work for us.
-
Notification of new FusionAuth versions
Is there an easy way to be notified when a new version of FusionAuth is released? I'm subscribed to your general email list, but am looking for something simple that just happens for a new version. I see there's an endpoint at https://metrics.fusionauth.io/api/latest-version that I could poll, but wondering if there's a better way, perhaps through GitHub, or if there's a way to only get version update emails from your mailing list.