An error occurred while attempting to contact the authentication service

  • 7016438
  • 17-Apr-2015
  • 22-Apr-2015

Environment

Identity Manager 4.5
Identity Applications 4.5
Application server is configured with SSL/HTTPS


Situation

When accessing the Identity Applications Home and Provisioning Dashboard (/landing), the following error appears after authenticating:

"An error occurred while attempting to contact the authentication service"


If you open the browser's developer tools (F12 in Firefox) and track all the requests, the last request, to /IDMProv/rest/access/users/fullName, fails with "503 Service Unavailable".


Resolution

This error occurs when you access the Home and Provisioning Dashboard (landing) over HTTPS and the certificate the application server uses to secure the connection is not a publicly chained certificate already trusted by the default Java cacerts trust store. It can also occur when your certificate is issued through one or more intermediate certificates. OSP must be able to build a complete trust chain before it will communicate with the application server over HTTPS.

Run configupdate and click "Show advanced options".
Go to the "Authentication" tab.
In the box "Optional TLS/SSL truststore file", point to a keystore that contains the certificate used by your application server.
In the box "Optional TLS/SSL truststore password", provide the keystore password.
Restart your application server.


Cause

The "Optional TLS/SSL truststore file" setting in configupdate lets you specify an additional Java keystore file that OSP uses to verify the trust chain of the application server's certificate. With keytool you can create a keystore file that contains the public certificates of any intermediate or root CAs needed to establish trust; import them using the -trustcacerts switch of keytool. If you are using a self-signed certificate (a certificate whose subject and issuer are the same), import that certificate itself to establish trust. The same applies when OSP and the User Application run on different servers: use keytool to import the application server's public certificate into a new keystore file and point this setting at that file.
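The following script is an added example, not part of this TID or of the NetIQ product, showing how the truststore described in the Resolution and Cause sections can be built with keytool. It assumes a JDK keytool on the PATH and a PEM file exported from the application server that holds its certificate followed by any intermediate and root certificates; the file names, the alias prefix osp-trust-N and the store password are illustrative.

```shell
#!/bin/sh
# Added example (not from the TID): build the extra truststore that the
# configupdate setting "Optional TLS/SSL truststore file" points OSP at.
# Assumed inputs: chain.pem = server cert + intermediates + root, exported
# from the application server; keytool from a JDK on PATH.
set -eu

# Split a PEM bundle into one file per certificate (cert-1.pem, cert-2.pem,
# ...) under $2, ignoring any text outside the BEGIN/END markers.
# Prints the number of certificates found.
split_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { close(f); inside = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# Import every certificate in the bundle into a JKS truststore, one alias
# per certificate. -trustcacerts lets keytool also accept a certificate whose
# issuer is already in the JDK cacerts store; -noprompt skips the
# interactive "Trust this certificate?" question (the chain is self-signed
# or already verified by the administrator exporting it).
build_truststore() {
    bundle="$1"; store="$2"; storepass="$3"
    workdir=$(mktemp -d)
    count=$(split_chain "$bundle" "$workdir")
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -trustcacerts -noprompt \
            -keystore "$store" -storepass "$storepass" \
            -alias "osp-trust-$i" -file "$workdir/cert-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$workdir"
    echo "$count"
}

# Report how many trusted entries the store now holds; compare with the
# count returned by build_truststore before restarting the application server.
verify_truststore() {
    store="$1"; storepass="$2"
    keytool -list -keystore "$store" -storepass "$storepass" | grep -c trustedCertEntry
}

# Usage: sh build_osp_truststore.sh chain.pem osp-truststore.jks 'store-password'
if [ "$#" -eq 3 ]; then
    imported=$(build_truststore "$1" "$2" "$3")
    echo "imported $imported certificate(s) into $2"
    echo "trusted entries in store: $(verify_truststore "$2" "$3")"
fi
```

After the script finishes, enter the path of the new store and its password in the two configupdate boxes and restart the application server; if the 503 on /IDMProv/rest/access/users/fullName persists, re-export the chain from the server and confirm that every issuer in it, not only the leaf certificate, was imported.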