5 CNC Console Troubleshooting in OCI Deployment

This section provides information to troubleshoot the common errors which can be encountered when CNC Console is deployed in OCI.

5.1 CNC Console Deployment pods are not coming up

CNC Console Deployment pods are not coming up

This error can arise due to the following problems -

Problem 1: CreateContainerConfigError is observed in acore-ingress-gateway and mcore-ingress-gateway pods.

Solution: Cross check if oci-iam-secret is created or not. If not, create the secret properly as mentioned in Cloud Native Configuration Console Installation, Upgrade, and Fault Recovery Guide.

Problem 2: mcore-ingress-gateway pods is going to CrashLoopBackOff state.

Solution: Please check the occncc_custom_values.yaml file for the following -

  1. Incorrect domain URL is provided in global.mCnccIams.fqdn section of Instance configuration. This field should contain the URL of OCI Domain used to deploy CNC Console.
    mCnccIams:
    - id: Cluster1
      fqdn: idcs-37e739602b574bb6848c8cd96640f11d.identity.oraclecloud.com
      scheme: https
  2. Scheme is missing in Instance Configuration of global.mCnccIams.scheme User should provide HTTPS scheme.

Problem 3: ImagePullBackOff Error coming up for CNC Console Deployment pods.

Solution: All the image repositories must be public. Run the following steps to make all image repositories public:

  1. Go to OCI Console → Developer Services → Containers & Artifacts → Container Registry.
  2. Select the compartment.
  3. In the Repositories and Images Search option, the images will be listed. Select each image and change to Public. This step must be preformed for all the images sequentially.

5.2 CNC Console Core GUI is not loading

CNC Console Core GUI is not loading

Problem: Unable to access CNC Console Core GUI, getting "Invalid credentials" Error

This error can arise due to the following incorrect configurations -
  • Incorrect Configuration 1: When oci-iam-secret is incorrect.

    Solution: Please make sure to create the secret properly as described in the Oracle Communications Cloud Native Configuration Console Installation, Upgrade, and Fault Recovery Guide.

  • Incorrect Configuration 2: Incorrect Issuer URL is provided in OAuth settings of OCI IAM domain

    Solution: Follow the below steps to correct the Issuer URL in OAuth settings:

    1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain where CNC Console is deployed.
    2. Navigate to Security → OAuth
    3. Update the issuer URL with correct value (If the OCI IAM domain URL is with default port 80/443, make sure to remove the port from the domain URL while updating the Issuer field and it should match with what is provided in the global.mCnccIams.fqdn section of occncc_custom_values.yaml).

5.3 Getting invalid redirect uri error while accessing CNC Console Core

Getting 'invalid redirect uri error' while accessing CNC Console Core

Problem: Getting the below error while accessing to CNC Console Core
{"error":"invalid_redirect_uri","error_description":"Client c2151db267684a8fa15bcd19d56cd2a3 requested an invalid redirect URL: https://100.xx.xx.xx/login/oauth2/code/cncc-iam. ECID:
      OZjBv13L900000000"}

Solution:

This problem is observed when incorrect redirect-uri is configured in the OAuth configuration of Integrated Application . Please follow the below steps -

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain where CNC Console is deployed.
  2. Click on Integrated Applications
  3. Click on the Integrated Application that you want to modify. (Ex: cncc-iam)
  4. Click Edit OAuth Configuration
  5. Scroll down to find Redirect URL
  6. Make sure to update the correct Redirect URL as per Oracle Communications Cloud Native Configuration Console Installation, Upgrade, and Fault Recovery Guide.

5.4 LDAP Integration Issues

LDAP Integration Issues

Problem 1: Not Able to find Delegate Authentication option.

Solution: Check for Type of Domain, it should be Premium for Delegate Authentication.

Problem 2: Not Able to find The Active Directory's (AD) Organization Unit (OU) for user and group in Oracle Cloud Infrastructure IAM (OCI IAM) Console.

Solution:

  1. Check for the Organizational Unit in Active Directory.
  2. If Organizational Unit is present in Active Directory.
  3. Refresh the web Browser.

Problem 3: Not Able to Authenticate User using Active Directory user's password

Solution:

  1. Make sure Enable local authentication is Enabled in Authentication Settings of OCI IAM.
  2. Provide the required permission to Active Directory administrator. For more information see, the Oracle Cloud Infrastructure Documentation.

5.5 Issues in SAML Authentication

Issues in SAML Authentication

Problem: Logging in using SAML SSO throws following error: No user was returned during the SAML assertion to user mapping for partner SSO

Solution: In this case, recheck the SAML JIT configuration done in the IDP section of OCI IAM.

  1. In the Map User Attributes section, check if the proper mapping is done between the IDP and Identity domain attributes.
  2. If any of the IDP attribute mapped under this section is missing in SAML Assertion coming from IDP, then the authentication will fail.

5.6 CNC Console Access when private LoadBalancer IP is assigned

CNC Console Access when private LoadBalancer IP is assigned

Problem: CNC Console GUIs cannot be accessed when private LoadBalancer IP is assigned using the annotation oci-network-load-balancer.oraclecloud.com/internal: "true"

Solution: Access the CNC Console GUI via tunneling.

You can use any online emulator available for tunneling or you can follow the below steps mentioned

  1. Run the following command for tunnelling using ssh command
    ssh -v -f -N -i <id_rsa_private_key> -o StrictHostKeyChecking=no -o ProxyCommand="ssh -i <id_rsa_private_key> -o StrictHostKeyChecking=no -W %h:%p <user>@<bastion_ip>" <user>@<operator_instance_ip> -L <local_port>:<worker_node_ip>:<loadbalancer_service_port> -o ServerAliveInterval=60 -o ServerAliveCountMax=300
    Example:
    ssh -v -f -N -i id_rsa -o StrictHostKeyChecking=no -o ProxyCommand="ssh -i id_rsa -o StrictHostKeyChecking=no -W %h:%p opc@10.xx.xx.xx" opc@10.xx.xx.xx -L 443:10.xx.xx.xx:31152 -o ServerAliveInterval=60 -o ServerAliveCountMax=300
    where each attributes are
    Attribute Description
    <id_rsa_private_key> Specifies the private key to connect to the Bastion host.
    <user> username to connect to Bastion and Operator instances
    <bastion_ip> IP of the bastion host
    <operator_instance_ip> IP of the Operator instance
    <worker_node_ip> IP of the Worker node where CNC Console Application is installed
    <local_port> The port on your local machine where the browser is installed that requires forwarding from a remote host.
    <loadbalancer_service_port> Load Balancer service port of CNC Console, that is, M-CNCC Core ingress-gateway service
  2. Open the /etc/hosts file.

    For Mac

    1. Open the Terminal application on your Mac computer.
    2. Access the /etc/ hosts folder using a text editor (sudo user).

    For Windows

    1. Press the Windows key.
    2. Type Notepad in the search field.
    3. In the search results, right-click Notepad and select Run as administrator.
    4. From Notepad, open the following file: c:\Windows\System32\Drivers\etc\hosts

  3. Add following entries under /etc/hosts file

    For M-CNCC Core
    
127.0.0.1 <cncc_release_name>-mcore-ingress-gateway.<cncc_namespace>.svc.<cluster_domain>
    Example:
    127.0.0.1 cncc-mcore-ingress-gateway.cncc.svc.cluster.local
  4. Access the CNC Console GUI using the above configured FQDN.