Richard - I am creating a new topic for the issue that Eric was talking about in the AX post. I am the systems integrator that is working with Eric to get nhaystack to work. We are running the haystack driver with N4.3.58.18. We were able to get the nhaystack to work in N4.2 but somehow we only got it to work with the encrypted authentication (digest not http basic) which I have no idea how we did that. We have tried multiple things to get this to work including creating new users both basic and digest, turning off the secure HTTPS port and only looking at the HTTP port. We known the user is setup as basic because we are able to connect SkySpark with OBIX. I am also able to run the https://IP/haystack/read?filter=point after logging in via the browser. I was able to get logs from the jetty web service and will post them. Thanks for the help!

Richard,

We are using the 2.0.1 driver on N4, version 4.3. However, we don't seem to be able to get past the Authentication Failed 302 error. The user we have created is using basic authentication and works with the oBix driver but not with nHaystack 2.0.1 on 4.3 Niagara.

Has the 2.0.1 driver been tested on 4.3, are are there any thoughts on helping debug?

Eric

We've been able to get 4.3 to work for us. I don't know if this helps but I've noticed that we have had to restart Skyspark service before the connection was successful. I don't know why that helps, it could be coincidental but it worked for us.

Gabe

Hi Melissa,

thanks for posting and providing all the information.

As I've posted before in the forum it is important to understand that the authentication issue is not something that is under my control in the nhaystack module. The nhaystack servlet is mounted in the Niagara web server and sits behind Tridium's authentication procedure.

The process for getting it working does seem a bit random from the feedback I've had which makes it difficult to diagnose individual situations. It is encouraging though that Gabe managed to get it to work under 4.3.

If you're using SkySpark perhaps try Gabe's suggestion and see if that makes a difference.

Cheers, Richard

Thanks Richard,

We are going to try a few more things, but the restart of SkySpark did not help. (-;

Eric

Reviewing a different but related post (http://project-haystack.org/forum/topic/375), I tried testing the connection at the command line, and get the following. It looks like it is presenting some sort of Java Login page ...

IP Addresses and passwords changed..

E:\Data\SkSp\skyspark-2.1.15\bin>fan haystack::Client http://10.1.1.1:85/haystack Group_14_Basic xxxxxxxxxx
[12:47:25 03-Aug-17] [debug] [haystackClient] > [0]
POST http://10.1.1.1:85/haystack/authHello
Content-Length: 35
Content-Type: text/zinc
Accept-Encoding: gzip
Accept: text/zinc
ver:"3.0"
username
"Group_14_Basic"

[12:47:25 03-Aug-17] [debug] [haystackClient] < [0]
302 Found
Set-Cookie: JSESSIONID=c17bcedf7c895dadfa7269605ea1a4a15552c03c8f0db9d819;Path=/;HttpOnly
Content-Length: 0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://10.1.1.1:85/login

[12:47:25 03-Aug-17] [debug] [haystackClient] > [1]
GET http://10.1.1.1:85/login
Accept-Encoding: gzip

[12:47:25 03-Aug-17] [debug] [haystackClient] < [1]
200 OK
Content-Length: 2270
x-frame-options: sameorigin
Content-Type: text/html;charset=utf-8
<!DOCTYPE html>
<html>
<head>
  <meta name="viewport" content="width=device-width initial-scale=1.0 maximum-scale=1.0 target-densityDpi=medium-dpi">
  <title>Login</title>
  <link rel="stylesheet" type="text/css" href="login/loginN4.css">
  <script type="text/javascript" src="login/loginN4.js"></script>

</head>
<body onload="checkFail()">
  <script type='text/javascript'>
    if ('ontouchstart' in window) {
      document.body.className += ' touch-enabled';
    }
  </script>
  <div id="outer-login-form-container">
    <div id="login-logo-container">
  <img id="login-logo" src="login/logo" alt="Custom Logo"/>
</div>
    <div id="login-form-container">
      <div id="login-title-container">
        <div id="login-title">DPSWS</div>
      </div>
      <div>
        <noscript>JavaScript must be enabled to login</noscript>
      </div>
      <div id="login-failed">
        Login Failed
      </div>

      <div id="login-image">
        <img src="login/keys.png" />
      </div>
      <form id="main-login-form" method="POST" action=prelogin>
            <div id="login-credentials">
    <div class="login-group">
        <label class="login-label" for="userName">Username:</label>
        <input class="login-input" type="text" name="j_username" autofocus/>
    </div>

    <input id="login-submit" type="submit" value="Login"/>
</div>
      </form>

    </div>
    <div id="blanket" style="display:none">
  <div id="licenseDiv" style="display:block">
    <div id="licenseTitle"><div id="licenseFileName"></div><div><img id="closeButton" src="login/close.png" alt="Close" onclick="closeLicense()"/></div></div>
    <iframe id="licenseFile" onload="fixStyle(this)" src=""></iframe>
  </div>
</div>

<div id="licenseAgreements">
Use of this software is subject to the<br />
<a href="#" onclick="openLicense('End User License Agreement', 'eula');">End User License Agreement</a>
 and other <a href="#" onclick="openLicense('Third Party Licenses', 'thirdPartyLicenses');">Third Party Licenses</a>
</div>

  </div>
  <p>
  <span id="webStartLogin" class="">
  To connect using Java Web Start <a id="niagara_webStartJnlpLink" href="/webstart/jnlp">click here</a>
  </span>
</p>
</body>
</html>

[12:47:25 03-Aug-17] [debug] [haystackClient] > [2]
POST http://10.1.1.1:85/j_security_check/
Content-Length: 95
Cookie: JSESSIONID=c17bcedf7c895dadfa7269605ea1a4a15552c03c8f0db9d819; niagara_userid=Group_14_Basic
Content-Type: application/x-niagara-login-support; charset=UTF-8
Accept-Encoding: gzip
action=sendClientFirstMessage&clientFirstMessage=n,,n=Group_14_Basic,r=kniaF4WpnECV+MgwO/N5vA==

[12:47:25 03-Aug-17] [debug] [haystackClient] < [2]
302 Found
Set-Cookie: niagara_userid=Group_14_Basic;Expires=Fri, 03-Aug-2018 18:47:19 GMT
Content-Length: 0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://10.1.1.1:85/login?auth=fail

sys::Err: Authentication failed: 302
  haystack::NiagaraScramAuthAlgorithm.firstMsg (ClientAuth.fan:494)
  haystack::NiagaraScramAuthAlgorithm.auth (ClientAuth.fan:476)
  haystack::ClientAuth.authHaystack (ClientAuth.fan:79)
  haystack::Client.openx (Client.fan:39)
  haystack::Client.main (Client.fan:301)
  java.lang.reflect.Method.invoke (Unknown)
  fan.sys.Method.invoke (Method.java:559)
  fan.sys.Method$MethodFunc.callList (Method.java:198)
  fan.sys.Method.callList (Method.java:138)
  fanx.tools.Fan.callMain (Fan.java:183)
  fanx.tools.Fan.executeType (Fan.java:147)
  fanx.tools.Fan.execute (Fan.java:41)
  fanx.tools.Fan.run (Fan.java:308)
  fanx.tools.Fan.main (Fan.java:346)

E:\Data\SkSp\skyspark-2.1.15\bin>

Anyone more familiar with Niagara N4 and the nHaystack driver have any suggestions? We seem to be at a loss.

@Richard

I think we really need to consider using another forum than project-haystack for direct support of nhaystack (or any other 3rd party module/program/etc).

I'm used to Github and I really like the way it works.

Maybe Bitbucket can work fine for that need too...

But this forum doesn't fit for that.

It's hard to keep track of bugs and work related to bugs ... and code format just don't look good.

Hi Christian,

Thanks for your thoughts.

I'm not fussed by either Github or Bitbucket. Like most developers I use both Mercurial and Git in my regular day job so it's of no consequence to me personally.

For what it's worth Bitbucket does have an issue tracker and it's open for everyone to use as long as you have a Bitbucket account which is free.

However, moving the repo around isn't going to solve the issue.

Neither is moving the discussion away from this forum where most people in the Haystack community get their updates from...and neither is tracking a bug in another online system going to assist either.

The reason I say this is that to the best of my knowledge and as far as I can see the issue that everyone is experiencing is not a bug with nhaystack.

It is an issue with the Niagara authentication mechanism not conforming to the standard published by Matt Giannini. nhaystack has no direct control over authentication as far as I can tell.

I have posted to this effect several times.

Believe me I am equally frustrated as those who are trying to use this Niagara module, this is not the sort of feedback I want to be seeing.

I have been following up with Tridium offline via email but have not yet received any responses, if I had I would have updated everyone via this forum immediately.

As you know Christian, and others also do, I'm more than happy to take input from the community for the nhaystack module, whether by submitting code through Pull Requests or any other way that is appropriate. So if there are other suggestions on how we as a community can solve this issue without requiring support from Tridium then I'm happy to take all ideas on board.

Cheers, Richard

I established another connection with a new jace that is running 4.3 and didn't have any issues. We have 3 connections with 4.3 stations plus many other 4.2 stations with no issues.

I'm assuming you are completing all the necessary steps that need to be done to setup this connection but I can explain the steps we take to create the connection. But being that you have established connection with 4.2 jaces you should know these steps.

Gabe

Gabe!!

What's your secret? Can you share any more detailed steps with the community that might assist everyone?

Cheers,

Richard

Yes, I would certainly like to know what steps you take and any issues you have worked through. We have many nHaystack drivers out there working for us (both AX and N4) but the few that fail can be really troubling.

Eric

Jace setup:

-Install jar file. (This should require a reboot) -Add Nhaystack service to services container. -Initialize haystack. -Make sure web service http port or https port is open depending on which you use. -Add a Http Basic Scheme to Authentification Service/Authentification Scheme container. -Create a user account and set the Authentification Scheme to use the Http Basic Scheme.

We don't do anything different than what is already specified for a Haystack connection other than I recommend using the ip address and not the host name of the Jace. We use ssl cert and we notice that we have to stop Skyspark service after running the "fan tools::KeyMgr trust -uri https://example.com" in command prompt, and then start the service. The connection should work after that.

Gabe

All,

Thanks for responding!!! It is very encouraging that others have got it to work. I am already using basic authentication as described above. Sorry about posting the logs. I didn't realize this was not the place to post it but I do appreciate the feedback.

This issue is difficult to troubleshoot because we are essentially trying to integrate 3 vendors(Tridium, Haystack, SkySpark) and each are pointing fingers at the other.

Followed Gabe's instructions to a T and I still couldn't get it to work. We went back to 4.2 and I works fine. Also tried a new clean install without haystack jar file then reinstalled it. Still no bueno.

I have been having a similar issue with 4.3.58. what i did was test using HTTPbasic and chrome with the ARC plugin which allows to send restfull commands to Nhastack i can send the user and password with the get command and get a 200 response which is good and get the about info. I also was able to get Nhaystack point info with curl. that being said i still get a 302 authorization error in FIN4 so that would lead me to believe that Niagara and Nhaystack are ok but the client software is an issue ?

I forgot to mention 4.3 has implemented java security policies. Could it be why it is not communicating anymore...

Hi guys,

After receiving multiple emails regarding this, I got the latest N4.3 from John to help check this. Below is what I did to make this work with SkySpark v2.1.15, which is likely what most of you might have. If you have the newer SkySpark v3.0 version, it should just work (I have v3.0.12) because mine connected without issue after doing the Niagara steps below.

To make this work, I followed Gabes setup on the Niagara side.

-Install jar files. (This should require a reboot) 
-Add Nhaystack service to services container. 
-Initialize haystack. 
-Make sure web service http port or https port is open depending on which you use. 
-Add a Http Basic Scheme to Authentification Service/Authentification Scheme container. (Rebooted)
-Create a user account and set the Authentification Scheme to use the Http Basic Scheme.

Then on the SkySpark side.

- Install this haystack.pod (https://www.dropbox.com/s/g74a2qkyt2k2j0j/haystack.pod?dl=0)
- Restart the service and done.

Note: However, with this pod the haystack connections to N3.8 or older will no longer work. So if you have projects that have a combination of N3.8 and N4.3, this will be an issue.