The authentication mechanism described in http://project-haystack.org/doc/Auth is available for Niagara 4.3 by installing the following patch modules:

• baja 4.3.58.22.1
• jetty-rt 4.3.58.22.3
• web-rt 4.3.58.22.3
• docDeveloper 4.3.58.22.1

This will allow you to authenticate to Niagara 4.3 using the scram-sha mechanism defined in the Auth document. You should be able to obtain these through your support channel.

Great news. Thank you Bill. This will help us all.

Hi Bill,

Thanks for this! It's great news for the community and we appreciate Tridium's collaboration.

Can you elaborate further on if/when this might be back-ported to Niagara 4.2? I know there are a lot of folks in the community who are using nhaystack with 4.2 and have suffered from this issue for some time.

To the community: I'm currently working on the next release of nhaystack which will be built using Niagara 4.3. Once I hear further from Bill regarding any possibility of backporting to 4.2 I will deal with that when the time comes. However, I think that once I release the next nhaystack we as a community should do our best to upgrade and standardise on Nigara 4.3 moving forward.

I appreciate this is not always possible and I appreciate that this may bring it's own set of challenges on existing sites. However I think we need to get a reliable working baseline going and it looks like Niagara 4.3 is going to be it.

I'm still happy to take comments, thoughts, patches or assistance as always.

I'll keep the community posted.

Richard

Hi Richard. I can't commit to a date, but backporting to N4.2 is in the works!

Thanks Bill...that's great news!

We look forward to further updates when you can share them.

Cheers, Richard

Hi Bill,

I have a customer that has N4.4 and are getting the below error when trying to authenticate to it. Looks like complete rejection. Is N4.4 supporting haystack auth?

They had N4.3 which worked just fine. Then after upgrading is when this occurred.

Thanks.

Error: sys::IOErr: HTTP error code: 403

haystack::AuthClientContext.open (AuthClientContext.fan:92)
haystack::Client.openAuth (Client.fan:61)
haystack::Client.main (Client.fan:330)
java.lang.reflect.Method.invoke (Unknown)
fan.sys.Method.invoke (Method.java:559)
fan.sys.Method$MethodFunc.callList (Method.java:198)
fan.sys.Method.callList (Method.java:138)
fanx.tools.Fan.callMain (Fan.java:183)
fanx.tools.Fan.executeType (Fan.java:147)
fanx.tools.Fan.execute (Fan.java:41)
fanx.tools.Fan.run (Fan.java:308)
fanx.tools.Fan.main (Fan.java:346)

Hi Ricky,

This should work fine in N4.4. I've forwarded this to our engineer who implemented the auth and will post his response. Do you have any info or stacktrace from the server side?

Regards, Bill

hi there not sure this is the right thread to be posting this in but was along the same lines AUTH, im currently having issues in 4.3 with nHaystack device driver when trying to connect to skysparks server from niagara to draw points back down.

i have a slack messenger service i created that connects to restApi which was throwing the same error as im getting from nHaystack below in 4.3, after contacting tridium they advised that i needed to add the "module-permissions.xml" to my source to allow external connections on specific ports from my niagara 4.3 instance. Could the below be caused by the same issue?? this is only new to 4.3 hence why i though i would ask the question

any help would be greatly appreciated

Caused by: java.security.AccessControlException: access denied ("java.net.SocketPermission" "127.0.0.1:8080" "connect,resolve")

at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) at java.security.AccessController.checkPermission(AccessController.java:884) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051) at sun.net.www.http.HttpClient.openServer(HttpClient.java:541) at sun.net.www.http.HttpClient.<init>(HttpClient.java:242) at sun.net.www.http.HttpClient.New(HttpClient.java:339) at sun.net.www.http.HttpClient.New(HttpClient.java:357)

Skyspark had no issue connecting down with BasicAuth in 4.3 prior to updating with this patch. Installed the patch to fix the memory leak but now Skyspark can't authenticate with the implementation of the HaystackAuth that comes with the patches.

Anybody had any luck connecting to 4.3 from Skyspark after this patches has been installed?

curErr:

sys::IOErr: HTTP error code: 403
  auth::AuthClientContext.open (AuthClientContext.fan:92)
  skyarcd::Client.open (Client.fan:44)
  haystackExt::HaystackConn.onOpen (HaystackConn.fan:63)
  connExt::Conn.open (Conn.fan:150)
  connExt::Conn.openLinger (Conn.fan:116)
  connExt::Conn.openLinger (Conn.fan)
  connExt::Conn.ping (Conn.fan:204)
  connExt::Conn.checkReopen (Conn.fan:421)
  connExt::Conn.doHouseKeeping (Conn.fan:340)
  connExt::ConnActor.receive (ConnActor.fan:173)
  concurrent::Actor._dispatch (Actor.java:230)
  concurrent::Actor._work (Actor.java:201)
  concurrent::ThreadPool$Worker.run (ThreadPool.java:262)

same issue here..

Were you able to find a fix Jonathan?

This is probably due to the user still being configured to use http basic instead of digest. Try switching to digest and see if that helps.

Thanks Bill, I changed the user back to Digest and now I get a new error "AuthScheme param not found: data"

That error is from a header check at the very end of the handshake. That has been fixed in N4.4 and should be available in a few days for N4.3.

The fix for the WWW-Authenticate header is now available for N4.3 with the following modules:

• jetty-rt 4.3.58.22.7
• web-rt 4.3.58.22.7

You should be able to obtain these through your support channel.

This is an ancient topic, but I'm having the same issue with version 4.11.0.142 of Niagara.

Is a patch still required or is this baked into the drivers still?