#537 Niagara/Haystack Auth Patch for N4.3

Bill Smith Wed 20 Sep 2017

The authentication mechanism described in http://project-haystack.org/doc/Auth is available for Niagara 4.3 by installing the following patch modules:

  • baja
  • jetty-rt
  • web-rt
  • docDeveloper

This will allow you to authenticate to Niagara 4.3 using the scram-sha mechanism defined in the Auth document. You should be able to obtain these through your support channel.

Alper Üzmezler Wed 20 Sep 2017

Great news. Thank you Bill. This will help us all.

Richard McElhinney Thu 21 Sep 2017

Hi Bill,

Thanks for this! It's great news for the community and we appreciate Tridium's collaboration.

Can you elaborate further on if/when this might be back-ported to Niagara 4.2? I know there are a lot of folks in the community who are using nhaystack with 4.2 and have suffered from this issue for some time.

To the community: I'm currently working on the next release of nhaystack which will be built using Niagara 4.3. Once I hear further from Bill regarding any possibility of backporting to 4.2 I will deal with that when the time comes. However, I think that once I release the next nhaystack we as a community should do our best to upgrade and standardise on Nigara 4.3 moving forward.

I appreciate this is not always possible and I appreciate that this may bring it's own set of challenges on existing sites. However I think we need to get a reliable working baseline going and it looks like Niagara 4.3 is going to be it.

I'm still happy to take comments, thoughts, patches or assistance as always.

I'll keep the community posted.


Bill Smith Thu 21 Sep 2017

Hi Richard. I can't commit to a date, but backporting to N4.2 is in the works!

Richard McElhinney Thu 21 Sep 2017

Thanks Bill...that's great news!

We look forward to further updates when you can share them.

Cheers, Richard

Ricky Villa Thu 9 Nov 2017

Hi Bill,

I have a customer that has N4.4 and are getting the below error when trying to authenticate to it. Looks like complete rejection. Is N4.4 supporting haystack auth?

They had N4.3 which worked just fine. Then after upgrading is when this occurred.


Error: sys::IOErr: HTTP error code: 403

haystack::AuthClientContext.open (AuthClientContext.fan:92)
haystack::Client.openAuth (Client.fan:61)
haystack::Client.main (Client.fan:330)
java.lang.reflect.Method.invoke (Unknown)
fan.sys.Method.invoke (Method.java:559)
fan.sys.Method$MethodFunc.callList (Method.java:198)
fan.sys.Method.callList (Method.java:138)
fanx.tools.Fan.callMain (Fan.java:183)
fanx.tools.Fan.executeType (Fan.java:147)
fanx.tools.Fan.execute (Fan.java:41)
fanx.tools.Fan.run (Fan.java:308)
fanx.tools.Fan.main (Fan.java:346)

Bill Smith Fri 10 Nov 2017

Hi Ricky,

This should work fine in N4.4. I've forwarded this to our engineer who implemented the auth and will post his response. Do you have any info or stacktrace from the server side?

Regards, Bill

david blanch Fri 17 Nov 2017

hi there not sure this is the right thread to be posting this in but was along the same lines AUTH, im currently having issues in 4.3 with nHaystack device driver when trying to connect to skysparks server from niagara to draw points back down.

i have a slack messenger service i created that connects to restApi which was throwing the same error as im getting from nHaystack below in 4.3, after contacting tridium they advised that i needed to add the "module-permissions.xml" to my source to allow external connections on specific ports from my niagara 4.3 instance. Could the below be caused by the same issue?? this is only new to 4.3 hence why i though i would ask the question

any help would be greatly appreciated

Caused by: java.security.AccessControlException: access denied ("java.net.SocketPermission" "" "connect,resolve")

at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) at java.security.AccessController.checkPermission(AccessController.java:884) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051) at sun.net.www.http.HttpClient.openServer(HttpClient.java:541) at sun.net.www.http.HttpClient.<init>(HttpClient.java:242) at sun.net.www.http.HttpClient.New(HttpClient.java:339) at sun.net.www.http.HttpClient.New(HttpClient.java:357)

Jonathan Hughes Tue 5 Dec 2017

Skyspark had no issue connecting down with BasicAuth in 4.3 prior to updating with this patch. Installed the patch to fix the memory leak but now Skyspark can't authenticate with the implementation of the HaystackAuth that comes with the patches.

Anybody had any luck connecting to 4.3 from Skyspark after this patches has been installed?


sys::IOErr: HTTP error code: 403
  auth::AuthClientContext.open (AuthClientContext.fan:92)
  skyarcd::Client.open (Client.fan:44)
  haystackExt::HaystackConn.onOpen (HaystackConn.fan:63)
  connExt::Conn.open (Conn.fan:150)
  connExt::Conn.openLinger (Conn.fan:116)
  connExt::Conn.openLinger (Conn.fan)
  connExt::Conn.ping (Conn.fan:204)
  connExt::Conn.checkReopen (Conn.fan:421)
  connExt::Conn.doHouseKeeping (Conn.fan:340)
  connExt::ConnActor.receive (ConnActor.fan:173)
  concurrent::Actor._dispatch (Actor.java:230)
  concurrent::Actor._work (Actor.java:201)
  concurrent::ThreadPool$Worker.run (ThreadPool.java:262)

Rav Panchalingam Mon 15 Jan 2018

same issue here..

Daryl Bennett Tue 16 Jan 2018

Were you able to find a fix Jonathan?

Bill Smith Tue 16 Jan 2018

This is probably due to the user still being configured to use http basic instead of digest. Try switching to digest and see if that helps.

Rav Panchalingam Tue 16 Jan 2018

Thanks Bill, I changed the user back to Digest and now I get a new error "AuthScheme param not found: data"

Bill Smith Tue 16 Jan 2018

That error is from a header check at the very end of the handshake. That has been fixed in N4.4 and should be available in a few days for N4.3.

Bill Smith Mon 22 Jan 2018

The fix for the WWW-Authenticate header is now available for N4.3 with the following modules:

  • jetty-rt
  • web-rt

You should be able to obtain these through your support channel.

Rich Quackenbush Mon 3 Jul

This is an ancient topic, but I'm having the same issue with version of Niagara.

Is a patch still required or is this baked into the drivers still?

Login or Signup to reply.