Hi Sameera,

Unfortunately the exception is still there; I tried as you instructed. What
I guess is that if a tenant is logged in, ES is trying to verify the signature
against the tenant-specific keystore, while IS considers the wso2carbon
keystore.
Is there any configuration in ES to check with the wso2carbon keystore even
for the tenant?

Thank you
Senduran

On Tue, Jan 20, 2015 at 9:07 PM, Sameera Medagammaddegedara <samee...@wso2.com> wrote:

> Hi Senduran,
>
> Can we try the following:
>
> Export the primary key of the IS:
>
> keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2.cert
>
> Then import the certificate to the tenant's key store
>
> (Home > Configure > KeyStores > Import Certificates To)
>
>
> Thank You,
> Sameera
>
>
> On Tue, Jan 20, 2015 at 6:43 AM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>
>> Hi,
>>
>> I debugged the org.wso2.store.sso.common.util.Util
>> (product-es/modules/components/sso-common). Also I attached
>> xmltooling-1.3.1-sources.jar and xmlsec-1.5.5-sources.jar to get the
>> complete executing code.
>>
>> I compared the signingCert variable (in
>> org.wso2.store.sso.common.util.X509CredentialImpl) when I log in as a
>> tenant.
>> If I log in to ES's management console the subject of the certificate is
>> *CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US*
>> but when I log in to the publisher as the same tenant the subject of the
>> certificate is *C=None, O="None L=None", OU=None, CN=istenant.com*
>>
>> Please note that in both of the above scenarios I am logging in as a tenant,
>> and when I try to log in to the publisher the signature is being validated
>> against the tenant-specific certificate.
>> Is this causing the "org.opensaml.xml.validation.ValidationException:
>> Signature did not validate against the credential's key" exception?
>>
>> Thanks
>> Senduran
>>
>> On Mon, Jan 19, 2015 at 11:31 PM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> Thanks Malithi for the response.
>>> I tried unchecking Enable Response Signing, but even when I log in as
>>> admin I get the following exception:
>>> java.lang.NullPointerException
>>> at org.opensaml.xml.signature.SignatureValidator.buildSignature(SignatureValidator.java:91)
>>> at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:55)
>>> at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>         .....
>>> What am I missing here?
>>>
>>>
>>> @ES Team, could you please help me with how to import the public
>>> certificate of a tenant into the publisher's keystore. Where can I find the
>>> tenant's public certificate?
>>>
>>> Thank you
>>> Senduran
>>>
>>>
>>>
>>> On Mon, Jan 19, 2015 at 8:10 PM, Malithi Edirisinghe <malit...@wso2.com> wrote:
>>>
>>>> Hi Senduran,
>>>>
>>>> There's a separate primary keystore generated for the tenant. Since you
>>>> have enabled response signing also, the service provider that you have
>>>> registered should know the public key of the IdP in order to validate.
>>>> Hence, the service provider should have the public key of the IdP in
>>>> its keystore and validate the signature acquiring the respective alias. So
>>>> in this case I think that you should import the public cert of the
>>>> respective tenant to your publisher's keystore.
>>>>
>>>> Thanks,
>>>> Malithi.
>>>>
>>>> On Mon, Jan 19, 2015 at 12:35 PM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am experiencing $subject, with ES 2.0.0 M5. Following are the
>>>>> changes I made to configure SSO.
>>>>>
>>>>>    - Shared registry and user database between ES and IS
>>>>>    - In ES's user-mgt.xml, pointed the "UserStoreManager" to IS's
>>>>>    embedded LDAP
>>>>>    - Modified as following in publisher, store json
>>>>>
>>>>> "identityProviderURL": "https://localhost:<IS-Port>/samlsso"
>>>>>
>>>>>
>>>>>    - Created a Service provider for publisher and store in IS as
>>>>>    follows
>>>>>
>>>>>  SP for publisher
>>>>>
>>>>> Issuer: publisher
>>>>>
>>>>> Assertion Consumer URL: https://localhost:<ES-Port>/publisher/acs
>>>>>
>>>>> Use fully qualified username in the NameID
>>>>>
>>>>> Enable Response Signing
>>>>>
>>>>> Enable Assertion Signing
>>>>>
>>>>> Enable Single Logout
>>>>>
>>>>>
>>>>> SP for store
>>>>>
>>>>> Issuer: store
>>>>>
>>>>> Assertion Consumer URL: https://localhost:<ES-Port>/store/acs
>>>>>
>>>>> Use fully qualified username in the NameID
>>>>>
>>>>> Enable Response Signing
>>>>>
>>>>> Enable Assertion Signing
>>>>>
>>>>> Enable Single Logout
>>>>>
>>>>>
>>>>> When admin logs in, the publisher behaves as expected (i.e. the page is
>>>>> redirected to the IS login and back to the publisher; if an SSO
>>>>> session is already available it goes directly to the publisher).
>>>>> But when I log in as a tenant, the browser is redirected to
>>>>> https://localhost:9443/publisher/acs and the following exception is shown
>>>>> in the console:
>>>>>
>>>>> INFO {JAGGERY.controllers.login:jag} -  Login URL: https://localhost:9447/samlsso
>>>>> org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
>>>>> at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
>>>>> at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>>>> at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>> at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
>>>>> at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>> at org.jaggeryjs.rhino.<sso>.scripts.c0._c_anonymous_3(<sso>/scripts/sso.client.js:50)
>>>>> at org.jaggeryjs.rhino.<sso>.scripts.c0.call(<sso>/scripts/sso.client.js)
>>>>> at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1._c_anonymous_1(/publisher/controllers/acs.jag:48)
>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>> at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1._c_script_0(/publisher/controllers/acs.jag:20)
>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>> at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
>>>>> at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1.exec(/publisher/controllers/acs.jag)
>>>>> at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
>>>>> at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
>>>>> at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:559)
>>>>> at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
>>>>> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
>>>>> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
>>>>> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
>>>>> at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:183)
>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
>>>>> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:146)
>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1721)
>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>
>>>>> (My ES runs on default port and IS runs on port offset 4)
>>>>>
>>>>> Could you please help me resolve this issue?
>>>>>
>>>>> Thank you
>>>>> Senduran
>>>>>
>>>>> --
>>>>> *Senduran *
>>>>> Software Engineer,
>>>>> WSO2, Inc.;  http://wso2.com/
>>>>> Mobile: +94 77 952 6548
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Malithi Edirisinghe*
>>>> Senior Software Engineer
>>>> WSO2 Inc.
>>>>
>>>> Mobile : +94 (0) 718176807
>>>> malit...@wso2.com
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
> --
> Sameera Medagammaddegedara
> Software Engineer
>
> Contact:
> Email: samee...@wso2.com
> Mobile: + 94 077 255 3005
>



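The keystore mismatch this thread is chasing, as an added Java example that is not code from the thread, from product-es or from WSO2: a placeholder response is signed with one RSA key and then verified against that key and against a second, unrelated key, which is the situation when ES resolves the tenant's keystore while IS signed with wso2carbon. The same class, when given a keystore path, password and alias, prints the subject DN stored under that alias, which is the check Senduran made on signingCert in the debugger and the quickest way to see which certificate a Carbon keystore actually holds. The class and method names are the example's own; the generated key pairs stand in for the IS primary key and the tenant key, no real certificates are needed.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class SamlSigningKeyCheck {

    // Load a JKS keystore (e.g. wso2carbon.jks or a tenant keystore) from disk.
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Subject DN of the certificate stored under an alias: the value read from
    // signingCert in the debugger. A tenant keystore shows CN=<tenant domain>,
    // the default wso2carbon keystore shows CN=localhost.
    static String subjectOfAlias(KeyStore ks, String alias) throws Exception {
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            throw new IllegalStateException("no X.509 certificate under alias " + alias);
        }
        return ((X509Certificate) cert).getSubjectX500Principal().getName();
    }

    // RSA-SHA256 signature over the bytes, as the IdP does over the Response.
    static byte[] sign(byte[] data, PrivateKey key) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Verification against whichever public key the SP resolved from its keystore.
    static boolean verify(byte[] data, byte[] sig, PublicKey key) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Usage: java SamlSigningKeyCheck <keystore.jks> <password> <alias>
        // prints the subject DN of the certificate the SP would validate against.
        if (args.length == 3) {
            KeyStore ks = loadJks(args[0], args[1].toCharArray());
            System.out.println(args[2] + " -> " + subjectOfAlias(ks, args[2]));
            return;
        }

        // Generated keys stand in for the IS primary key (wso2carbon) and the
        // tenant's own keystore key (assumption: no real keystores involved).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair idpKey = gen.generateKeyPair();
        KeyPair tenantKey = gen.generateKeyPair();

        // Placeholder for the canonicalised SAML Response bytes that IS signs.
        byte[] response = "<samlp:Response ID=\"example\"/>".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(response, idpKey.getPrivate());

        // true: the SP holds the IdP's public key.
        System.out.println("validate with IdP key:    " + verify(response, sig, idpKey.getPublic()));
        // false: the SP resolved the tenant's key; OpenSAML reports this as
        // "Signature did not validate against the credential's key".
        System.out.println("validate with tenant key: " + verify(response, sig, tenantKey.getPublic()));
    }
}
```

Run it once against wso2carbon.jks and once against the tenant keystore with the alias the SP resolves; if the two subject DNs differ and the tenant one is what ES uses, the Response signed by IS cannot verify until the IS certificate is present under that alias in the keystore ES consults.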
