Hi Kasun,

I worked with Senduran and it seemed like a certificate mismatch. AFAICR,
due to the latest changes in the IS code base, the tenant key store is used
during SSO. Hence ES, which is based on the newer IS code, expects tenants'
certs to be used, whereas IS 5.0 expects super-tenant certs to be used. AFAIK,
I think this should be the issue here.

Hence, can somebody from IS team verify my doubt please?

@Kasun/Senduran,

If it is my doubt, then you will have to use it with an IS pack which has
that change.

On Fri, Jan 23, 2015 at 1:58 PM, Kasun Indrasiri <ka...@wso2.com> wrote:

> Hi ES team,
>
> We have spent quite a lot of time on this issue but haven't found a
> resolution yet. This will be a blocker for ES as well as iPaaS milestones.
> Can we get somebody from ES team to look in to this ASAP please?
>
> On Wed, Jan 21, 2015 at 8:39 AM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>
>> Hi Sameera,
>>
>> Unfortunately the exception is still there; I tried as you instructed.
>> What I guess is that if a tenant is logged in, ES is trying to verify the
>> signature against the tenant's specific keystore, while IS considers the
>> wso2carbon keystore.
>> Is there any configuration in ES to check with the wso2carbon keystore
>> even for the tenant?
>>
>> Thank you
>> Senduran
>>
>> On Tue, Jan 20, 2015 at 9:07 PM, Sameera Medagammaddegedara <samee...@wso2.com> wrote:
>>
>>> Hi Senduran,
>>>
>>> Can we try the following:
>>>
>>> Export the primary key of the IS:
>>>
>>> keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2.cert
>>>
>>> Then import the certificate to the tenant's key store
>>>
>>> (Home > Configure > KeyStores > Import Certificates To)
>>>
>>>
>>> Thank You,
>>> Sameera
>>>
>>>
>>> On Tue, Jan 20, 2015 at 6:43 AM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I debugged the org.wso2.store.sso.common.util.Util
>>>> (product-es/modules/components/sso-common). Also I attached
>>>> xmltooling-1.3.1-sources.jar and xmlsec-1.5.5-sources.jar to get the
>>>> complete executing code.
>>>>
>>>> I compared the signingCert variable (in
>>>> org.wso2.store.sso.common.util.X509CredentialImpl) when I log in as a
>>>> tenant.
>>>> If I log in to ES's management console the subject of the certificate
>>>> is *CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US*,
>>>> but when I log in to the publisher as the same tenant the subject of
>>>> the certificate is *C=None, O="None L=None", OU=None, CN=istenant.com*.
>>>>
>>>> Please note that in both of the above scenarios I am logging in as a tenant,
>>>> and when I try to log in to the publisher the signature is being validated
>>>> against the tenant-specific certificate.
>>>> Is this causing the "org.opensaml.xml.validation.ValidationException:
>>>> Signature did not validate against the credential's key" exception?
>>>>
>>>> Thanks
>>>> Senduran
>>>>
>>>> On Mon, Jan 19, 2015 at 11:31 PM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks Malithi for the response.
>>>>> I tried unchecking Enable Response Signing, but even when I
>>>>> log in as admin I got the following exception:
>>>>> java.lang.NullPointerException
>>>>> at org.opensaml.xml.signature.SignatureValidator.buildSignature(SignatureValidator.java:91)
>>>>> at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:55)
>>>>> at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>         .....
>>>>> What am I missing here?
>>>>>
>>>>>
>>>>> @ES Team, could you please help me on how to import the public
>>>>> certificate of a tenant to the publisher's key store? Where can I find the
>>>>> tenant's public certificate?
>>>>>
>>>>> Thank you
>>>>> Senduran
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Jan 19, 2015 at 8:10 PM, Malithi Edirisinghe <malit...@wso2.com> wrote:
>>>>>
>>>>>> Hi Senduran,
>>>>>>
>>>>>> There's a separate primary keystore generated for the tenant. Since
>>>>>> you have enabled response signing also, the service provider that you
>>>>>> have registered should know the public key of the IdP in order to validate.
>>>>>> Hence, the service provider should have the public key of the IdP in
>>>>>> its keystore and validate the signature acquiring the respective alias.
>>>>>> So in this case I think that you should import the public cert of the
>>>>>> respective tenant to your publisher's keystore.
>>>>>>
>>>>>> Thanks,
>>>>>> Malithi.
>>>>>>
>>>>>> On Mon, Jan 19, 2015 at 12:35 PM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am experiencing $subject with ES 2.0.0 M5. Following are the
>>>>>>> changes I made to configure SSO.
>>>>>>>
>>>>>>>    - Shared registry and user database between ES and IS
>>>>>>>    - In ES's user-mgt.xml, pointed the "UserStoreManager" to IS's
>>>>>>>    embedded LDAP
>>>>>>>    - Modified the publisher and store JSON as follows:
>>>>>>>
>>>>>>> "identityProviderURL": "https://localhost:<IS-Port>/samlsso"
>>>>>>>
>>>>>>>
>>>>>>>    - Created a Service provider for publisher and store in IS as
>>>>>>>    follows
>>>>>>>
>>>>>>>  SP for publisher
>>>>>>>
>>>>>>> Issuer: publisher
>>>>>>>
>>>>>>> Assertion Consumer URL: https://localhost:<ES-Port>/publisher/acs
>>>>>>>
>>>>>>> Use fully qualified username in the NameID
>>>>>>>
>>>>>>> Enable Response Signing
>>>>>>>
>>>>>>> Enable Assertion Signing
>>>>>>>
>>>>>>> Enable Single Logout
>>>>>>>
>>>>>>>
>>>>>>> SP for store
>>>>>>>
>>>>>>> Issuer: store
>>>>>>>
>>>>>>> Assertion Consumer URL: https://localhost:<ES-Port>/store/acs
>>>>>>>
>>>>>>> Use fully qualified username in the NameID
>>>>>>>
>>>>>>> Enable Response Signing
>>>>>>>
>>>>>>> Enable Assertion Signing
>>>>>>>
>>>>>>> Enable Single Logout
>>>>>>>
>>>>>>>
>>>>>>> When admin logs in, the publisher behaves as expected (i.e. the page is
>>>>>>> redirected to the IS login and back to the publisher; if an SSO
>>>>>>> session is already available it goes directly to the publisher).
>>>>>>> But when I log in as a tenant, the browser is redirected to
>>>>>>> https://localhost:9443/publisher/acs and the following exception is
>>>>>>> shown in the console:
>>>>>>>
>>>>>>> INFO {JAGGERY.controllers.login:jag} -  Login URL: https://localhost:9447/samlsso
>>>>>>> org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
>>>>>>> at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
>>>>>>> at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>> at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>>>> at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
>>>>>>> at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>>>> at org.jaggeryjs.rhino.<sso>.scripts.c0._c_anonymous_3(<sso>/scripts/sso.client.js:50)
>>>>>>> at org.jaggeryjs.rhino.<sso>.scripts.c0.call(<sso>/scripts/sso.client.js)
>>>>>>> at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1._c_anonymous_1(/publisher/controllers/acs.jag:48)
>>>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>> at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
>>>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1._c_script_0(/publisher/controllers/acs.jag:20)
>>>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>> at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
>>>>>>> at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
>>>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>> at org.jaggeryjs.rhino.publisher.controllers.c1.exec(/publisher/controllers/acs.jag)
>>>>>>> at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
>>>>>>> at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
>>>>>>> at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:559)
>>>>>>> at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
>>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
>>>>>>> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
>>>>>>> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
>>>>>>> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
>>>>>>> at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:183)
>>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>>> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
>>>>>>> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:146)
>>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>>>>>>> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>>>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1721)
>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>>
>>>>>>> (My ES runs on default port and IS runs on port offset 4)
>>>>>>>
>>>>>>> Could you please help me to resolve this issue?
>>>>>>>
>>>>>>> Thank you
>>>>>>> Senduran
>>>>>>>
>>>>>>> --
>>>>>>> *Senduran*
>>>>>>> Software Engineer,
>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>> Mobile: +94 77 952 6548
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> Dev@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> *Malithi Edirisinghe*
>>>>>> Senior Software Engineer
>>>>>> WSO2 Inc.
>>>>>>
>>>>>> Mobile : +94 (0) 718176807
>>>>>> malit...@wso2.com
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Senduran*
>>>>> Software Engineer,
>>>>> WSO2, Inc.; http://wso2.com/
>>>>> Mobile: +94 77 952 6548
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> *Senduran*
>>>> Software Engineer,
>>>> WSO2, Inc.; http://wso2.com/
>>>> Mobile: +94 77 952 6548
>>>>
>>>
>>>
>>>
>>> --
>>> Sameera Medagammaddegedara
>>> Software Engineer
>>>
>>> Contact:
>>> Email: samee...@wso2.com
>>> Mobile: + 94 077 255 3005
>>>
>>
>>
>>
>> --
>> *Senduran*
>> Software Engineer,
>> WSO2, Inc.; http://wso2.com/
>> Mobile: +94 77 952 6548
>>
>>
>>
>
>
> --
> Kasun Indrasiri
> Software Architect
> WSO2, Inc.; http://wso2.com
> lean.enterprise.middleware
>
> cell: +94 77 556 5206
> Blog : http://kasunpanorama.blogspot.com/
>



--

*Ruchira Wageesha*
*Associate Technical Lead*
*WSO2 Inc. - lean . enterprise . middleware | http://wso2.com*

*email: ruch...@wso2.com, blog: http://ruchirawageesha.blogspot.com, mobile: +94 77 5493444*
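Ruchira's diagnosis above, and Senduran's comparison of the signingCert subjects, both come down to one question: which keystore entry does the service provider hold for the certificate that actually signed the SAML Response? The following is an added diagnostic written for this thread, not code from the thread or from the WSO2 code base; it loads a JKS keystore and reports which alias, if any, contains the certificate carried in the Response's ds:X509Certificate element. The class name, argument layout and keystore path are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;

// Diagnostic only: takes the base64 body of the ds:X509Certificate element from the
// SAML Response the SP received and reports which alias of a JKS keystore holds that
// exact certificate, so you can see whether the SP is trusting the right signer.
public class SamlSigningCertCheck {
    // Returns the alias whose certificate is byte-for-byte equal to 'wanted', or null.
    static String findAlias(KeyStore ks, X509Certificate wanted) throws Exception {
        byte[] wantedDer = wanted.getEncoded();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c != null && Arrays.equals(c.getEncoded(), wantedDer)) return alias;
        }
        return null;
    }

    // args: <keystore.jks> <keystore-password> <base64 text of ds:X509Certificate>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // The MIME decoder tolerates the line breaks usually present inside the XML element.
        byte[] der = Base64.getMimeDecoder().decode(args[2]);
        X509Certificate signing = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
        System.out.println("Response signed by: " + signing.getSubjectX500Principal());
        String alias = findAlias(ks, signing);
        if (alias != null) {
            System.out.println("Matches alias '" + alias + "' in " + args[0]);
        } else {
            System.out.println("No entry in " + args[0] + " matches. Entries present:");
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
                String a = e.nextElement();
                System.out.println("  " + a + " -> "
                        + ((X509Certificate) ks.getCertificate(a)).getSubjectX500Principal());
            }
        }
    }
}
```

Running it once against the super-tenant wso2carbon.jks and once against the tenant's keystore shows directly which side of the mismatch the IS pack in use is signing with, and which keystore the ES SP needs the IdP certificate imported into.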
