Re: fediz production

2017-11-14 Thread Matthew Broadhead
Hmmm...just saw this today http://janbernhardt.blogspot.com.es/2015/12/fediz-with-openid-connect-support-and_14.html. That looks more like a better solution. Now I understand what you mean about WS-Fed.  But I still couldn't access the Idp without it asking for a certificate.  Although it was

Re: fediz production

2017-10-31 Thread Sergey Beryozkin
Hi Matthew Thanks for the feedback. Finally I get a chance to contribute to this thread :-). Putting aside the fact KeyCloak is a high quality project, I'd like to say the fact you could not figure out how to set up the keys is not sufficient to conclude Fediz is not ready for use in

Re: fediz production

2017-10-31 Thread Matthew Broadhead
Thanks Colm, I really appreciate the time you took to respond to my emails.  I spent a lot of time trying to get Fediz to work.  I also submitted a couple of PRs on github. But in the end I have moved to keycloak.  It is a much more mature project and has an installation program and a web

Re: fediz production

2017-10-31 Thread Colm O hEigeartaigh
Are you using the same Tomcat instance for the IdP and the STS? Or is the Tomcat IdP instance set to ask for client authentication? Failing that, I don't have any more ideas - I need to see a test-case to help any further. Colm. On Mon, Oct 30, 2017 at 8:35 AM, Matthew Broadhead <

Re: fediz production

2017-10-30 Thread Matthew Broadhead
hi Colm, Sorry to keep bothering you with this issue. It is still prompting me for a certificate when redirecting to the idp.  I have checked line by line the differences between the original code and my production code and cannot see any major difference.  i have tried with the production

Re: fediz production

2017-10-26 Thread Matthew Broadhead
comments below On 26/10/2017 13:46, Colm O hEigeartaigh wrote: Are you using Java 9? If so please try with Java 8 instead. The warnings should be harmless, however I haven't tested Fediz with Java 9. i am using openjdk 1.8.0.151 "when i first connect with fedizhelloworld it pops up a box

Re: fediz production

2017-10-26 Thread Colm O hEigeartaigh
Are you using Java 9? If so please try with Java 8 instead. The warnings should be harmless, however I haven't tested Fediz with Java 9. "when i first connect with fedizhelloworld it pops up a box asking for a certificate." - can you reproduce this with a test-case? It sounds as if you are not

Re: fediz production

2017-10-26 Thread Matthew Broadhead
Hi Colm, I am not sure that would be very easy to provide a test case? Everything was working fine on localhost with the test certificates. Testing on production is completely different using letsencrypt certs and having to change lots of configuration files in the code? You would be

Re: fediz production

2017-10-26 Thread Colm O hEigeartaigh
Could you create a test-case and upload it to github somewhere + I will take a look? Colm. On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead < matthew.broadh...@nbmlaw.co.uk> wrote: > Thanks for pointing me in the right direction. > > basically what the documentation lacks is that the

Re: fediz production

2017-10-25 Thread Matthew Broadhead
Thanks for pointing me in the right direction. basically what the documentation lacks is that the ststrust.jks must contain MyTCIDP.cer, i.e. keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt i looked through the original

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
Your truststore in cxf-tls.xml must trust the certificate presented by the STS. Also, it must contain a keystore with the private key of the IdP, which in turn must be trusted by the STS. Colm. On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead < matthew.broadh...@nbmlaw.co.uk> wrote: > Are the

Re: fediz production

2017-10-25 Thread Matthew Broadhead
Are the two keystores responsible for the trust between idp and sts supposed to be stsrealm_a.jks and ststrust.jks? It is just that the cert it is not trusting is the idp-ssl-key.jks (domain.tld), which makes sense if it is hitting domain.tls:9443/idp etc. Does this mean ststrust.jks should

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
You'll need to go through the output to figure out why the cert is not trusted. If you generate some test certs + create a testcase somewhere I will take a look. Colm. On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead < matthew.broadh...@nbmlaw.co.uk> wrote: > i get a load of stuff, but in

Re: fediz production

2017-10-25 Thread Matthew Broadhead
i get a load of stuff, but in the middle of the one before the error i get Warning: no suitable certificate found - continuing without client authentication On 25/10/2017 13:42, Matthew Broadhead wrote: ahhh... -Djavax.net.debug=all On 25/10/2017 13:39, Matthew Broadhead wrote: How would I

Re: fediz production

2017-10-25 Thread Matthew Broadhead
ahhh... -Djavax.net.debug=all On 25/10/2017 13:39, Matthew Broadhead wrote: How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml ? On 25/10/2017 13:37, Colm O hEigeartaigh wrote: If you change it to "required" does it fail? If so, you could try running the

Re: fediz production

2017-10-25 Thread Matthew Broadhead
How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml ? On 25/10/2017 13:37, Colm O hEigeartaigh wrote: If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS. Colm. On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead < matthew.broadh...@nbmlaw.co.uk> wrote: > Hi Colm, > >

Re: fediz production

2017-10-25 Thread Matthew Broadhead
Hi Colm, I realise now that this html file was included in the examples/samplekeys directory in the code.  but i was taking it from the internet. I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again.  I can browse the wsdl without

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
You can see the HTML here: https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html I'll update the webpage to point to github instead of SVN. Colm. On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <

Re: fediz production

2017-10-25 Thread Matthew Broadhead
Hi Colm Firstly is there somewhere to see these instructions correctly formatted in html? https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html Secondly there is a massive difference between

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
Why not try the simple Connector configuration I gave earlier but with your own keys? Colm. On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead < matthew.broadh...@nbmlaw.co.uk> wrote: > in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html# >

Re: fediz production

2017-10-25 Thread Matthew Broadhead
in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says clientAuth This is an alias for the certificateVerification attribute of the default SSLHostConfig element. then certificateVerification Set to required if you want the SSL

Re: fediz production

2017-10-25 Thread Colm O hEigeartaigh
The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client

Re: fediz production

2017-10-24 Thread Matthew Broadhead
i spoke too soon. i am completely stuck with the same stack trace and no amount of reloading the certificates is helping.  is there any way to debug what the actual problem is? 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  -

Re: fediz production

2017-10-23 Thread Matthew Broadhead
Thanks for your help Colm.  I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files. but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes

Re: fediz production

2017-10-23 Thread Colm O hEigeartaigh
sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think. As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore. > this document

Re: fediz production

2017-10-23 Thread Matthew Broadhead
this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks. On 23/10/2017 17:11, Colm O hEigeartaigh wrote: I haven't used the APR connector. The following works for me in the tests, perhaps

Re: fediz production

2017-10-23 Thread Matthew Broadhead
Hi Colm, is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore?  where is the documentation for sec:keyStore? Matt On 23/10/2017 17:11, Colm O hEigeartaigh wrote: I haven't used the APR connector. The following works for me in the tests, perhaps you

Re: fediz production

2017-10-23 Thread Colm O hEigeartaigh
I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector: Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the

Re: fediz production

2017-10-22 Thread Matthew Broadhead
i am using my own certificate with APR in the tomcat server.xml.  I added clientVerification="required" to SSLHostConfig but I still have the same problem className="org.apache.coyote.http2.Http2Protocol" />

Re: fediz production

2017-10-21 Thread Matthew Broadhead
ok...i fixed the last error by dropping the schema and restarting. but now i have this 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for

Re: fediz production

2017-10-20 Thread Matthew Broadhead
ok i now have a different error and it doesn't load the login screen 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld 2017-10-20 19:26:18,084

Re: fediz production

2017-10-20 Thread Matthew Broadhead
Hi Colm, Yes I have: class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity"> ... ... class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity"> value="urn:org:apache:cxf:fediz:fedizhelloworld"

Re: fediz production

2017-10-20 Thread Colm O hEigeartaigh
Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"? Colm. On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead < matthew.broadh...@nbmlaw.co.uk>

fediz production

2017-10-20 Thread Matthew Broadhead
Hi, i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.  it correctly redirects to the login page and seems to authenticate ok but then i get the following error 2017-10-20 15:56:17,424