Hi Glen,

I have managed to get a bit further in the process. As it turns out, the self-signed certificate for the IDP/STS needs to be added to the cacerts keystore of the JRE!!! Possibly this is caused by the fact that the keystore is created using the -trustcacerts parameter. I.e. omitting it will probably obviate the need to add the certificate to the JRE's keystore.
However, further down the line (after a message exchange between IDP and STS), the same type of problem reappears. In an attempt to solve this, I have also added the RP certificate to the cacerts keystore, but this doesn't make the problem go away. Any ideas would be appreciated.

Cheers,
Frank

On Fri, Aug 31, 2012 at 6:22 PM, Glen Mazza <[email protected]> wrote:

> Hi, are you using Fediz 1.0.1? It was released a couple of days ago,
> featuring new sample keystores and several other changes. More comments
> below:
>
> On 08/31/2012 12:04 PM, frank wrote:
>
>> Hi,
>>
>> After having configured the IDP/STS and the RP sample, I run into the
>> issue that after the redirect to the IDP, a page with "*Access to the
>> specified resource (Requesting security token failed) has been forbidden.*"
>> appears.
>>
>> Tomcat's error trace suggests that there is something wrong with the
>> certificates.
>>
>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>
> ... normally indicating a key was missing from a truststore
>
>> Possibly this is caused by the rather unclear path to creating the
>> keystores. It would seem that creating tomcat-idp.jks and tomcat-rp.jks is
>> sufficient to get the web application up and running, but in this process
>> stsstore.jks also needs to be created for MyIDP.cer.
>
> Are you following this chart:
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co
> (and using the sample Tomcat keys already provided in this folder?)
>
> Further, stsstore.jks does not need to be "created" (it does for
> production, but not for running the sample), it should already be in the
> STS war.
>
>> Strangely enough, fediz-config.xml points to stsstore.jks in the conf
>> directory whereas the table for the keystores states that fediz-config.xml
>> points to tomcat-rp.jks, which according to the same table should be in
>> the base directory of the RP samples.
>
> It shouldn't be doing that, in Fediz 1.0.1 it should be pointing to
> tomcat-rp.jks:
>
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml?revision=1364755&view=markup
>
> I don't know why your version has it pointing to stsstore.jks. Fediz 1.0.0
> had it that way, but that was updated in 1.0.1.
>
> HTH,
> Glen
>
>> What is the way out of this situation? How can I get things up and
>> running? Any help would be appreciated.
>>
>> I tried generating my own keystores as well as using the keystores
>> provided in the source code samples. Neither of these work.
>>
>> Cheers,
>>
>> Frank
>
> --
> Glen Mazza
> Talend Community Coders - coders.talend.com
> blog: www.jroller.com/gmazza
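A small diagnostic, added here as an example and not taken from the thread or from Fediz/CXF: the "PKIX path building failed ... unable to find valid certification path" error only says that *some* truststore lacked an anchor for the presented certificate, not which one. The JVM falls back to `$JAVA_HOME/lib/security/cacerts` when `javax.net.ssl.trustStore` is unset, while an application may validate against its own JKS. This program checks a certificate (e.g. the IdP's self-signed `MyIDP.cer`) against both stores the same way the TLS stack does, so you can see where the anchor is actually missing before importing certs into cacerts. The class name `TrustCheck`, the command-line arguments, and the default cacerts password `changeit` are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical diagnostic (not part of Fediz): report whether a certificate
 * is trusted by (a) the JRE's own cacerts and (b) a named truststore.
 *
 * usage: java TrustCheck <cert.cer|cert.pem> <truststore.jks> [storepass]
 */
public class TrustCheck {

    /** Load a keystore file; the JKS implementation (JDK 8+) also reads PKCS12 files. */
    static KeyStore loadStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Run the same PKIX check javax.net.ssl performs on a server chain.
     * A self-signed cert passes only if that exact cert is an anchor in the store.
     */
    static boolean isTrusted(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // "PKIX"
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    String authType = chain[0].getPublicKey().getAlgorithm(); // "RSA", "EC", ...
                    ((X509TrustManager) tm).checkServerTrusted(chain, authType);
                    return true;
                } catch (CertificateException e) {
                    // This is the message that surfaces as "PKIX path building failed" in Tomcat
                    System.out.println("  not trusted: " + e.getMessage());
                    return false;
                }
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustCheck <cert> <truststore.jks> [storepass]");
            System.exit(2);
        }

        // CertificateFactory accepts both PEM and DER encodings.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        X509Certificate[] chain = { cert };
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal()
            + (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal()) ? " (self-signed)" : ""));

        // (a) the JRE's cacerts: consulted when no javax.net.ssl.trustStore is set
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        System.out.println("JRE cacerts: " + cacerts);
        System.out.println("  trusted = "
            + isTrusted(loadStore(cacerts, "changeit".toCharArray()), chain)); // JDK default password

        // (b) the application's own truststore (e.g. tomcat-rp.jks or stsstore.jks)
        char[] pass = args.length > 2 ? args[2].toCharArray() : null;
        System.out.println("App truststore: " + args[1]);
        System.out.println("  trusted = " + isTrusted(loadStore(Paths.get(args[1]), pass), chain));
    }
}
```

If the cert shows as trusted in the application store but not in cacerts, the failing component is using the JVM default truststore rather than the configured one, which is worth fixing at the configuration level (or with `-Djavax.net.ssl.trustStore`) instead of widening the JRE-wide cacerts.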
