I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:

<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="want" sslProtocol="TLS"
    keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
    truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />

Yes, you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS, and the keystore the private key of your IdP.

Colm.

On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk> wrote:

> I am using my own certificate with APR in the tomcat server.xml. I added
> clientVerification="required" to SSLHostConfig but I still have the same
> problem
>
> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>     maxThreads="150" SSLEnabled="true">
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>     <SSLHostConfig clientVerification="required">
>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>             certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>             certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>             type="RSA" />
>     </SSLHostConfig>
> </Connector>
>
> I commented the trustManagers and keyManagers in
> services/idp/src/main/resources/cxf-tls.xml. Could this be the problem?
> How would I use production certificates?
>
> <http:conduit name="*.http-conduit">
>     <http:tlsClientParameters disableCNCheck="true">
>         <!-- <sec:trustManagers>
>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>         </sec:trustManagers>
>         <sec:keyManagers keyPassword="tompass">
>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>         </sec:keyManagers> -->
>     </http:tlsClientParameters>
> </http:conduit>
>
> On 22/10/2017 00:38, Matthew Broadhead wrote:
>
>> ok... I fixed the last error by dropping the schema and restarting.
>> but now I have this
>>
>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>     ...
>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>     ... 154 more
>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>     ...
>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>
>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>
>>> ok, I now have a different error and it doesn't load the login screen
>>>
>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>
>>> the previous one was caused by
>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>> should have been
>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>> according to original file
>>>
>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> Yes I have:
>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>     ...
>>>>     <property name="applications">
>>>>         <util:list>
>>>>             <ref bean="srv-fedizhelloworld" />
>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>         </util:list>
>>>>     </property>
>>>>     ...
>>>> </bean>
>>>>
>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>     <property name="role" value="ApplicationServiceType" />
>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>     <property name="lifeTime" value="3600" />
>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>> </bean>
>>>>
>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>     <property name="claim" ref="claim_role" />
>>>>     <property name="optional" value="false" />
>>>> </bean>
>>>>
>>>> etc.
>>>>
>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>
>>>>> Do you have an
>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>> instance in
>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am
>>>>>> trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet. It
>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>
>>>>>> but then I get the following error
>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>
>>>>>> Matthew

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
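As an added example (not code from this thread or from the Fediz project), the following Python script checks the two configuration points Colm raises before the SOAP fault is chased any further: whether the Tomcat Connector actually asks the client for a certificate, and whether the IdP's cxf-tls.xml conduit has active key and trust managers so that it can present one. It parses constructed server.xml and cxf-tls.xml samples modelled on the snippets in the thread; the CXF namespace URIs and the Tomcat attribute names are what I know them to be for Tomcat 8.5/9 and CXF 3.x, and the file paths and passwords are placeholders. One caveat worth stating plainly: the SSLHostConfig attribute Tomcat reads is certificateVerification, so the checker flags look-alike attribute names as having no effect.

```python
"""Config check for the IdP -> STS TLS hop discussed above. Added example,
not code from the thread or from Apache CXF Fediz. All XML is constructed
sample input; paths and passwords are placeholders."""
import xml.etree.ElementTree as ET

# Namespaces CXF uses in cxf-tls.xml (assumed; compare with your file's xmlns).
CXF_HTTP = "http://cxf.apache.org/transports/http/configuration"
CXF_SEC = "http://cxf.apache.org/configuration/security"
NS = {"http": CXF_HTTP, "sec": CXF_SEC}

# Tomcat's real SSLHostConfig attributes for client-certificate checking.
VERIFICATION_ATTRS = {"certificateVerification", "certificateVerificationDepth"}

# Constructed server.xml: 9443 mirrors the NIO connector above, 9444 the APR
# connector from the thread (note its attribute name), 9445 asks for nothing.
SERVER_XML = """<Server><Service>
<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" clientAuth="want" keystoreFile="idp-ssl-key.jks"
    truststoreFile="idp-ssl-trust.jks"/>
<Connector port="9444" protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLEnabled="true">
  <SSLHostConfig clientVerification="required">
    <Certificate certificateKeyFile="/placeholder/privkey.pem" type="RSA"/>
  </SSLHostConfig>
</Connector>
<Connector port="9445" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" keystoreFile="idp-ssl-key.jks"/>
</Service></Server>"""

# Constructed cxf-tls.xml variants: managers commented out (as in the thread)
# versus active. ElementTree drops XML comments, so the first has no managers.
CONDUIT_COMMENTED = f"""<beans xmlns:http="{CXF_HTTP}" xmlns:sec="{CXF_SEC}">
<http:conduit name="*.http-conduit"><http:tlsClientParameters disableCNCheck="true">
  <!-- <sec:trustManagers><sec:keyStore type="jks" password="x" resource="idp-ssl-trust.jks"/></sec:trustManagers>
       <sec:keyManagers keyPassword="x"><sec:keyStore type="jks" password="x" resource="idp-ssl-key.jks"/></sec:keyManagers> -->
</http:tlsClientParameters></http:conduit></beans>"""
CONDUIT_CONFIGURED = CONDUIT_COMMENTED.replace("<!-- ", "").replace(" -->", "")


def _connector(server_xml, port):
    """The <Connector> element listening on `port`, or ValueError."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("port") == port:
            return conn
    raise ValueError(f"no Connector on port {port}")


def client_cert_policy(server_xml, port):
    """'required', 'optional' or 'none': does this Connector ask the client
    for a certificate? Tomcat reads clientAuth="true|want|false" on the
    Connector and certificateVerification="required|optional|optionalNoCA|none"
    on SSLHostConfig; any other attribute name is not consulted."""
    conn = _connector(server_xml, port)
    if conn.get("SSLEnabled", "false").lower() != "true":
        return "none"
    client_auth = conn.get("clientAuth", "").lower()
    if client_auth == "true":
        return "required"
    if client_auth == "want":
        return "optional"
    for host in conn.iter("SSLHostConfig"):
        verification = host.get("certificateVerification", "none").lower()
        if verification == "required":
            return "required"
        if verification in ("optional", "optionalnoca"):
            return "optional"
    return "none"


def misspelt_verification_attrs(server_xml, port):
    """SSLHostConfig attributes that look like a verification setting but
    are not ones Tomcat knows, so they have no effect."""
    conn = _connector(server_xml, port)
    return [name for host in conn.iter("SSLHostConfig") for name in host.attrib
            if "verif" in name.lower() and name not in VERIFICATION_ATTRS]


def conduit_has(cxf_tls_xml, manager):
    """True if an active (not commented-out) sec:keyManagers or
    sec:trustManagers with a keyStore sits under http:tlsClientParameters."""
    path = f".//http:tlsClientParameters/sec:{manager}/sec:keyStore"
    return ET.fromstring(cxf_tls_xml).find(path, NS) is not None


def diagnose(server_xml, port, cxf_tls_xml):
    """Findings that explain a 'RequireClientCertificate is set, but no local
    certificates were negotiated' failure on the IdP -> STS call."""
    findings = []
    if client_cert_policy(server_xml, port) == "none":
        findings.append(f"connector {port} never asks for a client certificate")
    for name in misspelt_verification_attrs(server_xml, port):
        findings.append(f"SSLHostConfig attribute '{name}' is not "
                        "certificateVerification and has no effect")
    if not conduit_has(cxf_tls_xml, "keyManagers"):
        findings.append("no active sec:keyManagers: the IdP cannot present a "
                        "client certificate to the STS")
    if not conduit_has(cxf_tls_xml, "trustManagers"):
        findings.append("no active sec:trustManagers: the conduit falls back "
                        "to the JVM default trust store")
    return findings


if __name__ == "__main__":
    for port, conduit in (("9443", CONDUIT_CONFIGURED), ("9444", CONDUIT_COMMENTED)):
        print(port, diagnose(SERVER_XML, port, conduit) or ["ok"])
```

Run as-is, port 9443 with the active conduit reports nothing and port 9444 with the commented-out conduit reports all four findings. To use it on real files, read them with ET.parse (or open().read()) and pass the text to the same functions; it is a cheap pre-flight that separates "the server never asked" from "the client had nothing to offer", which the CXF fault message on its own does not.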