I haven't used the APR connector. The following works for me in the tests;
perhaps you could duplicate this config and get it working first before
switching over to the APR connector:

 <Connector port="9443"
            protocol="org.apache.coyote.http11.Http11NioProtocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            clientAuth="want" sslProtocol="TLS"
            keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
            truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />

Yes, you will need to specify the truststore and keystore in cxf-tls.xml to
communicate with the STS from the IdP. The truststore should contain the
issuing cert of the Tomcat instance hosting your STS, and the keystore the
private key of your IdP.

Colm.

On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

> I am using my own certificate with APR in the Tomcat server.xml. I added
> clientVerification="required" to SSLHostConfig but I still have the same
> problem:
> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" SSLEnabled="true">
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>     <SSLHostConfig clientVerification="required">
>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>                      type="RSA" />
>     </SSLHostConfig>
> </Connector>
>
> I commented out the trustManagers and keyManagers in
> services/idp/src/main/resources/cxf-tls.xml. Could this be the problem?
> How would I use production certificates?
> <http:conduit name="*.http-conduit">
>     <http:tlsClientParameters disableCNCheck="true">
>         <!-- <sec:trustManagers>
>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>         </sec:trustManagers>
>         <sec:keyManagers keyPassword="tompass">
>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks" />
>         </sec:keyManagers> -->
>     </http:tlsClientParameters>
> </http:conduit>
>
>
> On 22/10/2017 00:38, Matthew Broadhead wrote:
>
> >> OK... I fixed the last error by dropping the schema and restarting,
> >> but now I have this:
>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has
>> thrown exception, unwinding now
>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>> stream: RequireClientCertificate is set, but no local certificates were
>> negotiated.  Is the server set to ask for client authorization?
>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
>> InterceptorChain.java:308)
>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>     ...
>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>> set, but no local certificates were negotiated.  Is the server set to ask
>> for client authorization?
>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>     ... 154 more
>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>> RequireClientCertificate is set, but no local certificates were
>> negotiated.  Is the server set to ask for client authorization?
>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt
>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>> ttpsTokenInterceptorProvider.java:143)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>> m.makeTrustDecision(HTTPConduit.java:1780)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>     ...
>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>> retrieving a token
>>
>>
>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>
> >>> OK, I now have a different error and it doesn't load the login screen:
>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN
>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'CLAIM_LIST' not found
>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'IDP_READ' not found
>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'IDP_LIST' not found
>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'TRUSTEDIDP_LIST' not found
>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'CLAIM_READ' not found
>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'APPLICATION_LIST' not found
>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'APPLICATION_READ' not found
>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Role 'TRUSTEDIDP_READ' not found
>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO
>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements
>>> - Enriched AuthenticationToken added
>>>
> >>> the previous one was caused by
> >>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
> >>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
> >>> should have been
> >>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
> >>> according to the original file
>>>
>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> Yes I have:
> >>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
> >>>> ...
> >>>>         <property name="applications">
> >>>>             <util:list>
> >>>>                 <ref bean="srv-fedizhelloworld" />
> >>>>                 <!-- <ref bean="srv-oidc" /> -->
> >>>>             </util:list>
> >>>>         </property>
> >>>> ...
> >>>> </bean>
> >>>>
> >>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
> >>>>         <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
> >>>>         <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
> >>>>         <property name="serviceDisplayName" value="Fedizhelloworld" />
> >>>>         <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
> >>>>         <property name="role" value="ApplicationServiceType" />
> >>>>         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
> >>>>         <property name="lifeTime" value="3600" />
> >>>>         <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
> >>>>         <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
> >>>> </bean>
> >>>>
> >>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
> >>>>         <property name="application" ref="srv-fedizhelloworld" />
> >>>>         <property name="claim" ref="claim_role" />
> >>>>         <property name="optional" value="false" />
> >>>> </bean>
>>>>
>>>> etc.
>>>>
>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>
>>>>> Do you have an
>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>> instance in
>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>> matthew.broadh...@nbmlaw.co.uk> wrote:
>>>>>
>>>>> Hi,
>>>>>>
> >>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am
> >>>>>> trying to
> >>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. It
> >>>>>> correctly redirects to the login page and seems to authenticate OK,
> >>>>>>
> >>>>>> but then I get the following error:
>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No
>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>
>>>>>> Matthew
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
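A caveat for the APR/OpenSSL side of this thread, added here as an editor's example and not part of the original mails: on Tomcat 8.5/9 the SSLHostConfig attribute that controls client-certificate checking is certificateVerification (values none, optional, optionalNoCA, required), and the CA bundle the OpenSSL engine uses to verify a presented client certificate is caCertificateFile (or caCertificatePath). "optional" is the SSLHostConfig equivalent of the old NIO clientAuth="want" in the working config above. The paths and the trust-bundle file name are placeholders.

```xml
<!-- Added example: Tomcat 8.5/9 SSLHostConfig for the APR/OpenSSL connector.
     certificateVerification="optional" asks every client for a certificate and
     verifies one if offered (the clientAuth="want" behaviour); "required" aborts
     the handshake when the client sends none. caCertificateFile must contain the
     CA that issued the IdP's client certificate (the key in idp-ssl-key.jks),
     otherwise a presented certificate fails verification. Paths are placeholders. -->
<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig certificateVerification="optional"
                   caCertificateFile="/etc/tomcat/idp-ssl-trust.pem">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

To answer the question in the CXF error ("Is the server set to ask for client authorization?") from outside, run `openssl s_client -connect domain.tld:9443` and look at the handshake summary: a server that requests client certificates prints "Acceptable client certificate CA names" followed by the subjects from its trust bundle, while one that does not prints "No client certificate CA names sent". If the CA that issued the IdP's certificate is not in that list, the IdP will either send nothing or send a certificate the STS side rejects.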

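The error in the thread is raised on the client side: CXF's HttpsTokenOutInterceptor enforces the STS policy's RequireClientCertificate by checking that the IdP's own HTTPS conduit ended the handshake with a local certificate chain, and that is only true when (a) the server sent a CertificateRequest and (b) the conduit had a key to answer with (the keyManagers entry that was commented out). The following Go program, added here as an editor's example and not code from Fediz or CXF, runs the six combinations of server policy and client key over loopback with throwaway self-signed certificates, so the two failure modes can be told apart without touching a real deployment. Host names, the "none"/"want"/"required" labels and all certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for cn. Constructed
// test material standing in for idp-ssl-key.jks / idp-ssl-trust.jks; nothing
// is read from or written to disk.
func selfSigned(cn string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// Server policies, labelled after the Tomcat clientAuth values they correspond to.
var serverModes = map[string]tls.ClientAuthType{
	"none":     tls.NoClientCert,               // server never sends CertificateRequest
	"want":     tls.VerifyClientCertIfGiven,    // ask for a cert, verify it if offered
	"required": tls.RequireAndVerifyClientCert, // abort the handshake without one
}

// Scenario runs one TLS handshake over loopback. mode is the server's client-auth
// policy; withClientKey mirrors whether the client conduit has a keyManagers entry
// (a private key it can answer the request with). It reports whether the server
// asked for a client certificate at all, whether the server saw one, and any
// handshake error.
func Scenario(mode string, withClientKey bool) (requested, presented bool, err error) {
	clientAuth, ok := serverModes[mode]
	if !ok {
		return false, false, fmt.Errorf("unknown mode %q", mode)
	}
	stsCert, stsLeaf := selfSigned("sts.example.test") // hypothetical STS host
	idpCert, idpLeaf := selfSigned("idp.example.test") // hypothetical IdP client identity
	stsTrust, idpTrust := x509.NewCertPool(), x509.NewCertPool()
	stsTrust.AddCert(idpLeaf) // STS side trusts the IdP's cert (its issuing CA, in production)
	idpTrust.AddCert(stsLeaf) // IdP side trusts the STS's cert (cf. idp-ssl-trust.jks)

	srvCfg := &tls.Config{Certificates: []tls.Certificate{stsCert}, ClientAuth: clientAuth, ClientCAs: stsTrust}
	cliCfg := &tls.Config{
		RootCAs: idpTrust, ServerName: "sts.example.test",
		// Invoked only when the server sends a CertificateRequest, i.e. exactly
		// when "the server is set to ask for client authorization".
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			requested = true
			if withClientKey {
				return &idpCert, nil
			}
			return &tls.Certificate{}, nil // no keyManagers: reply with an empty Certificate
		},
	}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, false, err
	}
	defer ln.Close()
	type result struct {
		seen bool
		err  error
	}
	srv := make(chan result, 1)
	go func() {
		sc, e := ln.Accept()
		if e != nil {
			srv <- result{err: e}
			return
		}
		defer sc.Close()
		s := tls.Server(sc, srvCfg)
		if e := s.Handshake(); e != nil {
			srv <- result{err: e}
			return
		}
		srv <- result{seen: len(s.ConnectionState().PeerCertificates) > 0}
	}()

	cc, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, false, err
	}
	defer cc.Close()
	if e := tls.Client(cc, cliCfg).Handshake(); e != nil {
		return requested, false, e
	}
	r := <-srv
	return requested, r.seen, r.err
}

func main() {
	for _, mode := range []string{"none", "want", "required"} {
		for _, withKey := range []bool{false, true} {
			req, seen, err := Scenario(mode, withKey)
			fmt.Printf("server=%-8s clientKey=%-5v requested=%-5v presented=%-5v err=%v\n", mode, withKey, req, seen, err)
		}
	}
}
```

Reading the rows against the thread: "want" with a client key is the working NIO configuration above (request sent, certificate presented and verified). "want" without a key completes the handshake but with no client certificate, which is the state CXF refuses to proceed from when the policy says RequireClientCertificate; the conduit with keyManagers commented out lands here. "none" never calls the client's certificate callback at all, which is the other way to reach the same CXF error even with a perfectly good keystore. "required" without a key is the only combination the server itself aborts, so if the IdP logs only the CXF message and the handshake never fails, the server is asking and the missing piece is the IdP's key.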