Thanks for your help Colm.  I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.

But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base.  This seems impractical in production as the certificates get reissued every 6 months.  Is it possible for sec:keyStore to define the resource as being in catalina base?

On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
sec:keyStore supports either JKS or PKCS12 keystores. There is also a
sec:certStore that works with PEM files, but only for TrustStores I think.
As a workaround you can just use the Java keytool command to import your
PEM key/cert into a JKS keystore.

This document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.

SVN is not used any more by CXF or Fediz, that page is old. The correct
version is on github:

https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Colm.

On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk> wrote:

Hi Colm,

Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore?  Where is the documentation for sec:keyStore?

Matt

On 23/10/2017 17:11, Colm O hEigeartaigh wrote:

I haven't used the APR connector. The following works for me in the tests,
perhaps you could duplicate this config and get it working first before
switching over to the APR connector:

    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
               truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />

Yes you will need to specify the truststore and keystore in cxf-tls.xml to
communicate with the STS from the IdP. The truststore should contain the
issuing cert of the Tomcat instance hosting your STS + then keystore the
private key of your IdP.

Colm.

On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk> wrote:

I am using my own certificate with APR in the tomcat server.xml.  I added clientVerification="required" to SSLHostConfig but I still have the same problem:
<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig clientVerification="required">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I commented the trustManagers and keyManagers in
services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
How would I use production certificates?
<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <!-- <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks" />
        </sec:keyManagers> -->
    </http:tlsClientParameters>
</http:conduit>


On 22/10/2017 00:38, Matthew Broadhead wrote:

OK... I fixed the last error by dropping the schema and restarting, but now I have this:
2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
      ...
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
      at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
      ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
      at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
      ...
2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token


On 20/10/2017 23:05, Matthew Broadhead wrote:

OK, I now have a different error and it doesn't load the login screen:
2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added

The previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml:
<property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
should have been
<property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
according to the original file.

On 20/10/2017 18:27, Matthew Broadhead wrote:

Hi Colm,
Yes I have:
<bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
...
    <property name="applications">
        <util:list>
            <ref bean="srv-fedizhelloworld" />
            <!-- <ref bean="srv-oidc" /> -->
        </util:list>
    </property>
...
</bean>

<bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
    <property name="serviceDisplayName" value="Fedizhelloworld" />
    <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
    <property name="role" value="ApplicationServiceType" />
    <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
    <property name="lifeTime" value="3600" />
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
    <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
</bean>

<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
    <property name="application" ref="srv-fedizhelloworld" />
    <property name="claim" ref="claim_role" />
    <property name="optional" value="false" />
</bean>

etc.

On 20/10/2017 18:08, Colm O hEigeartaigh wrote:

Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?

Colm.

On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk> wrote:

Hi,

I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet. It correctly redirects to the login page and seems to authenticate OK,

but then I get the following error:
2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator  - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld

Matthew
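The thread's open question is how to turn the Let's Encrypt PEM files into something Tomcat and the CXF sec:keyStore can load, and where to keep the result so it survives the six-monthly reissue. Colm's workaround was keytool; the script below is an added example (not from the thread, and not Fediz project code) that instead builds PKCS12 stores with openssl alone, since sec:keyStore accepts type="pkcs12" as well as JKS. It adds the check a practitioner wants first, that the private key actually belongs to the certificate, and reads the stores back to confirm their contents. File names, the alias and the output locations are assumptions; the passwords reuse the thread's tompass/ispass values purely as placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fediz. Converts a Let's Encrypt
# style PEM set (privkey.pem + fullchain.pem) into PKCS12 key and trust stores
# using only openssl. File names, alias and passwords are assumptions.
set -eu

# Guard: refuse to build a store from a key that does not belong to the
# certificate. Compares the SubjectPublicKeyInfo hash of both sides; x509 reads
# the first (leaf) certificate when given a full chain.
key_matches_cert() {
    key=$1; cert=$2
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    [ "$key_pub" = "$cert_pub" ]
}

# privkey.pem + fullchain.pem (leaf first, then intermediates) -> key store.
# Tomcat: keystoreFile="<out>" keystoreType="PKCS12"; CXF: sec:keyStore type="pkcs12".
build_key_store() {
    key=$1; chain=$2; out=$3; alias=$4; pass=$5
    key_matches_cert "$key" "$chain"
    openssl pkcs12 -export -inkey "$key" -in "$chain" -name "$alias" \
        -passout "pass:$pass" -out "$out"
    chmod 600 "$out"    # the store holds the private key; keep it owner-only
}

# Issuing CA certificate(s) only -> trust store (no private key inside).
# For the IdP -> STS hop this is the issuing cert of the Tomcat hosting the STS.
build_trust_store() {
    ca_bundle=$1; out=$2; pass=$3
    openssl pkcs12 -export -nokeys -in "$ca_bundle" -passout "pass:$pass" -out "$out"
}

# Read back the subject of the leaf certificate held in a key store, so the
# result can be checked before Tomcat is restarted.
key_store_subject() {
    store=$1; pass=$2
    openssl pkcs12 -in "$store" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Number of certificates held in a trust store.
trust_store_cert_count() {
    store=$1; pass=$2
    openssl pkcs12 -in "$store" -passin "pass:$pass" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Typical use (assumed paths): run from a certbot deploy hook so the stores are
# rebuilt at every renewal instead of being copied into WEB-INF/classes by hand.
#   build_key_store /etc/letsencrypt/live/domain.tld/privkey.pem \
#                   /etc/letsencrypt/live/domain.tld/fullchain.pem \
#                   "$CATALINA_BASE/conf/idp-ssl-key.p12" idp tompass
#   build_trust_store /path/to/sts-issuer-ca.pem "$CATALINA_BASE/conf/idp-ssl-trust.p12" ispass
```

Two notes on wiring this in. CXF's sec:keyStore takes a file= attribute (a filesystem path) as an alternative to the classpath resource= used in the thread's cxf-tls.xml, which is how the store can stay under catalina base rather than WEB-INF/classes; writing that path as ${catalina.base}/conf/idp-ssl-key.p12 assumes a Spring property placeholder is active in that XML to resolve the system property, which the thread does not confirm. Separately, OpenSSL 3 writes PKCS12 with PBKDF2/AES by default, which JDKs older than 8u301 or 11.0.12 cannot read ("keystore password was incorrect"); on such a JDK add -legacy to the two export commands.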