in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
clientAuth
This is an alias for the certificateVerification attribute of the default SSLHostConfig element.

then
certificateVerification
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

so i changed clientAuth="want" to clientAuth="required". now i cannot access the site at all with
Secure Connection Failed
An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT

maybe i should try using Tomcat 7?
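An added checker, not from the thread or from the Tomcat/CXF projects, for the two settings the thread is juggling: what the Tomcat connector's effective certificateVerification is once the clientAuth alias is honoured (and whether any SSLHostConfig attribute is a near-miss of the real name, which Tomcat would not apply), and whether cxf-tls.xml still carries a sec:keyManagers so the IdP has a certificate to present. The sample XML, its /path/... files and client-ca.pem are constructed; the namespace URIs are CXF's standard http-conf and security ones.

```python
import xml.etree.ElementTree as ET

# Values SSLHostConfig.certificateVerification accepts, plus the Connector-level
# clientAuth spellings (true/want/false) that Tomcat maps onto them.
VERIFICATION_ALIASES = {
    "required": "required", "require": "required", "true": "required",
    "optional": "optional", "want": "optional",
    "optionalnoca": "optionalNoCA", "optional_no_ca": "optionalNoCA",
    "none": "none", "false": "none",
}
TRUST_ATTRS = ("truststoreFile", "caCertificateFile", "caCertificatePath")
# Namespace URIs from CXF's http-conf and security configuration schemas.
CXF_NS = {"http": "http://cxf.apache.org/transports/http/configuration",
          "sec": "http://cxf.apache.org/configuration/security"}


def _normalise(value, warnings):
    mode = VERIFICATION_ALIASES.get(value.strip().lower())
    if mode is None:
        warnings.append(f"unrecognised verification value {value!r}")
        return "none"
    return mode


def connector_verification(server_xml, port):
    """Effective certificateVerification for the Connector on `port`:
    required, optional, optionalNoCA or none (Tomcat's default)."""
    warnings = []
    root = ET.fromstring(server_xml)
    connector = next((c for c in root.iter("Connector")
                      if c.get("port") == str(port)), None)
    if connector is None:
        return None, [f"no Connector on port {port}"]
    mode = "none"
    if "clientAuth" in connector.attrib:  # alias for certificateVerification
        mode = _normalise(connector.get("clientAuth"), warnings)
    trust = any(a in connector.attrib for a in TRUST_ATTRS)
    for host in connector.findall("SSLHostConfig"):
        if "certificateVerification" in host.attrib:
            mode = _normalise(host.get("certificateVerification"), warnings)
        trust |= any(a in host.attrib for a in TRUST_ATTRS)
        # An attribute Tomcat does not know is not applied: flag near-misses of the real name.
        for name in host.attrib:
            if name != "certificateVerification" and "verification" in name.lower():
                warnings.append(f"SSLHostConfig attribute {name!r} is not "
                                "certificateVerification and has no effect")
    if mode in ("required", "optional") and not trust:
        warnings.append("no truststoreFile/caCertificateFile/caCertificatePath: "
                        "confirm which CAs client certificates are checked against")
    return mode, warnings


def conduit_has_client_key(cxf_tls_xml):
    """True when every http:conduit has a sec:keyManagers/sec:keyStore to present;
    ElementTree drops XML comments, so a commented-out block does not count."""
    root = ET.fromstring(cxf_tls_xml)
    conduits = list(root.iter(f"{{{CXF_NS['http']}}}conduit"))
    if not conduits:
        return False
    for conduit in conduits:
        params = conduit.find("http:tlsClientParameters", CXF_NS)
        store = None if params is None else params.find("sec:keyManagers/sec:keyStore", CXF_NS)
        if store is None or not any(store.get(a) for a in ("resource", "file", "url")):
            return False
    return True


# Constructed server.xml in the shape of the APR config from the thread; the
# attribute is spelt clientVerification there, so it is not applied.
SERVER_XML_TYPO = """<Server><Service>
<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig clientVerification="required">
    <Certificate certificateKeyFile="/path/privkey.pem" certificateFile="/path/cert.pem"
                 certificateChainFile="/path/fullchain.pem" type="RSA"/>
  </SSLHostConfig>
</Connector></Service></Server>"""
SERVER_XML_FIXED = SERVER_XML_TYPO.replace(
    'clientVerification="required"',
    'certificateVerification="required" caCertificateFile="/path/client-ca.pem"')

# Constructed cxf-tls.xml, once with keyManagers commented out (as in the thread) and once active.
CXF_TLS_TEMPLATE = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:http="http://cxf.apache.org/transports/http/configuration"
  xmlns:sec="http://cxf.apache.org/configuration/security">
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">{key_managers}</http:tlsClientParameters>
  </http:conduit>
</beans>"""
KEY_MANAGERS = ('<sec:keyManagers keyPassword="tompass"><sec:keyStore type="jks" '
                'password="tompass" resource="idp-ssl-key.jks"/></sec:keyManagers>')
CXF_TLS_COMMENTED = CXF_TLS_TEMPLATE.format(key_managers=f"<!-- {KEY_MANAGERS} -->")
CXF_TLS_ACTIVE = CXF_TLS_TEMPLATE.format(key_managers=KEY_MANAGERS)
```

Run `connector_verification(SERVER_XML_TYPO, 9443)` and `conduit_has_client_key(CXF_TLS_COMMENTED)` to see both halves of the thread's failure reported: mode stays `none` with a warning about `clientVerification`, and the conduit has no key to present.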

On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
The problem is that your Tomcat container hosting the STS is not asking for
client authentication. You can check this by using a web browser or curl to
view the WSDL of the STS - if you can get it to work then the configuration
is incorrect, as it should error on the browser not supplying a client cert.

Colm.

On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
[email protected]> wrote:

i spoke too soon.

i am completely stuck with the same stack trace and no amount of reloading
the certificates is helping.  is there any way to debug what the actual
problem is?

2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
     at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
     at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
     ...
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
     ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
     at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
     at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
     at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
     at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
     ... 155 more
2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token


On 23/10/2017 19:41, Matthew Broadhead wrote:

Thanks for your help Colm.  I now have it working using the production
certificate by following this example https://stackoverflow.com/a/2141229/3052312
to export the pems into jks files.

but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
into webapps/idp/WEB-INF/classes as well as having them in catalina base.
this seems impractical in production as the certificates get reissued every
6 months.  is it possible for sec:keyStore to define the resource as being
in catalina base?

On 23/10/2017 18:11, Colm O hEigeartaigh wrote:

sec:keyStore supports either JKS or PKCS12 keystores. There is also a
sec:certStore that works with PEM files, but only for TrustStores I
think.
As a workaround you can just use the Java keytool command to import your
PEM key/cert into a JKS keystore.

this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
has idp-ssl-server.jks but no idp-ssl-key.jks.

SVN is not used any more by CXF or Fediz, that page is old. The correct
version is on github:

https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Colm.

On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
[email protected]> wrote:

Hi Colm,
is there any way for sec:keyStore to be pointed at a pem certificate
instead of a java keystore?  where is the documentation for sec:keyStore?

Matt

On 23/10/2017 17:11, Colm O hEigeartaigh wrote:

I haven't used the APR connector. The following works for me in the
tests,
perhaps you could duplicate this config and get it working first before
switching over to the APR connector:

    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
               truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />

Yes you will need to specify the truststore and keystore in cxf-tls.xml to
communicate with the STS from the IdP. The truststore should contain the
issuing cert of the Tomcat instance hosting your STS + then keystore the
private key of your IdP.

Colm.

On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
[email protected]> wrote:

i am using my own certificate with APR in the tomcat server.xml.  I added
clientVerification="required" to SSLHostConfig but I still have the same
problem
<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig clientVerification="required">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I commented the trustManagers and keyManagers in
services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
How would I use production certificates?
<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <!-- <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
        </sec:keyManagers> -->
    </http:tlsClientParameters>
</http:conduit>


On 22/10/2017 00:38, Matthew Broadhead wrote:

ok...i fixed the last error by dropping the schema and restarting.

but now i have this
2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
       ...
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
       at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
       ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
       at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
       ...
2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token


On 20/10/2017 23:05, Matthew Broadhead wrote:

ok i now have a different error and it doesn't load the login screen

2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added

the previous one was caused by
services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
<property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
should have been
<property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
according to original file

On 20/10/2017 18:27, Matthew Broadhead wrote:

Hi Colm,

Yes I have:
<bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
...
    <property name="applications">
        <util:list>
            <ref bean="srv-fedizhelloworld" />
            <!-- <ref bean="srv-oidc" /> -->
        </util:list>
    </property>
...
</bean>

<bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
    <property name="serviceDisplayName" value="Fedizhelloworld" />
    <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
    <property name="role" value="ApplicationServiceType" />
    <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
    <property name="lifeTime" value="3600" />
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
    <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
</bean>

<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
    <property name="application" ref="srv-fedizhelloworld" />
    <property name="claim" ref="claim_role" />
    <property name="optional" value="false" />
</bean>

etc.

On 20/10/2017 18:08, Colm O hEigeartaigh wrote:

Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
realm "urn:org:apache:cxf:fediz:fedizhelloworld"?

Colm.

On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
[email protected]> wrote:

Hi,

i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to
use it from localhost:9443/fedizhelloworld/secure/fedservlet. it
correctly redirects to the login page and seems to authenticate ok

but then i get the following error
2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld

Matthew