Why not try the simple Connector configuration I gave earlier but with your own keys?

Colm.

On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <[email protected]> wrote:

> In Tomcat 8
> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
> it says
>
> clientAuth
> This is an alias for the certificateVerification attribute of the default
> SSLHostConfig element.
>
> then
>
> certificateVerification
> Set to required if you want the SSL stack to require a valid certificate
> chain from the client before accepting a connection. Set to optional if you
> want the SSL stack to request a client Certificate, but not fail if one
> isn't presented. Set to optionalNoCA if you want client certificates to be
> optional and you don't want Tomcat to check them against the list of
> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
> JSSE does not) it is treated as if optional was specified. A none value
> (which is the default) will not require a certificate chain unless the
> client requests a resource protected by a security constraint that uses
> CLIENT-CERT authentication.
>
> So I changed clientAuth="want" to clientAuth="required". Now I cannot
> access the site at all with
>
> Secure Connection Failed
> An error occurred during a connection to domain.tld:9443. SSL peer cannot
> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>
> Maybe I should try using Tomcat 7?
>
> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>
>> The problem is that your Tomcat container hosting the STS is not asking
>> for client authentication. You can check this by using a web browser or
>> curl to view the WSDL of the STS - if you can get it to work then the
>> configuration is incorrect, as it should error on the browser not
>> supplying a client cert.
>>
>> Colm.
>>
>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <[email protected]> wrote:
>>
>>> I spoke too soon.
>>>
>>> I am completely stuck with the same stack trace and no amount of
>>> reloading the certificates is helping. Is there any way to debug what
>>> the actual problem is?
>>>
>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>     at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>     at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>     at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>     at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>     at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>     at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>     at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>     at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>     at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>     at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>     at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>     at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>     at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>     at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>     at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>     at org.springframework.webflow.engine.State.enter(State.java:193)
>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>     at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>     at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>     at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>     at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>     at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>     at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
>>>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>>     at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
>>>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>     at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
>>>     at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>     at java.lang.Thread.run(Thread.java:748)
>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>     ... 154 more
>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
>>>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
>>>     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>>>     at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>     at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>>     ... 155 more
>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>
>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>
>>>> Thanks for your help Colm. I now have it working using the production
>>>> certificate by following this example
>>>> https://stackoverflow.com/a/2141229/3052312 to export the pems into jks
>>>> files.
>>>>
>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>> This seems impractical in production as the certificates get reissued
>>>> every 6 months. Is it possible for sec:keyStore to define the resource as
>>>> being in catalina base?
>>>>
>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>
>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>> sec:certStore that works with PEM files, but only for TrustStores I
>>>>> think. As a workaround you can just use the Java keytool command to
>>>>> import your PEM key/cert into a JKS keystore.
>>>>>
>>>>>> this document
>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>
>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>> version is on github:
>>>>>
>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>
>>>>>> Hi Colm,
>>>>>>
>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate
>>>>>> instead of a java keystore? Where is the documentation for
>>>>>> sec:keyStore?
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>>> I haven't used the APR connector. The following works for me in the
>>>>>>> tests, perhaps you could duplicate this config and get it working
>>>>>>> first before switching over to the APR connector:
>>>>>>>
>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>     SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>     sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>     keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>
>>>>>>> Yes you will need to specify the truststore and keystore in
>>>>>>> cxf-tls.xml to communicate with the STS from the IdP. The truststore
>>>>>>> should contain the issuing cert of the Tomcat instance hosting your
>>>>>>> STS + then keystore the private key of your IdP.
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>
>>>>>>>> I am using my own certificate with APR in the tomcat server.xml. I
>>>>>>>> added clientVerification="required" to SSLHostConfig but I still
>>>>>>>> have the same problem
>>>>>>>>
>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>     maxThreads="150" SSLEnabled="true">
>>>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>             certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>             certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>             type="RSA" />
>>>>>>>>     </SSLHostConfig>
>>>>>>>> </Connector>
>>>>>>>>
>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>> services/idp/src/main/resources/cxf-tls.xml. Could this be the
>>>>>>>> problem? How would I use production certificates?
>>>>>>>>
>>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>         <!-- <sec:trustManagers>
>>>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>         </sec:trustManagers>
>>>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>         </sec:keyManagers> -->
>>>>>>>>     </http:tlsClientParameters>
>>>>>>>> </http:conduit>
>>>>>>>>
>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>
>>>>>>>>> OK... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>
>>>>>>>>> But now I have this
>>>>>>>>>
>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>     ...
>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>     ... 154 more
>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>     ...
>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>
>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>
>>>>>>>>>> OK, I now have a different error and it doesn't load the login
>>>>>>>>>> screen
>>>>>>>>>>
>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>
>>>>>>>>>> The previous one was caused by
>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>
>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>
>>>>>>>>>> should have been
>>>>>>>>>>
>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>
>>>>>>>>>> according to original file
>>>>>>>>>>
>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>
>>>>>>>>>>> Yes I have:
>>>>>>>>>>>
>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>     ...
>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>         <util:list>
>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>         </util:list>
>>>>>>>>>>>     </property>
>>>>>>>>>>>     ...
>>>>>>>>>>> </bean>
>>>>>>>>>>>
>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>> </bean>
>>>>>>>>>>>
>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>> </bean>
>>>>>>>>>>>
>>>>>>>>>>> etc.
>>>>>>>>>>>
>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Do you have an
>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml
>>>>>>>>>>>> with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am
>>>>>>>>>>>>> trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.
>>>>>>>>>>>>> It correctly redirects to the login page and seems to
>>>>>>>>>>>>> authenticate ok
>>>>>>>>>>>>>
>>>>>>>>>>>>> but then I get the following error
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matthew

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
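The thread turns on one question: does the Tomcat connector in front of the STS ask the client for a certificate during the TLS handshake? CXF's "RequireClientCertificate is set, but no local certificates were negotiated" means it did not, while the browser's SSL_ERROR_BAD_CERT_ALERT after switching to clientAuth="required" is what a client without a certificate sees once it does. The checker below is an added example written for this page by the editor; it is not code from the thread, from Tomcat or from Fediz. It parses a server.xml Connector snippet and reports the effective certificateVerification mode, using the Tomcat 8.5 documentation quoted in the thread (clientAuth on Connector is an alias for certificateVerification on the default SSLHostConfig; valid modes are none, optional, optionalNoCA, required; none asks for nothing unless a CLIENT-CERT security constraint is hit). Two things go beyond what the thread states and are the editor's reading of Tomcat 8.5: the alias spellings true/want/false map to required/optional/none, and an attribute Tomcat does not recognise (such as the clientVerification spelling posted above) is ignored rather than applied, with a "did not find a matching property" warning in the startup log. The three SAMPLES are constructed from the connectors posted in the thread.

```python
"""Report whether each SSL-enabled Tomcat <Connector> in a server.xml
snippet will ask the client for a certificate during the TLS handshake.

Editor's example; not code from the mailing-list thread, Tomcat or Fediz.
Assumed (editor's reading of Tomcat 8.5, beyond what the thread quotes):
  * clientAuth="true" / "want" / "false" on <Connector> select
    certificateVerification required / optional / none on the default
    <SSLHostConfig>, and the canonical mode names are accepted there too;
  * an attribute Tomcat does not know (e.g. clientVerification) is ignored,
    with a "did not find a matching property" warning in catalina.out.
"""
import sys
import xml.etree.ElementTree as ET

# Values the Tomcat docs quoted in the thread list for certificateVerification.
MODES = {"none", "optional", "optionalNoCA", "required"}
# Legacy clientAuth spellings and the mode each selects (assumption above).
ALIASES = {"true": "required", "want": "optional", "false": "none"}


def _mode_from(value):
    """Normalise a clientAuth/certificateVerification value; None if unknown."""
    v = value.strip()
    if v in MODES:
        return v
    if v.lower() == "optionalnoca":
        return "optionalNoCA"
    return ALIASES.get(v.lower())


def analyse_connectors(server_xml):
    """One report dict per SSLEnabled <Connector> found in the XML string."""
    reports = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        rep = {"port": conn.get("port"), "mode": "none", "set_by": "default", "warnings": []}
        # Legacy alias on the <Connector> element itself.
        alias = conn.get("clientAuth")
        if alias is not None:
            mode = _mode_from(alias)
            if mode is None:
                rep["warnings"].append(f'clientAuth="{alias}" is not a recognised value')
            else:
                rep["mode"], rep["set_by"] = mode, f'clientAuth="{alias}"'
        # Explicit attribute on <SSLHostConfig>; the last one seen wins here.
        for shc in conn.findall("SSLHostConfig"):
            for name, value in shc.attrib.items():
                if name == "certificateVerification":
                    mode = _mode_from(value)
                    if mode is None:
                        rep["warnings"].append(
                            f'certificateVerification="{value}" is not one of {sorted(MODES)}')
                    else:
                        rep["mode"], rep["set_by"] = mode, f'certificateVerification="{value}"'
                elif "verification" in name.lower() or "clientauth" in name.lower():
                    # Near miss such as clientVerification="required": not a Tomcat
                    # attribute, so it does nothing (see the module docstring).
                    rep["warnings"].append(
                        f'{name}="{value}" is not an SSLHostConfig attribute '
                        "(did you mean certificateVerification?) and has no effect")
        mode = rep["mode"]
        rep["requests_client_cert_at_handshake"] = mode != "none"
        rep["rejects_missing_client_cert"] = mode == "required"
        if mode == "none":
            rep["warnings"].append(
                "no client certificate is requested in the handshake (only a CLIENT-CERT "
                "security constraint would trigger one), so a CXF client with "
                "RequireClientCertificate fails with 'no local certificates were negotiated'")
        reports.append(rep)
    return reports


# Constructed samples, rebuilt from the connectors posted in the thread.
SAMPLES = {
    "nio_want": '<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" '
                'maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="want" '
                'sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass" '
                'keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />',
    "apr_typo": '<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol" '
                'maxThreads="150" SSLEnabled="true">'
                '<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />'
                '<SSLHostConfig clientVerification="required">'
                '<Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem" '
                'certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem" '
                'certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem" type="RSA" />'
                '</SSLHostConfig></Connector>',
    "nio_required": '<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" '
                    'SSLEnabled="true" scheme="https" secure="true" clientAuth="required" '
                    'keystoreFile="idp-ssl-key.jks" keystorePass="tompass" '
                    'truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />',
}

if __name__ == "__main__":
    # Usage: python check_client_auth.py [server.xml]; with no file, run the samples.
    inputs = {sys.argv[1]: open(sys.argv[1]).read()} if len(sys.argv) > 1 else SAMPLES
    for label, xml in inputs.items():
        for rep in analyse_connectors(xml):
            print(f"[{label}] port {rep['port']}: mode={rep['mode']} ({rep['set_by']}); "
                  f"asks for client cert={rep['requests_client_cert_at_handshake']}, "
                  f"requires it={rep['rejects_missing_client_cert']}")
            for w in rep["warnings"]:
                print("   warning:", w)
```

Run against the samples, the NIO connector with clientAuth="want" reports mode optional (the handshake asks for a certificate but tolerates its absence, which is what the IdP-to-STS call needs), the APR connector with the clientVerification spelling reports mode none plus a near-miss warning, and the clientAuth="required" variant reports mode required, the state in which a browser with no client certificate gets the bad-certificate alert described above. Pair the report with the check Colm suggests: fetch the STS WSDL with curl and no client certificate; a connector in mode optional or required should refuse or prompt, not serve it.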
