Hi Colm
Firstly is there somewhere to see these instructions correctly formatted in html?
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
Secondly there is a massive difference between
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
and
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
(svn being the one linked from the main fediz pages)
On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.
I have some more things to try now so I will let you know if I get further
On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
Why not try the simple Connector configuration I gave earlier but with your
own keys?
Colm.
On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
[email protected]> wrote:
In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
clientAuth
This is an alias for the certificateVerification attribute of the default SSLHostConfig element.
then
certificateVerification
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
So I changed clientAuth="want" to clientAuth="required". Now I cannot access the site at all with
Secure Connection Failed
An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
Maybe I should try using Tomcat 7?
On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.
Colm.
On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
[email protected]> wrote:
I spoke too soon.
I am completely stuck with the same stack trace and no amount of reloading the certificates is helping. Is there any way to debug what the actual problem is?
2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
...
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
... 155 more
2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
On 23/10/2017 19:41, Matthew Broadhead wrote:
Thanks for your help Colm. I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base.
This seems impractical in production as the certificates get reissued every 6 months. Is it possible for sec:keyStore to define the resource as being in catalina base?
On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.
As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
Colm.
On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
[email protected]> wrote:
Hi Colm,
Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore? Where is the documentation for sec:keyStore?
Matt
On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
    sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
    keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
Colm.
On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
[email protected]> wrote:
I am using my own certificate with APR in the tomcat server.xml. I added clientVerification="required" to SSLHostConfig but I still have the same problem
<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
    maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig clientVerification="required">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
            certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
            certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
            type="RSA" />
    </SSLHostConfig>
</Connector>
I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml. Could this be the problem? How would I use production certificates?
<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <!-- <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
        </sec:keyManagers> -->
    </http:tlsClientParameters>
</http:conduit>
On 22/10/2017 00:38, Matthew Broadhead wrote:
OK... I fixed the last error by dropping the schema and restarting.
But now I have this
2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
...
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
...
2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
On 20/10/2017 23:05, Matthew Broadhead wrote:
OK, I now have a different error and it doesn't load the login screen
2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
The previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
<property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
should have been
<property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
according to original file
On 20/10/2017 18:27, Matthew Broadhead wrote:
Hi Colm,
Yes I have:
<bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
    ...
    <property name="applications">
        <util:list>
            <ref bean="srv-fedizhelloworld" />
            <!-- <ref bean="srv-oidc" /> -->
        </util:list>
    </property>
    ...
</bean>
<bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
    <property name="serviceDisplayName" value="Fedizhelloworld" />
    <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
    <property name="role" value="ApplicationServiceType" />
    <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
    <property name="lifeTime" value="3600" />
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
    <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
    <property name="application" ref="srv-fedizhelloworld" />
    <property name="claim" ref="claim_role" />
    <property name="optional" value="false" />
</bean>
etc.
On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
Colm.
On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
[email protected]> wrote:
Hi,
I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet. It correctly redirects to the login page and seems to authenticate ok but then I get the following error
2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
Matthew
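Added example, not from the thread or the Fediz project: a small Python checker that reads a Tomcat server.xml and reports, per SSL-enabled Connector, whether the server will ask the client for a certificate, which is the precondition the CXF STS client's RequireClientCertificate check in the stack traces above depends on. It applies the clientAuth / certificateVerification semantics quoted from the Tomcat 8.5 docs, and flags attribute names on SSLHostConfig that are not the documented certificateVerification (the APR snippet in the thread uses clientVerification). The sample server.xml is constructed from the two connectors posted in the thread; paths and passwords are placeholders, and only the Python standard library is assumed.

```python
"""Audit a Tomcat server.xml: will each TLS connector ask the client for a
certificate?  The CXF STS client in the thread fails with
"RequireClientCertificate is set, but no local certificates were negotiated"
whenever the answer is no."""
import xml.etree.ElementTree as ET

# Verification modes described for certificateVerification (and its alias
# clientAuth) in the Tomcat 8.5 docs quoted in the thread, keyed by
# lower-cased spelling; true/want/false are the classic clientAuth values.
MODE_ALIASES = {
    "true": "required", "require": "required", "required": "required",
    "want": "optional", "optional": "optional",
    "optionalnoca": "optionalNoCA",
    "false": "none", "none": "none",
}
# Any of these makes the server send a CertificateRequest; "none" does not.
ASKS_FOR_CERT = {"optional", "optionalNoCA", "required"}


def normalise(value):
    """Map a clientAuth/certificateVerification value to its canonical mode."""
    return MODE_ALIASES.get(value.strip().lower())


def audit_connector(connector):
    """Return a report dict for one <Connector> element."""
    warnings = []
    hosts = connector.findall("SSLHostConfig")
    if hosts:
        host = hosts[0]  # the default SSLHostConfig
        raw = host.get("certificateVerification")
        source = "SSLHostConfig/certificateVerification"
        # Tomcat will not apply an attribute it does not recognise, so a
        # misspelling leaves the default of "none" in force; flag anything
        # that looks like it was meant to be certificateVerification.
        for attr in host.attrib:
            if attr != "certificateVerification" and "verif" in attr.lower():
                warnings.append(
                    f"SSLHostConfig attribute {attr!r} is not recognised; "
                    "the documented attribute is certificateVerification")
        if len(hosts) > 1:
            warnings.append("only the first SSLHostConfig was examined")
    else:
        raw = connector.get("clientAuth")
        source = "Connector/clientAuth"
    if raw is None:
        mode, source = "none", "default"
    else:
        mode = normalise(raw)
        if mode is None:
            warnings.append(f"unrecognised verification value {raw!r}")
            mode = "none"
    return {
        "port": connector.get("port"),
        "protocol": connector.get("protocol", "HTTP/1.1"),
        "mode": mode,
        "source": source,
        "asks_for_client_cert": mode in ASKS_FOR_CERT,
        "warnings": warnings,
    }


def audit(server_xml):
    """Audit every SSL-enabled connector in a server.xml document string."""
    root = ET.fromstring(server_xml)
    return [audit_connector(c) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


# Constructed sample modelled on the two connectors posted in the thread;
# paths and passwords are placeholders, not real deployment values.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig clientVerification="required">
        <Certificate certificateKeyFile="/path/to/privkey.pem"
                     certificateFile="/path/to/cert.pem"
                     certificateChainFile="/path/to/fullchain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="9444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="idp-ssl-key.jks" keystorePass="PLACEHOLDER"
               keyPass="PLACEHOLDER" truststoreFile="idp-ssl-trust.jks"
               truststorePass="PLACEHOLDER" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for report in audit(SAMPLE_SERVER_XML):
        state = "asks" if report["asks_for_client_cert"] else "does NOT ask"
        print(f"port {report['port']}: mode={report['mode']} "
              f"({report['source']}), {state} for a client certificate")
        for warning in report["warnings"]:
            print("  warning:", warning)
```

Run against a real server.xml by passing its contents to audit(); a connector reported as mode none is one the STS client will fail against with the error shown in the thread.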