You can see the HTML here: https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html

I'll update the webpage to point to github instead of SVN.

Colm.

On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <[email protected]> wrote:

Hi Colm

Firstly, is there somewhere to see these instructions correctly formatted in HTML?
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Secondly, there is a massive difference between
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
and
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
(SVN being the one linked from the main Fediz pages).

On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.

I have some more things to try now, so I will let you know if I get further.

On 25/10/2017 12:11, Colm O hEigeartaigh wrote:

Why not try the simple Connector configuration I gave earlier but with your own keys?

Colm.

On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <[email protected]> wrote:

In Tomcat 8, https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 says:

clientAuth
This is an alias for the certificateVerification attribute of the default SSLHostConfig element.

then

certificateVerification
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

So I changed clientAuth="want" to clientAuth="required". Now I cannot access the site at all, with:

Secure Connection Failed
An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT

Maybe I should try using Tomcat 7?

On 25/10/2017 11:42, Colm O hEigeartaigh wrote:

The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.

Colm.

On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <[email protected]> wrote:

I spoke too soon.

I am completely stuck with the same stack trace and no amount of reloading the certificates is helping. Is there any way to debug what the actual problem is?

2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
    at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
    at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
    at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
    at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
    at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
    at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
    at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
    at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
    at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
    at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
    at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
    at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
    at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
    at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
    at org.springframework.webflow.engine.State.enter(State.java:193)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
    at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
    at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
    at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
    at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
    at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
    at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
    at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
    at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
    at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
    at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Flow.start(Flow.java:527)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
    at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Flow.start(Flow.java:527)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
    at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
    at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
    at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
    ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
    at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
    at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
    at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
    at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
    ... 155 more
2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token

On 23/10/2017 19:41, Matthew Broadhead wrote:

Thanks for your help Colm. I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the PEMs into JKS files.

But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base. This seems impractical in production as the certificates get reissued every 6 months. Is it possible for sec:keyStore to define the resource as being in catalina base?

On 23/10/2017 18:11, Colm O hEigeartaigh wrote:

sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think. As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.

> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.

SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:

https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Colm.

On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <[email protected]> wrote:

Hi Colm,

Is there any way for sec:keyStore to be pointed at a PEM certificate instead of a Java keystore? Where is the documentation for sec:keyStore?

Matt

On 23/10/2017 17:11, Colm O hEigeartaigh wrote:

I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:

<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
           sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
           keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />

Yes, you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS, and then the keystore the private key of your IdP.

Colm.

On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <[email protected]> wrote:

I am using my own certificate with APR in the Tomcat server.xml. I added clientVerification="required" to SSLHostConfig but I still have the same problem:

<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig clientVerification="required">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I commented out the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml. Could this be the problem? How would I use production certificates?

<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <!-- <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
        </sec:keyManagers> -->
    </http:tlsClientParameters>
</http:conduit>

On 22/10/2017 00:38, Matthew Broadhead wrote:

OK... I fixed the last error by dropping the schema and restarting.

But now I have this:

2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
    ...
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
    ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
    at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
    ...
2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token

On 20/10/2017 23:05, Matthew Broadhead wrote:

OK, I now have a different error and it doesn't load the login screen:

2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added

The previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml:

<property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />

should have been

<property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />

according to the original file.

On 20/10/2017 18:27, Matthew Broadhead wrote:

Hi Colm,

Yes I have:

<bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
    ...
    <property name="applications">
        <util:list>
            <ref bean="srv-fedizhelloworld" />
            <!-- <ref bean="srv-oidc" /> -->
        </util:list>
    </property>
    ...
</bean>

<bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
    <property name="serviceDisplayName" value="Fedizhelloworld" />
    <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
    <property name="role" value="ApplicationServiceType" />
    <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
    <property name="lifeTime" value="3600" />
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
    <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
</bean>

<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
    <property name="application" ref="srv-fedizhelloworld" />
    <property name="claim" ref="claim_role" />
    <property name="optional" value="false" />
</bean>

etc.

On 20/10/2017 18:08, Colm O hEigeartaigh wrote:

Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?

Colm.

On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <[email protected]> wrote:

Hi,

I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.
>>>>>>>>>>>>>>> it >>>>>>>>>>>>>>> correctly redirects to the login page and seems to >>>>>>>>>>>>>>> authenticate >>>>>>>>>>>>>>> ok >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> but then i get the following error >>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO >>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - >>>>>>>>>>>>>>> Token >>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully >>>>>>>>>>>>>>> cached. >>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN >>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValida >>>>>>>>>>>>>>> tor >>>>>>>>>>>>>>> - >>>>>>>>>>>>>>> No >>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fediz >>>>>>>>>>>>>>> helloworld >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Matthew >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >> > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
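The passiveRequestorEndpointConstraint on the ApplicationEntity quoted in the thread is what the IdP's EndpointAddressValidator checks a requestor's endpoint against, after first looking the application up by realm (the "No service config found for <realm>" warning is that lookup failing). The Python below is an added example, not Fediz code: it assumes the constraint must match the whole address (as Java's Matcher.matches() does, mirrored here with re.fullmatch) and uses a constructed application table with the realm and constraint from the thread.

```python
import re

# Constructed application table mirroring the ApplicationEntity beans in the thread:
# realm -> passiveRequestorEndpointConstraint (assumption: one constraint per realm)
APPLICATIONS = {
    "urn:org:apache:cxf:fediz:fedizhelloworld": r"https://localhost:?(\d)*/.*",
}


def validate_endpoint(applications, realm, address):
    """Return 'no service config', 'allowed' or 'rejected' for a requestor endpoint.

    Assumption: Fediz requires the whole address to match the constraint
    (Java Matcher.matches()); re.fullmatch is the Python equivalent, so a
    constraint is never satisfied by a prefix match alone."""
    constraint = applications.get(realm)
    if constraint is None:
        # Same situation as the IdP's "No service config found for <realm>" warning:
        # the realm in the request has no ApplicationEntity, so nothing is trusted.
        return "no service config"
    if re.fullmatch(constraint, address) is not None:
        return "allowed"
    # Fail closed: an address outside the constraint must not receive a token.
    return "rejected"


if __name__ == "__main__":
    realm = "urn:org:apache:cxf:fediz:fedizhelloworld"
    # Constructed sample endpoints; the constraint allows only https on localhost
    # with an optional port and a path, so a foreign host or plain http is refused.
    samples = [
        "https://localhost:9443/fedizhelloworld/secure/fedservlet",
        "https://localhost/fedizhelloworld/secure/fedservlet",
        "http://localhost:9443/fedizhelloworld/secure/fedservlet",
        "https://localhost.example.net/fedizhelloworld/",
    ]
    for addr in samples:
        print(f"{validate_endpoint(APPLICATIONS, realm, addr):>17}  {addr}")
    # A constraint that drops the mandatory "/" after the host, e.g. "https://localhost.*",
    # would also accept the foreign-host address above; the "/.*" suffix is what anchors it.
    loose = {realm: r"https://localhost.*"}
    print("loose constraint:", validate_endpoint(loose, realm, samples[3]))
```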
