I get a load of stuff, but in the middle of the one before the error I get:
Warning: no suitable certificate found - continuing without client authentication

On 25/10/2017 13:42, Matthew Broadhead wrote:
ahhh...
-Djavax.net.debug=all

On 25/10/2017 13:39, Matthew Broadhead wrote:
How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml <security:debug/>?

On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS.

Colm.

On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <[email protected]> wrote:

Hi Colm,

I realise now that this HTML file was included in the examples/samplekeys directory in the code, but I was taking it from the internet.

I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again. I can browse the WSDL without having to provide a client certificate. Could you point me to the part of the idp-sts configuration which might be causing it to not ask for the keys properly? Or is it definitely a Tomcat server.xml issue?

On 25/10/2017 12:55, Colm O hEigeartaigh wrote:

You can see the HTML here:
https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html

I'll update the webpage to point to github instead of SVN.

Colm.

On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <[email protected]> wrote:

Hi Colm
Firstly, is there somewhere to see these instructions correctly formatted in HTML?
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Secondly, there is a massive difference between
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
and
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
(SVN being the one linked from the main Fediz pages)

On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.

I have some more things to try now so I will let you know if I get further.

On 25/10/2017 12:11, Colm O hEigeartaigh wrote:

Why not try the simple Connector configuration I gave earlier but with your own keys?

Colm.

On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <[email protected]> wrote:

In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says

clientAuth
This is an alias for the certificateVerification attribute of the default SSLHostConfig element.

then

certificateVerification
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

So I changed clientAuth="want" to clientAuth="required". Now I cannot access the site at all with
Secure Connection Failed
An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT

Maybe I should try using Tomcat 7?

On 25/10/2017 11:42, Colm O hEigeartaigh wrote:

The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.

Colm.

On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <[email protected]> wrote:

I spoke too soon.

I am completely stuck with the same stack trace and no amount of reloading the certificates is helping. Is there any way to debug what the actual problem is?

2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
        at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
        at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
        at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
        at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
        at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
        at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
        at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
        at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
        at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
        at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
        at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
        at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
        at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
        at org.springframework.webflow.engine.State.enter(State.java:193)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
        at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
        at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Flow.start(Flow.java:527)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
        at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Flow.start(Flow.java:527)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
        at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
        at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
        at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
        at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
        ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
        at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
        at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
        at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
        at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
        at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
        at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
        ... 155 more
2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token


On 23/10/2017 19:41, Matthew Broadhead wrote:

Thanks for your help Colm. I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the PEMs into JKS files.

But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base. This seems impractical in production as the certificates get reissued every 6 months. Is it possible for sec:keyStore to define the resource as being in catalina base?

On 23/10/2017 18:11, Colm O hEigeartaigh wrote:

sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think. As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.

This document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.

SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:

https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Colm.

On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <[email protected]> wrote:

Hi Colm,

Is there any way for sec:keyStore to be pointed at a PEM certificate instead of a Java keystore? Where is the documentation for sec:keyStore?

Matt

On 23/10/2017 17:11, Colm O hEigeartaigh wrote:

I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:

<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS"
           keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
           truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />

Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS, and the keystore the private key of your IdP.

Colm.

On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <[email protected]> wrote:

I am using my own certificate with APR in the Tomcat server.xml. I added clientVerification="required" to SSLHostConfig but I still have the same problem.

<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig clientVerification="required">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml. Could this be the problem? How would I use production certificates?

<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <!-- <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
        </sec:keyManagers> -->
    </http:tlsClientParameters>
</http:conduit>


On 22/10/2017 00:38, Matthew Broadhead wrote:

OK... I fixed the last error by dropping the schema and restarting.

But now I have this:

2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
        ...
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
        ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
        ...
2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token


On 20/10/2017 23:05, Matthew Broadhead wrote:

OK, I now have a different error and it doesn't load the login screen:

2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added

The previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
<property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
should have been
<property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
according to the original file.

On 20/10/2017 18:27, Matthew Broadhead wrote:

Hi Colm,

Yes I have:

<bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
    ...
    <property name="applications">
        <util:list>
            <ref bean="srv-fedizhelloworld" />
            <!-- <ref bean="srv-oidc" /> -->
        </util:list>
    </property>
    ...
</bean>

<bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
    <property name="serviceDisplayName" value="Fedizhelloworld" />
    <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
    <property name="role" value="ApplicationServiceType" />
    <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
    <property name="lifeTime" value="3600" />
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
    <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
</bean>

<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
    <property name="application" ref="srv-fedizhelloworld" />
    <property name="claim" ref="claim_role" />
    <property name="optional" value="false" />
</bean>

etc.

On 20/10/2017 18:08, Colm O hEigeartaigh wrote:

Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?

Colm.

On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <[email protected]> wrote:

Hi,

I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet. It correctly redirects to the login page and seems to authenticate OK, but then I get the following error:

2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld

Matthew
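The recurring question in this thread is whether the Tomcat connector in front of the STS will actually send a TLS CertificateRequest, which is what the CXF HttpsToken policy (RequireClientCertificate) needs before the IdP's own certificate can be "negotiated". The example below is added here for this thread; it is not Tomcat, CXF or Fediz code and was not posted by anyone in the discussion. It parses a server.xml, reports the effective certificateVerification mode of every TLS-enabled connector, and flags attributes on SSLHostConfig that are not in its (deliberately partial, assumed) list of known attributes. Run against constructed copies of the two connectors posted above, it shows the NIO connector with clientAuth="want" ending up as "optional", and the APR connector with clientVerification="required" ending up as the default "none" because clientVerification is not the attribute the Tomcat 8.5 docs quoted in the thread describe (that attribute is certificateVerification). The clientAuth value mapping (want/true/false) is taken from those docs plus the legacy connector spellings and is stated as an assumption in the code.

```python
"""Audit the client-certificate verification a Tomcat TLS connector really ends
up with. Added example for this mailing-list thread; not Tomcat or Fediz code.
"""
import xml.etree.ElementTree as ET

# Connector@clientAuth is an alias for SSLHostConfig@certificateVerification
# (Tomcat 8.5 docs quoted in the thread). "want" -> optional per those docs;
# true/false are the legacy spellings (assumption: required/none).
CLIENT_AUTH_ALIASES = {"want": "optional", "true": "required", "false": "none"}
VALID_MODES = ("none", "optional", "optionalNoCA", "required")

# Partial list (assumption) of SSLHostConfig attributes that bear on client
# authentication. Anything else on the element is reported as unknown so the
# reader checks it against the documentation rather than trusting it silently.
KNOWN_SSLHOSTCONFIG_ATTRS = {
    "hostName", "protocols", "ciphers", "sslProtocol",
    "certificateVerification", "certificateVerificationDepth",
    "caCertificateFile", "caCertificatePath",
    "truststoreFile", "truststorePassword", "truststoreType", "truststoreProvider",
}


def normalize_mode(raw):
    """Map a clientAuth / certificateVerification value onto Tomcat's four modes."""
    value = CLIENT_AUTH_ALIASES.get(raw.strip().lower(), raw.strip())
    for mode in VALID_MODES:
        if value.lower() == mode.lower():
            return mode
    return "invalid:" + raw


def audit_connector(connector):
    """Return a finding for one <Connector SSLEnabled="true"> element."""
    finding = {
        "port": connector.get("port"),
        "mode": "none",        # Tomcat default when nothing is configured
        "source": "default",
        "unknown_attrs": [],
        "notes": [],
    }
    client_auth = connector.get("clientAuth")
    if client_auth is not None:
        finding["mode"] = normalize_mode(client_auth)
        finding["source"] = "Connector@clientAuth"

    for host_cfg in connector.findall("SSLHostConfig"):
        unknown = sorted(a for a in host_cfg.attrib if a not in KNOWN_SSLHOSTCONFIG_ATTRS)
        finding["unknown_attrs"].extend(unknown)
        verification = host_cfg.get("certificateVerification")
        if verification is not None:
            if client_auth is not None:
                finding["notes"].append("both clientAuth and certificateVerification are set")
            finding["mode"] = normalize_mode(verification)
            finding["source"] = "SSLHostConfig@certificateVerification"

    if finding["mode"] == "none":
        finding["notes"].append("no CertificateRequest will be sent; a CXF client "
                                "with RequireClientCertificate cannot negotiate a cert")
    elif finding["mode"] == "optional":
        finding["notes"].append("clients without a certificate still connect; use the "
                                "JSSE handshake debug log to see whether one was chosen")
    return finding


def audit_server_xml(xml_text):
    """Audit every TLS-enabled connector in a server.xml document, in document order."""
    root = ET.fromstring(xml_text)
    return [audit_connector(c) for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


# Constructed sample modelled on the two connectors posted in the thread.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
               truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
    <Connector port="9444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig clientVerification="required">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for f in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {f['port']}: certificateVerification={f['mode']} ({f['source']})")
        for attr in f["unknown_attrs"]:
            print(f"  unknown SSLHostConfig attribute: {attr}")
        for note in f["notes"]:
            print(f"  note: {note}")
```

To use it on a real deployment, read the file contents with `open("conf/server.xml").read()` and pass them to `audit_server_xml`. A mode of "optional" (clientAuth="want") is consistent with being able to browse the STS WSDL without a certificate, as reported above; only "required" makes a browser fail with a bad-certificate alert.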