You'll need to go through the output to figure out why the cert is not trusted. If you generate some test certs + create a testcase somewhere I will take a look.
Colm.

On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk> wrote:

> I get a load of stuff, but in the middle of the one before the error I get
> Warning: no suitable certificate found - continuing without client authentication
>
> On 25/10/2017 13:42, Matthew Broadhead wrote:
>
>> ahhh...
>> -Djavax.net.debug=all
>>
>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>
>>> How would I enable the debug?
>>> services/idp/src/main/webapp/WEB-INF/security-config.xml <security:debug/>?
>>>
>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>
>>>> If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS.
>>>>
>>>> Colm.
>>>>
>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk> wrote:
>>>>
>>>>> Hi Colm,
>>>>>
>>>>> I realise now that this html file was included in the examples/samplekeys directory in the code. But I was taking it from the internet.
>>>>>
>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again. I can browse the wsdl without having to provide a client certificate. Could you point me to the part of the idp-sts configuration which might be causing it to not ask for the keys properly? Or is it definitely a tomcat server.xml issue?
>>>>>
>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> You can see the HTML here:
>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>
>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> Hi Colm
>>>>>>>
>>>>>>> Firstly, is there somewhere to see these instructions correctly formatted in html?
>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>
>>>>>>> Secondly, there is a massive difference between
>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>> and
>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>
>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.
>>>>>>>
>>>>>>> I have some more things to try now so I will let you know if I get further.
>>>>>>>
>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> Why not try the simple Connector configuration I gave earlier but with your own keys?
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>
>>>>>>>>> clientAuth
>>>>>>>>> This is an alias for the certificateVerification attribute of the default SSLHostConfig element.
>>>>>>>>>
>>>>>>>>> then
>>>>>>>>>
>>>>>>>>> certificateVerification
>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented.
>>>>>>>>> Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
>>>>>>>>>
>>>>>>>>> So I changed clientAuth="want" to clientAuth="required". Now I cannot access the site at all with
>>>>>>>>> Secure Connection Failed
>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>
>>>>>>>>> Maybe I should try using Tomcat 7?
>>>>>>>>>
>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk> wrote:
>>>>>>>>>>
>>>>>>>>>>> I spoke too soon.
>>>>>>>>>>>
>>>>>>>>>>> I am completely stuck with the same stack trace and no amount of reloading the certificates is helping. Is there any way to debug what the actual problem is?
>>>>>>>>>>>
>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>     at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>>>>>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>>>>>>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
>>>>>>>>>>>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
>>>>>>>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>>>>>>>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>>>>>>>>>>     at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
>>>>>>>>>>>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>>>>>>>>>     at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
>>>>>>>>>>>     at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>     ... 154 more
>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
>>>>>>>>>>>     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>>>>>>>>>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>>>>>>>>>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>>>>>>>>>>>     at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>>>>>>     at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>>>>>>>>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>>>>>>>>>>     ... 155 more
>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>
>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Thanks for your help Colm. I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>
>>>>>>>>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base. This seems impractical in production as the certificates get reissued every 6 months. Is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>
>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think. As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> This document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>
>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore? Where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>>>>>>>>>>>     SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>>>>>>>>>>>     sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>>>>>>>>>>>     keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Yes, you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP.
The truststore should >>>>>>>>>>>>>>> contain >>>>>>>>>>>>>>> the >>>>>>>>>>>>>>> issuing cert of the Tomcat instance hosting your STS + then >>>>>>>>>>>>>>> keystore >>>>>>>>>>>>>>> the >>>>>>>>>>>>>>> private key of your IdP. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Colm. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead < >>>>>>>>>>>>>>> matthew.broadh...@nbmlaw.co.uk> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> i am using my own certificate with APR in the tomcat >>>>>>>>>>>>>>> server.xml. I >>>>>>>>>>>>>>> added >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I still >>>>>>>>>>>>>>> have >>>>>>>>>>>>>>> the >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> same >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> problem >>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.ht >>>>>>>>>>>>>>>> tp11.Http11AprProtocol" >>>>>>>>>>>>>>>> maxThreads="150" SSLEnabled="true"> >>>>>>>>>>>>>>>> <UpgradeProtocol >>>>>>>>>>>>>>>> className="org.apache.coyote.h >>>>>>>>>>>>>>>> ttp2.Http2Protocol" >>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>> <SSLHostConfig clientVerification="required"> >>>>>>>>>>>>>>>> <Certificate >>>>>>>>>>>>>>>> certificateKeyFile="/etc/letse >>>>>>>>>>>>>>>> ncrypt/live/domain.tld/privkey.pem" >>>>>>>>>>>>>>>> certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem" >>>>>>>>>>>>>>>> certificateChainFile="/etc/letsencrypt/live/domain.tld/fullc >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> hain.pem" >>>>>>>>>>>>>>>> type="RSA" /> >>>>>>>>>>>>>>>> </SSLHostConfig> >>>>>>>>>>>>>>>> </Connector> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in >>>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml. Could this >>>>>>>>>>>>>>>> be the >>>>>>>>>>>>>>>> problem? >>>>>>>>>>>>>>>> How would I use production certificates? 
>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit"> >>>>>>>>>>>>>>>> <http:tlsClientParameters >>>>>>>>>>>>>>>> disableCNCheck="true"> >>>>>>>>>>>>>>>> <!-- <sec:trustManagers> >>>>>>>>>>>>>>>> <sec:keyStore type="jks" >>>>>>>>>>>>>>>> password="ispass" >>>>>>>>>>>>>>>> resource="idp-ssl-trust.jks" /> >>>>>>>>>>>>>>>> </sec:trustManagers> >>>>>>>>>>>>>>>> <sec:keyManagers keyPassword="tompass"> >>>>>>>>>>>>>>>> <sec:keyStore type="jks" >>>>>>>>>>>>>>>> password="tompass" >>>>>>>>>>>>>>>> resource="idp-ssl-key.jks"/> >>>>>>>>>>>>>>>> </sec:keyManagers> --> >>>>>>>>>>>>>>>> </http:tlsClientParameters> >>>>>>>>>>>>>>>> </http:conduit> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and >>>>>>>>>>>>>>>> restarting. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> but now i have this >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] >>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain - Interceptor >>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>> { >>>>>>>>>>>>>>>>> http://docs.oasis-open.org/ws- >>>>>>>>>>>>>>>>> sx/ws-trust/200512/}SecurityT >>>>>>>>>>>>>>>>> okenService#{http://docs.oasis >>>>>>>>>>>>>>>>> -open.org/ws-sx/ws-trust/20051 >>>>>>>>>>>>>>>>> 2/}Issue >>>>>>>>>>>>>>>>> has >>>>>>>>>>>>>>>>> thrown exception, unwinding now >>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing >>>>>>>>>>>>>>>>> SAAJ >>>>>>>>>>>>>>>>> model >>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local >>>>>>>>>>>>>>>>> certificates >>>>>>>>>>>>>>>>> were >>>>>>>>>>>>>>>>> negotiated. Is the server set to ask for client >>>>>>>>>>>>>>>>> authorization? 
>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> at org.apache.cxf.phase.PhaseInte >>>>>>>>>>>>>>>>> rceptorChain.doIntercept(Phase >>>>>>>>>>>>>>>>> InterceptorChain.java:308) >>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.Client >>>>>>>>>>>>>>>>> Impl.doInvoke(ClientImpl.java: >>>>>>>>>>>>>>>>> 518) >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: >>>>>>>>>>>>>>>>> RequireClientCertificate >>>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is the >>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>> set >>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>> ask >>>>>>>>>>>>>>>>> for client authorization? >>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BaseStreamWrit >>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.java >>>>>>>>>>>>>>>>> :255) >>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> ... 154 more >>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept >>>>>>>>>>>>>>>>> ion: >>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local certificates >>>>>>>>>>>>>>>>> were >>>>>>>>>>>>>>>>> negotiated. Is the server set to ask for client >>>>>>>>>>>>>>>>> authorization? 
>>>>>>>>>>>>>>>>> at org.apache.cxf.ws.security.pol >>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt >>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143) >>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780) >>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323) >>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] >>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - >>>>>>>>>>>>>>>>> Error >>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>> retrieving a token >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> ok i now have a different error and it doesn't load the >>>>>>>>>>>>>>>>> login >>>>>>>>>>>>>>>>> screen >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] >>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValida >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> tor >>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>> No >>>>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fediz >>>>>>>>>>>>>>>>>> helloworld >>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>> - Role 'CLAIM_LIST' not found >>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut 
>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>> - Role 'IDP_READ' not found >>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>> - Role 'IDP_LIST' not found >>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found >>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>> - Role 'CLAIM_READ' not found >>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>> - Role 'APPLICATION_LIST' not found >>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>> - Role 'APPLICATION_READ' not found >>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.security.GrantedAut >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found >>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>> INFO >>>>>>>>>>>>>>>>>> 
org.apache.cxf.fediz.service.idp.service.security.GrantedAut >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>> - Enriched AuthenticationToken added >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> the previous one was caused by >>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myreal >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> m.xml >>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443 >>>>>>>>>>>>>>>>>> /idp-sts/REALMMYREALM" /> >>>>>>>>>>>>>>>>>> should have been >>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/id >>>>>>>>>>>>>>>>>> p-sts/REALMMYREALM" >>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>> according to original file >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Hi Colm, >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Yes I have: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.IdpEntity"> >>>>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>>>> <property name="applications"> >>>>>>>>>>>>>>>>>>> <util:list> >>>>>>>>>>>>>>>>>>> <ref bean="srv-fedizhelloworld" /> >>>>>>>>>>>>>>>>>>> <!-- <ref bean="srv-oidc" /> --> >>>>>>>>>>>>>>>>>>> </util:list> >>>>>>>>>>>>>>>>>>> </property> >>>>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class=" >>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.ApplicationEntity"> >>>>>>>>>>>>>>>>>>> <property name="realm" >>>>>>>>>>>>>>>>>>> value="urn:org:apache:cxf:fedi >>>>>>>>>>>>>>>>>>> z:fedizhelloworld" >>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>> <property name="protocol" value=" >>>>>>>>>>>>>>>>>>> http://docs.oasis-open. 
>>>>>>>>>>>>>>>>>>> org/wsfed/federation/200706" /> >>>>>>>>>>>>>>>>>>> <property name="serviceDisplayName" >>>>>>>>>>>>>>>>>>> value="Fedizhelloworld" >>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>> <property name="serviceDescription" >>>>>>>>>>>>>>>>>>> value="Web >>>>>>>>>>>>>>>>>>> Application to >>>>>>>>>>>>>>>>>>> illustrate WS-Federation" /> >>>>>>>>>>>>>>>>>>> <property name="role" >>>>>>>>>>>>>>>>>>> value="ApplicationServiceType" >>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>> <property name="tokenType" value=" >>>>>>>>>>>>>>>>>>> http://docs.oasis-open >>>>>>>>>>>>>>>>>>> . >>>>>>>>>>>>>>>>>>> org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" /> >>>>>>>>>>>>>>>>>>> <property name="lifeTime" value="3600" /> >>>>>>>>>>>>>>>>>>> <property name="passiveRequestorEndpoint >>>>>>>>>>>>>>>>>>> Constraint" >>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" /> >>>>>>>>>>>>>>>>>>> <property name="logoutEndpointConstraint" >>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" /> >>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.Applicat >>>>>>>>>>>>>>>>>>> ionClaimEntity"> >>>>>>>>>>>>>>>>>>> <property name="application" >>>>>>>>>>>>>>>>>>> ref="srv-fedizhelloworld" /> >>>>>>>>>>>>>>>>>>> <property name="claim" ref="claim_role" /> >>>>>>>>>>>>>>>>>>> <property name="optional" value="false" /> >>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> etc. 
>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Do you have an >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEnti >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> ty >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> instance in >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/clas >>>>>>>>>>>>>>>>>>>> ses/entities-realma.xml >>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>> realm >>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"? >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Colm. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead < >>>>>>>>>>>>>>>>>>>> matthew.broadh...@nbmlaw.co.uk> wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp >>>>>>>>>>>>>>>>>>>> and i >>>>>>>>>>>>>>>>>>>> am >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> trying to >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld >>>>>>>>>>>>>>>>>>>>> /secure/fedservlet. >>>>>>>>>>>>>>>>>>>>> it >>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to >>>>>>>>>>>>>>>>>>>>> authenticate >>>>>>>>>>>>>>>>>>>>> ok >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> but then i get the following error >>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8 >>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>> INFO >>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>> Token >>>>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] >>>>>>>>>>>>>>>>>>>>> successfully >>>>>>>>>>>>>>>>>>>>> cached. 
>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8 >>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida >>>>>>>>>>>>>>>>>>>>> tor >>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>> No >>>>>>>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fediz >>>>>>>>>>>>>>>>>>>>> helloworld >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Matthew >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>> >>>> >>> >>> >>> >> >> >> > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
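The PEM-to-JKS conversion the thread works through (Colm's keytool workaround, producing the idp-ssl-key.jks and idp-ssl-trust.jks that cxf-tls.xml and the Tomcat connector reference), as an added shell example that is not part of the thread or of Fediz. It assumes openssl and keytool are on PATH and that fullchain.pem holds the leaf certificate followed by its issuer; the function names, the sts-issuer alias and the output directory are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fediz: build the JKS key store
# and trust store that cxf-tls.xml's <sec:keyStore> expects from the PEM files
# Tomcat's APR connector reads. Assumes openssl and keytool on PATH; file names
# are the thread's (privkey.pem, fullchain.pem, idp-ssl-key.jks, idp-ssl-trust.jks).
set -e

# Print the n-th certificate block of a PEM bundle. fullchain.pem is the leaf
# first, then the issuing intermediate, so block 2 is the issuer that belongs
# in the IdP's trust store (the STS is hosted on the same Tomcat here).
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n' "$1"
}

# privkey.pem + fullchain.pem -> idp-ssl-key.jks (one PrivateKeyEntry carrying
# the whole chain, so the STS can build a path to the IdP's client cert).
# $1 key file, $2 chain file, $3 output JKS, $4 store/key password, $5 alias
pem_to_jks() {
    p12=$(mktemp)
    # PKCS12 is the interchange format keytool can import a private key from;
    # extra certificates in -in are carried along as the chain.
    openssl pkcs12 -export -inkey "$1" -in "$2" -name "$5" \
        -out "$p12" -passout "pass:$4"
    rm -f "$3"
    keytool -importkeystore -noprompt -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$4" -destkeystore "$3" -deststoretype JKS \
        -deststorepass "$4" >/dev/null 2>&1
    rm -f "$p12"
}

# Issuer cert of the STS host -> idp-ssl-trust.jks (one trustedCertEntry).
# $1 STS chain file, $2 output JKS, $3 store password
issuer_to_truststore() {
    issuer=$(mktemp)
    nth_cert "$1" 2 > "$issuer"
    rm -f "$2"
    keytool -importcert -noprompt -alias sts-issuer -file "$issuer" \
        -keystore "$2" -storepass "$3" -storetype JKS >/dev/null 2>&1
    rm -f "$issuer"
}

# Number of entries of one kind (PrivateKeyEntry or trustedCertEntry) in a
# store: the check to run before pointing cxf-tls.xml at the files.
count_entries() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c "$3"
}

# Usage: sh pem2jks.sh /etc/letsencrypt/live/domain.tld /path/to/catalina.base
if [ $# -eq 2 ]; then
    pem_to_jks "$1/privkey.pem" "$1/fullchain.pem" "$2/idp-ssl-key.jks" tompass idp
    issuer_to_truststore "$1/fullchain.pem" "$2/idp-ssl-trust.jks" ispass
    count_entries "$2/idp-ssl-key.jks" tompass PrivateKeyEntry
fi
```

Re-running it after each Let's Encrypt reissue keeps the store the IdP presents to the STS in step with the certificate the connector serves.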