Your truststore in cxf-tls.xml must trust the certificate presented by the STS. Also, it must contain a keystore with the private key of the IdP, which in turn must be trusted by the STS.

Colm.

On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <[email protected]> wrote:

> Are the two keystores responsible for the trust between idp and sts supposed to be
> stsrealm_a.jks and ststrust.jks
>
> it is just that the cert it is not trusting is the idp-ssl-key.jks (domain.tld) which makes sense if it is hitting domain.tls:9443/idp etc
>
> does this mean ststrust.jks should contain MyTCIDP.cer as well as MyTCRP.cer?
>
> On 25/10/2017 14:03, Colm O hEigeartaigh wrote:
>
>> You'll need to go through the output to figure out why the cert is not trusted. If you generate some test certs + create a testcase somewhere I will take a look.
>>
>> Colm.
>>
>> On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <[email protected]> wrote:
>>
>>> i get a load of stuff, but in the middle of the one before the error i get
>>> Warning: no suitable certificate found - continuing without client authentication
>>>
>>> On 25/10/2017 13:42, Matthew Broadhead wrote:
>>>
>>>> ahhh...
>>>> -Djavax.net.debug=all
>>>>
>>>> On 25/10/2017 13:39, Matthew Broadhead wrote:
>>>>
>>>>> How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml
>>>>> <security:debug/>?
>>>>>
>>>>> On 25/10/2017 13:37, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Colm,
>>>>>>>
>>>>>>> I realise now that this html file was included in the examples/samplekeys directory in the code. but i was taking it from the internet.
>>>>>>>
>>>>>>> I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again. I can browse the wsdl without having to provide a client certificate. could you point me to the part of the idp-sts configuration which might be causing it to not ask for the keys properly? or is it definitely a tomcat server.xml issue?
>>>>>>>
>>>>>>> On 25/10/2017 12:55, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> You can see the HTML here:
>>>>>>>>
>>>>>>>> https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>
>>>>>>>> I'll update the webpage to point to github instead of SVN.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Colm
>>>>>>>>>
>>>>>>>>> Firstly is there somewhere to see these instructions correctly formatted in html?
>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>
>>>>>>>>> Secondly there is a massive difference between
>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>> and
>>>>>>>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>>>> (svn being the one linked from the main fediz pages)
>>>>>>>>>
>>>>>>>>> On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.
>>>>>>>>>
>>>>>>>>> I have some more things to try now so I will let you know if I get further
>>>>>>>>>
>>>>>>>>> On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> Why not try the simple Connector configuration I gave earlier but with your own keys?
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> in Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>>>>>>>>>>
>>>>>>>>>>> clientAuth
>>>>>>>>>>> This is an alias for the certificateVerification attribute of the default SSLHostConfig element.
>>>>>>>>>>>
>>>>>>>>>>> then
>>>>>>>>>>>
>>>>>>>>>>> certificateVerification
>>>>>>>>>>> Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
>>>>>>>>>>>
>>>>>>>>>>> so i changed clientAuth="want" to clientAuth="required". now i cannot access the site at all with
>>>>>>>>>>>
>>>>>>>>>>> Secure Connection Failed
>>>>>>>>>>> An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>>>>>>>>>>
>>>>>>>>>>> maybe i should try using Tomcat 7?
>>>>>>>>>>>
>>>>>>>>>>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>>>>>>>>>>
>>>>>>>>>>>> The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> i spoke too soon.
>>>>>>>>>>>>>
>>>>>>>>>>>>> i am completely stuck with the same stack trace and no amount of reloading the certificates is helping. is there any way to debug what the actual problem is?
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>>>>>>>>>>     at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>>>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>>>>>>>>     at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>>>>>>>>>>     at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>>>>>>>>>>     at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>>>>>>>>>>     at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>>>>>>>>>>     at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>>>>>>>>>>     at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>>>>>>>>>>     at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>>>>>>>>>>     at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>>>>>>>>>>     at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>>>>>>>>>>     at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>>>>>>>>>>     at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>>>>>>>>>>     at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>>>>>>>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>>>>>>>>>>     at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>>>>>>>>>>     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>>>>>>>>>>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>>>>>>>>>>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>>>>>>>>>>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>>>>>>>>>>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>>>>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>>>>>>>>>>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>>>>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>>>>>>>>>>>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>>>>>>>>>>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>>>>>>>>>>>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>>>>>>>>>>>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>>>>>>>>>>>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>>>>>>>>>>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>>>>>>>>>>>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>>>>>>>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
>>>>>>>>>>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>>>>>>>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>>>>>>>>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
>>>>>>>>>>>>>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
>>>>>>>>>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>>>>>>>>>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>>>>>>>>>>>>     at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
>>>>>>>>>>>>>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>>>>>>>>>>>     at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
>>>>>>>>>>>>>     at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>>>>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>>>>     ... 154 more
>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>>>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
>>>>>>>>>>>>>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
>>>>>>>>>>>>>     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>>>>>>>>>>>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>>>>>>>>>>>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>>>>>>>>>>>>>     at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>>>>>>>>>>     at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>>>>>>>>>>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>>>>>>>>>>>>     ... 155 more
>>>>>>>>>>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for your help Colm. I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base. this seems impractical in production as the certificates get reissued every 6 months. is it possible for sec:keyStore to define the resource as being in catalina base?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think. As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore? where is the documentation for sec:keyStore?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> <Connector port="9443"
>>>>>>>>>>>>>>>>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>>>>>>>>>>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>>>>>>>>>>            clientAuth="want" sslProtocol="TLS"
>>>>>>>>>>>>>>>>>            keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>>>>>>>>>>>            truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> i am using my own certificate with APR in the tomcat server.xml.
I >>>>>>>>>>>>>>>>> added >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> clientVerification="required" to SSLHostConfig but I still >>>>>>>>>>>>>>>>> have >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> same >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> problem >>>>>>>>>>>>>>>>>> <Connector port="9443" protocol="org.apache.coyote.ht >>>>>>>>>>>>>>>>>> tp11.Http11AprProtocol" >>>>>>>>>>>>>>>>>> maxThreads="150" SSLEnabled="true"> >>>>>>>>>>>>>>>>>> <UpgradeProtocol >>>>>>>>>>>>>>>>>> className="org.apache.coyote.h >>>>>>>>>>>>>>>>>> ttp2.Http2Protocol" >>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>> <SSLHostConfig >>>>>>>>>>>>>>>>>> clientVerification="required"> >>>>>>>>>>>>>>>>>> <Certificate >>>>>>>>>>>>>>>>>> certificateKeyFile="/etc/letse >>>>>>>>>>>>>>>>>> ncrypt/live/domain.tld/privkey.pem" >>>>>>>>>>>>>>>>>> certificateFile="/etc/letsencr >>>>>>>>>>>>>>>>>> ypt/live/domain.tld/cert.pem" >>>>>>>>>>>>>>>>>> certificateChainFile="/etc/let >>>>>>>>>>>>>>>>>> sencrypt/live/domain.tld/fullc >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> hain.pem" >>>>>>>>>>>>>>>>>> type="RSA" /> >>>>>>>>>>>>>>>>>> </SSLHostConfig> >>>>>>>>>>>>>>>>>> </Connector> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I commented the trustManagers and keyManagers in >>>>>>>>>>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml. Could this >>>>>>>>>>>>>>>>>> be the >>>>>>>>>>>>>>>>>> problem? >>>>>>>>>>>>>>>>>> How would I use production certificates? 
>>>>>>>>>>>>>>>>>> <http:conduit name="*.http-conduit"> >>>>>>>>>>>>>>>>>> <http:tlsClientParameters >>>>>>>>>>>>>>>>>> disableCNCheck="true"> >>>>>>>>>>>>>>>>>> <!-- <sec:trustManagers> >>>>>>>>>>>>>>>>>> <sec:keyStore type="jks" >>>>>>>>>>>>>>>>>> password="ispass" >>>>>>>>>>>>>>>>>> resource="idp-ssl-trust.jks" /> >>>>>>>>>>>>>>>>>> </sec:trustManagers> >>>>>>>>>>>>>>>>>> <sec:keyManagers keyPassword="tompass"> >>>>>>>>>>>>>>>>>> <sec:keyStore type="jks" >>>>>>>>>>>>>>>>>> password="tompass" >>>>>>>>>>>>>>>>>> resource="idp-ssl-key.jks"/> >>>>>>>>>>>>>>>>>> </sec:keyManagers> --> >>>>>>>>>>>>>>>>>> </http:tlsClientParameters> >>>>>>>>>>>>>>>>>> </http:conduit> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> ok...i fixed the last error by dropping the schema and >>>>>>>>>>>>>>>>>> restarting. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> but now i have this >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] >>>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain - Interceptor >>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>> { >>>>>>>>>>>>>>>>>>> http://docs.oasis-open.org/ws- >>>>>>>>>>>>>>>>>>> sx/ws-trust/200512/}SecurityT >>>>>>>>>>>>>>>>>>> okenService#{http://docs.oasis >>>>>>>>>>>>>>>>>>> -open.org/ws-sx/ws-trust/20051 >>>>>>>>>>>>>>>>>>> 2/}Issue >>>>>>>>>>>>>>>>>>> has >>>>>>>>>>>>>>>>>>> thrown exception, unwinding now >>>>>>>>>>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing >>>>>>>>>>>>>>>>>>> SAAJ >>>>>>>>>>>>>>>>>>> model >>>>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>> stream: RequireClientCertificate is set, but no local >>>>>>>>>>>>>>>>>>> certificates >>>>>>>>>>>>>>>>>>> were >>>>>>>>>>>>>>>>>>> negotiated. Is the server set to ask for client >>>>>>>>>>>>>>>>>>> authorization? 
>>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:224) >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:174) >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> at org.apache.cxf.phase.PhaseInte >>>>>>>>>>>>>>>>>>> rceptorChain.doIntercept(Phase >>>>>>>>>>>>>>>>>>> InterceptorChain.java:308) >>>>>>>>>>>>>>>>>>> at org.apache.cxf.endpoint.Client >>>>>>>>>>>>>>>>>>> Impl.doInvoke(ClientImpl.java: >>>>>>>>>>>>>>>>>>> 518) >>>>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: >>>>>>>>>>>>>>>>>>> RequireClientCertificate >>>>>>>>>>>>>>>>>>> is >>>>>>>>>>>>>>>>>>> set, but no local certificates were negotiated. Is the >>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>> set >>>>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>>> ask >>>>>>>>>>>>>>>>>>> for client authorization? >>>>>>>>>>>>>>>>>>> at com.ctc.wstx.sw.BaseStreamWrit >>>>>>>>>>>>>>>>>>> er.flush(BaseStreamWriter.java >>>>>>>>>>>>>>>>>>> :255) >>>>>>>>>>>>>>>>>>> at org.apache.cxf.binding.soap.sa >>>>>>>>>>>>>>>>>>> aj.SAAJOutInterceptor$SAAJOutE >>>>>>>>>>>>>>>>>>> ndingInterceptor.handleMessage >>>>>>>>>>>>>>>>>>> (SAAJOutInterceptor.java:215) >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> ... 154 more >>>>>>>>>>>>>>>>>>> Caused by: org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>> UntrustedURLConnectionIOExcept >>>>>>>>>>>>>>>>>>> ion: >>>>>>>>>>>>>>>>>>> RequireClientCertificate is set, but no local >>>>>>>>>>>>>>>>>>> certificates >>>>>>>>>>>>>>>>>>> were >>>>>>>>>>>>>>>>>>> negotiated. Is the server set to ask for client >>>>>>>>>>>>>>>>>>> authorization? 
>>>>>>>>>>>>>>>>>>> at org.apache.cxf.ws.security.pol >>>>>>>>>>>>>>>>>>> icy.interceptors.HttpsTokenInt >>>>>>>>>>>>>>>>>>> erceptorProvider$HttpsTokenOut >>>>>>>>>>>>>>>>>>> Interceptor$1.establishTrust(H >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> ttpsTokenInterceptorProvider.java:143) >>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>>>> m.makeTrustDecision(HTTPConduit.java:1780) >>>>>>>>>>>>>>>>>>> at org.apache.cxf.transport.http. >>>>>>>>>>>>>>>>>>> HTTPConduit$WrappedOutputStrea >>>>>>>>>>>>>>>>>>> m.handleHeadersTrustCaching(HTTPConduit.java:1323) >>>>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] >>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - >>>>>>>>>>>>>>>>>>> Error >>>>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>>>> retrieving a token >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> ok i now have a different error and it doesn't load the >>>>>>>>>>>>>>>>>>> login >>>>>>>>>>>>>>>>>>> screen >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] >>>>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> tor >>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>> No >>>>>>>>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fediz >>>>>>>>>>>>>>>>>>>> helloworld >>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>> - Role 'CLAIM_LIST' not found >>>>>>>>>>>>>>>>>>>> 2017-10-20 
19:26:18,085 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>> - Role 'IDP_READ' not found >>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>> - Role 'IDP_LIST' not found >>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_LIST' not found >>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>> - Role 'CLAIM_READ' not found >>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>> - Role 'APPLICATION_LIST' not found >>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>>>> ERROR >>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>> - Role 'APPLICATION_READ' not found >>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>>>> 
ERROR >>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>> - Role 'TRUSTEDIDP_READ' not found >>>>>>>>>>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] >>>>>>>>>>>>>>>>>>>> INFO >>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>> dp.service.security.GrantedAut >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> horityEntitlements >>>>>>>>>>>>>>>>>>>> - Enriched AuthenticationToken added >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> the previous one was caused by >>>>>>>>>>>>>>>>>>>> services/idp/src/main/webapp/W >>>>>>>>>>>>>>>>>>>> EB-INF/idp-config-realm-myreal >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> m.xml >>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443 >>>>>>>>>>>>>>>>>>>> /idp-sts/REALMMYREALM" /> >>>>>>>>>>>>>>>>>>>> should have been >>>>>>>>>>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/id >>>>>>>>>>>>>>>>>>>> p-sts/REALMMYREALM" >>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>> according to original file >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Hi Colm, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Yes I have: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.IdpEntity"> >>>>>>>>>>>>>>>>>>>>> ... >>>>>>>>>>>>>>>>>>>>> <property name="applications"> >>>>>>>>>>>>>>>>>>>>> <util:list> >>>>>>>>>>>>>>>>>>>>> <ref bean="srv-fedizhelloworld" >>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>> <!-- <ref bean="srv-oidc" /> --> >>>>>>>>>>>>>>>>>>>>> </util:list> >>>>>>>>>>>>>>>>>>>>> </property> >>>>>>>>>>>>>>>>>>>>> ... 
>>>>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class=" >>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.ApplicationEntity"> >>>>>>>>>>>>>>>>>>>>> <property name="realm" >>>>>>>>>>>>>>>>>>>>> value="urn:org:apache:cxf:fedi >>>>>>>>>>>>>>>>>>>>> z:fedizhelloworld" >>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>> <property name="protocol" value=" >>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open. >>>>>>>>>>>>>>>>>>>>> org/wsfed/federation/200706" /> >>>>>>>>>>>>>>>>>>>>> <property name="serviceDisplayName" >>>>>>>>>>>>>>>>>>>>> value="Fedizhelloworld" >>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>> <property name="serviceDescription" >>>>>>>>>>>>>>>>>>>>> value="Web >>>>>>>>>>>>>>>>>>>>> Application to >>>>>>>>>>>>>>>>>>>>> illustrate WS-Federation" /> >>>>>>>>>>>>>>>>>>>>> <property name="role" >>>>>>>>>>>>>>>>>>>>> value="ApplicationServiceType" >>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>> <property name="tokenType" value=" >>>>>>>>>>>>>>>>>>>>> http://docs.oasis-open >>>>>>>>>>>>>>>>>>>>> . 
>>>>>>>>>>>>>>>>>>>>> org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" /> >>>>>>>>>>>>>>>>>>>>> <property name="lifeTime" value="3600" >>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>> <property name="passiveRequestorEndpoint >>>>>>>>>>>>>>>>>>>>> Constraint" >>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" /> >>>>>>>>>>>>>>>>>>>>> <property name="logoutEndpointConstraint >>>>>>>>>>>>>>>>>>>>> " >>>>>>>>>>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" /> >>>>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.se >>>>>>>>>>>>>>>>>>>>> rvice.idp.service.jpa.Applicat >>>>>>>>>>>>>>>>>>>>> ionClaimEntity"> >>>>>>>>>>>>>>>>>>>>> <property name="application" >>>>>>>>>>>>>>>>>>>>> ref="srv-fedizhelloworld" /> >>>>>>>>>>>>>>>>>>>>> <property name="claim" ref="claim_role" >>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>> <property name="optional" value="false" >>>>>>>>>>>>>>>>>>>>> /> >>>>>>>>>>>>>>>>>>>>> </bean> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> etc. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Do you have an >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>> dp.service.jpa.ApplicationEnti >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> ty >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> instance in >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> your webapps/fediz-idp/WEB-INF/clas >>>>>>>>>>>>>>>>>>>>>> ses/entities-realma.xml >>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>> realm >>>>>>>>>>>>>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"? >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Colm. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead < >>>>>>>>>>>>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> i have Fediz working now on (e.g.) 
domain.tld:9443/idp >>>>>>>>>>>>>>>>>>>>>> and i >>>>>>>>>>>>>>>>>>>>>> am >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> trying to >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> /secure/fedservlet. >>>>>>>>>>>>>>>>>>>>>>> it >>>>>>>>>>>>>>>>>>>>>>> correctly redirects to the login page and seems to >>>>>>>>>>>>>>>>>>>>>>> authenticate >>>>>>>>>>>>>>>>>>>>>>> ok >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> but then i get the following error >>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 >>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8 >>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>> INFO >>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>> dp.beans.CacheSecurityToken >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>>> Token >>>>>>>>>>>>>>>>>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] >>>>>>>>>>>>>>>>>>>>>>> successfully >>>>>>>>>>>>>>>>>>>>>>> cached. >>>>>>>>>>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 >>>>>>>>>>>>>>>>>>>>>>> [https-openssl-apr-9443-exec-8 >>>>>>>>>>>>>>>>>>>>>>> ] >>>>>>>>>>>>>>>>>>>>>>> WARN >>>>>>>>>>>>>>>>>>>>>>> org.apache.cxf.fediz.service.i >>>>>>>>>>>>>>>>>>>>>>> dp.beans.EndpointAddressValida >>>>>>>>>>>>>>>>>>>>>>> tor >>>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>>> No >>>>>>>>>>>>>>>>>>>>>>> service config found for >>>>>>>>>>>>>>>>>>>>>>> urn:org:apache:cxf:fediz:fediz >>>>>>>>>>>>>>>>>>>>>>> helloworld >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Matthew >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>> >>>>> >>>> >>>> >> > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
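The recurring error in the thread is CXF's HttpsTokenInterceptorProvider.establishTrust reporting that "no local certificates were negotiated": the IdP opened a TLS connection to the STS but never sent a client certificate, either because the STS connector did not request one (clientAuth) or because the IdP's keystore held no private key issued by a CA the STS trusts (the "no suitable certificate found - continuing without client authentication" line in the SSL debug output). The following stand-alone Java diagnostic is an added example, not Fediz or CXF code. It loads the same idp-ssl-key.jks / idp-ssl-trust.jks material (with the sample passwords from the thread) that sec:keyManagers / sec:trustManagers in cxf-tls.xml point at, performs one handshake against the STS, and reports whether the server certificate was trusted and whether a client certificate was actually negotiated. The host and port are assumptions taken from the thread's examples.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added diagnostic (not Fediz/CXF code): reproduce the IdP -> STS TLS handshake
 * outside the web application and show whether a client certificate was sent.
 * Keystore names and passwords are the sample values from the mailing-list thread;
 * the STS host and port are assumed.
 */
public class StsMutualTlsCheck {

    /** Load a JKS/PKCS12 keystore from disk, the same way sec:keyStore resolves a file. */
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Return true when the keystore holds at least one private key entry. */
    static boolean hasPrivateKeyEntry(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                System.out.println("private key entry found: " + alias);
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "domain.tld"; // assumed STS host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9443; // assumed STS port

        // Same material as sec:keyManagers / sec:trustManagers in cxf-tls.xml.
        KeyStore keyStore = load("idp-ssl-key.jks", "JKS", "tompass".toCharArray());
        KeyStore trustStore = load("idp-ssl-trust.jks", "JKS", "ispass".toCharArray());

        // A keystore containing only trusted-certificate entries (no private key)
        // can never answer the server's CertificateRequest.
        if (!hasPrivateKeyEntry(keyStore)) {
            System.out.println("idp-ssl-key.jks has no private key entry: the IdP cannot present a client certificate");
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, "tompass".toCharArray()); // keyPassword from cxf-tls.xml
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Fails here with an SSLHandshakeException if idp-ssl-trust.jks does not
            // contain the issuer of the certificate the STS presents.
            socket.startHandshake();
            SSLSession session = socket.getSession();

            Certificate[] peer = session.getPeerCertificates();
            System.out.println("STS presented: " + ((X509Certificate) peer[0]).getSubjectX500Principal());

            // Local certificates are what the client sent during the handshake. An empty
            // result here is exactly the condition behind CXF's
            // "RequireClientCertificate is set, but no local certificates were negotiated".
            Certificate[] local = session.getLocalCertificates();
            if (local == null || local.length == 0) {
                System.out.println("No client certificate negotiated: the STS connector did not ask for one, "
                        + "or no key in idp-ssl-key.jks chains to a CA the STS truststore accepts");
            } else {
                System.out.println("Client certificate sent: " + ((X509Certificate) local[0]).getSubjectX500Principal());
            }
        }
    }
}
```

Run it from the directory holding the two keystores (`java StsMutualTlsCheck domain.tld 9443`). Note that the JDK key manager only selects a client certificate whose issuer appears in the CA list the server sends with its CertificateRequest, so "no client certificate negotiated" with a valid private key entry usually means the STS side's truststore (the Tomcat connector's truststoreFile) does not contain the IdP certificate's issuer, which is the keystore relationship Colm describes at the top of the thread.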
