Hi Colm,

I am not sure that it would be very easy to provide a test case. Everything was working fine on localhost with the test certificates.

Testing on production is completely different, using Let's Encrypt certs and having to change lots of configuration files in the code. You would be welcome to look directly at my setup, although you are probably busy.

It looks as though the idpcert in the ststrust.jks is not being properly sent and trusted by the IdP during the handshake. I am converting it using openssl to PKCS12 and then importing it into a JKS. Then I export the cert. Is it possible the chain is being dropped?

openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}

Also I get a lot of these warnings when creating keystores. Should I be changing everything to use PKCS12?
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using

Matthew
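
An added example, not part of this thread and not Fediz, CXF or Tomcat project code, to give the "is the chain being dropped?" question above something that can be run offline. It builds a throwaway CA and leaf as a constructed stand-in for the Let's Encrypt material, writes a fullchain.pem the way certbot lays it out (leaf first, then the issuer), runs the same openssl pkcs12 -export step from the thread with the same alias and password from both fullchain.pem and cert.pem, and counts what each PKCS12 actually contains. It assumes only the openssl CLI; the keytool steps run only if a JDK is on the PATH. The file names, the "Test Intermediate CA" subject and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): does the PEM -> PKCS12 conversion keep
# the intermediate chain? Assumes the openssl CLI; keytool is used only if present.
set -eu

WORK=$(mktemp -d)
PASS=tompass   # same throwaway password as the thread's commands

# Constructed stand-in for the Let's Encrypt material: a throwaway issuing CA
# signing a leaf for domain.tld, plus a fullchain.pem laid out like certbot's
# (leaf first, then the issuer).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=domain.tld" \
    -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/cert.pem" 2>/dev/null
cat "$WORK/cert.pem" "$WORK/ca.pem" > "$WORK/fullchain.pem"

# The thread's export step, parameterised on which PEM bundle goes in.
# $1 = certificate PEM (cert.pem or fullchain.pem), $2 = output .p12
build_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$WORK/privkey.pem" -out "$2" \
        -name mytomidpkey -password "pass:$PASS" 2>/dev/null
}

# Number of certificates stored in a PKCS12 file (entity cert plus any chain).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -password "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Subject line of the entity certificate (the one matching the key) in a PKCS12 file.
p12_leaf_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -password "pass:$PASS" 2>/dev/null \
        | openssl x509 -noout -subject
}

build_p12 "$WORK/fullchain.pem" "$WORK/full.p12"
build_p12 "$WORK/cert.pem"      "$WORK/leafonly.p12"

echo "fullchain.pem -> PKCS12 holds $(p12_cert_count "$WORK/full.p12") certificate(s)"
echo "cert.pem      -> PKCS12 holds $(p12_cert_count "$WORK/leafonly.p12") certificate(s)"
echo "entity cert in full.p12: $(p12_leaf_subject "$WORK/full.p12")"

# If a JDK is on the PATH, carry the result through keytool as the thread does
# and show what the keystore recorded; "Certificate chain length" is the field
# to look at (2 when the chain survived, 1 when it did not).
if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -deststorepass "$PASS" -destkeypass "$PASS" \
        -deststoretype PKCS12 -destkeystore "$WORK/idp-ssl-key.p12" \
        -srckeystore "$WORK/full.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
        -alias mytomidpkey -noprompt 2>/dev/null
    keytool -list -v -keystore "$WORK/idp-ssl-key.p12" -storepass "$PASS" 2>/dev/null \
        | grep -E 'Certificate chain length|Owner:'
fi
```

With fullchain.pem as input the PKCS12 carries two certificates and keytool -importkeystore keeps that chain on the key entry; with cert.pem alone it carries one, and the chain is already gone before keytool is involved. The final keytool -export step in the thread always writes a single certificate (the entity certificate of the alias, never the chain), so the file imported into ststrust.jks as idpcert is the IdP's own certificate either way, which is what a trust store entry needs. For the server side of the handshake, run openssl s_client -connect domain.tld:9443 -msg </dev/null against the STS connector and look for a CertificateRequest handshake message from the server (and, when it advertises its CA list, the "Acceptable client certificate CA names" summary): no CertificateRequest means the connector is not asking for a client certificate at all, and on SSLHostConfig the attribute that controls this is certificateVerification, for which the Connector's clientAuth is an alias as the Tomcat documentation quoted later in the thread says.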

On 26/10/2017 10:43, Colm O hEigeartaigh wrote:
Could you create a test-case and upload it to github somewhere + I will
take a look?

Colm.

On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

Thanks for pointing me in the right direction.

Basically what the documentation lacks is that the ststrust.jks must contain MyTCIDP.cer, i.e.
keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
I looked through the original ststrust.jks and it contained the alias idpcert, which confirmed the suspicion.

The other problem was that the cipher of the Let's Encrypt certificate was not supported by Java, so I had to enable APR for OpenSSL support.
-Djavax.net.debug=all helped to debug that.

But I still have some strange problems. When I first connect with fedizhelloworld it pops up a box asking for a certificate. And also, if I leave it logged in for a while and then try to logout, Chrome tells me
This site can't provide a secure connection
ERR_SSL_PROTOCOL_ERROR

On 25/10/2017 14:28, Colm O hEigeartaigh wrote:

Your truststore in cxf-tls.xml must trust the certificate presented by the
STS. Also, it must contain a keystore with the private key of the IdP,
which in turn must be trusted by the STS.

Colm.

On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

Are the two keystores responsible for the trust between the IdP and STS supposed to be stsrealm_a.jks and ststrust.jks?

It is just that the cert it is not trusting is the idp-ssl-key.jks (domain.tld), which makes sense if it is hitting domain.tld:9443/idp etc.

Does this mean ststrust.jks should contain MyTCIDP.cer as well as MyTCRP.cer?

On 25/10/2017 14:03, Colm O hEigeartaigh wrote:

You'll need to go through the output to figure out why the cert is not
trusted. If you generate some test certs + create a testcase somewhere I
will take a look.

Colm.

On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

I get a load of stuff, but in the middle of the one before the error I get

Warning: no suitable certificate found - continuing without client authentication


On 25/10/2017 13:42, Matthew Broadhead wrote:

ahhh...

-Djavax.net.debug=all

On 25/10/2017 13:39, Matthew Broadhead wrote:

How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml
<security:debug/>?

On 25/10/2017 13:37, Colm O hEigeartaigh wrote:

If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS.

Colm.

On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

Hi Colm,

I realise now that this HTML file was included in the examples/samplekeys directory in the code, but I was taking it from the internet.

I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again. I can browse the WSDL without having to provide a client certificate. Could you point me to the part of the idp-sts configuration which might be causing it to not ask for the keys properly? Or is it definitely a Tomcat server.xml issue?

On 25/10/2017 12:55, Colm O hEigeartaigh wrote:

You can see the HTML here:

https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html

I'll update the webpage to point to github instead of SVN.

Colm.

On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

Hi Colm

Firstly, is there somewhere to see these instructions correctly formatted in HTML?
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Secondly, there is a massive difference between
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
and
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
(SVN being the one linked from the main Fediz pages)

On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.

I have some more things to try now so I will let you know if I get further.

On 25/10/2017 12:11, Colm O hEigeartaigh wrote:

Why not try the simple Connector configuration I gave earlier but with your own keys?

Colm.

On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says

clientAuth
This is an alias for the certificateVerification attribute of the default SSLHostConfig element.

then

certificateVerification
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

So I changed clientAuth="want" to clientAuth="required". Now I cannot access the site at all, with
Secure Connection Failed
An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT

Maybe I should try using Tomcat 7?

On 25/10/2017 11:42, Colm O hEigeartaigh wrote:

The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.

Colm.

On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

I spoke too soon.

I am completely stuck with the same stack trace and no amount of reloading the certificates is helping. Is there any way to debug what the actual problem is?

2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
        at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
        at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
        at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
        at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
        at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
        at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
        at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
        at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
        at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
        at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
        at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
        at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
        at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
        at org.springframework.webflow.engine.State.enter(State.java:193)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
        at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
        at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Flow.start(Flow.java:527)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
        at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Flow.start(Flow.java:527)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
        at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
        at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
        at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
        at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
        ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
        at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
        at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
        at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
        at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
        at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
        at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
        ... 155 more
2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token


On 23/10/2017 19:41, Matthew Broadhead wrote:

Thanks for your help Colm. I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the PEMs into JKS files.

But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base. This seems impractical in production as the certificates get reissued every 6 months. Is it possible for sec:keyStore to define the resource as being in catalina base?

On 23/10/2017 18:11, Colm O hEigeartaigh wrote:

sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.

As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.

This document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.

SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:

https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Colm.

On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

Hi Colm,

Is there any way for sec:keyStore to be pointed at a PEM certificate instead of a Java keystore? Where is the documentation for sec:keyStore?
Matt

On 23/10/2017 17:11, Colm O hEigeartaigh wrote:

I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:

<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
    sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
    keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />

Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + then keystore the private key of your IdP.

Colm.

On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

I am using my own certificate with APR in the Tomcat server.xml. I added clientVerification="required" to SSLHostConfig but I still have the same problem

<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig clientVerification="required">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml. Could this be the problem? How would I use production certificates?

<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <!-- <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
        </sec:keyManagers> -->
    </http:tlsClientParameters>
</http:conduit>


On 22/10/2017 00:38, Matthew Broadhead wrote:

OK... I fixed the last error by dropping the schema and restarting.

But now I have this

2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
        ...
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
        ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
        ...
2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token


On 20/10/2017 23:05, Matthew Broadhead wrote:

OK, I now have a different error and it doesn't load the login screen:

2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added

The previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml:

<property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />

should have been

<property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />

according to the original file.

On 20/10/2017 18:27, Matthew Broadhead wrote:

Hi Colm,

Yes I have:

<bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
...
    <property name="applications">
        <util:list>
            <ref bean="srv-fedizhelloworld" />
            <!-- <ref bean="srv-oidc" /> -->
        </util:list>
    </property>
...
</bean>

<bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
    <property name="serviceDisplayName" value="Fedizhelloworld" />
    <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
    <property name="role" value="ApplicationServiceType" />
    <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
    <property name="lifeTime" value="3600" />
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
    <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
</bean>

<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
    <property name="application" ref="srv-fedizhelloworld" />
    <property name="claim" ref="claim_role" />
    <property name="optional" value="false" />
</bean>

etc.

On 20/10/2017 18:08, Colm O hEigeartaigh wrote:

Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?

Colm.

On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
matthew.broadh...@nbmlaw.co.uk> wrote:

Hi,

I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet. It correctly redirects to the login page and seems to authenticate OK, but then I get the following error:

2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld

Matthew
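The "RequireClientCertificate is set, but no local certificates were negotiated" fault earlier in this thread is CXF's policy layer complaining that the HTTPS conduit to the STS presented no client certificate, and in the conduit fragment quoted above the sec:keyManagers element that would supply one is commented out. Before touching the conduit it is worth proving that the keystore it will point at really holds the private key together with the full issuer chain, since a store that carries only the leaf is a common way to end up with a handshake the STS side rejects. The script below is an added example and not code from the thread or from Fediz: it builds a throw-away CA and leaf certificate as a stand-in for the real issuer chain, exports key plus chain to PKCS12 under the alias and password the thread uses (mytomidpkey / tompass, here only as demo values), and then checks that both certificates survived and that the leaf still verifies against the CA. The file names and subject names are invented for the demo.

```shell
#!/bin/sh
# Added example (not part of the thread): build a PKCS12 client keystore from
# a certificate plus its chain and check that the chain made it into the store.
set -eu

# Generate a throw-away CA and a leaf certificate signed by it. This stands in
# for the real issuer chain; in production fullchain.pem comes from the CA.
make_test_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=domain.tld" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
    # fullchain.pem = leaf first, then the issuer(s)
    cat "$dir/leaf.crt" "$dir/ca.crt" > "$dir/fullchain.pem"
}

# Export private key + every certificate in fullchain.pem into one PKCS12
# entry. openssl includes the extra certificates from -in in the bundle.
export_p12() {
    dir=$1
    openssl pkcs12 -export -in "$dir/fullchain.pem" -inkey "$dir/leaf.key" \
        -name mytomidpkey -password pass:tompass -out "$dir/idp-ssl-key.p12"
}

# Print the number of certificates stored in the PKCS12.
# For the demo chain this must be 2 (leaf + issuer); 1 means the chain was lost.
p12_cert_count() {
    openssl pkcs12 -in "$1" -password pass:tompass -nokeys -nodes 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Pull the leaf back out of the store and verify it against the demo CA.
# Returns 0 when the chain is intact and the leaf really belongs to this CA.
p12_chain_verifies() {
    dir=$1
    openssl pkcs12 -in "$dir/idp-ssl-key.p12" -password pass:tompass \
        -nokeys -nodes -clcerts 2>/dev/null > "$dir/leaf-from-p12.pem"
    openssl verify -CAfile "$dir/ca.crt" "$dir/leaf-from-p12.pem" >/dev/null 2>&1
}

# Run the whole procedure in a scratch directory and report the result.
demo() {
    work=$(mktemp -d)
    make_test_chain "$work"
    export_p12 "$work"
    echo "certificates in idp-ssl-key.p12: $(p12_cert_count "$work/idp-ssl-key.p12")"
    if p12_chain_verifies "$work"; then
        echo "leaf from the keystore verifies against the CA"
    else
        echo "chain check FAILED" >&2
    fi
    rm -rf "$work"
}
```

Run `demo` to see the two checks; a count of 1 or a failed verify means the store is not what the conduit needs. The resulting .p12 can be referenced directly from the conduit with a sec:keyStore whose type is pkcs12 instead of jks, which also avoids the JKS-to-PKCS12 migration warning keytool prints. To answer the other half of the error message, whether the STS actually asks for a client certificate, run `openssl s_client -connect domain.tld:9443` against the STS port and look for "Acceptable client certificate CA names" in the output: "No client certificate CA names sent" means the server side never requested one.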