Hi Matthew

Thanks for the feedback. Finally I get a chance to contribute to this thread :-). Putting aside the fact KeyCloak is a high quality project, I'd like to say the fact you could not figure out how to set up the keys is not sufficient to conclude Fediz is not ready for use in production. I'm not sure if you were referring to the WS-Fed or not.

FYI, Fediz OIDC is currently in production. The actual number is small. And the team behind one of these productions put a lot of effort into getting it in. I agree, and I believe we all do, that a major effort is needed to push it to the next level, which is really making it very straightforward for the users to get started with it fast.

Thanks, Sergey
On 31/10/17 16:55, Matthew Broadhead wrote:
Thanks Colm,

I really appreciate the time you took to respond to my emails.  I spent a lot of time trying to get Fediz to work.  I also submitted a couple of PRs on github.

But in the end I have moved to keycloak.  It is a much more mature project and has an installation program and a web interface.   I had it fully working in under 2 hours!

Fediz could move to the next level if it could be:
- simply installed standalone without any configuration whatsoever
- reside behind apache httpd for ssl certificates rather than using tomcat connector
- all configuration done in a web interface and stored in the database rather than "spring" configuration files

I would be happy to offer some time towards helping achieve that goal but at the moment I don't think Fediz is ready for use in production.

Cheers,
Matthew

On 31/10/2017 11:50, Colm O hEigeartaigh wrote:
Are you using the same Tomcat instance for the IdP and the STS? Or is the Tomcat IdP instance set to ask for client authentication? Failing that, I don't have any more ideas - I need to see a test-case to help any further.

Colm.

On Mon, Oct 30, 2017 at 8:35 AM, Matthew Broadhead <[email protected]> wrote:

Hi Colm,

Sorry to keep bothering you with this issue.

It is still prompting me for a certificate when redirecting to the idp. I have checked line by line the differences between the original code and my production code and cannot see any major difference. I have tried with the production certificate and with a custom generated certificate but both are the same.

Is there anything else I can try for debugging?

Matthew

On 26/10/2017 14:58, Matthew Broadhead wrote:

comments below

On 26/10/2017 13:46, Colm O hEigeartaigh wrote:

Are you using Java 9? If so please try with Java 8 instead. The warnings should be harmless, however I haven't tested Fediz with Java 9.

I am using openjdk 1.8.0.151

"when i first connect with fedizhelloworld it pops up a box asking for a certificate." - can you reproduce this with a test-case? It sounds as if you are not using the "up" endpoint of the IdP but instead the client cert endpoint?

My fediz_config.xml has
<issuer>https://domain.tld:9443/idp/federation</issuer>

security-up-config.xml is the same as the example except with the endpoints changed from localhost:9443 to domain.tld:9443

If it is not related to that can you tell me where I should be looking for the endpoint config?

Colm.

On Thu, Oct 26, 2017 at 12:06 PM, Matthew Broadhead <[email protected]> wrote:

Hi Colm,
I am not sure that would be very easy to provide a test case? Everything was working fine on localhost with the test certificates.

Testing on production is completely different using letsencrypt certs and having to change lots of configuration files in the code? You would be welcome to look directly at my setup although you are probably busy?

It looks as though the idpcert in the ststrust.jks is not being properly sent and trusted by the idp during handshake? I am converting it using openssl to pkcs12 and then importing it into a jks. Then I export the cert. Is it possible the chain is being dropped?
openssl pkcs12 -export -in ${cert}fullchain.pem -inkey ${cert}privkey.pem -out ${p12} -name mytomidpkey -password pass:tompass
keytool -importkeystore -deststorepass tompass -destkeypass tompass -destkeystore ${idpKey} -srckeystore ${p12} -srcstoretype PKCS12 -srcstorepass tompass -alias mytomidpkey
keytool -keystore ${idpKey} -storepass tompass -export -alias mytomidpkey -file ${idpCert}

Also I get a lot of these warnings when creating keystores. Should I be changing everything to use pkcs12?
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using

Matthew

On 26/10/2017 10:43, Colm O hEigeartaigh wrote:

Could you create a test-case and upload it to github somewhere + I will take a look?

Colm.

On Wed, Oct 25, 2017 at 10:39 PM, Matthew Broadhead <[email protected]> wrote:

Thanks for pointing me in the right direction.

Basically what the documentation lacks is that the ststrust.jks must contain MyTCIDP.cer, i.e.
keytool -import -trustcacerts -keystore ststrust.jks -storepass storepass -alias idpcert -file MyTCIDP.cer -noprompt
I looked through the original ststrust.jks and it contained the alias idpcert which confirmed the suspicion.

The other problem was that the cipher of the letsencrypt certificate was not supported by java so I had to enable apr for openssl support. -Djavax.net.debug=all helped to debug that.

But I still have some strange problems. When I first connect with fedizhelloworld it pops up a box asking for a certificate. And also if I leave it logged in for a while and then try to logout chrome tells me
This site can’t provide a secure connection
ERR_SSL_PROTOCOL_ERROR

On 25/10/2017 14:28, Colm O hEigeartaigh wrote:

Your truststore in cxf-tls.xml must trust the certificate presented by the STS. Also, it must contain a keystore with the private key of the IdP, which in turn must be trusted by the STS.

Colm.

On Wed, Oct 25, 2017 at 1:19 PM, Matthew Broadhead <[email protected]> wrote:

Are the two keystores responsible for the trust between idp and sts supposed to be stsrealm_a.jks and ststrust.jks?

It is just that the cert it is not trusting is the idp-ssl-key.jks (domain.tld) which makes sense if it is hitting domain.tld:9443/idp etc.

Does this mean ststrust.jks should contain MyTCIDP.cer as well as MyTCRP.cer?

On 25/10/2017 14:03, Colm O hEigeartaigh wrote:

You'll need to go through the output to figure out why the cert is not trusted. If you generate some test certs + create a testcase somewhere I will take a look.

Colm.

On Wed, Oct 25, 2017 at 12:47 PM, Matthew Broadhead <[email protected]> wrote:

I get a load of stuff, but in the middle of the one before the error I get

Warning: no suitable certificate found - continuing without client authentication


On 25/10/2017 13:42, Matthew Broadhead wrote:

ahhh...

-Djavax.net.debug=all

On 25/10/2017 13:39, Matthew Broadhead wrote:

How would I enable the debug? services/idp/src/main/webapp/WEB-INF/security-config.xml

<security:debug/>?

On 25/10/2017 13:37, Colm O hEigeartaigh wrote:

If you change it to "required" does it fail? If so, you could try running the Tomcat IdP with Java SSL debugging enabled and it should tell you why the IdP can't connect to the STS.

Colm.

On Wed, Oct 25, 2017 at 12:34 PM, Matthew Broadhead <[email protected]> wrote:

Hi Colm,

I realise now that this html file was included in the examples/samplekeys directory in the code. But I was taking it from the internet.

I am 100% using clientAuth="want" on my Tomcat connector but I am still getting the same error over and again. I can browse the wsdl without having to provide a client certificate. Could you point me to the part of the idp-sts configuration which might be causing it to not ask for the keys properly? Or is it definitely a tomcat server.xml issue?

On 25/10/2017 12:55, Colm O hEigeartaigh wrote:

You can see the HTML here:

https://htmlpreview.github.io/?https://raw.githubusercontent.com/apache/cxf-fediz/master/examples/samplekeys/HowToGenerateKeysREADME.html

I'll update the webpage to point to github instead of SVN.

Colm.

On Wed, Oct 25, 2017 at 11:39 AM, Matthew Broadhead <[email protected]> wrote:

Hi Colm

Firstly is there somewhere to see these instructions correctly formatted in html?
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Secondly there is a massive difference between
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
and
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
(svn being the one linked from the main fediz pages)

On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.

I have some more things to try now so I will let you know if I get further.

On 25/10/2017 12:11, Colm O hEigeartaigh wrote:

Why not try the simple Connector configuration I gave earlier but with your own keys?

Colm.

On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <[email protected]> wrote:

In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says

clientAuth
This is an alias for the certificateVerification attribute of the default SSLHostConfig element.

then

certificateVerification
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

So I changed clientAuth="want" to clientAuth="required". Now I cannot access the site at all with
Secure Connection Failed
An error occurred during a connection to domain.tld:9443. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT

Maybe I should try using Tomcat 7?

On 25/10/2017 11:42, Colm O hEigeartaigh wrote:

The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.

Colm.

On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <[email protected]> wrote:

I spoke too soon.

I am completely stuck with the same stack trace and no amount of reloading the certificates is helping. Is there any way to debug what the actual problem is?

2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
             at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
             at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
             at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
             at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
             at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
             at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
             at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
             at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
             at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
             at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
             at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
             at java.lang.reflect.Method.invoke(Method.java:498)
             at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
             at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
             at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
             at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
             at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
             at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
             at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
             at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
             at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
             at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
             at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
             at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
             at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
             at org.springframework.webflow.engine.State.enter(State.java:193)
             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
             at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
             at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
             at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
             at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
             at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
             at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
             at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
             at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
             at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
             at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
             at org.springframework.webflow.engine.State.enter(State.java:194)
             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
             at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
             at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
             at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
             at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
             at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
             at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
             at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
             at org.springframework.webflow.engine.State.enter(State.java:194)
             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
             at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
             at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
             at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
             at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
             at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
             at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
             at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
             at org.springframework.webflow.engine.State.enter(State.java:194)
             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
             at org.springframework.webflow.engine.State.enter(State.java:194)
             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
             at org.springframework.webflow.engine.State.enter(State.java:194)
             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
             at org.springframework.webflow.engine.State.enter(State.java:194)
             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
             at org.springframework.webflow.engine.State.enter(State.java:194)
             at org.springframework.webflow.engine.Flow.start(Flow.java:527)
             at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
             at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
             at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
             at org.springframework.webflow.engine.State.enter(State.java:194)
             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
             at org.springframework.webflow.engine.State.enter(State.java:194)
             at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
             at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
             at org.springframework.webflow.engine.State.enter(State.java:194)
             at org.springframework.webflow.engine.Flow.start(Flow.java:527)
             at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
             at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
             at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
             at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
             at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
             at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
             at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
             at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
             at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
             at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
             at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
             at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
             at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
             at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
             at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
             at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
             at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
             at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
             at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
             at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
             at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
             at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
             at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
             at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
             at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
             at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
             at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
             at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
             at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
             at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
             at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
             at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
             at java.lang.Thread.run(Thread.java:748)
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
             at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
             at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
             ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
             at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
             at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
             at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
             at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
             at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
             at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
             at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
             at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
             at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
             at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
             at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
             ... 155 more
2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token


On 23/10/2017 19:41, Matthew Broadhead wrote:

Thanks for your help Colm. I now have it working using the production certificate by following this example https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.

But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into webapps/idp/WEB-INF/classes as well as having them in catalina base. This seems impractical in production as the certificates get reissued every 6 months. Is it possible for sec:keyStore to define the resource as being in catalina base?

On 23/10/2017 18:11, Colm O hEigeartaigh wrote:

sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think.

As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.

This document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.

SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github:

https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Colm.

On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <[email protected]> wrote:

Hi Colm,

Is there any way for sec:keyStore to be pointed at a pem certificate instead of a java keystore? Where is the documentation for sec:keyStore?

Matt
On 23/10/2017 17:11, Colm O hEigeartaigh wrote:

I haven't used the APR connector. The following works for me in the tests, perhaps you could duplicate this config and get it working first before switching over to the APR connector:

<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS"
           keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
           truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />

Yes you will need to specify the truststore and keystore in cxf-tls.xml to communicate with the STS from the IdP. The truststore should contain the issuing cert of the Tomcat instance hosting your STS + the keystore the private key of your IdP.

Colm.

On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <[email protected]> wrote:

I am using my own certificate with APR in the Tomcat server.xml. I added clientVerification="required" to SSLHostConfig but I still have the same problem

<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig clientVerification="required">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I commented the trustManagers and keyManagers in services/idp/src/main/resources/cxf-tls.xml. Could this be the problem? How would I use production certificates?

<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <!-- <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks" />
        </sec:keyManagers> -->
    </http:tlsClientParameters>
</http:conduit>

On 22/10/2017 00:38, Matthew Broadhead wrote:

OK... I fixed the last error by dropping the schema and restarting.

But now I have this

2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
        ...
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
        ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
        at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
        ...
2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token

On 20/10/2017 23:05, Matthew Broadhead wrote:

OK, I now have a different error and it doesn't load the login screen

2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added

The previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml

<property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />

should have been

<property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />

according to the original file
On 20/10/2017 18:27, Matthew Broadhead wrote:

Hi Colm,

Yes I have:

<bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
    ...
    <property name="applications">
        <util:list>
            <ref bean="srv-fedizhelloworld" />
            <!-- <ref bean="srv-oidc" /> -->
        </util:list>
    </property>
    ...
</bean>

<bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
    <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
    <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
    <property name="serviceDisplayName" value="Fedizhelloworld" />
    <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
    <property name="role" value="ApplicationServiceType" />
    <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
    <property name="lifeTime" value="3600" />
    <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
    <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
</bean>

<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
    <property name="application" ref="srv-fedizhelloworld" />
    <property name="claim" ref="claim_role" />
    <property name="optional" value="false" />
</bean>

etc.
On 20/10/2017 18:08, Colm O hEigeartaigh wrote:

Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?

Colm.

On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <[email protected]> wrote:

Hi,

I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.

It correctly redirects to the login page and seems to authenticate OK but then I get the following error

2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld

Matthew
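The mutual-TLS failure the thread above works through has two halves that must agree: the Tomcat connector in front of the STS has to ask the IdP for a client certificate, and the IdP's cxf-tls.xml conduit has to carry an active sec:keyManagers so it has a certificate to present. When either half is missing, CXF raises the "RequireClientCertificate is set, but no local certificates were negotiated" fault quoted above. The script below is an added illustration written for this archive page, not Fediz or CXF code. It parses both files with the Python standard library and lists what would make the IdP-to-STS call fail or weaken it; it also flags disableCNCheck="true", which switches off hostname verification of the STS. The sample server.xml and cxf-tls.xml are constructed from the fragments posted in the thread. Assumptions: the corrected server.xml uses certificateVerification, which is the SSLHostConfig attribute Tomcat documents for this (the clientVerification spelling posted above is not one Tomcat defines); the corrected conduit uses the file attribute of sec:keyStore with placeholder /opt/tomcat/conf paths so the keystores can live outside the webapp, which is one answer to the catalina base question.

```python
"""Mutual-TLS consistency check between a Fediz IdP and its STS.

Added illustration for this thread, not Fediz or CXF code. Tomcat's server.xml
must ask the IdP for a client certificate and the IdP's cxf-tls.xml conduit must
carry a keystore to present one. Sample documents are constructed; the
/opt/tomcat/conf paths are placeholders."""
import xml.etree.ElementTree as ET

HTTP_NS = "http://cxf.apache.org/transports/http/configuration"
SEC_NS = "http://cxf.apache.org/configuration/security"
# clientAuth values on the NIO connector, certificateVerification values on SSLHostConfig
CLIENT_CERT_MODES = {"want", "true", "optional", "optionalnoca", "required"}

# Constructed: the APR connector as posted. Tomcat's documented SSLHostConfig
# attribute is certificateVerification; clientVerification is not one it defines.
SERVER_XML_BROKEN = """<Server><Service>
<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true">
  <SSLHostConfig clientVerification="required">
    <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                 certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                 certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem" type="RSA"/>
  </SSLHostConfig>
</Connector></Service></Server>"""
SERVER_XML_FIXED = SERVER_XML_BROKEN.replace(
    'clientVerification="required"', 'certificateVerification="optional"')

# Constructed: cxf-tls.xml with the managers commented out, as posted. ElementTree
# drops comments, so the managers are absent from the tree, just as CXF sees them.
CXF_TLS_BROKEN = f"""<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:http="{HTTP_NS}" xmlns:sec="{SEC_NS}">
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
      <!-- <sec:trustManagers>
             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks"/>
           </sec:trustManagers>
           <sec:keyManagers keyPassword="tompass">
             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
           </sec:keyManagers> -->
    </http:tlsClientParameters>
  </http:conduit>
</beans>"""

# Constructed: managers active, keystores loaded by absolute path through the
# keyStore "file" attribute (placeholder paths), hostname check left on.
CXF_TLS_FIXED = f"""<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:http="{HTTP_NS}" xmlns:sec="{SEC_NS}">
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters>
      <sec:trustManagers>
        <sec:keyStore type="jks" password="ispass" file="/opt/tomcat/conf/idp-ssl-trust.jks"/>
      </sec:trustManagers>
      <sec:keyManagers keyPassword="tompass">
        <sec:keyStore type="jks" password="tompass" file="/opt/tomcat/conf/idp-ssl-key.jks"/>
      </sec:keyManagers>
    </http:tlsClientParameters>
  </http:conduit>
</beans>"""


def ssl_connectors(server_xml):
    """One record per HTTPS connector: port, whether it requests a client
    certificate, and SSLHostConfig attributes Tomcat would not recognise."""
    records = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        asks = conn.get("clientAuth", "false").lower() in CLIENT_CERT_MODES
        unknown = []
        for host in conn.findall("SSLHostConfig"):
            if "clientVerification" in host.attrib:
                unknown.append("SSLHostConfig/clientVerification")
            asks = asks or host.get("certificateVerification", "none").lower() in CLIENT_CERT_MODES
        records.append({"port": conn.get("port"), "asks_client_cert": asks, "unknown_attrs": unknown})
    return records


def conduit_tls_status(cxf_tls_xml):
    """Whether the IdP's outbound conduit can present a key, trust the STS, and verify its name."""
    params = ET.fromstring(cxf_tls_xml).find(f".//{{{HTTP_NS}}}tlsClientParameters")
    if params is None:
        return {"has_key_managers": False, "has_trust_managers": False, "cn_check_disabled": False}
    return {
        "has_key_managers": params.find(f"{{{SEC_NS}}}keyManagers/{{{SEC_NS}}}keyStore") is not None,
        "has_trust_managers": params.find(f"{{{SEC_NS}}}trustManagers/{{{SEC_NS}}}keyStore") is not None,
        "cn_check_disabled": params.get("disableCNCheck", "false").lower() == "true",
    }


def findings(server_xml, cxf_tls_xml):
    """Problems that would make the IdP -> STS call fail, or weaken it."""
    problems, conns = [], ssl_connectors(server_xml)
    for c in conns:
        for attr in c["unknown_attrs"]:
            problems.append(f"server.xml port {c['port']}: {attr} is not a Tomcat attribute, "
                            'use certificateVerification="optional" or "required"')
    if not any(c["asks_client_cert"] for c in conns):
        problems.append("server.xml: no HTTPS connector asks for a client certificate, "
                        "so the IdP is never asked to present one")
    tls = conduit_tls_status(cxf_tls_xml)
    if not tls["has_key_managers"]:
        problems.append("cxf-tls.xml: no active sec:keyManagers, the IdP has no certificate to present")
    if not tls["has_trust_managers"]:
        problems.append("cxf-tls.xml: no sec:trustManagers, the JVM default truststore decides "
                        "whether the STS certificate is accepted")
    if tls["cn_check_disabled"]:
        problems.append('cxf-tls.xml: disableCNCheck="true" turns off hostname verification of the STS')
    return problems


if __name__ == "__main__":
    print("as posted:", findings(SERVER_XML_BROKEN, CXF_TLS_BROKEN))
    print("corrected:", findings(SERVER_XML_FIXED, CXF_TLS_FIXED) or ["ok"])
```

Run it against the two constructed pairs: the "as posted" pair yields five findings (unrecognised attribute, no connector asking for a client cert, no keyManagers, no trustManagers, CN check disabled) and the corrected pair yields none. The keystore itself does not have to be built with keytool: openssl pkcs12 -export can turn the Let's Encrypt privkey.pem and fullchain.pem into a PKCS12 file that sec:keyStore accepts with type="pkcs12", which Colm notes it supports, and pointing at it by file path means a reissued certificate only needs the file replaced and Tomcat restarted.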