cxf-users mailing list archives

From Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk>
Subject Re: fediz production
Date Wed, 25 Oct 2017 10:04:22 GMT
in Tomcat 8 
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2

it says
clientAuth
This is an alias for the certificateVerification attribute of the 
default SSLHostConfig element.

then
certificateVerification
Set to required if you want the SSL stack to require a valid certificate 
chain from the client before accepting a connection. Set to optional if 
you want the SSL stack to request a client Certificate, but not fail if 
one isn't presented. Set to optionalNoCA if you want client certificates 
to be optional and you don't want Tomcat to check them against the list 
of trusted CAs. If the TLS provider doesn't support this option (OpenSSL 
does, JSSE does not) it is treated as if optional was specified. A none 
value (which is the default) will not require a certificate chain unless 
the client requests a resource protected by a security constraint that 
uses CLIENT-CERT authentication.

so i changed clientAuth="want" to clientAuth="required". now i cannot 
access the site at all with
Secure Connection Failed
An error occurred during a connection to domain.tld:9443. SSL peer 
cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT

maybe i should try using Tomcat 7?

On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
> The problem is that your Tomcat container hosting the STS is not asking for
> client authentication. You can check this by using a web browser or curl to
> view the WSDL of the STS - if you can get it to work then the configuration
> is incorrect, as it should error on the browser not supplying a client cert.
>
> Colm.
>
> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> i spoke too soon.
>>
>> i am completely stuck with the same stack trace and no amount of reloading
>> the certificates is helping.  is there any way to debug what the actual
>> problem is?
>>
>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN
>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityT
>> okenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has
>> thrown exception, unwinding now
>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>> stream: RequireClientCertificate is set, but no local certificates were
>> negotiated.  Is the server set to ask for client authorization?
>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(Phase
>> InterceptorChain.java:308)
>>      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>      at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>      at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(Abs
>> tractSTSClient.java:861)
>>      at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurit
>> yTokenResponse(IdpSTSClient.java:47)
>>      at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurit
>> yTokenResponse(IdpSTSClient.java:42)
>>      at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submi
>> t(STSClientAction.java:296)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>> ssorImpl.java:62)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>> thodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:498)
>>      at org.springframework.expression.spel.support.ReflectiveMethod
>> Executor.execute(ReflectiveMethodExecutor.java:113)
>>      at org.springframework.expression.spel.ast.MethodReference.getV
>> alueInternal(MethodReference.java:129)
>>      at org.springframework.expression.spel.ast.MethodReference.
>> access$000(MethodReference.java:49)
>>      at org.springframework.expression.spel.ast.MethodReference$Meth
>> odValueRef.getValue(MethodReference.java:347)
>>      at org.springframework.expression.spel.ast.CompoundExpression.g
>> etValueInternal(CompoundExpression.java:88)
>>      at org.springframework.expression.spel.ast.SpelNodeImpl.
>> getTypedValue(SpelNodeImpl.java:131)
>>      at org.springframework.expression.spel.standard.SpelExpression.
>> getValue(SpelExpression.java:297)
>>      at org.springframework.binding.expression.spel.SpringELExpressi
>> on.getValue(SpringELExpression.java:84)
>>      at org.springframework.webflow.action.EvaluateAction.doExecute(
>> EvaluateAction.java:75)
>>      at org.springframework.webflow.action.AbstractAction.execute(Ab
>> stractAction.java:188)
>>      at org.springframework.webflow.execution.AnnotatedAction.execut
>> e(AnnotatedAction.java:145)
>>      at org.springframework.webflow.execution.ActionExecutor.execute
>> (ActionExecutor.java:51)
>>      at org.springframework.webflow.engine.ActionList.execute(Action
>> List.java:154)
>>      at org.springframework.webflow.engine.State.enter(State.java:193)
>>      at org.springframework.webflow.engine.Transition.execute(Transi
>> tion.java:228)
>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
>> ecute(FlowExecutionImpl.java:395)
>>      at org.springframework.webflow.engine.impl.RequestControlContex
>> tImpl.execute(RequestControlContextImpl.java:214)
>>      at org.springframework.webflow.engine.TransitionableState.handl
>> eEvent(TransitionableState.java:116)
>>      at org.springframework.webflow.engine.SubflowState.handleEvent(
>> SubflowState.java:116)
>>      at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
>> ndleEvent(FlowExecutionImpl.java:390)
>>      at org.springframework.webflow.engine.impl.RequestControlContex
>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.en
>> dActiveFlowSession(FlowExecutionImpl.java:414)
>>      at org.springframework.webflow.engine.impl.RequestControlContex
>> tImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>      at org.springframework.webflow.engine.EndState.doEnter(EndState
>> .java:107)
>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>      at org.springframework.webflow.engine.Transition.execute(Transi
>> tion.java:228)
>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
>> ecute(FlowExecutionImpl.java:395)
>>      at org.springframework.webflow.engine.impl.RequestControlContex
>> tImpl.execute(RequestControlContextImpl.java:214)
>>      at org.springframework.webflow.engine.TransitionableState.handl
>> eEvent(TransitionableState.java:116)
>>      at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
>> ndleEvent(FlowExecutionImpl.java:390)
>>      at org.springframework.webflow.engine.impl.RequestControlContex
>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>      at org.springframework.webflow.engine.ActionState.doEnter(Actio
>> nState.java:105)
>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>      at org.springframework.webflow.engine.Transition.execute(Transi
>> tion.java:228)
>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.ex
>> ecute(FlowExecutionImpl.java:395)
>>      at org.springframework.webflow.engine.impl.RequestControlContex
>> tImpl.execute(RequestControlContextImpl.java:214)
>>      at org.springframework.webflow.engine.TransitionableState.handl
>> eEvent(TransitionableState.java:116)
>>      at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.ha
>> ndleEvent(FlowExecutionImpl.java:390)
>>      at org.springframework.webflow.engine.impl.RequestControlContex
>> tImpl.handleEvent(RequestControlContextImpl.java:210)
>>      at org.springframework.webflow.engine.ActionState.doEnter(Actio
>> nState.java:105)
>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>      at org.springframework.webflow.engine.Transition.execute(Transi
>> tion.java:228)
>>      at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>> isionState.java:51)
>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>      at org.springframework.webflow.engine.Transition.execute(Transi
>> tion.java:228)
>>      at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>> isionState.java:51)
>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>      at org.springframework.webflow.engine.Transition.execute(Transi
>> tion.java:228)
>>      at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>> isionState.java:51)
>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>      at org.springframework.webflow.engine.Transition.execute(Transi
>> tion.java:228)
>>      at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>> isionState.java:51)
>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>      at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
>> art(FlowExecutionImpl.java:368)
>>      at org.springframework.webflow.engine.impl.RequestControlContex
>> tImpl.start(RequestControlContextImpl.java:234)
>>      at org.springframework.webflow.engine.SubflowState.doEnter(Subf
>> lowState.java:101)
>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>      at org.springframework.webflow.engine.Transition.execute(Transi
>> tion.java:228)
>>      at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>> isionState.java:51)
>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>      at org.springframework.webflow.engine.Transition.execute(Transi
>> tion.java:228)
>>      at org.springframework.webflow.engine.DecisionState.doEnter(Dec
>> isionState.java:51)
>>      at org.springframework.webflow.engine.State.enter(State.java:194)
>>      at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
>> art(FlowExecutionImpl.java:368)
>>      at org.springframework.webflow.engine.impl.FlowExecutionImpl.st
>> art(FlowExecutionImpl.java:223)
>>      at org.springframework.webflow.executor.FlowExecutorImpl.launch
>> Execution(FlowExecutorImpl.java:140)
>>      at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.
>> handle(FlowHandlerAdapter.java:263)
>>      at org.springframework.web.servlet.DispatcherServlet.doDispatch
>> (DispatcherServlet.java:967)
>>      at org.springframework.web.servlet.DispatcherServlet.doService(
>> DispatcherServlet.java:901)
>>      at org.springframework.web.servlet.FrameworkServlet.processRequ
>> est(FrameworkServlet.java:970)
>>      at org.springframework.web.servlet.FrameworkServlet.doGet(
>> FrameworkServlet.java:861)
>>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>      at org.springframework.web.servlet.FrameworkServlet.service(
>> FrameworkServlet.java:846)
>>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>      at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:231)
>>      at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:166)
>>      at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte
>> r.java:52)
>>      at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:193)
>>      at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:166)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:330)
>>      at org.springframework.security.web.access.intercept.FilterSecu
>> rityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>      at org.springframework.security.web.access.intercept.FilterSecu
>> rityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.access.ExceptionTranslation
>> Filter.doFilter(ExceptionTranslationFilter.java:113)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.session.SessionManagementFi
>> lter.doFilter(SessionManagementFilter.java:103)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.authentication.AnonymousAut
>> henticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.apache.cxf.fediz.service.idp.service.security.GrantedAut
>> horityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.servletapi.SecurityContextH
>> olderAwareRequestFilter.doFilter(SecurityContextHolder
>> AwareRequestFilter.java:154)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.savedrequest.RequestCacheAw
>> areFilter.doFilter(RequestCacheAwareFilter.java:45)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.authentication.www.BasicAut
>> henticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.authentication.AbstractAuth
>> enticationProcessingFilter.doFilter(AbstractAuthenticatio
>> nProcessingFilter.java:199)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.authentication.logout.Logou
>> tFilter.doFilter(LogoutFilter.java:110)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.context.request.async.WebAs
>> yncManagerIntegrationFilter.doFilterInternal(WebAsyncManag
>> erIntegrationFilter.java:50)
>>      at org.springframework.web.filter.OncePerRequestFilter.doFilter
>> (OncePerRequestFilter.java:107)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.context.SecurityContextPers
>> istenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSP
>> ortFilter.java:74)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.access.channel.ChannelProce
>> ssingFilter.doFilter(ChannelProcessingFilter.java:144)
>>      at org.springframework.security.web.FilterChainProxy$VirtualFil
>> terChain.doFilter(FilterChainProxy.java:342)
>>      at org.springframework.security.web.FilterChainProxy.doFilterIn
>> ternal(FilterChainProxy.java:192)
>>      at org.springframework.security.web.FilterChainProxy.doFilter(F
>> ilterChainProxy.java:160)
>>      at org.springframework.web.filter.DelegatingFilterProxy.invokeD
>> elegate(DelegatingFilterProxy.java:346)
>>      at org.springframework.web.filter.DelegatingFilterProxy.doFilte
>> r(DelegatingFilterProxy.java:262)
>>      at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:193)
>>      at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:166)
>>      at org.springframework.web.filter.CharacterEncodingFilter.doFil
>> terInternal(CharacterEncodingFilter.java:197)
>>      at org.springframework.web.filter.OncePerRequestFilter.doFilter
>> (OncePerRequestFilter.java:107)
>>      at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:193)
>>      at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:166)
>>      at org.apache.catalina.core.StandardWrapperValve.invoke(Standar
>> dWrapperValve.java:198)
>>      at org.apache.catalina.core.StandardContextValve.invoke(Standar
>> dContextValve.java:96)
>>      at org.apache.catalina.core.StandardHostValve.invoke(StandardHo
>> stValve.java:140)
>>      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo
>> rtValve.java:80)
>>      at org.apache.catalina.valves.AbstractAccessLogValve.invoke(Abs
>> tractAccessLogValve.java:650)
>>      at org.apache.catalina.core.StandardEngineValve.invoke(Standard
>> EngineValve.java:87)
>>      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd
>> apter.java:342)
>>      at org.apache.coyote.http2.StreamProcessor.service(StreamProces
>> sor.java:245)
>>      at org.apache.coyote.AbstractProcessorLight.process(AbstractPro
>> cessorLight.java:66)
>>      at org.apache.coyote.http2.StreamProcessor.process(StreamProces
>> sor.java:65)
>>      at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>>      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>>      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.
>> run(TaskThread.java:61)
>>      at java.lang.Thread.run(Thread.java:748)
>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>> set, but no local certificates were negotiated.  Is the server set to ask
>> for client authorization?
>>      at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutE
>> ndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>      ... 154 more
>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>> RequireClientCertificate is set, but no local certificates were
>> negotiated.  Is the server set to ask for client authorization?
>>      at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInt
>> erceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(H
>> ttpsTokenInterceptorProvider.java:143)
>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>> m.makeTrustDecision(HTTPConduit.java:1780)
>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>> m.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>> m.onFirstWrite(HTTPConduit.java:1293)
>>      at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLCo
>> nnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTP
>> Conduit.java:309)
>>      at org.apache.cxf.io.AbstractWrappedOutputStream.write(Abstract
>> WrappedOutputStream.java:47)
>>      at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(Abs
>> tractThresholdOutputStream.java:89)
>>      at org.apache.cxf.io.AbstractThresholdOutputStream.write(Abstra
>> ctThresholdOutputStream.java:63)
>>      at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>      at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.
>> java:241)
>>      at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>      ... 155 more
>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR
>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>> retrieving a token
>>
>>
>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>
>>> Thanks for your help Colm.  I now have it working using the production
>>> certificate by following this example https://stackoverflow.com/a/2141229/3052312
>>> to export the pems into jks files.
>>>
>>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>> this seems impractical in production as the certificates get reissued every
>>> 6 months.  is it possible for sec:keyStore to define the resource as being
>>> in catalina base?
>>>
>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>
>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>> sec:certStore that works with PEM files, but only for TrustStores I
>>>> think.
>>>> As a workaround you can just use the Java keytool command to import your
>>>> PEM key/cert into a JKS keystore.
>>>>
>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>
>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>> version is on github:
>>>>
>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>
>>>> Colm.
>>>>
>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> Hi Colm,
>>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>>> instead of a java keystore?  where is the documentation for sec:keyStore?
>>>>>
>>>>> Matt
>>>>>
>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> I haven't used the APR connector. The following works for me in the tests,
>>>>>> perhaps you could duplicate this config and get it working first before
>>>>>> switching over to the APR connector:
>>>>>>
>>>>>>     <Connector port="9443"
>>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>>>>> truststorePass="ispass" />
>>>>>>
>>>>>> Yes you will need to specify the truststore and keystore in
>>>>>> cxf-tls.xml to
>>>>>> communicate with the STS from the IdP. The truststore should contain
>>>>>> the
>>>>>> issuing cert of the Tomcat instance hosting your STS + then keystore
>>>>>> the
>>>>>> private key of your IdP.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> i am using my own certificate with APR in the tomcat server.xml.  I added
>>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>>> problem
>>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>                   maxThreads="150" SSLEnabled="true">
>>>>>>>            <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>            <SSLHostConfig clientVerification="required">
>>>>>>>                <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>                             certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>                             certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>                             type="RSA" />
>>>>>>>            </SSLHostConfig>
>>>>>>>        </Connector>
>>>>>>>
>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the
>>>>>>> problem?
>>>>>>> How would I use production certificates?
>>>>>>> <http:conduit name="*.http-conduit">
>>>>>>>            <http:tlsClientParameters
>>>>>>>                disableCNCheck="true">
>>>>>>>                <!-- <sec:trustManagers>
>>>>>>>                    <sec:keyStore type="jks" password="ispass"
>>>>>>> resource="idp-ssl-trust.jks" />
>>>>>>>                </sec:trustManagers>
>>>>>>>                <sec:keyManagers keyPassword="tompass">
>>>>>>>                    <sec:keyStore type="jks" password="tompass"
>>>>>>> resource="idp-ssl-key.jks"/>
>>>>>>>                </sec:keyManagers> -->
>>>>>>>            </http:tlsClientParameters>
>>>>>>>        </http:conduit>
>>>>>>>
>>>>>>>
>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>
>>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>>>
>>>>>>>> but now i have this
>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>>>>>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
>>>>>>>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
>>>>>>>> has thrown exception, unwinding now
>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>>>>>>> stream: RequireClientCertificate is set, but no local certificates were
>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>        ...
>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>>>>>>>> set, but no local certificates were negotiated.  Is the server set to
>>>>>>>> ask for client authorization?
>>>>>>>>        at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>        ... 154 more
>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>>>>>>> RequireClientCertificate is set, but no local certificates were
>>>>>>>> negotiated.  Is the server set to ask for client authorization?
>>>>>>>>        at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>        ...
>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>>>>>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in
>>>>>>>> retrieving a token
>>>>>>>>
>>>>>>>>
>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>
>>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>>
>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>
>>>>>>>>> the previous one was caused by
>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443
>>>>>>>>> /idp-sts/REALMMYREALM" />
>>>>>>>>> should have been
>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/id
>>>>>>>>> p-sts/REALMMYREALM"
>>>>>>>>> />
>>>>>>>>> according to original file
>>>>>>>>>
>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>
>>>>>>>>>> Hi Colm,
>>>>>>>>>>
>>>>>>>>>> Yes I have:
>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>> ...
>>>>>>>>>>            <property name="applications">
>>>>>>>>>>                <util:list>
>>>>>>>>>>                    <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>            <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>                </util:list>
>>>>>>>>>>            </property>
>>>>>>>>>> ...
>>>>>>>>>> </bean>
>>>>>>>>>>
>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>            <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>            <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>            <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>            <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>            <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>            <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>            <property name="lifeTime" value="3600" />
>>>>>>>>>>            <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>            <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>> </bean>
>>>>>>>>>>
>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>            <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>            <property name="claim" ref="claim_role" />
>>>>>>>>>>            <property name="optional" value="false" />
>>>>>>>>>> </bean>
>>>>>>>>>>
>>>>>>>>>> etc.
>>>>>>>>>>
>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>
>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
>>>>>>>>>>> realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>
>>>>>>>>>>> Colm.
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to
>>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet.  it
>>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>>
>>>>>>>>>>>> but then i get the following error
>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>
>>>>>>>>>>>> Matthew
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>
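
The thread turns on two connector settings: the SSLHostConfig attribute that was set (clientVerification) is not one the Tomcat 8.5 documentation quoted at the top defines, so Tomcat never requested a client certificate and CXF reported "RequireClientCertificate is set, but no local certificates were negotiated"; and the later switch to "required" on the shared 9443 connector turns away any browser that has no certificate, which matches the SSL_ERROR_BAD_CERT_ALERT error quoted above. The fragment below is an added example for this thread, not configuration from Colm, Matthew or the Fediz project. It rewrites the APR SSLHostConfig with the documented attribute, certificateVerification, set to optional (the SSLHostConfig spelling of the clientAuth="want" Colm uses on his NIO connector), and adds caCertificateFile so OpenSSL can verify the certificate the IdP presents from idp-ssl-key.jks. The Let's Encrypt paths are the ones from the thread; /etc/ssl/idp-client-ca.pem is a placeholder for the CA that issued the IdP's client certificate, which is an assumption about your PKI.

```xml
<!-- server.xml fragment: APR/OpenSSL HTTPS connector on 9443 that asks for a
     client certificate without insisting on one.
     Added example for this thread, not the project's own configuration.
     Placeholder: /etc/ssl/idp-client-ca.pem = PEM bundle of the CA(s) that
     issued the IdP's client certificate (the key in idp-ssl-key.jks). -->
<Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

    <!-- certificateVerification is the attribute the Tomcat 8.5 docs define
         (clientAuth is only an alias for it on the Connector element);
         clientVerification is not a recognised attribute, so with it the
         default "none" stayed in force and no CertificateRequest was sent.
         "optional": the server requests a certificate, the IdP's STS client
         can present its key so CXF's RequireClientCertificate check passes,
         and a browser that has no certificate is still served the login page.
         "required" would reject every client without a certificate, browsers
         included, which is the SSL_ERROR_BAD_CERT_ALERT outcome seen above. -->
    <SSLHostConfig certificateVerification="optional"
                   caCertificateFile="/etc/ssl/idp-client-ca.pem">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Two things follow from Colm's earlier reply when this is paired with cxf-tls.xml: the sec:keyManagers keystore must hold the IdP's private key and a certificate issued by the CA named in caCertificateFile, and the sec:trustManagers truststore must contain the issuer of the Let's Encrypt chain served on 9443, otherwise the IdP will reject the STS's server certificate before the client-certificate question even arises. With "optional" in place, a plain browser visit to the STS WSDL should still succeed while the IdP's STS call stops failing; if the browser is still refused, the connector is still in "required" mode somewhere, and if the STS error persists, the CertificateRequest is not reaching the IdP's conduit.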

