cxf-users mailing list archives

From Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk>
Subject Re: fediz production
Date Mon, 23 Oct 2017 15:46:02 GMT
This document
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co

has idp-ssl-server.jks but no idp-ssl-key.jks.

On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
> I haven't used the APR connector. The following works for me in the tests,
> perhaps you could duplicate this config and get it working first before
> switching over to the APR connector:
>
>   <Connector port="9443"
> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
> SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
> sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
> keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
> truststorePass="ispass" />
>
> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
> communicate with the STS from the IdP. The truststore should contain the
> issuing cert of the Tomcat instance hosting your STS + then keystore the
> private key of your IdP.
>
> Colm.
>
> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> I am using my own certificate with APR in the Tomcat server.xml. I added
>> clientVerification="required" to SSLHostConfig but I still have the same
>> problem:
>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            maxThreads="150" SSLEnabled="true">
>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>     <SSLHostConfig clientVerification="required">
>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>                      certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>                      certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>                      type="RSA" />
>>     </SSLHostConfig>
>> </Connector>
>>
>> I commented out the trustManagers and keyManagers in
>> services/idp/src/main/resources/cxf-tls.xml. Could this be the problem?
>> How would I use production certificates?
>> <http:conduit name="*.http-conduit">
>>     <http:tlsClientParameters disableCNCheck="true">
>>         <!-- <sec:trustManagers>
>>                  <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>              </sec:trustManagers>
>>              <sec:keyManagers keyPassword="tompass">
>>                  <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks" />
>>              </sec:keyManagers> -->
>>     </http:tlsClientParameters>
>> </http:conduit>
>>
>>
>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>
>>> OK... I fixed the last error by dropping the schema and restarting,
>>> but now I have this:
>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN
>>> org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has
>>> thrown exception, unwinding now
>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to
>>> stream: RequireClientCertificate is set, but no local certificates were
>>> negotiated.  Is the server set to ask for client authorization?
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>      at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>      ...
>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is
>>> set, but no local certificates were negotiated.  Is the server set to ask
>>> for client authorization?
>>>      at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>      at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>      ... 154 more
>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
>>> RequireClientCertificate is set, but no local certificates were
>>> negotiated.  Is the server set to ask for client authorization?
>>>      at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>      ...
>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR
>>> org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in
>>> retrieving a token
>>>
>>>
>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>
>>>> OK, I now have a different error and it doesn't load the login screen:
>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>
>>>> The previous one was caused by
>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml:
>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>> should have been
>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>> according to the original file.
>>>>
>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>
>>>>> Hi Colm,
>>>>>
>>>>> Yes I have:
>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>> ...
>>>>>          <property name="applications">
>>>>>              <util:list>
>>>>>                  <ref bean="srv-fedizhelloworld" />
>>>>>                  <!-- <ref bean="srv-oidc" /> -->
>>>>>              </util:list>
>>>>>          </property>
>>>>> ...
>>>>> </bean>
>>>>>
>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>          <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>          <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>          <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>          <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>          <property name="role" value="ApplicationServiceType" />
>>>>>          <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>          <property name="lifeTime" value="3600" />
>>>>>          <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>          <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>> </bean>
>>>>>
>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>          <property name="application" ref="srv-fedizhelloworld" />
>>>>>          <property name="claim" ref="claim_role" />
>>>>>          <property name="optional" value="false" />
>>>>> </bean>
>>>>>
>>>>> etc.
>>>>>
>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml
>>>>>> with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying
>>>>>>> to use it from localhost:9443/fedizhelloworld/secure/fedservlet. It
>>>>>>> correctly redirects to the login page and seems to authenticate OK.
>>>>>>>
>>>>>>> But then I get the following error:
>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO
>>>>>>> org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token
>>>>>>> [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN
>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No
>>>>>>> service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>
>>>>>>> Matthew
>>>>>>>
>>>>>>>
>>>>>>
>
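
A small configuration check for the problem discussed in this thread, added here as an example and not part of the thread or of Fediz: it parses a cxf-tls.xml conduit and reports when the keyManagers (the IdP's client certificate, whose absence produces the "RequireClientCertificate is set, but no local certificates were negotiated" fault) or trustManagers are missing, or hostname checking is disabled. It assumes the standard CXF namespace URIs for the http: and sec: prefixes and uses a constructed copy of the quoted conduit as input.

```python
import xml.etree.ElementTree as ET

# Standard CXF namespace URIs for the http: and sec: prefixes (assumed here).
NS = {
    "http": "http://cxf.apache.org/transports/http/configuration",
    "sec": "http://cxf.apache.org/configuration/security",
}

# Constructed input modelled on the conduit quoted in the thread: the managers
# sit inside an XML comment, so the parser never sees them.
BROKEN_CONDUIT = """<beans xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security">
  <http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
      <!-- <sec:trustManagers>
             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks"/>
           </sec:trustManagers>
           <sec:keyManagers keyPassword="tompass">
             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
           </sec:keyManagers> -->
    </http:tlsClientParameters>
  </http:conduit>
</beans>"""


def lint_conduit(xml_text):
    """Return (conduit name, finding) pairs for every http:conduit in the file."""
    findings = []
    root = ET.fromstring(xml_text)
    for conduit in root.iter("{%s}conduit" % NS["http"]):
        name = conduit.get("name", "?")
        tls = conduit.find("http:tlsClientParameters", NS)
        if tls is None:
            findings.append((name, "no tlsClientParameters: JVM defaults apply"))
            continue
        if tls.find("sec:keyManagers/sec:keyStore", NS) is None:
            # No key manager means the IdP has no client certificate to offer
            # when the STS connector asks for one (clientAuth="want"/"required").
            findings.append((name, "no keyManagers: IdP cannot present a client certificate"))
        if tls.find("sec:trustManagers/sec:keyStore", NS) is None:
            findings.append((name, "no trustManagers: STS certificate checked against JVM defaults only"))
        if tls.get("disableCNCheck", "false").lower() == "true":
            findings.append((name, "disableCNCheck=true: hostname verification is off"))
    return findings


def uncomment_managers(xml_text):
    """Constructed 'after' state: uncomment the managers and drop disableCNCheck."""
    return (xml_text.replace("<!-- ", "").replace(" -->", "")
            .replace(' disableCNCheck="true"', ""))
```

Run lint_conduit() over the file contents; an empty result means both managers are configured and hostname verification is left on.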

