cxf-users mailing list archives

From Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk>
Subject Re: fediz production
Date Wed, 25 Oct 2017 10:39:47 GMT
Hi Colm

Firstly, is there somewhere to see these instructions correctly formatted
in HTML?
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Secondly, there is a massive difference between
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
and
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
(svn being the one linked from the main fediz pages)

On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.

I have some more things to try now, so I will let you know if I get further.

On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
> Why not try the simple Connector configuration I gave earlier but with your
> own keys?
>
> Colm.
>
> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <
> matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says:
>> clientAuth
>> This is an alias for the certificateVerification attribute of the default
>> SSLHostConfig element.
>>
>> then
>> certificateVerification
>> Set to required if you want the SSL stack to require a valid certificate
>> chain from the client before accepting a connection. Set to optional if you
>> want the SSL stack to request a client Certificate, but not fail if one
>> isn't presented. Set to optionalNoCA if you want client certificates to be
>> optional and you don't want Tomcat to check them against the list of
>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>> JSSE does not) it is treated as if optional was specified. A none value
>> (which is the default) will not require a certificate chain unless the
>> client requests a resource protected by a security constraint that uses
>> CLIENT-CERT authentication.
>>
>> So I changed clientAuth="want" to clientAuth="required". Now I cannot
>> access the site at all with
>> Secure Connection Failed
>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>
>> Maybe I should try using Tomcat 7?
>>
>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>
>>> The problem is that your Tomcat container hosting the STS is not asking for
>>> client authentication. You can check this by using a web browser or curl to
>>> view the WSDL of the STS - if you can get it to work then the configuration
>>> is incorrect, as it should error on the browser not supplying a client cert.
>>>
>>> Colm.
>>>
>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <
>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> I spoke too soon.
>>>> I am completely stuck with the same stack trace and no amount of reloading
>>>> the certificates is helping.  Is there any way to debug what the actual
>>>> problem is?
>>>>
>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>       at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>       at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>       at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>       at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>       at java.lang.reflect.Method.invoke(Method.java:498)
>>>>       at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>       at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>       at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>       at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>       at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>       at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>       at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>       at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>       at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>       at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>       at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>       at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>       at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>       at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>       at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>       at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>       at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>       at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>       at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>       at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>       at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>       at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>       at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>       at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>       at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>       at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>       at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>       at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>       at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>       at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>       at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>       at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>       at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>       at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>       at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>       at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>       at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>>       at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>       at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>>>>       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>       at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>>       at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>>       at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>       at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>       at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>>>>       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
>>>>       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>>       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>>>       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
>>>>       at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
>>>>       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>>>>       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>>>       at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
>>>>       at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>>       at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
>>>>       at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>>>>       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>       at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>       at java.lang.Thread.run(Thread.java:748)
>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>       at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>       ... 154 more
>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>       at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
>>>>       at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
>>>>       at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>>>>       at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>>>>       at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>>>>       at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>       at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>>>>       at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>>>       ... 155 more
>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token
>>>>
>>>>
>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>
>>>>> Thanks for your help, Colm.  I now have it working using the production
>>>>> certificate by following this example https://stackoverflow.com/a/2141229/3052312
>>>>> to export the PEMs into JKS files.
>>>>>
>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>>>>> This seems impractical in production as the certificates get reissued every
>>>>> 6 months.  Is it possible for sec:keyStore to define the resource as being
>>>>> in catalina base?
>>>>>
>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>> sec:certStore that works with PEM files, but only for TrustStores I think.
>>>>>> As a workaround you can just use the Java keytool command to import your
>>>>>> PEM key/cert into a JKS keystore.
>>>>>>
>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>
>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>>> version is on github:
>>>>>>
>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <
>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> Hi Colm,
>>>>>>>
>>>>>>> Is there any way for sec:keyStore to be pointed at a PEM certificate
>>>>>>> instead of a Java keystore?  Where is the documentation for
>>>>>>> sec:keyStore?
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> I haven't used the APR connector. The following works for me in the
>>>>>>>> tests, perhaps you could duplicate this config and get it working first
>>>>>>>> before switching over to the APR connector:
>>>>>>>>
>>>>>>>>     <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>                clientAuth="want" sslProtocol="TLS"
>>>>>>>>                keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>>                truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>
>>>>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>>>>>> communicate with the STS from the IdP. The truststore should contain the
>>>>>>>> issuing cert of the Tomcat instance hosting your STS, and the keystore
>>>>>>>> the private key of your IdP.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <
>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added
>>>>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>>>>> problem
>>>>>>>>>
>>>>>>>>>         <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>>>>                    maxThreads="150" SSLEnabled="true">
>>>>>>>>>             <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>>>>             <SSLHostConfig clientVerification="required">
>>>>>>>>>                 <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>>>>                              certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>>                              certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>>                              type="RSA" />
>>>>>>>>>             </SSLHostConfig>
>>>>>>>>>         </Connector>
>>>>>>>>>
>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the
>>>>>>>>> problem?
>>>>>>>>> How would I use production certificates?
>>>>>>>>>         <http:conduit name="*.http-conduit">
>>>>>>>>>             <http:tlsClientParameters disableCNCheck="true">
>>>>>>>>>                 <!-- <sec:trustManagers>
>>>>>>>>>                     <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>>>>                 </sec:trustManagers>
>>>>>>>>>                 <sec:keyManagers keyPassword="tompass">
>>>>>>>>>                     <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>>>>                 </sec:keyManagers> -->
>>>>>>>>>             </http:tlsClientParameters>
>>>>>>>>>         </http:conduit>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>
>>>>>>>>>> OK... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>
>>>>>>>>>> But now I have this:
>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>         ...
>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>         at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>         at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>         ... 154 more
>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>>>>>         at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>         ...
>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>
>>>>>>>>>> ok i now have a different error and it doesn't load the login
>>>>>>>>>> screen
>>>>>>>>>>
>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>
>>>>>>>>>>> The previous one was caused by services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml:
>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>>>>> should have been
>>>>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>>>>> according to the original file
>>>>>>>>>>>
>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>
>>>>>>>>>>> Yes I have:
>>>>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>>>> ...
>>>>>>>>>>>>     <property name="applications">
>>>>>>>>>>>>         <util:list>
>>>>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>>>>         </util:list>
>>>>>>>>>>>>     </property>
>>>>>>>>>>>> ...
>>>>>>>>>>>> </bean>
>>>>>>>>>>>>
>>>>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>> </bean>
>>>>>>>>>>>>
>>>>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>>>>> </bean>
>>>>>>>>>>>>
>>>>>>>>>>>> etc.
>>>>>>>>>>>>
>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <
>>>>>>>>>>>>> matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet. It correctly redirects to the login page and seems to authenticate OK,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but then I get the following error:
>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Matthew



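As a configuration check on the quoted ApplicationEntity beans, here is an added example (not Fediz project code) showing how a passiveRequestorEndpointConstraint / logoutEndpointConstraint regex decides which wreply endpoints are accepted, and why the sample `https://localhost:?(\d)*/.*` value has to be replaced for a production host. It assumes the IdP matches the constraint against the whole URL (full-match semantics); the production constraint, the probe host and the sample URLs are constructed.

```java
import java.util.regex.Pattern;

// Added example, not part of Fediz: behaviour of an ApplicationEntity endpoint
// constraint when treated as a java.util.regex pattern over the whole wreply URL.
// Assumption: the IdP uses full-match semantics (Matcher.matches()).
public class EndpointConstraintCheck {

    // The constraint exactly as it appears in the quoted ApplicationEntity bean.
    public static final String SAMPLE_CONSTRAINT = "https://localhost:?(\\d)*/.*";

    // Constructed constraint for the production host from the thread: the dot is
    // escaped and a port is only accepted after a colon, so host names that merely
    // begin with "domain.tld" (or carry digits glued to the host) are not accepted.
    public static final String PROD_CONSTRAINT = "https://domain\\.tld(:\\d+)?/fedizhelloworld/.*";

    /** True if the whole endpoint URL is accepted by the constraint. */
    public static boolean isEndpointAllowed(String constraint, String endpoint) {
        return Pattern.compile(constraint).matcher(endpoint).matches();
    }

    /**
     * Sanity check for each application's constraint: if it accepts a URL on a host
     * the application does not own, tokens could be posted to that host. The probe
     * host is a constructed placeholder on the reserved .invalid TLD.
     */
    public static boolean acceptsForeignHost(String constraint) {
        return isEndpointAllowed(constraint, "https://other-host.invalid/fedizhelloworld/");
    }

    public static void main(String[] args) {
        String[] endpoints = {                                   // constructed wreply values
            "https://localhost:9443/fedizhelloworld/secure/fedservlet",   // sample: yes, prod: no
            "https://localhost/fedizhelloworld/secure/fedservlet",        // sample: yes, prod: no
            "https://domain.tld:9443/fedizhelloworld/secure/fedservlet",  // sample: no,  prod: yes
            "https://localhost9443/fedizhelloworld/",  // sample: yes (":?" is optional), prod: no
            "http://localhost:9443/fedizhelloworld/"   // plain http: neither
        };
        for (String e : endpoints) {
            System.out.printf("%-62s sample=%-5s prod=%s%n", e,
                isEndpointAllowed(SAMPLE_CONSTRAINT, e), isEndpointAllowed(PROD_CONSTRAINT, e));
        }
        System.out.println("sample constraint accepts a foreign host: " + acceptsForeignHost(SAMPLE_CONSTRAINT)); // false
        System.out.println("'.*' constraint accepts a foreign host:   " + acceptsForeignHost(".*"));               // true
    }
}
```

Running `acceptsForeignHost` over every application's constraints is a quick way to catch a catch-all such as `.*` left in from testing.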