Subject: Re: fediz production
From: Matthew Broadhead
To: users@cxf.apache.org
Date: Tue, 24 Oct 2017 13:57:43 +0200
Message-ID: <0c60e41a-2977-3f60-8a25-d024dfedab46@nbmlaw.co.uk>
In-Reply-To: <7945a2d3-ac72-a608-c306-9ff278a5a46a@nbmlaw.co.uk>

I spoke too soon. I am completely stuck with the same stack trace and no amount of reloading the certificates is helping.  Is there any way to debug what the actual problem is?

2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
    at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
    at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
    at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
    at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
    at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
    at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
    at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
    at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
    at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
    at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
    at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
    at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
    at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
    at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
    at org.springframework.webflow.engine.State.enter(State.java:193)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
    at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
    at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
    at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
    at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
    at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
    at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
    at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
    at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
    at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
    at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Flow.start(Flow.java:527)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
    at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
    at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
    at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
    at org.springframework.webflow.engine.State.enter(State.java:194)
    at org.springframework.webflow.engine.Flow.start(Flow.java:527)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
    at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
    at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
    at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
    at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
    ... 154 more
Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
    at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
    at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
    at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
    at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
    at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
    ... 155 more
2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction  - Error in retrieving a token

On 23/10/2017 19:41, Matthew Broadhead wrote:
> Thanks for your help Colm.
> I now have it working using the production certificate by following this example
> https://stackoverflow.com/a/2141229/3052312 to export the pems into jks files.
>
> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks into
> webapps/idp/WEB-INF/classes as well as having them in catalina base.  This seems
> impractical in production as the certificates get reissued every 6 months.  Is it
> possible for sec:keyStore to define the resource as being in catalina base?
>
> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>> sec:certStore that works with PEM files, but only for TrustStores I think.
>> As a workaround you can just use the Java keytool command to import your
>> PEM key/cert into a JKS keystore.
>>
>>> this document
>>> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>
>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>> version is on github:
>>
>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>
>> Colm.
>>
>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>
>>> Hi Colm,
>>>
>>> Is there any way for sec:keyStore to be pointed at a pem certificate
>>> instead of a java keystore?  Where is the documentation for sec:keyStore?
>>>
>>> Matt
>>>
>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>
>>>> I haven't used the APR connector. The following works for me in the tests,
>>>> perhaps you could duplicate this config and get it working first before
>>>> switching over to the APR connector:
>>>>
>>>>     protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>     SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>     sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>     keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>
>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>> communicate with the STS from the IdP. The truststore should contain the
>>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>>> private key of your IdP.
>>>>
>>>> Colm.
>>>>
>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>
>>>>> I am using my own certificate with APR in the tomcat server.xml.  I added
>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>> problem
>>>>>
>>>>>                  maxThreads="150" SSLEnabled="true">
>>>>>  />
>>>>>  certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>  certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>                            type="RSA" />
>>>>>
>>>>> I commented the trustManagers and keyManagers in
>>>>> services/idp/src/main/resources/cxf-tls.xml.  Could this be the problem?
>>>>> How would I use production certificates?
>>>>>
>>>>>               disableCNCheck="true">
>>>>>
>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>
>>>>>> ok...I fixed the last error by dropping the schema and restarting.
>>>>>> But now I have this
>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>       ...
>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>       at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>       at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>       ... 154 more
>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>>>>>>       at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>       ...
>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>
>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>
>>>>>>> ok I now have a different error and it doesn't load the login screen
>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>
>>>>>>> The previous one was caused by
>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>
>>>>>>> should have been
>>>>>>>  />
>>>>>>> according to original file
>>>>>>>
>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>
>>>>>>>> Hi Colm,
>>>>>>>> Yes I have:
>>>>>>>>
>>>>>>>> ...
>>>>>>>> ...
>>>>>>>>  />
>>>>>>>>  value="Fedizhelloworld" />
>>>>>>>>  value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>  value="https://localhost:?(\d)*/.*" />
>>>>>>>>  value="https://localhost:?(\d)*/.*" />
>>>>>>>>  ref="srv-fedizhelloworld" />
>>>>>>>>
>>>>>>>> etc.
>>>>>>>>
>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>>> Do you have an org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with
>>>>>>>>> realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am trying to
>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. It correctly
>>>>>>>>>> redirects to the login page and seems to authenticate ok
>>>>>>>>>>
>>>>>>>>>> but then I get the following error
>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=] for realm [] successfully cached.
>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>
>>>>>>>>>> Matthew
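The keystore/truststore split Colm describes in the thread (the IdP's private key in the keystore, the issuing certificate of the Tomcat instance hosting the STS in the truststore) and the PEM-to-keystore export Matthew ended up doing, as an added example that is not part of the thread and not code from Apache CXF Fediz: a POSIX shell script that builds both stores from PEM files with openssl, writes JKS copies under the thread's file names when keytool is on the PATH, and then checks the property that matters for the error being discussed, namely that the keystore really holds a private key entry (a store with certificates but no key is exactly what leaves the IdP with "no local certificates were negotiated" when the STS asks for a client certificate) and that the truststore validates the STS's server certificate. The throwaway CA, the name idp.example.test, the file names and the password changeit are constructed for this example; for a real deployment drop the make_test_pems step and put the Let's Encrypt privkey.pem, cert.pem and chain.pem in its place.

```shell
#!/bin/sh
# Added example (not code from the thread or from Apache CXF Fediz): build the
# IdP keystore and truststore from PEM files and check them before deploying.
#   keystore   = IdP private key + certificate + issuing chain (what the IdP
#                presents when the STS asks for a client certificate)
#   truststore = issuing certificate of the Tomcat instance hosting the STS
# Requires openssl; keytool is used only when it is on the PATH. Host name,
# file names, the throwaway CA and the password are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-changeit}"   # assumption: use the real store password

# Constructed stand-in for the Let's Encrypt material in the thread: a throwaway
# issuing CA (chain.pem) and an IdP key/certificate signed by it.
make_test_pems() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/chain.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=idp.example.test" \
    -keyout "$WORK/privkey.pem" -out "$WORK/idp.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/idp.csr" -CA "$WORK/chain.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Keystore: key, leaf and chain under one alias. sec:keyStore and Tomcat read
# PKCS12 directly, so the JKS conversion below is optional.
build_keystore() {
  openssl pkcs12 -export -name idp -inkey "$WORK/privkey.pem" -in "$WORK/cert.pem" \
    -certfile "$WORK/chain.pem" -passout "pass:$STOREPASS" -out "$WORK/idp-ssl-key.p12"
}

# Truststore: certificates only. Java treats PKCS12 certificate bags as trust
# anchors only when they carry the Java trust attribute, which OpenSSL 3.2+
# sets with -jdktrust; on older OpenSSL fall back to a plain export and use
# the keytool import in to_jks for the JDK-facing copy.
build_truststore() {
  openssl pkcs12 -export -nokeys -jdktrust anyExtendedKeyUsage -in "$WORK/chain.pem" \
    -passout "pass:$STOREPASS" -out "$WORK/idp-ssl-trust.p12" 2>/dev/null ||
  openssl pkcs12 -export -nokeys -in "$WORK/chain.pem" \
    -passout "pass:$STOREPASS" -out "$WORK/idp-ssl-trust.p12"
}

# Optional JKS copies under the file names used in the thread.
to_jks() {
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importkeystore -noprompt -srcstoretype PKCS12 -deststoretype JKS \
    -srckeystore "$WORK/idp-ssl-key.p12" -srcstorepass "$STOREPASS" \
    -destkeystore "$WORK/idp-ssl-key.jks" -deststorepass "$STOREPASS" >/dev/null 2>&1
  keytool -importcert -noprompt -trustcacerts -alias issuing-ca -file "$WORK/chain.pem" \
    -keystore "$WORK/idp-ssl-trust.jks" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Succeeds only if the store holds exactly one private key and at least the leaf
# and issuer certificates. A store with certificates but no key entry is what
# leaves the IdP with "no local certificates were negotiated".
verify_keystore() {
  keys=$(openssl pkcs12 -in "$1" -passin "pass:$STOREPASS" -nocerts -nodes 2>/dev/null |
         grep -c 'BEGIN.*PRIVATE KEY' || true)
  certs=$(openssl pkcs12 -in "$1" -passin "pass:$STOREPASS" -nokeys 2>/dev/null |
          grep -c 'BEGIN CERTIFICATE' || true)
  [ "$keys" -eq 1 ] && [ "$certs" -ge 2 ]
}

# Succeeds only if the truststore validates the given server certificate, i.e.
# the IdP would accept the STS's TLS certificate through it.
verify_truststore() {
  openssl pkcs12 -in "$1" -passin "pass:$STOREPASS" -nokeys 2>/dev/null > "$WORK/trusted.pem"
  openssl verify -CAfile "$WORK/trusted.pem" "$2" >/dev/null 2>&1
}

main() {
  make_test_pems
  build_keystore
  build_truststore
  to_jks
  verify_keystore "$WORK/idp-ssl-key.p12" ||
    { echo "keystore check FAILED: no usable private key entry" >&2; exit 1; }
  verify_truststore "$WORK/idp-ssl-trust.p12" "$WORK/cert.pem" ||
    { echo "truststore check FAILED: issuer of the server certificate missing" >&2; exit 1; }
  echo "stores verified and written to $WORK"
}
main
```

Run it as `sh build-stores.sh`; it prints the directory the stores were written to, and keystoreFile/truststoreFile in server.xml and the keyManagers/trustManagers keystores in cxf-tls.xml can then point at those files. To confirm that the STS side is actually asking for a client certificate, `openssl s_client -connect host:9443` prints an "Acceptable client certificate CA names" block when the server sends a CertificateRequest and "No client certificate CA names sent" when it does not; the second case means the IdP will never be asked to present its key, whatever the keystore contains.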