Subject: Re: fediz production
From: Matthew Broadhead
To: users@cxf.apache.org
Date: Wed, 25 Oct 2017 12:39:47 +0200

Hi Colm

Firstly, is there somewhere to see these instructions correctly formatted in HTML?
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Secondly, there is a massive difference between
https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
and
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
(SVN being the one linked from the main Fediz pages). On the SVN one it doesn't mention adding the MyTCRP.cer key to ststrust.jks.
I have some more things to try now so I will let you know if I get further.

On 25/10/2017 12:11, Colm O hEigeartaigh wrote:
> Why not try the simple Connector configuration I gave earlier but with your
> own keys?
>
> Colm.
>
> On Wed, Oct 25, 2017 at 11:04 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>
>> In Tomcat 8 https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 it says
>>
>> clientAuth
>> This is an alias for the certificateVerification attribute of the default
>> SSLHostConfig element.
>>
>> then
>>
>> certificateVerification
>> Set to required if you want the SSL stack to require a valid certificate
>> chain from the client before accepting a connection. Set to optional if you
>> want the SSL stack to request a client Certificate, but not fail if one
>> isn't presented. Set to optionalNoCA if you want client certificates to be
>> optional and you don't want Tomcat to check them against the list of
>> trusted CAs. If the TLS provider doesn't support this option (OpenSSL does,
>> JSSE does not) it is treated as if optional was specified. A none value
>> (which is the default) will not require a certificate chain unless the
>> client requests a resource protected by a security constraint that uses
>> CLIENT-CERT authentication.
>>
>> So I changed clientAuth="want" to clientAuth="required". Now I cannot
>> access the site at all with
>>
>> Secure Connection Failed
>> An error occurred during a connection to domain.tld:9443. SSL peer cannot
>> verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
>>
>> Maybe I should try using Tomcat 7?
>>
>> On 25/10/2017 11:42, Colm O hEigeartaigh wrote:
>>
>>> The problem is that your Tomcat container hosting the STS is not asking
>>> for client authentication. You can check this by using a web browser or
>>> curl to view the WSDL of the STS - if you can get it to work then the
>>> configuration is incorrect, as it should error on the browser not
>>> supplying a client cert.
>>>
>>> Colm.
>>>
>>> On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>
>>>> I spoke too soon. I am completely stuck with the same stack trace and no
>>>> amount of reloading the certificates is helping. Is there any way to
>>>> debug what the actual problem is?
>>>>
>>>> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
>>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
>>>>     at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
>>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
>>>>     at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
>>>>     at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>     at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:113)
>>>>     at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:129)
>>>>     at org.springframework.expression.spel.ast.MethodReference.access$000(MethodReference.java:49)
>>>>     at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:347)
>>>>     at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:88)
>>>>     at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:131)
>>>>     at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:297)
>>>>     at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
>>>>     at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
>>>>     at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>>     at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>>     at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>>     at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>>>>     at org.springframework.webflow.engine.State.enter(State.java:193)
>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>     at org.springframework.webflow.engine.SubflowState.handleEvent(SubflowState.java:116)
>>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.endActiveFlowSession(FlowExecutionImpl.java:414)
>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.endActiveFlowSession(RequestControlContextImpl.java:238)
>>>>     at org.springframework.webflow.engine.EndState.doEnter(EndState.java:107)
>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>     at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>>>>     at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
>>>>     at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
>>>>     at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>     at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:234)
>>>>     at org.springframework.webflow.engine.SubflowState.doEnter(SubflowState.java:101)
>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>     at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>>>>     at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
>>>>     at org.springframework.webflow.engine.State.enter(State.java:194)
>>>>     at org.springframework.webflow.engine.Flow.start(Flow.java:527)
>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>>>>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>>>>     at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>>>>     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:263)
>>>>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>>>>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
>>>>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>>>>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>>>>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements.doFilter(GrantedAuthorityEntitlements.java:97)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:74)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
>>>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
>>>>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>>>     at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:245)
>>>>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>>     at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:65)
>>>>     at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>     at java.lang.Thread.run(Thread.java:748)
>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>     ... 154 more
>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
>>>>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
>>>>     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>>>>     at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>>>>     at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>>>>     ... 155 more
>>>> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>
>>>> On 23/10/2017 19:41, Matthew Broadhead wrote:
>>>>
>>>>> Thanks for your help Colm. I now have it working using the production
>>>>> certificate by following this example https://stackoverflow.com/a/2141229/3052312
>>>>> to export the PEMs into JKS files.
>>>>>
>>>>> But in the end I also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>>>>> into webapps/idp/WEB-INF/classes as well as having them in catalina
>>>>> base. This seems impractical in production as the certificates get
>>>>> reissued every 6 months.
>>>>> Is it possible for sec:keyStore to define the resource as being
>>>>> in catalina base?
>>>>>
>>>>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>>>>> sec:certStore that works with PEM files, but only for TrustStores I
>>>>>> think. As a workaround you can just use the Java keytool command to
>>>>>> import your PEM key/cert into a JKS keystore.
>>>>>>
>>>>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>>>>
>>>>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>>>>> version is on github:
>>>>>>
>>>>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>
>>>>>>> Hi Colm,
>>>>>>>
>>>>>>> Is there any way for sec:keyStore to be pointed at a PEM certificate
>>>>>>> instead of a Java keystore? Where is the documentation for
>>>>>>> sec:keyStore?
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> I haven't used the APR connector. The following works for me in the
>>>>>>>> tests, perhaps you could duplicate this config and get it working
>>>>>>>> first before switching over to the APR connector:
>>>>>>>>
>>>>>>>> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>>>     maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>>>>>>>     clientAuth="want" sslProtocol="TLS"
>>>>>>>>     keystoreFile="idp-ssl-key.jks" keystorePass="tompass" keyPass="tompass"
>>>>>>>>     truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>>>>
>>>>>>>> Yes you will need to specify the truststore and keystore in
>>>>>>>> cxf-tls.xml to communicate with the STS from the IdP. The truststore
>>>>>>>> should contain the issuing cert of the Tomcat instance hosting your
>>>>>>>> STS + then the keystore the private key of your IdP.
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>
>>>>>>>>> I am using my own certificate with APR in the Tomcat server.xml. I
>>>>>>>>> added clientVerification="required" to SSLHostConfig but I still
>>>>>>>>> have the same problem
>>>>>>>>>
>>>>>>>>> maxThreads="150" SSLEnabled="true">
>>>>>>>>> />
>>>>>>>>> certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>>>> certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>>>> type="RSA" />
>>>>>>>>>
>>>>>>>>> I commented the trustManagers and keyManagers in
>>>>>>>>> services/idp/src/main/resources/cxf-tls.xml. Could this be the
>>>>>>>>> problem? How would I use production certificates?
>>>>>>>>>
>>>>>>>>> disableCNCheck="true">
>>>>>>>>>
>>>>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>>>>
>>>>>>>>>> OK... I fixed the last error by dropping the schema and restarting.
>>>>>>>>>>
>>>>>>>>>> But now I have this
>>>>>>>>>>
>>>>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>>>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>>>>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>>>>>     ...
>>>>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>>>>>     ... 154 more
>>>>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>>>>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>>>>>     ...
>>>>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>>>>
>>>>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>>>>
>>>>>>>>>>> OK, I now have a different error and it doesn't load the login screen
>>>>>>>>>>>
>>>>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>>>>
>>>>>>>>>>> The previous one was caused by
>>>>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>>>>>
>>>>>>>>>>> should have been
>>>>>>>>>>>
>>>>>>>>>>> />
>>>>>>>>>>>
>>>>>>>>>>> according to original file
>>>>>>>>>>>
>>>>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Colm,
>>>>>>>>>>>>
>>>>>>>>>>>> Yes I have:
>>>>>>>>>>>>
>>>>>>>>>>>> ...
>>>>>>>>>>>> />
>>>>>>>>>>>> value="Fedizhelloworld" />
>>>>>>>>>>>> />
>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>> value="https://localhost:?(\d)*/.*" />
>>>>>>>>>>>> ref="srv-fedizhelloworld" />
>>>>>>>>>>>>
>>>>>>>>>>>> etc.
>>>>>>>>>>>>
>>>>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Do you have an
>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity
>>>>>>>>>>>>> instance in your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml
>>>>>>>>>>>>> with realm "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <matthew.broadhead@nbmlaw.co.uk> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have Fediz working now on (e.g.) domain.tld:9443/idp and I am
>>>>>>>>>>>>>> trying to use it from localhost:9443/fedizhelloworld/secure/fedservlet.
>>>>>>>>>>>>>> It correctly redirects to the login page and seems to authenticate
>>>>>>>>>>>>>> OK, but then I get the following error
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=] for realm [] successfully cached.
>>>>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN >>>>>>>>>>>>>> org.apache.cxf.fediz.service.idp.beans.EndpointAddressValida >>>>>>>>>>>>>> tor >>>>>>>>>>>>>> - >>>>>>>>>>>>>> No >>>>>>>>>>>>>> service config found for urn:org:apache:cxf:fediz:fediz >>>>>>>>>>>>>> helloworld >>>>>>>>>>>>>> >>>>>>>>>>>>>> Matthew >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >