Posted to users@cxf.apache.org by tazouxme <jo...@gmail.com> on 2015/08/23 00:00:38 UTC

Sorry, CXF Fediz IDP cannot satisfy your request.

Hi everybody.

I'm facing problems with the STS.
Let me explain what I did and which errors are appearing...

So I have two projects
- IDP
- STS

Both are located in a Tomcat 8 container. This container has the following
SSL config in the server.xml file

<Connector 
SSLEnabled="true" 
clientAuth="want" 
maxThreads="150" 
port="9443" 
protocol="org.apache.coyote.http11.Http11NioProtocol" 
scheme="https" 
secure="true" 
sslProtocol="TLS" 
SSLVerifyClient="optional"
keystoreFile="E:\Certificates\identity-provider\tazouxme-idp-key.jks" 
keystorePass="tompass"
truststoreFile="E:\Certificates\identity-provider\tazouxme-idp-trust.jks"
truststorePass="ispass"
truststoreType="JKS" />

All ports begin with 9*.

I launch my Tomcat and try to access Metadata and WSDL.
Here are the results:

- When I want to access the Metadata (via the IdP URL), it's fine; the XML
is displayed correctly.
- When I want to access the WSDL (via the STS URL), it's not displayed!

I understand that the server requires the client certificate.
It seems that this step does not work... I'm using Firefox.

So here I'm blocked, and if I want to connect a webapp to the IdP system, it
does not work after setting the credentials in the Authentication box. The
following page is displayed:

Sorry, CXF Fediz IDP cannot satisfy your request.
Reason : IDP is unavailable, please contact the administrator

And the root cause Exception is:

Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
	at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:136)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1739)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1292)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1262)
	at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:211)
	at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
	at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
	at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
	at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
	at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
	at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
	... 177 more

Do you have any idea how to solve this server-client cert. request?

Thanks again for your big help !!
Joël



--
View this message in context: http://cxf.547215.n5.nabble.com/Sorry-CXF-Fediz-IDP-cannot-satisfy-your-request-tp5760366.html
Sent from the cxf-user mailing list archive at Nabble.com.
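As an added diagnostic example (my code, not from the thread, CXF or Fediz): the CXF check that produces the UntrustedURLConnectionIOException above is simply whether the TLS session has any local certificates, i.e. whether a client certificate was actually sent during the handshake. The Java program below performs the same handshake with plain JSSE from a JKS key store and trust store, then reports what was negotiated. The file names, passwords, host and port are placeholders shaped like the values in the thread.

```java
// Added example, not from the thread or from CXF/Fediz: perform the TLS
// handshake that the IdP's HTTP conduit would perform and report whether a
// client certificate was negotiated. All paths, passwords, host and port are
// placeholders to be replaced with the values from the conduit configuration.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertHandshakeCheck {

    /** Loads a JKS store; the store password is the password="..." of <sec:keyStore>. */
    static KeyStore loadJks(String path, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /** Builds the same kind of SSLContext CXF derives from <sec:keyManagers> and <sec:trustManagers>. */
    static SSLContext buildContext(String keyStorePath, char[] storePassword, char[] keyPassword,
                                   String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // keyPassword corresponds to keyPassword="..." on <sec:keyManagers>, not to the store password
        kmf.init(loadJks(keyStorePath, storePassword), keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustStorePassword));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Returns true if the handshake negotiated a client certificate, which is what CXF requires. */
    static boolean clientCertNegotiated(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake(); // throws SSLHandshakeException (e.g. PKIX) if the server cert is not trusted
            SSLSession session = socket.getSession();
            for (Certificate c : session.getPeerCertificates()) {
                System.out.println("server presented: " + ((X509Certificate) c).getSubjectX500Principal());
            }
            Certificate[] local = session.getLocalCertificates(); // null when no client cert was sent
            if (local == null) {
                System.out.println("no client certificate sent: the server did not request one,"
                        + " or none of its accepted issuers matched a key in the key store");
                return false;
            }
            System.out.println("client certificate sent: " + ((X509Certificate) local[0]).getSubjectX500Principal());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values mirroring the <http:conduit> shape used by the Fediz IdP.
        SSLContext ctx = buildContext(
                "idp-ssl-key.jks", "tompass".toCharArray(), "tompass".toCharArray(),
                "idp-ssl-trust.jks", "ispass".toCharArray());
        try {
            boolean ok = clientCertNegotiated(ctx, "localhost", 9443);
            System.out.println(ok ? "mutual TLS OK"
                    : "server-only TLS: CXF would reject this with RequireClientCertificate");
        } catch (SSLHandshakeException e) {
            // Same failure class as 'PKIX path validation failed': the trust store does not trust the served cert.
            System.out.println("handshake failed: " + e.getMessage());
        }
    }
}
```

Two caveats worth keeping in mind when reading the result. In a JSSE connector such as the Http11NioProtocol one in the server.xml above, clientAuth="want" is the attribute that makes Tomcat send a CertificateRequest; SSLVerifyClient belongs to the APR/native connector and has no effect on a JSSE connector. And even when the request is sent, the JDK key manager only offers a client certificate whose issuer is in the server's accepted-issuer list, which for self-signed certificates means the client's own certificate must already be present in the server's truststoreFile; otherwise getLocalCertificates() returns null and CXF raises exactly the error quoted above.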

Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by tazouxme <jo...@gmail.com>.
Let's imagine I modify the default realm to "TAZOUXME".
I modified it everywhere it's needed.

Then I do it correctly. I think I do... :)

Anyway, I just wanted to test the Single Sign Out with my already existing
self-signed certificates.
I will move back to Fediz 1.0 as I made it work without trouble.

Thanks a lot for all your effort and help, really appreciated!!
Joël





Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by Colm O hEigeartaigh <co...@apache.org>.
The problem is that you are not following the HowToGenerateKeysREADME.html
exactly. The default realm is "Realm A" and so you need to generate a key
for this realm + import the cert into tazouxme-trust.jks. I got it working
with the default realm A cert by just doing:

keytool -import -trustcacerts -keystore tazouxme-trust.jks -storepass storepass -alias realma -file realma.cert -noprompt

+ then copy tazouxme-trust.jks into the Tomcat RP module (as well as the
STS webapp). You also have to add in "tazouxme-trust.jks" to
stsTruststore.properties in the STS if you haven't already.

Colm.

On Wed, Aug 26, 2015 at 3:42 PM, tazouxme <jo...@gmail.com> wrote:

> I followed the instructions from the web file HowToGenerateKeysREADME.html.
> Here are the steps
>
> keytool -genkeypair -validity 730 -alias tazouxmeidp -keystore D:\Certificates\tazouxme\tazouxme-idp-tomcat.jks -dname "cn=localhost" -keypass tompass -storepass tompass -keysize 2048 -keyalg RSA
>
> keytool -keystore D:\Certificates\tazouxme\tazouxme-idp-tomcat.jks -storepass tompass -export -alias tazouxmeidp -file D:\Certificates\tazouxme\tazouxmeidp.crt
>
> keytool -genkeypair -validity 730 -alias tazouxmerp -keystore D:\Certificates\tazouxme\tazouxme-rp-tomcat.jks -dname "cn=localhost" -keypass tompass -storepass tompass -keysize 2048 -keyalg RSA
>
> keytool -keystore D:\Certificates\tazouxme\tazouxme-rp-tomcat.jks -storepass tompass -export -alias tazouxmerp -file D:\Certificates\tazouxme\tazouxmerp.crt
>
> keytool -import -trustcacerts -keystore D:\Certificates\tazouxme\tazouxme-idp-trust.jks -storepass ispass -alias tazouxmeidp -file D:\Certificates\tazouxme\tazouxmeidp.crt -noprompt
>
> keytool -genkeypair -keyalg RSA -validity 3600 -alias tazouxme -keystore D:\Certificates\tazouxme\tazouxme.jks -dname "cn=TAZOUXME" -keypass tazouxme -storepass storepass -keysize 2048
>
> keytool -export -rfc -keystore D:\Certificates\tazouxme\tazouxme.jks -storepass storepass -alias tazouxme -file D:\Certificates\tazouxme\tazouxme.crt
>
> keytool -import -trustcacerts -keystore D:\Certificates\tazouxme\tazouxme-trust.jks -storepass storepass -alias tazouxme -file D:\Certificates\tazouxme\tazouxme.crt -noprompt
>
> keytool -import -trustcacerts -keystore D:\Certificates\tazouxme\tazouxme-trust.jks -storepass storepass -alias tazouxmerp -file D:\Certificates\tazouxme\tazouxmerp.crt -noprompt
>
> And I finally added the *.crt files to the JRE cacerts to make it work.
>
> In the <http:conduit> are present
> - tazouxme-idp-tomcat.jks in <keyManagers>
> - tazouxme-idp-trust.jks in <trustManagers>
>
> In IDP tomcat I set
> - tazouxme-idp-tomcat.jks
> - tazouxme-idp-trust.jks
>
> In RP tomcat I set
> - tazouxme-rp-tomcat.jks
>
> In IDP Webapp I put
> - tazouxme-idp-tomcat.jks
> - tazouxme-idp-trust.jks
> - tazouxme.jks
>
> In STS Webapp I put
> - tazouxme.jks
> - tazouxme-trust.jks
>
> So finally in the RP Webapp is present
> - tazouxme-trust.jks
>
> So here you have all aliases and passwords needed to test.
> If it works then my complete IdP is bugged and I will have to rebuild it...
>
> Joël
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
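As an added example (my code, not from the thread, CXF or Fediz), here is a Java check for the situation Colm describes: a trust store that does not hold the certificate the server actually serves. It loads a JKS trust store and a certificate file exported with keytool -export (DER, or PEM with -rfc) and classifies the pair. The file names and password are placeholders. The STALE verdict corresponds to the "PKIX path validation failed ... signature check failed / Signature does not match" trace quoted later in this thread, which the JDK reports when a trusted entry carries the served certificate's subject but a different key, typically because the key pair was regenerated after the old certificate had been imported.

```java
// Added example, not from the thread or from CXF/Fediz: check whether the
// certificate a server actually presents (exported to a file with
// keytool -export, DER or -rfc PEM) is the one held in a JKS trust store.
// File names and the password below are placeholders.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class TrustStoreMatchCheck {

    static X509Certificate readCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** SHA-256 fingerprint in the colon-separated form keytool -list -v prints. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02X:", b));
        }
        return sb.substring(0, sb.length() - 1);
    }

    /**
     * Classifies the served certificate against the trust store:
     *  MATCH    - an identical certificate is present (alias reported)
     *  SAME KEY - a different certificate with the same subject whose key verifies the served
     *             certificate's signature; PKIX validation would still succeed
     *  STALE    - an entry with the same subject whose key does NOT verify the signature;
     *             this is the 'Signature does not match' case
     *  ABSENT   - no entry with this subject at all; keytool -import is needed
     */
    static String classify(KeyStore trustStore, X509Certificate served) throws Exception {
        String verdict = "ABSENT";
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate entry = trustStore.getCertificate(alias);
            if (!(entry instanceof X509Certificate)) {
                continue; // key entries without a certificate chain, or non-X.509 entries
            }
            X509Certificate trusted = (X509Certificate) entry;
            if (trusted.equals(served)) {
                return "MATCH (alias " + alias + ")";
            }
            if (trusted.getSubjectX500Principal().equals(served.getSubjectX500Principal())) {
                try {
                    // The same check the PKIX validator performs once it picks this entry as the anchor.
                    served.verify(trusted.getPublicKey());
                    verdict = "SAME KEY (alias " + alias + ": different certificate, signature verifies)";
                } catch (GeneralSecurityException e) {
                    verdict = "STALE (alias " + alias + ": same subject, different key)";
                }
            }
        }
        return verdict;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: the trust store the STS/RP side uses and the cert the server serves.
        KeyStore trustStore = loadJks("tazouxme-trust.jks", "storepass".toCharArray());
        X509Certificate served = readCert("served.crt");
        System.out.println("served subject    : " + served.getSubjectX500Principal());
        System.out.println("served fingerprint: " + sha256Fingerprint(served));
        System.out.println("verdict           : " + classify(trustStore, served));
    }
}
```

Run it once per trust store that is supposed to trust the STS or IdP (the STS webapp's, the RP module's and, if the IdP fetches the WSDL over HTTPS, the IdP conduit's), passing the certificate exported from the key store that the Tomcat connector actually serves. A STALE verdict means an older certificate with the same DN is still imported; remove that alias with keytool -delete before re-importing, because keytool will otherwise refuse the duplicate alias and leave the old entry in place.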

Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by tazouxme <jo...@gmail.com>.
I followed the instructions from the web file HowToGenerateKeysREADME.html.
Here are the steps:

keytool -genkeypair -validity 730 -alias tazouxmeidp -keystore D:\Certificates\tazouxme\tazouxme-idp-tomcat.jks -dname "cn=localhost" -keypass tompass -storepass tompass -keysize 2048 -keyalg RSA

keytool -keystore D:\Certificates\tazouxme\tazouxme-idp-tomcat.jks -storepass tompass -export -alias tazouxmeidp -file D:\Certificates\tazouxme\tazouxmeidp.crt

keytool -genkeypair -validity 730 -alias tazouxmerp -keystore D:\Certificates\tazouxme\tazouxme-rp-tomcat.jks -dname "cn=localhost" -keypass tompass -storepass tompass -keysize 2048 -keyalg RSA

keytool -keystore D:\Certificates\tazouxme\tazouxme-rp-tomcat.jks -storepass tompass -export -alias tazouxmerp -file D:\Certificates\tazouxme\tazouxmerp.crt

keytool -import -trustcacerts -keystore D:\Certificates\tazouxme\tazouxme-idp-trust.jks -storepass ispass -alias tazouxmeidp -file D:\Certificates\tazouxme\tazouxmeidp.crt -noprompt

keytool -genkeypair -keyalg RSA -validity 3600 -alias tazouxme -keystore D:\Certificates\tazouxme\tazouxme.jks -dname "cn=TAZOUXME" -keypass tazouxme -storepass storepass -keysize 2048

keytool -export -rfc -keystore D:\Certificates\tazouxme\tazouxme.jks -storepass storepass -alias tazouxme -file D:\Certificates\tazouxme\tazouxme.crt

keytool -import -trustcacerts -keystore D:\Certificates\tazouxme\tazouxme-trust.jks -storepass storepass -alias tazouxme -file D:\Certificates\tazouxme\tazouxme.crt -noprompt

keytool -import -trustcacerts -keystore D:\Certificates\tazouxme\tazouxme-trust.jks -storepass storepass -alias tazouxmerp -file D:\Certificates\tazouxme\tazouxmerp.crt -noprompt

And I finally added the *.crt files to the JRE cacerts to make it work.

In the <http:conduit> are present
- tazouxme-idp-tomcat.jks in <keyManagers>
- tazouxme-idp-trust.jks in <trustManagers>

In IDP tomcat I set
- tazouxme-idp-tomcat.jks 
- tazouxme-idp-trust.jks

In RP tomcat I set
- tazouxme-rp-tomcat.jks

In IDP Webapp I put
- tazouxme-idp-tomcat.jks 
- tazouxme-idp-trust.jks
- tazouxme.jks

In STS Webapp I put
- tazouxme.jks
- tazouxme-trust.jks

So finally in the RP Webapp is present
- tazouxme-trust.jks

So here you have all aliases and passwords needed to test.
If it works then my complete IdP is bugged and I will have to rebuild it...

Joël




Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by Colm O hEigeartaigh <co...@apache.org>.
Are your self-signed keys/certs just for testing purposes? If so you could
attach them + I'll try to reproduce with the simpleWebapp demo.

Colm.

On Wed, Aug 26, 2015 at 1:22 PM, tazouxme <jo...@gmail.com> wrote:

> Yes the applicationContext is correctly set.
> I deeply debugged to understand how the HTTPConduit is built and it seems
> that the <http:conduit> config is not considered...
>
> Here are the calls I found during the debug:
>
> PhaseInterceptorChain::doIntercept
>         MessageSenderInterceptor::handleMessage
>         HTTPConduit::prepare
>                 URLConnectionHTTPConduit::setupConnection --> message.put(KEY_HTTP_CONNECTION, connection);
>                         URLConnectionHTTPConduit::createConnection
>                         HttpsURLConnectionFactory::createConnection --> tlsClientParameters == null
>                                 HttpsURLConnectionFactory::decorateWithTLS --> socketFactory == null --> keyManagers == null
>                 URLConnectionHTTPConduit::createOutputStream
>                         new URLConnectionWrappedOutputStream
>         ...
>         SAAJOutInterceptor::handleMessage
>         ...
>         UTF8Writer::mOut <- URLConnectionWrappedOutputStream
>         ...
>         URLConnectionWrappedOutputStream::getHttpsURLConnectionInfo --> returns new HttpsURLConnectionInfo with empty localCertificates
>
> Is it a normal behavior? Is there something I don't understand or I
> misunderstand?
>
>
>




Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by tazouxme <jo...@gmail.com>.
Yes the applicationContext is correctly set.
I deeply debugged to understand how the HTTPConduit is built and it seems
that the <http:conduit> config is not considered...

Here are the calls I found during the debug:

PhaseInterceptorChain::doIntercept
	MessageSenderInterceptor::handleMessage
	HTTPConduit::prepare
		URLConnectionHTTPConduit::setupConnection --> message.put(KEY_HTTP_CONNECTION, connection);
			URLConnectionHTTPConduit::createConnection
			HttpsURLConnectionFactory::createConnection --> tlsClientParameters == null
				HttpsURLConnectionFactory::decorateWithTLS --> socketFactory == null --> keyManagers == null
		URLConnectionHTTPConduit::createOutputStream
			new URLConnectionWrappedOutputStream
	...
	SAAJOutInterceptor::handleMessage
	...
	UTF8Writer::mOut <- URLConnectionWrappedOutputStream
	...
	URLConnectionWrappedOutputStream::getHttpsURLConnectionInfo --> returns new HttpsURLConnectionInfo with empty localCertificates

Is it a normal behavior? Is there something I don't understand or I
misunderstand?




Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by Colm O hEigeartaigh <co...@apache.org>.
The error is thrown when the IdP is trying to contact the STS. Have you
updated the IdP TLS configuration in
webapps/fediz-idp/WEB-INF/applicationContext.xml?

<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
        </sec:keyManagers>
    </http:tlsClientParameters>
</http:conduit>

Colm.



On Tue, Aug 25, 2015 at 6:32 PM, tazouxme <jo...@gmail.com> wrote:

> Hi Colm,
>
> So I tried with delivered IDP/STS. Here is another Exception
>
> org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
>         at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:87)
>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.createClient(AbstractSTSClient.java:646)
>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:728)
>         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:61)
>         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:55)
>         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:51)
>         at com.tazouxme.security.saml.idp.authentication.provider.STSUPAuthenticationProvider.handleUsernamePassword(STSUPAuthenticationProvider.java:74)
>         at com.tazouxme.security.saml.idp.authentication.provider.STSUPAuthenticationProvider.authenticate(STSUPAuthenticationProvider.java:59)
>         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
>         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
>         at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:177)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>         at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>         at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:96)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>         at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>         at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>         at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>         at com.tazouxme.security.saml.idp.STSPortFilter.doFilter(STSPortFilter.java:56)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>         at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
>         at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
>         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>         at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:151)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
>         at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1517)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1474)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Unknown Source)
> Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://localhost:9443/tazouxme-security-saml-sts/REALMA/STSServiceTransportUT?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
>         at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2198)
>         at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2390)
>         at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2422)
>         at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:231)
>         at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:163)
>         at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:85)
>         ... 58 more
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
>         at sun.security.ssl.Alerts.getSSLException(Unknown Source)
>         at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
>         at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>         at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>         at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>         at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>         at sun.security.ssl.Handshaker.process_record(Unknown Source)
>         at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>         at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>         at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
>         at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
>         at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>         at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
>         at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
>         at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
>         at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
>         at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2188)
>         ... 63 more
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
>         at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
>         at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>         at sun.security.validator.Validator.validate(Unknown Source)
>         at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>         ... 84 more
> Caused by: java.security.cert.CertPathValidatorException: signature check failed
>         at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
>         at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
>         at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown Source)
>         at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
>         at java.security.cert.CertPathValidator.validate(Unknown Source)
>         ... 90 more
> Caused by: java.security.SignatureException: Signature does not match.
>         at sun.security.x509.X509CertImpl.verify(Unknown Source)
>         at sun.security.provider.certpath.BasicChecker.verifySignature(Unknown Source)
>         at sun.security.provider.certpath.BasicChecker.check(Unknown Source)
>         ... 95 more
>
> Joël
>
>
>




Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by tazouxme <jo...@gmail.com>.
One last StackTrace when I work with my own self-signed certificates.
This occurs if I try to display the WSDL in Firefox (sorry it's French :)

org.apache.cxf.interceptor.Fault: java.io.IOException: Une connexion existante a dû être fermée par l’hôte distant
	at org.apache.cxf.frontend.WSDLGetOutInterceptor.handleMessage(WSDLGetOutInterceptor.java:61)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
	at org.apache.cxf.interceptor.OutgoingChainInterceptor.handleMessage(OutgoingChainInterceptor.java:83)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
	at org.apache.cxf.phase.PhaseInterceptorChain.doInterceptStartingAt(PhaseInterceptorChain.java:470)
	at org.apache.cxf.frontend.WSDLGetInterceptor.handleMessage(WSDLGetInterceptor.java:97)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:151)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
	at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1517)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1474)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Unknown Source)
Caused by: com.ctc.wstx.exc.WstxIOException: java.io.IOException: Une connexion existante a dû être fermée par l’hôte distant
	at com.ctc.wstx.sw.BaseNsStreamWriter.doWriteAttr(BaseNsStreamWriter.java:519)
	at com.ctc.wstx.sw.SimpleNsStreamWriter.writeAttribute(SimpleNsStreamWriter.java:88)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:1004)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:920)
	at org.apache.cxf.staxutils.StaxUtils.writeNode(StaxUtils.java:1057)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:1022)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:920)
	at org.apache.cxf.staxutils.StaxUtils.writeNode(StaxUtils.java:1057)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:1022)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:920)
	at org.apache.cxf.staxutils.StaxUtils.writeNode(StaxUtils.java:1057)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:1022)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:920)
	at org.apache.cxf.staxutils.StaxUtils.writeNode(StaxUtils.java:1057)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:1022)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:920)
	at org.apache.cxf.staxutils.StaxUtils.writeNode(StaxUtils.java:1057)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:1022)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:920)
	at org.apache.cxf.staxutils.StaxUtils.writeNode(StaxUtils.java:1057)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:1022)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:920)
	at org.apache.cxf.staxutils.StaxUtils.writeNode(StaxUtils.java:1057)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:1022)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:920)
	at org.apache.cxf.staxutils.StaxUtils.writeNode(StaxUtils.java:1057)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:1022)
	at org.apache.cxf.staxutils.StaxUtils.writeElement(StaxUtils.java:920)
	at org.apache.cxf.staxutils.StaxUtils.writeNode(StaxUtils.java:1057)
	at org.apache.cxf.staxutils.StaxUtils.writeDocument(StaxUtils.java:898)
	at org.apache.cxf.frontend.WSDLGetOutInterceptor.handleMessage(WSDLGetOutInterceptor.java:56)
	... 42 more
Caused by: org.apache.catalina.connector.ClientAbortException: java.io.IOException: Une connexion existante a dû être fermée par l’hôte distant
	at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:393)
	at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:426)
	at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:339)
	at org.apache.catalina.connector.OutputBuffer.writeBytes(OutputBuffer.java:418)
	at org.apache.catalina.connector.OutputBuffer.write(OutputBuffer.java:406)
	at org.apache.catalina.connector.CoyoteOutputStream.write(CoyoteOutputStream.java:97)
	at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:51)
	at com.ctc.wstx.io.UTF8Writer.write(UTF8Writer.java:143)
	at com.ctc.wstx.sw.BufferingXmlWriter.flushBuffer(BufferingXmlWriter.java:1405)
	at com.ctc.wstx.sw.BufferingXmlWriter.writeAttrValue(BufferingXmlWriter.java:1149)
	at com.ctc.wstx.sw.BufferingXmlWriter.writeAttribute(BufferingXmlWriter.java:1045)
	at com.ctc.wstx.sw.BaseNsStreamWriter.doWriteAttr(BaseNsStreamWriter.java:506)
	... 72 more
Caused by: java.io.IOException: Une connexion existante a dû être fermée par l’hôte distant
	at sun.nio.ch.SocketDispatcher.write0(Native Method)
	at sun.nio.ch.SocketDispatcher.write(Unknown Source)
	at sun.nio.ch.IOUtil.writeFromNativeBuffer(Unknown Source)
	at sun.nio.ch.IOUtil.write(Unknown Source)
	at sun.nio.ch.SocketChannelImpl.write(Unknown Source)
	at
org.apache.tomcat.util.net.SecureNioChannel.flush(SecureNioChannel.java:134)
	at
org.apache.tomcat.util.net.SecureNioChannel.write(SecureNioChannel.java:510)
	at
org.apache.tomcat.util.net.NioBlockingSelector.write(NioBlockingSelector.java:101)
	at
org.apache.tomcat.util.net.NioSelectorPool.write(NioSelectorPool.java:173)
	at
org.apache.coyote.http11.InternalNioOutputBuffer.writeToSocket(InternalNioOutputBuffer.java:139)
	at
org.apache.coyote.http11.InternalNioOutputBuffer.addToBB(InternalNioOutputBuffer.java:197)
	at
org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:41)
	at
org.apache.coyote.http11.InternalNioOutputBuffer$SocketOutputBuffer.doWrite(InternalNioOutputBuffer.java:320)
	at
org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:116)
	at
org.apache.coyote.http11.AbstractOutputBuffer.doWrite(AbstractOutputBuffer.java:256)
	at org.apache.coyote.Response.doWrite(Response.java:503)
	at
org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:388)
	... 83 more

Thanks again a lot for all your help !
Joël



--
View this message in context: http://cxf.547215.n5.nabble.com/Sorry-CXF-Fediz-IDP-cannot-satisfy-your-request-tp5760366p5760434.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by tazouxme <jo...@gmail.com>.
Hi Colm,

So I tried with delivered IDP/STS. Here is another Exception

org.apache.cxf.service.factory.ServiceConstructionException: Failed to
create service.
	at
org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:87)
	at
org.apache.cxf.ws.security.trust.AbstractSTSClient.createClient(AbstractSTSClient.java:646)
	at
org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:728)
	at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:61)
	at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:55)
	at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:51)
	at
com.tazouxme.security.saml.idp.authentication.provider.STSUPAuthenticationProvider.handleUsernamePassword(STSUPAuthenticationProvider.java:74)
	at
com.tazouxme.security.saml.idp.authentication.provider.STSUPAuthenticationProvider.authenticate(STSUPAuthenticationProvider.java:59)
	at
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
	at
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
	at
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:177)
	at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
	at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at
org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:96)
	at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at
org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
	at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
	at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
	at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at
com.tazouxme.security.saml.idp.STSPortFilter.doFilter(STSPortFilter.java:56)
	at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
	at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
	at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
	at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
	at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at
org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:151)
	at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
	at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
	at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
	at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
	at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
	at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
	at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
	at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
	at
org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
	at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1517)
	at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1474)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR:
Problem parsing
'https://localhost:9443/tazouxme-security-saml-sts/REALMA/STSServiceTransportUT?wsdl'.:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: signature check failed
	at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2198)
	at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2390)
	at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2422)
	at
org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:231)
	at
org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:163)
	at
org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:85)
	... 58 more
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: signature check failed
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker.process_record(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
	at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown
Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown
Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown
Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown
Source)
	at
com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(Unknown
Source)
	at
com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(Unknown
Source)
	at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown
Source)
	at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown
Source)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown
Source)
	at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown
Source)
	at
com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown
Source)
	at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2188)
	... 63 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation
failed: java.security.cert.CertPathValidatorException: signature check
failed
	at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
	... 84 more
Caused by: java.security.cert.CertPathValidatorException: signature check
failed
	at
sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown
Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown
Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(Unknown
Source)
	at
sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown
Source)
	at java.security.cert.CertPathValidator.validate(Unknown Source)
	... 90 more
Caused by: java.security.SignatureException: Signature does not match.
	at sun.security.x509.X509CertImpl.verify(Unknown Source)
	at sun.security.provider.certpath.BasicChecker.verifySignature(Unknown
Source)
	at sun.security.provider.certpath.BasicChecker.check(Unknown Source)
	... 95 more

Joël



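The chain at the bottom of the trace above (`PKIX path validation failed` → `CertPathValidatorException: signature check failed` → `SignatureException: Signature does not match`) is what the JDK reports when it does find an anchor in the trust store whose subject name matches the STS certificate's issuer, but the signature on the STS certificate does not verify under that anchor's public key; the usual cause is a CA that was regenerated with the same DN, so the trust store holds the old one. The script below is an added example, not from this thread or the Fediz distribution: it reproduces that condition offline with the openssl CLI (the only tool it assumes) and shows the check that tells two same-named CAs apart. The CA names, the `localhost` subject and the file names are all constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Fediz distribution).
# Reproduces, offline, the condition behind "PKIX path validation failed:
# ... signature check failed": the leaf was signed by one CA, but the trust
# store holds a different CA that merely has the same subject name. Path
# validation selects the anchor by name, then the signature over the leaf
# fails to verify under the anchor's public key.
# Assumes only the openssl CLI. All names and files below are constructed.
set -eu
WORK=$(mktemp -d)

# Self-signed CA with subject $2; key and cert written to $WORK/$1.{key,pem}
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf certificate for the STS host, issued by CA $1, written to $WORK/sts.pem
gen_leaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
        -keyout "$WORK/sts.key" -out "$WORK/sts.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/sts.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/sts.pem" 2>/dev/null
}

# SHA-256 over the DER-encoded public key of certificate $1: the value that
# distinguishes two CA certificates carrying identical subject names.
pubkey_digest() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Path validation of leaf $2 against trust anchor $1; prints "ok" or "fail".
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

gen_ca ca-real  "/CN=Demo IDP CA"   # the CA that actually signs the STS cert
gen_ca ca-stale "/CN=Demo IDP CA"   # same name, regenerated key: a stale trust store anchor
gen_leaf ca-real

echo "subject, real CA:  $(openssl x509 -in "$WORK/ca-real.pem"  -noout -subject)"
echo "subject, stale CA: $(openssl x509 -in "$WORK/ca-stale.pem" -noout -subject)"
echo "key digest, real CA:  $(pubkey_digest "$WORK/ca-real.pem")"
echo "key digest, stale CA: $(pubkey_digest "$WORK/ca-stale.pem")"
echo "verify against real CA:  $(verify_chain "$WORK/ca-real.pem"  "$WORK/sts.pem")"
echo "verify against stale CA: $(verify_chain "$WORK/ca-stale.pem" "$WORK/sts.pem")"
```

Run as-is it prints the two identical subjects, two different key digests, `ok` for the real CA and `fail` for the look-alike (the exact openssl error text varies by version). To apply the same comparison to a JKS trust store, export the suspect anchor with `keytool -exportcert -rfc -keystore idp-ssl-trust.jks -alias <alias> -file anchor.pem` (the alias is whatever `keytool -list` shows; it is a placeholder here) and capture the chain the STS actually presents with `openssl s_client -connect localhost:9443 -showcerts`, then run `pubkey_digest` on both and `openssl verify` as above.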

Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by Colm O hEigeartaigh <co...@apache.org>.
If you deploy the Fediz IDP + STS from the 1.2.1 release using the keys
provided in the distribution does it work? If not, then please detail the
exact steps you are following + I will try to reproduce it.

Colm.

On Tue, Aug 25, 2015 at 9:27 AM, tazouxme <jo...@gmail.com> wrote:

> Debugging, I found out that when building the SSL connection, it actually
> uses a DummyX509KeyManager, meaning the configuration was not loaded.
> TrustManager seems to be correctly loaded...
>
> Could be a bug?
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by tazouxme <jo...@gmail.com>.
Debugging, I found out that when building the SSL connection, it actually
uses a DummyX509KeyManager, meaning the configuration was not loaded.
TrustManager seems to be correctly loaded...

Could be a bug?




Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by tazouxme <jo...@gmail.com>.
Hi Colm,

Thanks for your reply. Unfortunately it does not work.
A really strange thing is that:

- If I have modules IDP + STS in the Tomcat container, I cannot see the WSDL
- If I have only the STS module in the Tomcat container, I can see the WSDL

There's something that I missed :)




Re: Sorry, CXF Fediz IDP cannot satisfy your request.

Posted by Colm O hEigeartaigh <co...@apache.org>.
I tried to access the WSDL of the STS using Fediz 1.2.1 and the same
configuration you have given and it worked fine. The only thing I spotted
was that you have omitted the "keyPass" value. Here is my working snippet
using the keys that ship with Fediz 1.2.1:

<Connector
SSLEnabled="true"
clientAuth="want"
maxThreads="150"
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
sslProtocol="TLS"
SSLVerifyClient="optional"
keystoreFile="idp-ssl-key.jks"
keystorePass="tompass"
keyPass="tompass"
truststoreFile="idp-ssl-trust.jks"
truststorePass="ispass"
truststoreType="JKS" />

Try adding in "keyPass" and see if it works. If it doesn't then try with
the keys that ship with Fediz (idp-ssl-key.jks + idp-ssl-trust.jks) and see
if that works.

Colm.

On Sat, Aug 22, 2015 at 11:00 PM, tazouxme <jo...@gmail.com> wrote:

> Hi everybody.
>
> I'm facing problems with the STS.
> Let me explain what I did and which errors are appearing...
>
> So I have two projects
> - IDP
> - STS
>
> Both are located in a Tomcat 8 container. This container has the following
> SSL config in the server.xml file
>
> <Connector
> SSLEnabled="true"
> clientAuth="want"
> maxThreads="150"
> port="9443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> scheme="https"
> secure="true"
> sslProtocol="TLS"
> SSLVerifyClient="optional"
> keystoreFile="E:\Certificates\identity-provider\tazouxme-idp-key.jks"
> keystorePass="tompass"
> truststoreFile="E:\Certificates\identity-provider\tazouxme-idp-trust.jks"
> truststorePass="ispass"
> truststoreType="JKS" />
>
> All ports begin with 9*.
>
> I launch my Tomcat and try to access Metadata and WSDL.
> Here are the results:
>
> - When I want to access the Metadata (via the idp url), it's fine; the XML
> is well displayed.
> - When I want to access the WSDL (via the sts url), it's not displayed!
>
> I understand that the server requires the client certificate.
> It seems that this step does not work... I'm using Firefox.
>
> So here I'm blocked and if I want to connect a webapp to the IdP system,
> it does not after setting the credentials in the Authentication box. The
> following page is displayed
>
> Sorry, CXF Fediz IDP cannot satisfy your request.
> Reason : IDP is unavailable, please contact the administrator
>
> And the root cause Exception is:
>
> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException:
> RequireClientCertificate is set, but no local certificates were negotiated.
> Is the server set to ask for client authorization?
>         at
>
> org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:136)
>         at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1739)
>         at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1292)
>         at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1262)
>         at
>
> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:211)
>         at
>
> org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>         at
>
> org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
>         at
>
> org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
>         at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
>         at
> com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
>         at
> com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
>         ... 177 more
>
> Do you have any idea how to solve this server-client cert. request?
>
> Thanks again for your big help !!
> Joël
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com