Fwd: Issues with getting Fediz up and running

[frank <fr...@gmail.com>]

Hi,

After having configured the IDP/STS and the RP sample, I run into the issue
that after the redirect to the IDP, a page with "*Access to the specified
resource (Requesting security token failed) has been forbidden.*" appears.
Tomcat's error trace suggests that there is something wrong with the
certificates.

Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target

Possibly this is caused by the rather unclear path to creating the
keystores. It would seem that creating tomcat-idp.jks and tomcat-rp.jks is
sufficient to get the web application up and running, but in this process
stsstore.jks also needs to be created for MyIDP.cer. Strangely enough,
fediz-config.xml points to stsstore.jks in the conf directory whereas the
table for the keystores states that fediz-config.xml point tot
tomcat-rp.jks, which according to the same table should be in the base
directory of the RP samples.

What is the way out of this situation? How can I get things up and running?
Any help would be appreciated.

I tried generating my own keystores as well as using the keystores provided
in the source code samples. Neither of these work.

Cheers,

Frank

Re: Fwd: Issues with getting Fediz up and running

[frank <fr...@gmail.com>]

Hi Glen,

I incorrectly assumed that I was using 10.0.1. I was using 10.0.0..

I redid the whole setup and made sure to stay as close to the instructions
as I could.

There are however a few minor things that do need some intervention. The
WARs in the package are called fediz-idp-1.0.1.war
and fediz-idp-sts-1.0.1.war respectively. Both need to be renamed prior to
deployment to (fedizidp.war and fedizidpsts.war).

The HTTPS configurations for the IDP/STS and the example plugin will not
work with the configurations as described on the web site. An error message
stating that the SSLCertificateFile parameter is required will appear. This
can be solved by changing the value of the protocol parameter on the SSL
configurations to "org.apache.coyote.http11.Http11Protocol".

Not so clear on the web site, but clearer from the README's that go with
the examples, the sample keystores need to be copied to the root of the
Tomcat installations for the IDP/STS and RP.

After that, things are fine and dandy!

Cheers,

Frank

On Fri, Aug 31, 2012 at 7:56 PM, Glen Mazza <gm...@talend.com> wrote:

> Oh, to clarify, Frank, for Fediz 1.0.1, you should not need to create any
> keys or make any keystore changes to get the samples to run--just use the
> sample app and Tomcat keystores provided in the 1.0.1 download, they are
> all there and already configured for you.
>
> It's only when you're moving to production do you need to create your own
> keystores, with different passwords, etc.
>
> Glen
>
>
> On 08/31/2012 01:42 PM, Glen Mazza wrote:
>
>> On 08/31/2012 01:19 PM, frank wrote:
>>
>>> Hi Glen,
>>>
>>> I have managed to get a but further in the process. As it turns out, the
>>> self-signed certificate for the IDP/STS needs to be added to the cacerts
>>> keystore of the JRE!!!
>>>
>>
>> Again, what version of Fediz are you using?  Setup/Key-wise, 1.0.0 and
>> 1.0.1 are as different as night and day--stick with 1.0.1. I've tested
>> Fediz 1.0.1 several times and never needed to add anything to the JRE's
>> cacerts, neither have others.  I don't think its good to deviate from the
>> instructions; rather, follow them to the letter and complain on this list
>> when it doesn't work--if the bug is on our side we'll either fix the
>> documentation or try to figure out why it's not working on your end.
>>
>> Adding the self-signed cert to the IDP/STS to the JRE's cacerts forms a
>> security hole because now *everything* using that JRE will trust the STS,
>> normally not something you want.  Further it makes it harder to see the
>> necessary (i.e., minimal) trust relationships within the system, making it
>> difficult for you to reproduce and deploy Fediz in different environments.
>>
>>
>>  Possible this is caused by the fact the the keystore
>>> is created using the -trustcacerts parameter. I.e. omitting it will
>>> probably obviate the need to add the certificate to JRE's keystore.
>>>
>>
>> No, the -trustcacerts setting just means import the public cert and not
>> the private key.  You *don't* want to be putting any external private key
>> in any truststore.  In a keystore/truststore combo, you'll just have the
>> single private key of the server or app and the public keys (-trustcacerts)
>> of whatever it's supposed to trust.
>>
>>
>>
>>
>>> However, further down the line (after a message exchange between IDP and
>>> STS), the same type of problem reappears. In an attempt to solve this, I
>>> have also added the RP certificate to the cacerts keystore, but this
>>> doesn't make the problem go away,
>>>
>>
>> Until you follow a formal process, namely, here:
>> http://svn.apache.org/viewvc/**cxf/fediz/trunk/examples/**samplekeys/**
>> HowToGenerateKeysREADME.html?**revision=1364769&view=co<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co>, you're just going to be slapping public certs in truststores left and
>> right until things seem to work, but it will be undocumentable and
>> unmaintainable, especially as you try to deploy on different environments.
>>  Getting the trust relationships right is just as important as getting the
>> samples to run.
>>
>> Regards,
>> Glen
>>
>>
>>> Any ideas would be appreciated.
>>>
>>> Cheers,
>>>
>>> Frank
>>>
>>> On Fri, Aug 31, 2012 at 6:22 PM, Glen Mazza <gm...@talend.com> wrote:
>>>
>>>  Hi, are you using Fediz 1.0.1?  It was released a couple of days ago,
>>>> featuring new sample keystores and several other changes. More comments
>>>> below:
>>>>
>>>>
>>>> On 08/31/2012 12:04 PM, frank wrote:
>>>>
>>>>  Hi,
>>>>>
>>>>> After having configured the IDP/STS and the RP sample, I run into the
>>>>> issue
>>>>> that after the redirect to the IDP, a page with "*Access to the
>>>>> specified
>>>>> resource (Requesting security token failed) has been forbidden.*"
>>>>> appears.
>>>>>
>>>>> Tomcat's error trace suggests that there is something wrong with the
>>>>> certificates.
>>>>>
>>>>> Caused by: sun.security.validator.****ValidatorException: PKIX path
>>>>> building
>>>>> failed: sun.security.provider.****certpath.****
>>>>> SunCertPathBuilderException:
>>>>> unable
>>>>> to find valid certification path to requested target
>>>>>
>>>>>  ... normally indicating a key was missing from a truststore
>>>>
>>>>
>>>>  Possibly this is caused by the rather unclear path to creating the
>>>>> keystores. It would seem that creating tomcat-idp.jks and
>>>>> tomcat-rp.jks is
>>>>> sufficient to get the web application up and running, but in this
>>>>> process
>>>>> stsstore.jks also needs to be created for MyIDP.cer.
>>>>>
>>>>>  Are you following this chart: http://svn.apache.org/viewvc/****<http://svn.apache.org/viewvc/**>
>>>> cxf/fediz/trunk/examples/****samplekeys/****
>>>> HowToGenerateKeysREADME.html?****
>>>> revision=1364769&view=co<http:**//svn.apache.org/viewvc/cxf/**
>>>> fediz/trunk/examples/**samplekeys/**HowToGenerateKeysREADME.html?**
>>>> revision=1364769&view=co<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co>>(and
>>>> using the sample Tomcat keys already provided in this folder?)
>>>>
>>>> Further, stsstore.jks does not need to be "created" (it does for
>>>> production, but not for running the sample), it should already be in the
>>>> STS war.
>>>>
>>>>
>>>>
>>>>   Strangely enough,
>>>>
>>>>> fediz-config.xml points to stsstore.jks in the conf directory whereas
>>>>> the
>>>>> table for the keystores states that fediz-config.xml point tot
>>>>> tomcat-rp.jks, which according to the same table should be in the base
>>>>> directory of the RP samples.
>>>>>
>>>>>  It shouldn't be doing that, in Fediz 1.0.1 is should be pointing to
>>>> tomcat-rp.jks:
>>>>
>>>> http://svn.apache.org/viewvc/****cxf/fediz/trunk/examples/**<http://svn.apache.org/viewvc/**cxf/fediz/trunk/examples/**>
>>>> simpleWebapp/src/main/config/****fediz_config.xml?revision=**
>>>> 1364755&view=markup<http://**svn.apache.org/viewvc/cxf/**
>>>> fediz/trunk/examples/**simpleWebapp/src/main/config/**
>>>> fediz_config.xml?revision=**1364755&view=markup<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml?revision=1364755&view=markup>>
>>>>
>>>>
>>>> I don't know why your version has it pointing to stsstore.jks. Fediz
>>>> 1.0.0
>>>> had it that way, but that was updated in 1.0.1.
>>>>
>>>> HTH,
>>>> Glen
>>>>
>>>>
>>>>
>>>>  What is the way out of this situation? How can I get things up and
>>>>> running?
>>>>> Any help would be appreciated.
>>>>>
>>>>> I tried generating my own keystores as well as using the keystores
>>>>> provided
>>>>> in the source code samples. Neither of these work.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Frank
>>>>>
>>>>>
>>>>>  --
>>>> Glen Mazza
>>>> Talend Community Coders - coders.talend.com
>>>> blog: www.jroller.com/gmazza
>>>>
>>>>
>>>>
>>
>>
>
> --
> Glen Mazza
> Talend Community Coders - coders.talend.com
> blog: www.jroller.com/gmazza
>
>

Re: Fwd: Issues with getting Fediz up and running

[Glen Mazza <gm...@talend.com>]

Oh, to clarify, Frank, for Fediz 1.0.1, you should not need to create 
any keys or make any keystore changes to get the samples to run--just 
use the sample app and Tomcat keystores provided in the 1.0.1 download, 
they are all there and already configured for you.

It's only when you're moving to production do you need to create your 
own keystores, with different passwords, etc.

Glen

On 08/31/2012 01:42 PM, Glen Mazza wrote:
> On 08/31/2012 01:19 PM, frank wrote:
>> Hi Glen,
>>
>> I have managed to get a but further in the process. As it turns out, the
>> self-signed certificate for the IDP/STS needs to be added to the cacerts
>> keystore of the JRE!!!
>
> Again, what version of Fediz are you using?  Setup/Key-wise, 1.0.0 and 
> 1.0.1 are as different as night and day--stick with 1.0.1. I've tested 
> Fediz 1.0.1 several times and never needed to add anything to the 
> JRE's cacerts, neither have others.  I don't think its good to deviate 
> from the instructions; rather, follow them to the letter and complain 
> on this list when it doesn't work--if the bug is on our side we'll 
> either fix the documentation or try to figure out why it's not working 
> on your end.
>
> Adding the self-signed cert to the IDP/STS to the JRE's cacerts forms 
> a security hole because now *everything* using that JRE will trust the 
> STS, normally not something you want.  Further it makes it harder to 
> see the necessary (i.e., minimal) trust relationships within the 
> system, making it difficult for you to reproduce and deploy Fediz in 
> different environments.
>
>
>> Possible this is caused by the fact the the keystore
>> is created using the -trustcacerts parameter. I.e. omitting it will
>> probably obviate the need to add the certificate to JRE's keystore.
>
> No, the -trustcacerts setting just means import the public cert and 
> not the private key.  You *don't* want to be putting any external 
> private key in any truststore.  In a keystore/truststore combo, you'll 
> just have the single private key of the server or app and the public 
> keys (-trustcacerts) of whatever it's supposed to trust.
>
>
>
>>
>> However, further down the line (after a message exchange between IDP and
>> STS), the same type of problem reappears. In an attempt to solve this, I
>> have also added the RP certificate to the cacerts keystore, but this
>> doesn't make the problem go away,
>
> Until you follow a formal process, namely, here: 
> http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co 
> , you're just going to be slapping public certs in truststores left 
> and right until things seem to work, but it will be undocumentable and 
> unmaintainable, especially as you try to deploy on different 
> environments.  Getting the trust relationships right is just as 
> important as getting the samples to run.
>
> Regards,
> Glen
>
>>
>> Any ideas would be appreciated.
>>
>> Cheers,
>>
>> Frank
>>
>> On Fri, Aug 31, 2012 at 6:22 PM, Glen Mazza <gm...@talend.com> wrote:
>>
>>> Hi, are you using Fediz 1.0.1?  It was released a couple of days ago,
>>> featuring new sample keystores and several other changes. More comments
>>> below:
>>>
>>>
>>> On 08/31/2012 12:04 PM, frank wrote:
>>>
>>>> Hi,
>>>>
>>>> After having configured the IDP/STS and the RP sample, I run into the
>>>> issue
>>>> that after the redirect to the IDP, a page with "*Access to the 
>>>> specified
>>>> resource (Requesting security token failed) has been forbidden.*" 
>>>> appears.
>>>>
>>>> Tomcat's error trace suggests that there is something wrong with the
>>>> certificates.
>>>>
>>>> Caused by: sun.security.validator.**ValidatorException: PKIX path
>>>> building
>>>> failed: 
>>>> sun.security.provider.**certpath.**SunCertPathBuilderException:
>>>> unable
>>>> to find valid certification path to requested target
>>>>
>>> ... normally indicating a key was missing from a truststore
>>>
>>>
>>>> Possibly this is caused by the rather unclear path to creating the
>>>> keystores. It would seem that creating tomcat-idp.jks and 
>>>> tomcat-rp.jks is
>>>> sufficient to get the web application up and running, but in this 
>>>> process
>>>> stsstore.jks also needs to be created for MyIDP.cer.
>>>>
>>> Are you following this chart: http://svn.apache.org/viewvc/**
>>> cxf/fediz/trunk/examples/**samplekeys/**HowToGenerateKeysREADME.html?**
>>> revision=1364769&view=co<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co>(and 
>>> using the sample Tomcat keys already provided in this folder?)
>>>
>>> Further, stsstore.jks does not need to be "created" (it does for
>>> production, but not for running the sample), it should already be in 
>>> the
>>> STS war.
>>>
>>>
>>>
>>>   Strangely enough,
>>>> fediz-config.xml points to stsstore.jks in the conf directory 
>>>> whereas the
>>>> table for the keystores states that fediz-config.xml point tot
>>>> tomcat-rp.jks, which according to the same table should be in the base
>>>> directory of the RP samples.
>>>>
>>> It shouldn't be doing that, in Fediz 1.0.1 is should be pointing to
>>> tomcat-rp.jks:
>>>
>>> http://svn.apache.org/viewvc/**cxf/fediz/trunk/examples/**
>>> simpleWebapp/src/main/config/**fediz_config.xml?revision=**
>>> 1364755&view=markup<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml?revision=1364755&view=markup> 
>>>
>>>
>>> I don't know why your version has it pointing to stsstore.jks. Fediz 
>>> 1.0.0
>>> had it that way, but that was updated in 1.0.1.
>>>
>>> HTH,
>>> Glen
>>>
>>>
>>>
>>>> What is the way out of this situation? How can I get things up and
>>>> running?
>>>> Any help would be appreciated.
>>>>
>>>> I tried generating my own keystores as well as using the keystores
>>>> provided
>>>> in the source code samples. Neither of these work.
>>>>
>>>> Cheers,
>>>>
>>>> Frank
>>>>
>>>>
>>> -- 
>>> Glen Mazza
>>> Talend Community Coders - coders.talend.com
>>> blog: www.jroller.com/gmazza
>>>
>>>
>
>


-- 
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza

Re: Fwd: Issues with getting Fediz up and running

[Glen Mazza <gm...@talend.com>]

On 08/31/2012 01:19 PM, frank wrote:
> Hi Glen,
>
> I have managed to get a but further in the process. As it turns out, the
> self-signed certificate for the IDP/STS needs to be added to the cacerts
> keystore of the JRE!!!

Again, what version of Fediz are you using?  Setup/Key-wise, 1.0.0 and 
1.0.1 are as different as night and day--stick with 1.0.1.  I've tested 
Fediz 1.0.1 several times and never needed to add anything to the JRE's 
cacerts, neither have others.  I don't think its good to deviate from 
the instructions; rather, follow them to the letter and complain on this 
list when it doesn't work--if the bug is on our side we'll either fix 
the documentation or try to figure out why it's not working on your end.

Adding the self-signed cert to the IDP/STS to the JRE's cacerts forms a 
security hole because now *everything* using that JRE will trust the 
STS, normally not something you want.  Further it makes it harder to see 
the necessary (i.e., minimal) trust relationships within the system, 
making it difficult for you to reproduce and deploy Fediz in different 
environments.


> Possible this is caused by the fact the the keystore
> is created using the -trustcacerts parameter. I.e. omitting it will
> probably obviate the need to add the certificate to JRE's keystore.

No, the -trustcacerts setting just means import the public cert and not 
the private key.  You *don't* want to be putting any external private 
key in any truststore.  In a keystore/truststore combo, you'll just have 
the single private key of the server or app and the public keys 
(-trustcacerts) of whatever it's supposed to trust.



>
> However, further down the line (after a message exchange between IDP and
> STS), the same type of problem reappears. In an attempt to solve this, I
> have also added the RP certificate to the cacerts keystore, but this
> doesn't make the problem go away,

Until you follow a formal process, namely, here: 
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co 
, you're just going to be slapping public certs in truststores left and 
right until things seem to work, but it will be undocumentable and 
unmaintainable, especially as you try to deploy on different 
environments.  Getting the trust relationships right is just as 
important as getting the samples to run.

Regards,
Glen

>
> Any ideas would be appreciated.
>
> Cheers,
>
> Frank
>
> On Fri, Aug 31, 2012 at 6:22 PM, Glen Mazza <gm...@talend.com> wrote:
>
>> Hi, are you using Fediz 1.0.1?  It was released a couple of days ago,
>> featuring new sample keystores and several other changes.  More comments
>> below:
>>
>>
>> On 08/31/2012 12:04 PM, frank wrote:
>>
>>> Hi,
>>>
>>> After having configured the IDP/STS and the RP sample, I run into the
>>> issue
>>> that after the redirect to the IDP, a page with "*Access to the specified
>>> resource (Requesting security token failed) has been forbidden.*" appears.
>>>
>>> Tomcat's error trace suggests that there is something wrong with the
>>> certificates.
>>>
>>> Caused by: sun.security.validator.**ValidatorException: PKIX path
>>> building
>>> failed: sun.security.provider.**certpath.**SunCertPathBuilderException:
>>> unable
>>> to find valid certification path to requested target
>>>
>> ... normally indicating a key was missing from a truststore
>>
>>
>>> Possibly this is caused by the rather unclear path to creating the
>>> keystores. It would seem that creating tomcat-idp.jks and tomcat-rp.jks is
>>> sufficient to get the web application up and running, but in this process
>>> stsstore.jks also needs to be created for MyIDP.cer.
>>>
>> Are you following this chart: http://svn.apache.org/viewvc/**
>> cxf/fediz/trunk/examples/**samplekeys/**HowToGenerateKeysREADME.html?**
>> revision=1364769&view=co<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co>(and using the sample Tomcat keys already provided in this folder?)
>>
>> Further, stsstore.jks does not need to be "created" (it does for
>> production, but not for running the sample), it should already be in the
>> STS war.
>>
>>
>>
>>   Strangely enough,
>>> fediz-config.xml points to stsstore.jks in the conf directory whereas the
>>> table for the keystores states that fediz-config.xml point tot
>>> tomcat-rp.jks, which according to the same table should be in the base
>>> directory of the RP samples.
>>>
>> It shouldn't be doing that, in Fediz 1.0.1 is should be pointing to
>> tomcat-rp.jks:
>>
>> http://svn.apache.org/viewvc/**cxf/fediz/trunk/examples/**
>> simpleWebapp/src/main/config/**fediz_config.xml?revision=**
>> 1364755&view=markup<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml?revision=1364755&view=markup>
>>
>> I don't know why your version has it pointing to stsstore.jks. Fediz 1.0.0
>> had it that way, but that was updated in 1.0.1.
>>
>> HTH,
>> Glen
>>
>>
>>
>>> What is the way out of this situation? How can I get things up and
>>> running?
>>> Any help would be appreciated.
>>>
>>> I tried generating my own keystores as well as using the keystores
>>> provided
>>> in the source code samples. Neither of these work.
>>>
>>> Cheers,
>>>
>>> Frank
>>>
>>>
>> --
>> Glen Mazza
>> Talend Community Coders - coders.talend.com
>> blog: www.jroller.com/gmazza
>>
>>


-- 
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza

Re: Fwd: Issues with getting Fediz up and running

[frank <fr...@gmail.com>]

Hi Glen,

I have managed to get a but further in the process. As it turns out, the
self-signed certificate for the IDP/STS needs to be added to the cacerts
keystore of the JRE!!! Possible this is caused by the fact the the keystore
is created using the -trustcacerts parameter. I.e. omitting it will
probably obviate the need to add the certificate to JRE's keystore.

However, further down the line (after a message exchange between IDP and
STS), the same type of problem reappears. In an attempt to solve this, I
have also added the RP certificate to the cacerts keystore, but this
doesn't make the problem go away,

Any ideas would be appreciated.

Cheers,

Frank

On Fri, Aug 31, 2012 at 6:22 PM, Glen Mazza <gm...@talend.com> wrote:

> Hi, are you using Fediz 1.0.1?  It was released a couple of days ago,
> featuring new sample keystores and several other changes.  More comments
> below:
>
>
> On 08/31/2012 12:04 PM, frank wrote:
>
>> Hi,
>>
>> After having configured the IDP/STS and the RP sample, I run into the
>> issue
>> that after the redirect to the IDP, a page with "*Access to the specified
>> resource (Requesting security token failed) has been forbidden.*" appears.
>>
>> Tomcat's error trace suggests that there is something wrong with the
>> certificates.
>>
>> Caused by: sun.security.validator.**ValidatorException: PKIX path
>> building
>> failed: sun.security.provider.**certpath.**SunCertPathBuilderException:
>> unable
>> to find valid certification path to requested target
>>
>
> ... normally indicating a key was missing from a truststore
>
>
>> Possibly this is caused by the rather unclear path to creating the
>> keystores. It would seem that creating tomcat-idp.jks and tomcat-rp.jks is
>> sufficient to get the web application up and running, but in this process
>> stsstore.jks also needs to be created for MyIDP.cer.
>>
>
> Are you following this chart: http://svn.apache.org/viewvc/**
> cxf/fediz/trunk/examples/**samplekeys/**HowToGenerateKeysREADME.html?**
> revision=1364769&view=co<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co>(and using the sample Tomcat keys already provided in this folder?)
>
> Further, stsstore.jks does not need to be "created" (it does for
> production, but not for running the sample), it should already be in the
> STS war.
>
>
>
>  Strangely enough,
>> fediz-config.xml points to stsstore.jks in the conf directory whereas the
>> table for the keystores states that fediz-config.xml point tot
>> tomcat-rp.jks, which according to the same table should be in the base
>> directory of the RP samples.
>>
>
> It shouldn't be doing that, in Fediz 1.0.1 is should be pointing to
> tomcat-rp.jks:
>
> http://svn.apache.org/viewvc/**cxf/fediz/trunk/examples/**
> simpleWebapp/src/main/config/**fediz_config.xml?revision=**
> 1364755&view=markup<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml?revision=1364755&view=markup>
>
> I don't know why your version has it pointing to stsstore.jks. Fediz 1.0.0
> had it that way, but that was updated in 1.0.1.
>
> HTH,
> Glen
>
>
>
>> What is the way out of this situation? How can I get things up and
>> running?
>> Any help would be appreciated.
>>
>> I tried generating my own keystores as well as using the keystores
>> provided
>> in the source code samples. Neither of these work.
>>
>> Cheers,
>>
>> Frank
>>
>>
>
> --
> Glen Mazza
> Talend Community Coders - coders.talend.com
> blog: www.jroller.com/gmazza
>
>

Re: Fwd: Issues with getting Fediz up and running

[Glen Mazza <gm...@talend.com>]

Hi, are you using Fediz 1.0.1?  It was released a couple of days ago, 
featuring new sample keystores and several other changes.  More comments 
below:

On 08/31/2012 12:04 PM, frank wrote:
> Hi,
>
> After having configured the IDP/STS and the RP sample, I run into the issue
> that after the redirect to the IDP, a page with "*Access to the specified
> resource (Requesting security token failed) has been forbidden.*" appears.
> Tomcat's error trace suggests that there is something wrong with the
> certificates.
>
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target

... normally indicating a key was missing from a truststore
>
> Possibly this is caused by the rather unclear path to creating the
> keystores. It would seem that creating tomcat-idp.jks and tomcat-rp.jks is
> sufficient to get the web application up and running, but in this process
> stsstore.jks also needs to be created for MyIDP.cer.

Are you following this chart: 
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co 
(and using the sample Tomcat keys already provided in this folder?)

Further, stsstore.jks does not need to be "created" (it does for 
production, but not for running the sample), it should already be in the 
STS war.


> Strangely enough,
> fediz-config.xml points to stsstore.jks in the conf directory whereas the
> table for the keystores states that fediz-config.xml point tot
> tomcat-rp.jks, which according to the same table should be in the base
> directory of the RP samples.

It shouldn't be doing that, in Fediz 1.0.1 is should be pointing to 
tomcat-rp.jks:

http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml?revision=1364755&view=markup

I don't know why your version has it pointing to stsstore.jks. Fediz 
1.0.0 had it that way, but that was updated in 1.0.1.

HTH,
Glen

>
> What is the way out of this situation? How can I get things up and running?
> Any help would be appreciated.
>
> I tried generating my own keystores as well as using the keystores provided
> in the source code samples. Neither of these work.
>
> Cheers,
>
> Frank
>


-- 
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza