Posted to users@cxf.apache.org by Rajnish ravi <kr...@gmail.com> on 2015/08/24 07:05:08 UTC

What configuration needs to change when I use our own IDP certificate and relying party certificate.

Hi Team,
First of all, I would like to thank Jan, who helped me configure the IDP
through REST. Here is another question of mine. I have my own IDP certificate
(aticloud_atl_x509.cert) and I have the RP public certificate and private
key (devcacert.pem, devprivatekey.pem). Now I am generating the keystore and
truststore using the given link:
http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&view=co
and I am using a different keypass and storepass. Now I make changes in
server.xml and some configuration files of fediz-idp and fediz-idp-sts under
the IDP/STS Tomcat for my generated keystore, truststore and certificate. I
made configuration changes on the RP side as well for the new keystore,
truststore and certificate. Then I run the application. It's not running; it
seems it's not validating the certificate. Please suggest where I am going
wrong. My concern is: is there any other way to configure the above using
REST? Can someone explain the process clearly?
Hoping for a quick reply :)
-Raj

Re: What configuration needs to change when I use our own IDP certificate and relying party certificate.

Posted by Colm O hEigeartaigh <co...@apache.org>.
Where is the exception taking place? Is it when the client hits the IdP or
when the IdP is contacting the STS? You should be able to tell from the
Tomcat logs.

Generally speaking, you need to first configure TLS properly for the
endpoints in the conf/server.xml, e.g.:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS" keystoreFile="idp-ssl-key.jks"
           keystorePass="tompass" keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
           truststorePass="ispass" />

Then you need to configure TLS for the IdP client to contact the STS: edit
webapps/fediz-idp/WEB-INF/applicationContext.xml and change the TLS
configuration:

<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass"
                          resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass"
                          resource="idp-ssl-key.jks" />
        </sec:keyManagers>
    </http:tlsClientParameters>
</http:conduit>

Note that idp-ssl-trust + idp-ssl-key are stored in WEB-INF/classes here;
you will need to copy your new files in there.

Colm.

On Tue, Aug 25, 2015 at 5:06 AM, rajj <kr...@gmail.com> wrote:

> Hi Colm,
> I am just trying to use our own certificates (IDP & RP). I have one public
> IDP certificate myIDP_x509.cer and I have my RP public certificate and
> private key (devcacert.pem, devprivatekey.pem). Now I generated the keystore
> and truststore using the link
>
> http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&view=co
> and I placed the keystores and truststore in the IDP and RP, started the
> server and tried to connect to the IDP, but it gives an SSLHandshakeException
> saying the request is not verifying (seems to be a problem with the generated
> keystores and truststores). My simple question is: how do I generate the
> keystore and truststore using my above files, and how do I configure them in
> the IDP/STS and RP (what files need to be updated to use the updated keystores
> and truststores)?
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/What-configuration-need-to-change-when-I-use-our-own-IDP-certificate-and-relaying-party-certificate-tp5760372p5760404.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
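A diagnostic that exercises exactly the three things the reply above configures (keystore + keyPass, truststore, and the TLS handshake from the IdP towards the STS), added here as an example and not part of this thread or of Fediz itself. It assumes JKS stores as in the snippets; the class name TlsStoreCheck and its argument order are my own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Usage: java TlsStoreCheck keystore.jks storepass keypass truststore.jks trustpass host port */
public class TlsStoreCheck {
    public static void main(String[] args) throws Exception {
        String ksFile = args[0], storePass = args[1], keyPass = args[2];
        String tsFile = args[3], trustPass = args[4];
        String host = args[5];
        int port = Integer.parseInt(args[6]);

        // 1. The store must open with storePass, and keyPass must unlock the private key.
        //    Tomcat's keyPass and CXF's keyManagers keyPassword are the ENTRY password,
        //    which can differ from the store password (the thread uses different ones).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksFile)) { ks.load(in, storePass.toCharArray()); }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            try {
                ks.getKey(alias, keyPass.toCharArray());
                System.out.println("key entry '" + alias + "': keypass OK");
            } catch (UnrecoverableKeyException e) {
                System.out.println("key entry '" + alias + "': keypass does NOT match the entry");
            }
        }

        // 2. List what the truststore actually trusts; the peer's issuer must be in here.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(tsFile)) { ts.load(in, trustPass.toCharArray()); }
        for (String alias : Collections.list(ts.aliases())) {
            X509Certificate c = (X509Certificate) ts.getCertificate(alias);
            System.out.println("trusted '" + alias + "': " + c.getSubjectX500Principal());
        }

        // 3. Handshake with these stores, as the IdP's http:conduit would towards the STS.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake(); // throws SSLHandshakeException if the peer cert is not trusted
            X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("handshake OK, peer = " + peer.getSubjectX500Principal());
        }
    }
}
```

Run it once with the IdP's stores against the STS port and once with the RP's stores against the IdP port; whichever run fails at step 3 tells you which truststore is missing the peer's certificate.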

Re: What configuration needs to change when I use our own IDP certificate and relying party certificate.

Posted by rajj <kr...@gmail.com>.
Hi Colm,
I am just trying to use our own certificates (IDP & RP). I have one public
IDP certificate myIDP_x509.cer and I have my RP public certificate and
private key (devcacert.pem, devprivatekey.pem). Now I generated the keystore
and truststore using the link
http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&view=co
and I placed the keystores and truststore in the IDP and RP, started the
server and tried to connect to the IDP, but it gives an SSLHandshakeException
saying the request is not verifying (seems to be a problem with the generated
keystores and truststores). My simple question is: how do I generate the
keystore and truststore using my above files, and how do I configure them in
the IDP/STS and RP (what files need to be updated to use the updated keystores
and truststores)?
--
View this message in context: http://cxf.547215.n5.nabble.com/What-configuration-need-to-change-when-I-use-our-own-IDP-certificate-and-relaying-party-certificate-tp5760372p5760404.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: What configuration needs to change when I use our own IDP certificate and relying party certificate.

Posted by Colm O hEigeartaigh <co...@apache.org>.
It's hard to tell what the problem is from the description. Could you
document the exact steps you are following?

Colm.

On Mon, Aug 24, 2015 at 6:05 AM, Rajnish ravi <kr...@gmail.com> wrote:

> Hi Team,
> First of all, I would like to thank Jan, who helped me configure the IDP
> through REST. Here is another question of mine. I have my own IDP certificate
> (aticloud_atl_x509.cert) and I have the RP public certificate and private
> key (devcacert.pem, devprivatekey.pem). Now I am generating the keystore and
> truststore using the given link:
>
> http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&view=co
> and I am using a different keypass and storepass. Now I make changes in
> server.xml and some configuration files of fediz-idp and fediz-idp-sts under
> the IDP/STS Tomcat for my generated keystore, truststore and certificate. I
> made configuration changes on the RP side as well for the new keystore,
> truststore and certificate. Then I run the application. It's not running; it
> seems it's not validating the certificate. Please suggest where I am going
> wrong. My concern is: is there any other way to configure the above using
> REST? Can someone explain the process clearly?
> Hoping for a quick reply :)
> -Raj
>
-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com