Posted to users@cxf.apache.org by Matthew Broadhead <ma...@nbmlaw.co.uk> on 2017/10/19 09:31:05 UTC

fediz in production

Hi,

I am following this article by Jan
https://janbernhardt.blogspot.com.es/2016/02/apache-fediz-installation-in-productive.html
and I think I am close to getting it working but I have hit this error that I cannot work out. Can anyone help?

org.apache.cxf.sts.token.provider.SAMLTokenProvider  -
org.apache.cxf.ws.security.sts.provider.STSException: Configuration error: cannot load signature properties
     at org.apache.cxf.sts.token.realm.RealmProperties.getSignatureCrypto(RealmProperties.java:156)
     at org.apache.cxf.sts.token.provider.AbstractSAMLTokenProvider.signToken(AbstractSAMLTokenProvider.java:59)
     at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createSamlToken(SAMLTokenProvider.java:319)
     at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createToken(SAMLTokenProvider.java:117)
     at org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle(TokenIssueOperation.java:171)


Re: fediz in production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
The problem was that my certificate password contained an exclamation mark. I changed the password to mixed case letters and numbers and then it worked.



Re: fediz in production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
I am using 1.4.2.

My stsKeystore.properties is as follows, but I have had to modify values for security:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=mypassword (jks password NOT certificate password)
org.apache.ws.security.crypto.merlin.keystore.alias=realmmyrealm (same as the alias of the cert in the jks)
org.apache.ws.security.crypto.merlin.keystore.file=stsrealm_myrealm.jks (name of the jks located in the same directory as this file)

Matthew



Re: fediz in production

Posted by Colm O hEigeartaigh <co...@apache.org>.
What Fediz version are you using? Are you specifying a
"org.apache.ws.security.crypto.merlin.keystore.alias"
in your keystore properties and does it match "realmmyrealm"?

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: fediz in production

Posted by Matthew Broadhead <ma...@nbmlaw.co.uk>.
Thanks Colm, yes that was caused by a typo in stsKeystore.properties.

But now I get this:
org.apache.wss4j.common.ext.WSSecurityException: The private key for the supplied alias does not exist in the keystore
Original Exception was org.apache.wss4j.common.ext.WSSecurityException: The private key for the supplied alias does not exist in the keystore
Original Exception was java.security.UnrecoverableKeyException: Cannot recover key
     at org.apache.wss4j.common.saml.SamlAssertionWrapper.signAssertion(SamlAssertionWrapper.java:542)
     at org.apache.cxf.sts.token.provider.AbstractSAMLTokenProvider.signToken(AbstractSAMLTokenProvider.java:121)
     at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createSamlToken(SAMLTokenProvider.java:319)
     at org.apache.cxf.sts.token.provider.SAMLTokenProvider.createToken(SAMLTokenProvider.java:117)
     at org.apache.cxf.sts.operation.TokenIssueOperation.issueSingle(TokenIssueOperation.java:171)

But if I do keytool -list -v -keystore stsrealm_myrealm.jks I get:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: realmmyrealm
Creation date: 17-Oct-2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:


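As an added diagnostic for the two failures in this thread (the stsKeystore.properties/alias lookup, and the "Cannot recover key" raised while signing), not code from the thread or from Fediz: a small Java program that reads a Merlin-style stsKeystore.properties and walks the same steps the STS takes to load its signing key, reporting which step fails. The property names are the ones quoted in the thread; org.apache.ws.security.crypto.merlin.keystore.private.password is WSS4J Merlin's optional separate private-key password, and the class name StsKeystoreCheck is my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Properties;

/** Walks the steps the STS takes to load its signing key and names the step that fails. */
public class StsKeystoreCheck {
    // WSS4J Merlin property prefix, as used in the thread's stsKeystore.properties.
    static final String P = "org.apache.ws.security.crypto.merlin.keystore.";

    public static void main(String[] args) throws Exception {
        // Path of the properties file; defaults to the file name used in the thread.
        Path propsPath = Paths.get(args.length > 0 ? args[0] : "stsKeystore.properties").toAbsolutePath();
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(propsPath.toFile())) {
            props.load(in); // an unreadable file is the "cannot load signature properties" case
        }
        String type      = props.getProperty(P + "type", "jks");
        String storePass = props.getProperty(P + "password");
        String alias     = props.getProperty(P + "alias");
        // Merlin's optional separate private-key password; not present in the thread's file.
        String keyPass   = props.getProperty(P + "private.password");
        // keystore.file is a bare file name in the thread, resolved next to the properties file.
        Path ksPath = propsPath.getParent().resolve(props.getProperty(P + "file"));

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(ksPath.toFile())) {
            ks.load(in, storePass.toCharArray()); // a wrong store password fails here with an IOException
        }
        if (!ks.containsAlias(alias)) {
            System.out.println("FAIL: alias '" + alias + "' is not in " + ksPath + " (typo in alias or file?)");
            return;
        }
        if (!ks.isKeyEntry(alias)) {
            System.out.println("FAIL: '" + alias + "' is a trusted certificate, not a PrivateKeyEntry");
            return;
        }
        // keytool -list -v passes as soon as the store password is right; only recovering the
        // key exercises the key password, which is what the STS needs in order to sign tokens.
        String tried = keyPass != null ? "private.password" : "the keystore password";
        try {
            Key key = ks.getKey(alias, (keyPass != null ? keyPass : storePass).toCharArray());
            System.out.println("OK: recovered " + key.getAlgorithm() + " private key for '" + alias + "'");
        } catch (UnrecoverableKeyException e) {
            // Same root cause as the thread's "java.security.UnrecoverableKeyException: Cannot recover key"
            System.out.println("FAIL: key '" + alias + "' is protected with a different password than "
                + tried + "; the STS must be given the key's own password (e.g. via "
                + P + "private.password) or the entry re-keyed with a known password.");
        }
    }
}
```

Run it from the directory holding stsKeystore.properties; a keystore that lists fine with keytool but fails only at the last step has a key password that differs from the store password, which is exactly the situation the listing above cannot reveal.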


Re: fediz in production

Posted by Colm O hEigeartaigh <co...@apache.org>.
The error is that the STS can't load the signature properties file. For
example, in the default STS the RealmProperties references the
signaturePropertiesFile for the realm here:

https://github.com/apache/cxf-fediz/blob/aee07e167458e468f123954f177c79f17df2c083/services/sts/src/main/webapp/WEB-INF/data/realms.xml#L62

which in turn is here:

https://github.com/apache/cxf-fediz/blob/master/services/sts/src/main/resources/stsKeystoreA.properties


