Hi ES team,

We have spent quite a lot of time on this issue but haven't found a resolution yet. This will be a blocker for ES as well as iPaaS milestones. Can we get somebody from the ES team to look into this ASAP please?

On Wed, Jan 21, 2015 at 8:39 AM, Senduran Balasubramaniyam <[email protected]> wrote:

> Hi Sameera,
>
> Unfortunately the exception is still there; I tried as you instructed.
> What I guess is that if a tenant is logged in, ES is trying to verify the signature against the tenant's specific keystore, while IS considers the wso2carbon keystore.
> Is there any configuration in ES to check with the wso2carbon keystore even for the tenant?
>
> Thank you
> Senduran
>
> On Tue, Jan 20, 2015 at 9:07 PM, Sameera Medagammaddegedara <[email protected]> wrote:
>
>> Hi Senduran,
>>
>> Can we try the following:
>>
>> Export the primary key of the IS:
>>
>>     keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2.cert
>>
>> Then import the certificate to the tenant's key store
>>
>> (Home > Configure > KeyStores > Import Certificates To)
>>
>> Thank You,
>> Sameera
>>
>> On Tue, Jan 20, 2015 at 6:43 AM, Senduran Balasubramaniyam <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I debugged the org.wso2.store.sso.common.util.Util (product-es/modules/components/sso-common). Also I attached xmltooling-1.3.1-sources.jar and xmlsec-1.5.5-sources.jar to get the complete executing code.
>>>
>>> I compared the signingCert variable (in the org.wso2.store.sso.common.util.X509CredentialImpl) when I log in as a tenant.
>>> If I log in to ES's management console the subject of the certificate is *CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US*
>>> but when I log in to the publisher as the same tenant the subject of the certificate is *C=None, O="None L=None", OU=None, CN=istenant.com*
>>>
>>> Please note that in both of the above scenarios I am logging in as a tenant, and when I try to log in to the publisher the signature is being validated against the tenant-specific certificate.
>>> Is this causing the "org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key" exception?
>>>
>>> Thanks
>>> Senduran
>>>
>>> On Mon, Jan 19, 2015 at 11:31 PM, Senduran Balasubramaniyam <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks Malithi for the response.
>>>> I tried un-checking "Enable Response Signing", but even when I log in as admin I get the following exception:
>>>>
>>>>     java.lang.NullPointerException
>>>>         at org.opensaml.xml.signature.SignatureValidator.buildSignature(SignatureValidator.java:91)
>>>>         at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:55)
>>>>         at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>         .....
>>>>
>>>> What am I missing here?
>>>>
>>>> @ES Team, could you please help me on how to import the public certificate of a tenant to the publisher's key store? Where can I find the tenant's public certificate?
>>>>
>>>> Thank you
>>>> Senduran
>>>>
>>>> On Mon, Jan 19, 2015 at 8:10 PM, Malithi Edirisinghe <[email protected]> wrote:
>>>>
>>>>> Hi Senduran,
>>>>>
>>>>> There's a separate primary keystore generated for the tenant. Since you have enabled response signing also, the service provider that you have registered should know the public key of the IdP in order to validate. Hence, the service provider should have the public key of the IdP in its keystore and validate the signature acquiring the respective alias. So in this case I think that you should import the public cert of the respective tenant to your publisher's keystore.
>>>>>
>>>>> Thanks,
>>>>> Malithi.
>>>>>
>>>>> On Mon, Jan 19, 2015 at 12:35 PM, Senduran Balasubramaniyam <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am experiencing $subject with ES 2.0.0 M5. Following are the changes I made to configure SSO.
>>>>>>
>>>>>> - Shared registry and user database between ES and IS
>>>>>> - In ES's user-mgt.xml, pointed the "UserStoreManager" to IS's embedded LDAP
>>>>>> - Modified the following in the publisher and store json:
>>>>>>
>>>>>>       "identityProviderURL": "https://localhost:<IS-Port>/samlsso"
>>>>>>
>>>>>> - Created a Service Provider for publisher and store in IS as follows
>>>>>>
>>>>>> SP for publisher
>>>>>>
>>>>>>     Issuer: publisher
>>>>>>     Assertion Consumer URL: https://localhost:<ES-Port>/publisher/acs
>>>>>>     Use fully qualified username in the NameID
>>>>>>     Enable Response Signing
>>>>>>     Enable Assertion Signing
>>>>>>     Enable Single Logout
>>>>>>
>>>>>> SP for store
>>>>>>
>>>>>>     Issuer: store
>>>>>>     Assertion Consumer URL: https://localhost:<ES-Port>/store/acs
>>>>>>     Use fully qualified username in the NameID
>>>>>>     Enable Response Signing
>>>>>>     Enable Assertion Signing
>>>>>>     Enable Single Logout
>>>>>>
>>>>>> When admin logs in, the publisher behaves as expected (i.e. the page is redirected to the IS login and then redirected back to the publisher; if an SSO session is already available it goes directly to the publisher).
>>>>>> But when I log in as a tenant, the browser is redirected to https://localhost:9443/publisher/acs and the following exception is shown in the console:
>>>>>>
>>>>>>     INFO {JAGGERY.controllers.login:jag} - Login URL: https://localhost:9447/samlsso
>>>>>>     org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
>>>>>>         at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
>>>>>>         at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>         at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>         at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>>>         at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
>>>>>>         at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>>>         at org.jaggeryjs.rhino.<sso>.scripts.c0._c_anonymous_3(<sso>/scripts/sso.client.js:50)
>>>>>>         at org.jaggeryjs.rhino.<sso>.scripts.c0.call(<sso>/scripts/sso.client.js)
>>>>>>         at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1._c_anonymous_1(/publisher/controllers/acs.jag:48)
>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>         at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1._c_script_0(/publisher/controllers/acs.jag:20)
>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>         at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
>>>>>>         at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1.exec(/publisher/controllers/acs.jag)
>>>>>>         at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
>>>>>>         at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
>>>>>>         at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:559)
>>>>>>         at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>         at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
>>>>>>         at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
>>>>>>         at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
>>>>>>         at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
>>>>>>         at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>>>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>>>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>>>>>         at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:183)
>>>>>>         at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>>         at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
>>>>>>         at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>>         at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:146)
>>>>>>         at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>>>>>>         at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>>>>>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>>>>>>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>>>>>>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1721)
>>>>>>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
>>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>>>
>>>>>> (My ES runs on the default port and IS runs on port offset 4.)
>>>>>>
>>>>>> Could you please help me to resolve this issue?
>>>>>>
>>>>>> Thank you
>>>>>> Senduran
>>>>>>
>>>>>> --
>>>>>> *Senduran*
>>>>>> Software Engineer,
>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>> Mobile: +94 77 952 6548
>>>>>>
>>>>>> _______________________________________________
>>>>>> Dev mailing list
>>>>>> [email protected]
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>> --
>>>>> *Malithi Edirisinghe*
>>>>> Senior Software Engineer
>>>>> WSO2 Inc.
>>>>> Mobile : +94 (0) 718176807
>>>>> [email protected]
>>
>> --
>> Sameera Medagammaddegedara
>> Software Engineer
>>
>> Contact:
>> Email: [email protected]
>> Mobile: + 94 077 255 3005

--
Kasun Indrasiri
Software Architect
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
cell: +94 77 556 5206
Blog : http://kasunpanorama.blogspot.com/
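The two failures in this thread (a NullPointerException when the response carries no Signature, and "Signature did not validate against the credential's key" when the SP validates against the tenant certificate instead of the IdP's signing certificate) both surface inside OpenSAML's SignatureValidator. As an added example, not product-es code and not the project's Util.validateSignature, the check below is written against the OpenSAML 2 API the stack trace passes through; the keystore path, password and IdP alias are assumed caller inputs, and the trust anchor is always the keystore certificate, never the one the response carries in KeyInfo.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.List;

import org.opensaml.common.SignableSAMLObject;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/** Added example (not product-es code): validate a SAML response signature
 *  against an explicitly chosen trusted IdP certificate from the SP keystore. */
public final class IdpSignatureCheck {

    // keystorePath, keystorePassword and idpAlias are assumed caller-supplied values.
    public static void validate(SignableSAMLObject samlObject, String keystorePath,
                                char[] keystorePassword, String idpAlias) throws Exception {
        // Guard the NPE seen in the thread: with response signing disabled on the
        // IdP there is no Signature element, so refuse instead of calling the validator.
        Signature signature = samlObject.getSignature();
        if (signature == null) {
            throw new ValidationException("SAML response is not signed; rejecting it");
        }
        // Load the IdP's certificate from the SP's keystore by alias. The tenant's own
        // certificate (CN=istenant.com in the thread) is not the signer; the IdP's is.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, keystorePassword);
        }
        X509Certificate trusted = (X509Certificate) ks.getCertificate(idpAlias);
        if (trusted == null) {
            throw new ValidationException("No certificate under alias '" + idpAlias + "'");
        }
        // Diagnostic only: report when the certificate carried in KeyInfo differs from the
        // trusted one. KeyInfo is attacker-controlled, so it must never select the anchor.
        if (signature.getKeyInfo() != null) {
            List<X509Certificate> carried = KeyInfoHelper.getCertificates(signature.getKeyInfo());
            if (!carried.isEmpty() && !carried.get(0).equals(trusted)) {
                System.err.println("KeyInfo cert " + carried.get(0).getSubjectDN()
                        + " differs from trusted cert " + trusted.getSubjectDN());
            }
        }
        // Enforce the SAML signature profile first, then the cryptographic check.
        new SAMLSignatureProfileValidator().validate(signature);
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(trusted);
        credential.setPublicKey(trusted.getPublicKey());
        new SignatureValidator(credential).validate(signature);
    }
}
```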
