Hi Ruchira,

There is a property introduced in IS 5.0.0 called "UseAuthenticatedUserDomainCrypto" to make it backward compatible. The link below has a description of its usage.

[1] - https://docs.wso2.com/display/IS500/Configuring+identity.xml

Thanks,
Pushpalanka.

--
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka

On Fri, Jan 23, 2015 at 3:02 PM, Ruchira Wageesha <[email protected]> wrote:

> Hi Kasun,
>
> I worked with Senduran and it seemed like a certificate mismatch. AFAICR,
> due to the latest changes in the IS code base, the tenant key store is used
> during SSO. Hence ES, which is based on newer IS code, expects tenant
> certs to be used, where IS 5.0 expects super-tenant certs to be used. AFAIK,
> I think this should be the issue here.
>
> Hence, can somebody from the IS team verify my doubt please?
>
> @Kasun/Senduran,
>
> If it is my doubt, then you will have to use it with an IS pack which has
> that change.
>
> On Fri, Jan 23, 2015 at 1:58 PM, Kasun Indrasiri <[email protected]> wrote:
>
>> Hi ES team,
>>
>> We have spent quite a lot of time on this issue but haven't found a
>> resolution yet. This will be a blocker for ES as well as iPaaS milestones.
>> Can we get somebody from the ES team to look into this ASAP please?
>>
>> On Wed, Jan 21, 2015 at 8:39 AM, Senduran Balasubramaniyam <[email protected]> wrote:
>>
>>> Hi Sameera,
>>>
>>> Unfortunately the exception is still there; I tried as you instructed.
>>> What I guess is that if a tenant is logged in, ES is trying to verify the
>>> signature against the tenant's specific keystore, while IS considers the
>>> wso2carbon keystore.
>>> Is there any configuration in ES to check with the wso2carbon keystore
>>> even for the tenant?
>>>
>>> Thank you
>>> Senduran
>>>
>>> On Tue, Jan 20, 2015 at 9:07 PM, Sameera Medagammaddegedara <[email protected]> wrote:
>>>
>>>> Hi Senduran,
>>>>
>>>> Can we try the following:
>>>>
>>>> Export the primary key of the IS:
>>>>
>>>> keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2.cert
>>>>
>>>> Then import the certificate to the tenant's key store
>>>>
>>>> (Home > Configure > KeyStores > Import Certificates To)
>>>>
>>>> Thank You,
>>>> Sameera
>>>>
>>>> On Tue, Jan 20, 2015 at 6:43 AM, Senduran Balasubramaniyam <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I debugged the org.wso2.store.sso.common.util.Util
>>>>> (product-es/modules/components/sso-common). Also I attached
>>>>> xmltooling-1.3.1-sources.jar and xmlsec-1.5.5-sources.jar to get the
>>>>> complete executing code.
>>>>>
>>>>> I compared the signingCert variable (in the
>>>>> org.wso2.store.sso.common.util.X509CredentialImpl) when I log in as a
>>>>> tenant.
>>>>> If I log in to ES's management console, the subject of the certificate
>>>>> is *CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US*,
>>>>> but when I log in to the publisher as the same tenant, the subject of
>>>>> the certificate is *C=None, O="None L=None", OU=None, CN=istenant.com*.
>>>>>
>>>>> Please note that in both of the above scenarios I am logging in as a tenant,
>>>>> and when I try to log in to the publisher the signature is being validated
>>>>> against the tenant-specific certificate.
>>>>> Is this causing the "org.opensaml.xml.validation.ValidationException:
>>>>> Signature did not validate against the credential's key" exception?
>>>>>
>>>>> Thanks
>>>>> Senduran
>>>>>
>>>>> On Mon, Jan 19, 2015 at 11:31 PM, Senduran Balasubramaniyam <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Thanks Malithi for the response.
>>>>>> I tried un-checking "Enable Response Signing", but even when I
>>>>>> log in as admin I got the following exception:
>>>>>>
>>>>>> java.lang.NullPointerException
>>>>>>   at org.opensaml.xml.signature.SignatureValidator.buildSignature(SignatureValidator.java:91)
>>>>>>   at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:55)
>>>>>>   at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>>>>>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>   .....
>>>>>>
>>>>>> What am I missing here?
>>>>>>
>>>>>> @ES Team, could you please help me on how to import the public
>>>>>> certificate of a tenant to the publisher's key store. Where can I find the
>>>>>> tenant's public certificate?
>>>>>>
>>>>>> Thank you
>>>>>> Senduran
>>>>>>
>>>>>> On Mon, Jan 19, 2015 at 8:10 PM, Malithi Edirisinghe <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Senduran,
>>>>>>>
>>>>>>> There's a separate primary keystore generated for the tenant. Since
>>>>>>> you have enabled response signing also, the service provider that you have
>>>>>>> registered should know the public key of the IdP in order to validate.
>>>>>>> Hence, the service provider should have the public key of the IdP in
>>>>>>> its keystore and validate the signature acquiring the respective alias. So
>>>>>>> in this case I think that you should import the public cert of the
>>>>>>> respective tenant to your publisher's keystore.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Malithi.
>>>>>>>
>>>>>>> On Mon, Jan 19, 2015 at 12:35 PM, Senduran Balasubramaniyam <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I am experiencing $subject with ES 2.0.0 M5. Following are the
>>>>>>>> changes I made to configure SSO.
>>>>>>>>
>>>>>>>> - Shared registry and user database between ES and IS
>>>>>>>> - In ES's user-mgt.xml, pointed the "UserStoreManager" to IS's
>>>>>>>>   embedded LDAP
>>>>>>>> - Modified the following in the publisher and store json:
>>>>>>>>
>>>>>>>>   "identityProviderURL": "https://localhost:<IS-Port>/samlsso"
>>>>>>>>
>>>>>>>> - Created a Service Provider for publisher and store in IS as follows
>>>>>>>>
>>>>>>>> SP for publisher
>>>>>>>>
>>>>>>>>   Issuer: publisher
>>>>>>>>   Assertion Consumer URL: https://localhost:<ES-Port>/publisher/acs
>>>>>>>>   Use fully qualified username in the NameID
>>>>>>>>   Enable Response Signing
>>>>>>>>   Enable Assertion Signing
>>>>>>>>   Enable Single Logout
>>>>>>>>
>>>>>>>> SP for store
>>>>>>>>
>>>>>>>>   Issuer: store
>>>>>>>>   Assertion Consumer URL: https://localhost:<ES-Port>/store/acs
>>>>>>>>   Use fully qualified username in the NameID
>>>>>>>>   Enable Response Signing
>>>>>>>>   Enable Assertion Signing
>>>>>>>>   Enable Single Logout
>>>>>>>>
>>>>>>>> When admin logs in, the publisher behaves as expected (i.e. the page is
>>>>>>>> redirected to the IS login and then redirected back to the publisher; if an
>>>>>>>> SSO session is already available it goes directly to the publisher).
>>>>>>>> But when I log in as a tenant, the browser is redirected to
>>>>>>>> https://localhost:9443/publisher/acs and the following exception is
>>>>>>>> shown in the console:
>>>>>>>>
>>>>>>>> INFO {JAGGERY.controllers.login:jag} - Login URL: https://localhost:9447/samlsso
>>>>>>>> org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
>>>>>>>>   at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
>>>>>>>>   at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>>>>>>>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>   at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>>>   at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>>>>>   at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
>>>>>>>>   at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>>>>>   at org.jaggeryjs.rhino.<sso>.scripts.c0._c_anonymous_3(<sso>/scripts/sso.client.js:50)
>>>>>>>>   at org.jaggeryjs.rhino.<sso>.scripts.c0.call(<sso>/scripts/sso.client.js)
>>>>>>>>   at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>>>>>   at org.jaggeryjs.rhino.publisher.controllers.c1._c_anonymous_1(/publisher/controllers/acs.jag:48)
>>>>>>>>   at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>>>   at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
>>>>>>>>   at org.jaggeryjs.rhino.publisher.controllers.c1._c_script_0(/publisher/controllers/acs.jag:20)
>>>>>>>>   at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>>>   at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
>>>>>>>>   at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
>>>>>>>>   at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>>>   at org.jaggeryjs.rhino.publisher.controllers.c1.exec(/publisher/controllers/acs.jag)
>>>>>>>>   at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
>>>>>>>>   at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
>>>>>>>>   at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:559)
>>>>>>>>   at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
>>>>>>>>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>>>>>>>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>   at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
>>>>>>>>   at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
>>>>>>>>   at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
>>>>>>>>   at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
>>>>>>>>   at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>   at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>>>>>   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>>>>>   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>>>>>>>>   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>>>>>>   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:183)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>>>>   at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:146)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>>>>   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>>>>>>>>   at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>>>>   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>>   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>>>>>>>   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>>>>>>>>   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>>>>>>>>   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1721)
>>>>>>>>   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>>>>>   at java.lang.Thread.run(Thread.java:745)
>>>>>>>>
>>>>>>>> (My ES runs on the default port and IS runs on port offset 4)
>>>>>>>>
>>>>>>>> Could you please help me to resolve this issue.
>>>>>>>>
>>>>>>>> Thank you
>>>>>>>> Senduran
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Senduran*
>>>>>>>> Software Engineer,
>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>> Mobile: +94 77 952 6548
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Dev mailing list
>>>>>>>> [email protected]
>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> *Malithi Edirisinghe*
>>>>>>> Senior Software Engineer
>>>>>>> WSO2 Inc.
>>>>>>>
>>>>>>> Mobile : +94 (0) 718176807
>>>>>>> [email protected]
>>>>
>>>> --
>>>> Sameera Medagammaddegedara
>>>> Software Engineer
>>>>
>>>> Contact:
>>>> Email: [email protected]
>>>> Mobile: + 94 077 255 3005
>>
>> --
>> Kasun Indrasiri
>> Software Architect
>> WSO2, Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> cell: +94 77 556 5206
>> Blog : http://kasunpanorama.blogspot.com/
>
> --
>
> *Ruchira Wageesha*
> *Associate Technical Lead*
> *WSO2 Inc. - lean . enterprise . middleware | wso2.com*
>
> *email: [email protected], blog: ruchirawageesha.blogspot.com,
> mobile: +94 77 5493444*
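The thread's diagnosis came from stepping through OpenSAML to see which certificate the SP was holding when validation failed (CN=localhost for the super-tenant, CN=istenant.com for the tenant). The following is an added example, not code from the thread, from WSO2 ES or from IS: a stdlib-only Python diagnostic that pulls the certificate each ds:Signature advertises in its ds:KeyInfo (at the Response level and at the Assertion level separately, since both signing options were enabled), fingerprints it, and compares it with the certificates the SP actually trusts, so a "signed by the tenant key, SP trusts only wso2carbon" mismatch is visible without a debugger. It also reports an absent Signature as a status rather than dereferencing it, which is the NullPointerException seen after Response Signing was disabled. The DER byte strings and the Response skeleton are constructed stand-ins, not real certificates or a real IS response; the function names are this example's own.

```python
# Added example (not WSO2 ES/IS code): which certificate does a SAML Response
# claim to be signed with, and does the SP trust that certificate?
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of DER certificate bytes."""
    return hashlib.sha256(der).hexdigest()


def advertised_signer(element) -> str:
    """Fingerprint of the cert in this element's own <ds:Signature>, or a status token.

    Only a direct-child Signature counts: the Response's Signature must not be
    confused with the Assertion's, which may have been made with a different key.
    """
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return "UNSIGNED"  # report it; never dereference a missing Signature
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        return "NO_KEYINFO"  # signed, but the signer's cert must come from SP config
    return fingerprint(base64.b64decode("".join(cert.text.split())))


def diagnose(response_xml: str, trusted_ders) -> dict:
    """Map Response and each Assertion to TRUSTED / UNTRUSTED_SIGNER / UNSIGNED / NO_KEYINFO."""
    trusted = {fingerprint(d) for d in trusted_ders}
    root = ET.fromstring(response_xml)
    parts = {"Response": root}
    for i, assertion in enumerate(root.findall("saml:Assertion", NS)):
        parts[f"Assertion[{i}]"] = assertion
    verdict = {}
    for name, el in parts.items():
        fp = advertised_signer(el)
        if fp in ("UNSIGNED", "NO_KEYINFO"):
            verdict[name] = fp
        else:
            verdict[name] = "TRUSTED" if fp in trusted else "UNTRUSTED_SIGNER"
    return verdict


# Constructed stand-ins for DER certificates (NOT real certificates): the
# super-tenant wso2carbon cert and the tenant cert whose subjects the thread quotes.
SUPER_TENANT_DER = b"constructed-DER: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US"
TENANT_DER = b"constructed-DER: CN=istenant.com"


def build_response(signer_der: bytes, sign_response=True, sign_assertion=True) -> str:
    """Constructed SAML Response skeleton carrying the signer's cert in KeyInfo.

    SignatureValue is a placeholder: this example checks the identity of the
    advertised signer, not the signature mathematics.
    """
    b64 = base64.b64encode(signer_der).decode()
    sig = (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        "<ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue>"
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature>"
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" '
        'Destination="https://localhost:9443/publisher/acs">'
        "<saml:Issuer>localhost</saml:Issuer>"
        + (sig if sign_response else "")
        + '<saml:Assertion ID="_a1"><saml:Issuer>localhost</saml:Issuer>'
        + (sig if sign_assertion else "")
        + "</saml:Assertion></samlp:Response>"
    )


if __name__ == "__main__":
    # The thread's failure: IS signed with the tenant cert, ES trusts only wso2carbon.
    print(diagnose(build_response(TENANT_DER), [SUPER_TENANT_DER]))
    # After the tenant cert has been imported into the SP's trust store.
    print(diagnose(build_response(TENANT_DER), [SUPER_TENANT_DER, TENANT_DER]))
    # Response Signing switched off at the IdP: the Response carries no Signature.
    print(diagnose(build_response(TENANT_DER, sign_response=False), [TENANT_DER]))
```

The certificate inside KeyInfo is supplied by whoever built the Response, so this only tells you which key the sender says it used. That is enough to decide which keystore to fix (import the tenant cert into the SP, or make IS sign with the super-tenant key), but the trust decision itself must stay with the SP's configured certificate and OpenSAML's cryptographic check, and an UNSIGNED Response or Assertion should be rejected outright rather than surfacing as a NullPointerException.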
