Hi Pushpalanka,

Is using the tenant keystore the deprecated way or the recommended way? According to the doc it seems to be the older approach, but I was under the impression it is the recommended way.
On Fri, Jan 23, 2015 at 3:19 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:

> Hi Ruchira,
>
> There is a property introduced in IS 5.0.0 called "UseAuthenticatedUserDomainCrypto" to make it backward compatible. The link below has a description of its usage.
>
> [1] - https://docs.wso2.com/display/IS500/Configuring+identity.xml
>
> Thanks,
> Pushpalanka.
> --
> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
> Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
> Mobile: +94779716248
> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>
>
> On Fri, Jan 23, 2015 at 3:02 PM, Ruchira Wageesha <ruch...@wso2.com> wrote:
>
>> Hi Kasun,
>>
>> I worked with Senduran and it seemed like a certificate mismatch. AFAICR, due to the latest changes in the IS code base, the tenant key store is used during SSO. Hence ES, which is based on the newer IS code, expects tenant certs to be used, where IS 5.0 expects super-tenant certs to be used. AFAIK, I think this should be the issue here.
>>
>> Hence, can somebody from the IS team verify my doubt please?
>>
>> @Kasun/Senduran,
>>
>> If it is my doubt, then you will have to use it with an IS pack which has that change.
>>
>> On Fri, Jan 23, 2015 at 1:58 PM, Kasun Indrasiri <ka...@wso2.com> wrote:
>>
>>> Hi ES team,
>>>
>>> We have spent quite a lot of time on this issue but haven't found a resolution yet. This will be a blocker for ES as well as iPaaS milestones. Can we get somebody from the ES team to look into this ASAP please?
>>>
>>> On Wed, Jan 21, 2015 at 8:39 AM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>>>
>>>> Hi Sameera,
>>>>
>>>> Unfortunately the exception is still there; I tried as you instructed.
>>>> What I guess is that if a tenant is logged in, ES is trying to verify the signature against the tenant's specific keystore, while IS considers the wso2carbon keystore.
>>>> Is there any configuration in ES to check with the wso2carbon keystore even for the tenant?
>>>>
>>>> Thank you
>>>> Senduran
>>>>
>>>> On Tue, Jan 20, 2015 at 9:07 PM, Sameera Medagammaddegedara <samee...@wso2.com> wrote:
>>>>
>>>>> Hi Senduran,
>>>>>
>>>>> Can we try the following:
>>>>>
>>>>> Export the primary key of the IS:
>>>>>
>>>>>     keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2.cert
>>>>>
>>>>> Then import the certificate to the tenant's key store
>>>>>
>>>>> (Home > Configure > KeyStores > Import Certificates To)
>>>>>
>>>>> Thank You,
>>>>> Sameera
>>>>>
>>>>> On Tue, Jan 20, 2015 at 6:43 AM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I debugged the org.wso2.store.sso.common.util.Util (product-es/modules/components/sso-common). Also I attached xmltooling-1.3.1-sources.jar and xmlsec-1.5.5-sources.jar to get the complete executing code.
>>>>>>
>>>>>> I compared the signingCert variable (in org.wso2.store.sso.common.util.X509CredentialImpl) when I log in as a tenant.
>>>>>> If I log in to ES's management console the subject of the certificate is *CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US*
>>>>>> but when I log in to the publisher as the same tenant the subject of the certificate is *C=None, O="None L=None", OU=None, CN=istenant.com*
>>>>>>
>>>>>> Please note that in both of the above scenarios I am logging in as a tenant, and when I try to log in to the publisher the signature is being validated against the tenant specific certificate.
>>>>>> Is this causing the "org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key" exception?
>>>>>>
>>>>>> Thanks
>>>>>> Senduran
>>>>>>
>>>>>> On Mon, Jan 19, 2015 at 11:31 PM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Thanks Malithi for the response.
>>>>>>> I tried un-checking "Enable Response Signing", but even when I log in as admin I get the following exception:
>>>>>>>
>>>>>>>     java.lang.NullPointerException
>>>>>>>         at org.opensaml.xml.signature.SignatureValidator.buildSignature(SignatureValidator.java:91)
>>>>>>>         at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:55)
>>>>>>>         at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>         .....
>>>>>>>
>>>>>>> What am I missing here?
>>>>>>>
>>>>>>> @ES Team, could you please help me on how to import the public certificate of a tenant to the publisher's key store? Where can I find the tenant's public certificate?
>>>>>>>
>>>>>>> Thank you
>>>>>>> Senduran
>>>>>>>
>>>>>>> On Mon, Jan 19, 2015 at 8:10 PM, Malithi Edirisinghe <malit...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi Senduran,
>>>>>>>>
>>>>>>>> There's a separate primary keystore generated for the tenant. Since you have enabled response signing also, the service provider that you have registered should know the public key of the IdP in order to validate. Hence, the service provider should have the public key of the IdP in its keystore and validate the signature acquiring the respective alias. So in this case I think that you should import the public cert of the respective tenant to your publisher's keystore.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Malithi.
>>>>>>>>
>>>>>>>> On Mon, Jan 19, 2015 at 12:35 PM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I am experiencing $subject with ES 2.0.0 M5. Following are the changes I made to configure SSO.
>>>>>>>>>
>>>>>>>>> - Shared registry and user database between ES and IS
>>>>>>>>> - In ES's user-mgt.xml, pointed the "UserStoreManager" to IS's embedded LDAP
>>>>>>>>> - Modified the publisher and store json as follows
>>>>>>>>>
>>>>>>>>>     "identityProviderURL": "https://localhost:<IS-Port>/samlsso"
>>>>>>>>>
>>>>>>>>> - Created a Service Provider for publisher and store in IS as follows
>>>>>>>>>
>>>>>>>>> SP for publisher
>>>>>>>>>
>>>>>>>>>     Issuer: publisher
>>>>>>>>>     Assertion Consumer URL: https://localhost:<ES-Port>/publisher/acs
>>>>>>>>>     Use fully qualified username in the NameID
>>>>>>>>>     Enable Response Signing
>>>>>>>>>     Enable Assertion Signing
>>>>>>>>>     Enable Single Logout
>>>>>>>>>
>>>>>>>>> SP for store
>>>>>>>>>
>>>>>>>>>     Issuer: store
>>>>>>>>>     Assertion Consumer URL: https://localhost:<ES-Port>/store/acs
>>>>>>>>>     Use fully qualified username in the NameID
>>>>>>>>>     Enable Response Signing
>>>>>>>>>     Enable Assertion Signing
>>>>>>>>>     Enable Single Logout
>>>>>>>>>
>>>>>>>>> When admin logs in, the publisher behaves as expected (i.e. the page is redirected to the IS login and then back to the publisher; if an SSO session is already available it goes directly to the publisher).
>>>>>>>>> But when I log in as a tenant, the browser is redirected to https://localhost:9443/publisher/acs and the following exception is shown in the console:
>>>>>>>>>
>>>>>>>>>     INFO {JAGGERY.controllers.login:jag} - Login URL: https://localhost:9447/samlsso
>>>>>>>>>     org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
>>>>>>>>>         at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
>>>>>>>>>         at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>         at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>>>>         at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>>>>>>         at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
>>>>>>>>>         at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>>>>>>         at org.jaggeryjs.rhino.<sso>.scripts.c0._c_anonymous_3(<sso>/scripts/sso.client.js:50)
>>>>>>>>>         at org.jaggeryjs.rhino.<sso>.scripts.c0.call(<sso>/scripts/sso.client.js)
>>>>>>>>>         at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1._c_anonymous_1(/publisher/controllers/acs.jag:48)
>>>>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>>>>         at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
>>>>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1._c_script_0(/publisher/controllers/acs.jag:20)
>>>>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>>>>         at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
>>>>>>>>>         at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
>>>>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>>>>>>>         at org.jaggeryjs.rhino.publisher.controllers.c1.exec(/publisher/controllers/acs.jag)
>>>>>>>>>         at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
>>>>>>>>>         at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
>>>>>>>>>         at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:559)
>>>>>>>>>         at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>>>>>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>         at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
>>>>>>>>>         at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
>>>>>>>>>         at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
>>>>>>>>>         at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
>>>>>>>>>         at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>>>>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>>>>>>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>>>>>>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>>>>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>>>>>>>>         at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:183)
>>>>>>>>>         at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>>>>>         at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
>>>>>>>>>         at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>>>>>         at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:146)
>>>>>>>>>         at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>>>>>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>>>>>>>>>         at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>>>>>>>>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>>>>>>>>>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>>>>>>>>>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1721)
>>>>>>>>>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
>>>>>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>>>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>>>>>>
>>>>>>>>> (My ES runs on the default port and IS runs on port offset 4)
>>>>>>>>>
>>>>>>>>> Could you please help me to resolve this issue?
>>>>>>>>>
>>>>>>>>> Thank you
>>>>>>>>> Senduran
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Senduran
>>>>>>>>> Software Engineer,
>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>> Mobile: +94 77 952 6548
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Dev mailing list
>>>>>>>>> Dev@wso2.org
>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>
>>>>>>>> --
>>>>>>>> Malithi Edirisinghe
>>>>>>>> Senior Software Engineer
>>>>>>>> WSO2 Inc.
>>>>>>>> Mobile : +94 (0) 718176807
>>>>>>>> malit...@wso2.com
>>>>>>>
>>>>>>> --
>>>>>>> Senduran
>>>>>>> Software Engineer,
>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>> Mobile: +94 77 952 6548
>>>>>>
>>>>>> --
>>>>>> Senduran
>>>>>> Software Engineer,
>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>> Mobile: +94 77 952 6548
>>>>>
>>>>> --
>>>>> Sameera Medagammaddegedara
>>>>> Software Engineer
>>>>>
>>>>> Contact:
>>>>> Email: samee...@wso2.com
>>>>> Mobile: + 94 077 255 3005
>>>>
>>>> --
>>>> Senduran
>>>> Software Engineer,
>>>> WSO2, Inc.; http://wso2.com/
>>>> Mobile: +94 77 952 6548
>>>
>>> --
>>> Kasun Indrasiri
>>> Software Architect
>>> WSO2, Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> cell: +94 77 556 5206
>>> Blog : http://kasunpanorama.blogspot.com/
>>
>> --
>> Ruchira Wageesha, Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>> email: ruch...@wso2.com, blog: ruchirawageesha.blogspot.com, mobile: +94 77 5493444
>

--
Ruchira Wageesha, Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: ruch...@wso2.com, blog: ruchirawageesha.blogspot.com, mobile: +94 77 5493444
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
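The check Senduran was doing by hand (comparing the signingCert subject in X509CredentialImpl with the certificate that actually signed the response) can be automated. The following is an added illustration, not code from this thread or from the ES/IS code base. It uses the OpenSAML 2 API that appears in the stack traces (org.opensaml.xml.signature.SignatureValidator and friends), loads one candidate certificate from the super-tenant wso2carbon.jks and one from a tenant keystore, and reports which candidate (if any) verifies the SAML Response signature. The keystore paths, passwords, the tenant keystore file name istenant-com.jks and the alias istenant.com are assumptions for the example; substitute your own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Diagnostic for "Signature did not validate against the credential's key":
 * tries each candidate IdP certificate against the SAML Response signature and
 * reports which one the response was really signed with (example code, OpenSAML 2.x).
 */
public class SamlSignatureDiagnostic {

    /** Load a single certificate from a JKS keystore by alias. */
    static X509Certificate loadCert(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("alias '" + alias + "' not found in " + path);
        }
        return cert;
    }

    /** Parse the SAML Response XML and unmarshall it into an OpenSAML object. */
    static Response parseResponse(InputStream xml) throws Exception {
        BasicParserPool parser = new BasicParserPool();
        parser.setNamespaceAware(true);
        Document doc = parser.parse(xml);
        Element root = doc.getDocumentElement();
        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        return (Response) unmarshaller.unmarshall(root);
    }

    /**
     * Returns the label of the first candidate credential that verifies the
     * Response signature, or null if none does.
     */
    static String findSigningCredential(Response response, Map<String, X509Certificate> candidates) {
        Signature signature = response.getSignature();
        if (signature == null) {
            // Passing a null Signature to SignatureValidator is what produced the
            // NullPointerException in buildSignature once "Enable Response Signing" was unchecked.
            System.out.println("Response carries no ds:Signature; nothing to validate");
            return null;
        }
        try {
            // Reject signatures that do not follow the SAML signing profile before doing any crypto.
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (ValidationException e) {
            System.out.println("Signature violates the SAML profile: " + e.getMessage());
            return null;
        }
        for (Map.Entry<String, X509Certificate> c : candidates.entrySet()) {
            String subject = c.getValue().getSubjectX500Principal().getName();
            BasicX509Credential credential = new BasicX509Credential();
            credential.setEntityCredential(c.getValue());
            try {
                new SignatureValidator(credential).validate(signature);
                System.out.println("verified with " + c.getKey() + ": " + subject);
                return c.getKey();
            } catch (ValidationException e) {
                System.out.println("not signed by " + c.getKey() + " (" + subject + ")");
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap(); // registers the SAML 2 object providers
        // Hypothetical paths, passwords and aliases; replace with the real ones.
        Map<String, X509Certificate> candidates = new LinkedHashMap<>();
        candidates.put("super-tenant (wso2carbon.jks)",
                loadCert("repository/resources/security/wso2carbon.jks", "wso2carbon".toCharArray(), "wso2carbon"));
        candidates.put("tenant (istenant-com.jks)",
                loadCert("istenant-com.jks", "tenant-password".toCharArray(), "istenant.com"));
        try (InputStream xml = new FileInputStream(args[0])) {
            String match = findSigningCredential(parseResponse(xml), candidates);
            System.out.println(match == null ? "no candidate verifies the signature" : "signer: " + match);
        }
    }
}
```

Run it against a captured SAMLResponse (base64-decoded to XML) for a tenant login. If the super-tenant certificate verifies while the tenant certificate does not, the IdP signed with wso2carbon.jks and the SP picked the tenant keystore, which is the mismatch described in the thread; the IS-side switch for that behaviour is the UseAuthenticatedUserDomainCrypto property in identity.xml referenced above.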