It's only when you're moving to production do you need to create your own keystores, with different passwords, etc.
Glen On 08/31/2012 01:42 PM, Glen Mazza wrote:
On 08/31/2012 01:19 PM, frank wrote:Hi Glen, I have managed to get a but further in the process. As it turns out, the self-signed certificate for the IDP/STS needs to be added to the cacerts keystore of the JRE!!!Again, what version of Fediz are you using? Setup/Key-wise, 1.0.0 and 1.0.1 are as different as night and day--stick with 1.0.1. I've tested Fediz 1.0.1 several times and never needed to add anything to the JRE's cacerts, neither have others. I don't think its good to deviate from the instructions; rather, follow them to the letter and complain on this list when it doesn't work--if the bug is on our side we'll either fix the documentation or try to figure out why it's not working on your end.Adding the self-signed cert to the IDP/STS to the JRE's cacerts forms a security hole because now *everything* using that JRE will trust the STS, normally not something you want. Further it makes it harder to see the necessary (i.e., minimal) trust relationships within the system, making it difficult for you to reproduce and deploy Fediz in different environments.Possible this is caused by the fact the the keystore is created using the -trustcacerts parameter. I.e. omitting it will probably obviate the need to add the certificate to JRE's keystore.No, the -trustcacerts setting just means import the public cert and not the private key. You *don't* want to be putting any external private key in any truststore. In a keystore/truststore combo, you'll just have the single private key of the server or app and the public keys (-trustcacerts) of whatever it's supposed to trust.However, further down the line (after a message exchange between IDP and STS), the same type of problem reappears. In an attempt to solve this, I have also added the RP certificate to the cacerts keystore, but this doesn't make the problem go away,Until you follow a formal process, namely, here: http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co , you're just going to be slapping public certs in truststores left and right until things seem to work, but it will be undocumentable and unmaintainable, especially as you try to deploy on different environments. Getting the trust relationships right is just as important as getting the samples to run.Regards, GlenAny ideas would be appreciated. Cheers, Frank On Fri, Aug 31, 2012 at 6:22 PM, Glen Mazza <gma...@talend.com> wrote:Hi, are you using Fediz 1.0.1? It was released a couple of days ago, featuring new sample keystores and several other changes. More comments below: On 08/31/2012 12:04 PM, frank wrote:Hi, After having configured the IDP/STS and the RP sample, I run into the issuethat after the redirect to the IDP, a page with "*Access to the specified resource (Requesting security token failed) has been forbidden.*" appears.Tomcat's error trace suggests that there is something wrong with the certificates. Caused by: sun.security.validator.**ValidatorException: PKIX path buildingfailed: sun.security.provider.**certpath.**SunCertPathBuilderException:unable to find valid certification path to requested target... normally indicating a key was missing from a truststorePossibly this is caused by the rather unclear path to creating thekeystores. It would seem that creating tomcat-idp.jks and tomcat-rp.jks is sufficient to get the web application up and running, but in this processstsstore.jks also needs to be created for MyIDP.cer.Are you following this chart: http://svn.apache.org/viewvc/** cxf/fediz/trunk/examples/**samplekeys/**HowToGenerateKeysREADME.html?**revision=1364769&view=co<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co>(and using the sample Tomcat keys already provided in this folder?)Further, stsstore.jks does not need to be "created" (it does forproduction, but not for running the sample), it should already be in theSTS war. Strangely enough,fediz-config.xml points to stsstore.jks in the conf directory whereas thetable for the keystores states that fediz-config.xml point tot tomcat-rp.jks, which according to the same table should be in the base directory of the RP samples.It shouldn't be doing that, in Fediz 1.0.1 is should be pointing to tomcat-rp.jks: http://svn.apache.org/viewvc/**cxf/fediz/trunk/examples/** simpleWebapp/src/main/config/**fediz_config.xml?revision=**1364755&view=markup<http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/simpleWebapp/src/main/config/fediz_config.xml?revision=1364755&view=markup>I don't know why your version has it pointing to stsstore.jks. Fediz 1.0.0had it that way, but that was updated in 1.0.1. HTH, GlenWhat is the way out of this situation? How can I get things up and running? Any help would be appreciated. I tried generating my own keystores as well as using the keystores provided in the source code samples. Neither of these work. Cheers, Frank-- Glen Mazza Talend Community Coders - coders.talend.com blog: www.jroller.com/gmazza
-- Glen Mazza Talend Community Coders - coders.talend.com blog: www.jroller.com/gmazza
