Hi everyone,

I'm testing Fediz, and I have, as suggested in the docs, two separate Tomcat instances:

tomcat 1: IDP + STS
tomcat 2: Relying Party

That works OK so far.

Now, to keep things better separated/organized, I had the idea of separating the IDP and the STS, each in its own Tomcat instance. That would be:

tomcat 1: IDP
tomcat 2: STS
tomcat 2: Relying Party

As far as I understand, that should be possible, since the IDP has a configuration to specify the URL of the STS web service (web.xml, sts.wsdl.url servlet parameter).

I had no trouble having the STS in its own Tomcat (I can access the web service WSDL from the browser over HTTPS), but then I can't make the IDP call the STS correctly. First, I had a "java.security.cert.CertificateException: No subject alternative names present", which I solved by adding "-ext SubjectAlternativeName=IP:the.ip.address.here". But then I keep getting this error:

javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://the.ip.address.here:port/fediz-idp-sts/STSService?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've read that this means that the STS server has some certificate that the IDP side can't trust much. I've tried fixing it by importing the certificates of the STS and the STS's new Tomcat into the IDP and IDP's Tomcat keystores, but the error remains.

But, more concretely, my question is whether the IDP and STS MUST run in the same Tomcat (as described in the doc), or if my idea of splitting them should be possible, and it's just a matter of trying more with the configuration.

Thanks in advance, best regards,
German
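The two TLS failures in the post (a server certificate with no subject alternative name, then a certificate the client has no trust anchor for) can be reproduced offline with openssl and checked against their fixed versions. This is an added example, not code from the thread or from Fediz; it assumes openssl is installed, and the CA, hostnames and the 192.0.2.10 address are constructed stand-ins for "the.ip.address.here".

```shell
#!/bin/sh
# Added example (not from the thread): reproduce offline, with openssl, the two
# TLS failures from the post, a cert without a SAN and a cert with no trust anchor,
# next to their fixed versions. Assumes openssl is installed; names are constructed.
set -e
WORK=$(mktemp -d)
STS_IP=192.0.2.10   # documentation-range address standing in for "the.ip.address.here"

# Private CA that signs the STS certificate (stands in for whoever issued the real one).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# STS server certificate; $1 = yes to include "subjectAltName=IP:$STS_IP", no to omit it
# (the omitted case is what produced "No subject alternative names present").
make_sts_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sts" \
    -keyout "$WORK/sts.key" -out "$WORK/sts.csr" >/dev/null 2>&1
  if [ "$1" = yes ]; then
    printf 'subjectAltName=IP:%s\n' "$STS_IP" > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/sts.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -out "$WORK/sts.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/sts.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 30 -out "$WORK/sts.pem" >/dev/null 2>&1
  fi
}

# Exit 0 when the STS cert carries a SAN entry for the address the IDP connects to.
has_san_ip() {
  openssl x509 -in "$WORK/sts.pem" -noout -text 2>/dev/null | grep -q "IP Address:$STS_IP"
}

# Chain validation as the IDP's TLS client does it. $1 = CA file to trust, or "" for a
# trust store that lacks the issuer; a non-zero status is the "PKIX path building
# failed: unable to find valid certification path" situation.
verify_chain() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$WORK/sts.pem" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$WORK/sts.pem" >/dev/null 2>&1
  fi
}

# Stand-alone run: SAN-less cert, fixed cert, then validation without and with the CA.
make_ca
make_sts_cert no;  has_san_ip && echo "SAN present" || echo "no SAN: CertificateException case"
make_sts_cert yes; has_san_ip && echo "SAN IP:$STS_IP present"
verify_chain "" && echo "trusted" || echo "issuer not in trust store: PKIX path building fails"
verify_chain "$WORK/ca.pem" && echo "chain verified once the CA is a trust anchor"
```

The Java counterpart of the -CAfile case is importing the issuing CA (not only the server certificate) with keytool -importcert -trustcacerts into the truststore the IDP's JVM actually consults, which is not necessarily the keystore its Tomcat connector uses.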
