> But, more concretely, my question is if the IDP and STS MUST run in the
> same tomcat (as described in the doc), or if my idea of splitting them
> should be possible, and it's just a matter of trying more with the
> configuration.

No, it should be possible to run the IDP + the STS in different containers. Are you sure that the certificate of the STS is in the keystore referenced in the "applicationContext.xml" of the IDP? Are you sure that the port number referenced in this file matches the port number of the STS's container?

Colm.

On Wed, Dec 12, 2012 at 1:56 PM, German Morales <[email protected]> wrote:
> Hi everyone,
>
> I'm testing Fediz, and I have, as suggested in the docs, two separate
> tomcat instances:
> tomcat 1: IDP + STS
> tomcat 2: Relying Party
> That works ok so far.
>
> Now, to keep things better separated/organized, I had the idea of
> separating the IDP and the STS, each in its own tomcat instance. That
> would be:
> tomcat 1: IDP
> tomcat 2: STS
> tomcat 2: Relying Party
>
> As far as I understand, that should be possible, since the IDP has a
> configuration to specify the URL of the STS web service (web.xml,
> sts.wsdl.url servlet parameter).
> I had no trouble having the STS in its own tomcat (I can access the
> webservice wsdl from the browser over https), but then I can't make the IDP
> call the STS correctly.
>
> First, I had a "java.security.cert.CertificateException: No subject
> alternative names present", which I solved by adding "-ext
> SubjectAlternativeName=IP:the.ip.address.here".
>
> But then I keep getting this error:
> javax.wsdl.WSDLException:
> WSDLException:
> faultCode=PARSER_ERROR:
> Problem parsing 'https://the.ip.address.here:port/fediz-idp-sts/STSService?wsdl'.:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException:
> PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>
> I've read that this means that the STS server has some certificate that the
> IDP side can't trust much.
> I've tried fixing it, importing the certificates of the STS and the STS'
> new tomcat to the IDP and IDP's tomcat keystores, but the error remains.
>
> But, more concretely, my question is if the IDP and STS MUST run in the
> same tomcat (as described in the doc), or if my idea of splitting them
> should be possible, and it's just a matter of trying more with the
> configuration.
>
> Thanks in advance, best regards,
>
> German

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
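An added example, not code from the thread or from Fediz, of the two TLS-client checks the exchange turns on: whether the dialed IP appears in the STS certificate's subject alternative names, and whether a certification path can be built from the STS certificate to something in the IDP's truststore. It is written in Go rather than Fediz's Java because Go's standard library can mint throwaway certificates offline; the CA, the STS certificate and the IP 10.0.0.5 are constructed fixtures, and `trustCheck` mirrors what the JDK's PKIX validator reports as "No subject alternative names present" and "unable to find valid certification path".

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// newCert mints a constructed test cert for cn (ips become IP SANs, what keytool "-ext SAN=IP:..." adds), signed by parent or self-signed if parent is nil.
func newCert(cn string, ips []net.IP, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// trustCheck does what the IDP's TLS client does before it can fetch the STS WSDL: match the dialed IP
// against the STS cert's SANs, then build a certification path to an anchor in the IDP truststore.
func trustCheck(sts *x509.Certificate, truststore []*x509.Certificate, ip string) string {
	roots := x509.NewCertPool() // an explicit, initially empty pool: no system roots, like a JKS you control
	for _, c := range truststore { roots.AddCert(c) }
	_, err := sts.Verify(x509.VerifyOptions{Roots: roots, DNSName: ip})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError: // the thread's first error: no SAN for the dialed IP
		return "no subject alternative names match"
	case x509.UnknownAuthorityError: // the second error: PKIX path building failed
		return "unable to find valid certification path"
	}
	return err.Error()
}
func main() {
	ca, caKey := newCert("Fediz Test CA", nil, true, nil, nil) // constructed; 10.0.0.5 is a placeholder STS IP
	sts, _ := newCert("STS", []net.IP{net.ParseIP("10.0.0.5")}, false, ca, caKey)
	fmt.Println(trustCheck(sts, nil, "10.0.0.5"), "|", trustCheck(sts, []*x509.Certificate{ca}, "10.0.0.5"))
}
```

Importing either the issuing CA or the STS certificate itself into the truststore makes the path check pass; a cert whose SANs do not cover the dialed IP fails before any path is even attempted, which is why the two errors in the thread appeared in that order.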
