Hi Colm,

Thanks for the answer. Yes, you were right. In applicationContext.xml, I had the http:conduit element pointing to the IDP port instead of the STS port. Now it finally works.

Just as a comment: since the Fediz distribution comes with the 2 war files, IDP and STS, ready to use on the same container, it's difficult to realize which of the many configurations refers to which of them.

Thanks again!

German

2012/12/12 Colm O hEigeartaigh <[email protected]>

> > But, more concretely, my question is if the IDP and STS MUST run in the
> > same tomcat (as described in the doc), or if my idea of splitting them
> > should be possible, and it's just a matter of trying more with the
> > configuration.
>
> No, it should be possible to run the IDP + the STS in different containers.
>
> Are you sure that the certificate of the STS is in the keystore referenced
> in the "applicationContext.xml" of the IDP? Are you sure that the port
> number referenced in this file matches the port number of the STS's
> container?
>
> Colm.
>
>
> On Wed, Dec 12, 2012 at 1:56 PM, German Morales <[email protected]> wrote:
>
> > Hi everyone,
> >
> > I'm testing Fediz, and I have, as suggested in the docs, two separate
> > tomcat instances:
> >   tomcat 1: IDP + STS
> >   tomcat 2: Relying Party
> > That works ok so far.
> >
> > Now, to keep things better separated/organized, I had the idea of
> > separating the IDP and the STS, each in its own tomcat instance. That
> > would be:
> >   tomcat 1: IDP
> >   tomcat 2: STS
> >   tomcat 2: Relying Party
> >
> > As far as I understand, that should be possible, since the IDP has a
> > configuration to specify the URL of the STS web service (web.xml,
> > sts.wsdl.url servlet parameter).
> > I had no trouble having the STS in its own tomcat (I can access the
> > webservice wsdl from the browser over https), but then I can't make the
> > IDP call the STS correctly.
> >
> > First, I had a "java.security.cert.CertificateException: No subject
> > alternative names present", which I solved by adding "-ext
> > SubjectAlternativeName=IP:the.ip.address.here".
> >
> > But then I keep getting this error:
> >
> >   javax.wsdl.WSDLException:
> >   WSDLException:
> >   faultCode=PARSER_ERROR:
> >   Problem parsing 'https://the.ip.address.here:port/fediz-idp-sts/STSService?wsdl'.:
> >   javax.net.ssl.SSLHandshakeException:
> >   sun.security.validator.ValidatorException:
> >   PKIX path building failed:
> >   sun.security.provider.certpath.SunCertPathBuilderException:
> >   unable to find valid certification path to requested target
> >
> > I've read that this means that the STS server has some certificate that
> > the IDP side can't trust much.
> > I've tried fixing it, importing the certificates of the STS and the STS's
> > new tomcat into the IDP and IDP's tomcat keystores, but the error remains.
> >
> > But, more concretely, my question is if the IDP and STS MUST run in the
> > same tomcat (as described in the doc), or if my idea of splitting them
> > should be possible, and it's just a matter of trying more with the
> > configuration.
> >
> > Thanks in advance, best regards,
> >
> > German
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
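For reference, here is an IDP-side applicationContext.xml fragment of the kind the thread ends up with: a CXF http:conduit keyed on the STS container's address with a trust store that holds the STS certificate. This is an added illustration, not a file from the Fediz distribution or from either poster; the host name sts.example.org, port 9443, the keystore path conf/ststrust.jks and its password are placeholders, and the conduit is assumed to be placed in the IDP's existing Spring/CXF context.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (hypothetical values): IDP-side applicationContext.xml fragment. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
         http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
         http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- The conduit name is matched (as a pattern) against the endpoint address
       the IDP actually calls. With the STS in its own Tomcat that is the STS
       host and port, i.e. the same host:port as the sts.wsdl.url parameter
       in the IDP's web.xml, NOT the IDP's own HTTPS port. A conduit whose name
       does not match the STS address is silently ignored, and the call then
       falls back to the JVM default trust store, which is what produces the
       "PKIX path building failed" error seen in the thread. -->
  <http:conduit name="https://sts.example.org:9443/.*">
    <http:tlsClientParameters>
      <!-- Trust store holding the STS container's TLS certificate (or the CA
           that issued it). Placeholder file name and password. Hostname
           verification stays enabled; the thread fixed the earlier
           "No subject alternative names present" error the right way, by
           issuing the STS certificate with a SubjectAlternativeName, rather
           than by setting disableCNCheck="true". -->
      <sec:trustManagers>
        <sec:keyStore type="JKS"
                      password="ststrustpass"
                      file="conf/ststrust.jks"/>
      </sec:trustManagers>
    </http:tlsClientParameters>
  </http:conduit>
</beans>
```

Two quick checks before starting the IDP container: the scheme, host and port in the conduit name must be exactly those of the STS URL the IDP resolves from sts.wsdl.url, and `keytool -list -keystore conf/ststrust.jks` should show the STS certificate (or its issuing CA) as a trusted entry. If either differs, the IDP will not use this conduit at all.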
