Where is the exception taking place? Is it when the client hits the IdP or
when the IdP is contacting the STS? You should be able to tell from the
Tomcat logs.

Generally speaking, you need to first configure TLS properly for the
endpoints in the conf/server.xml, e.g.:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS" keystoreFile="idp-ssl-key.jks"
           keystorePass="tompass" keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
           truststorePass="ispass" />

Then you need to configure TLS for the IdP client to contact the STS: edit
webapps/fediz-idp/WEB-INF/applicationContext.xml and edit the TLS
configuration:

<http:conduit name="*.http-conduit">
    <http:tlsClientParameters
        disableCNCheck="true">
        <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass"
                          resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass"
                          resource="idp-ssl-key.jks"/>
        </sec:keyManagers>
    </http:tlsClientParameters>
</http:conduit>

Note that idp-ssl-trust and idp-ssl-key are stored in WEB-INF/classes here;
you will need to copy your new files in here.

Colm.

On Tue, Aug 25, 2015 at 5:06 AM, rajj <[email protected]> wrote:

> Hi Colm,
> I am just trying to use our own certificates (IDP & RP). I have one public
> IDP certificate myIDP_x509.cer and I have my RP public certificate and
> private key (devcacert.pem, devprivatekey.pem). Now I generated a keystore
> and trust store using the link
>
> http://svn.apache.org/viewvc/cxf/fediz/tags/fediz-1.1.0/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1538770&view=co
>
> and I placed the keystores and truststore in IDP and RP, started the server
> and tried to connect to the IDP, but it's giving an SSLHandshake Exception
> saying the request is not verifying (seems to be a problem with the generated
> keystores and truststores). My simple question here is how to generate the
> keystore and truststore using my above files and how do I configure it in
> IDP/STS and RP (what files need to be updated to use the updated keystores
> and truststores).
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/What-configuration-need-to-change-when-I-use-our-own-IDP-certificate-and-relaying-party-certificate-tp5760372p5760404.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
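Added example, not part of this thread and not code from the Fediz project: a small Python check that parses the two fragments in the reply above (the Tomcat Connector and the CXF http-conduit TLS client parameters) and reports the mismatches that typically leave one of the two hops in the handshake failing: a store referenced by the conduit that is not actually in WEB-INF/classes, a Connector that asks for client certificates (clientAuth="want") while the conduit carries no keyManagers, and the disableCNCheck="true" setting, which turns off hostname verification towards the STS. The list of files present in WEB-INF/classes is constructed for the demo; the two namespace URIs are the real CXF namespaces behind the http: and sec: prefixes, which the fragment itself does not declare.

```python
"""Cross-check Tomcat Connector TLS settings against the CXF conduit TLS
client settings. Added example; XML fragments copied from the reply above,
file list for WEB-INF/classes constructed for the demo."""
import xml.etree.ElementTree as ET

# Real CXF namespace URIs for the prefixes used in applicationContext.xml.
NS = {
    "http": "http://cxf.apache.org/transports/http/configuration",
    "sec": "http://cxf.apache.org/configuration/security",
}

# Fragment from conf/server.xml as posted in the reply.
SERVER_XML_CONNECTOR = """
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS" keystoreFile="idp-ssl-key.jks"
           keystorePass="tompass" keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
           truststorePass="ispass" />
"""

# Fragment from webapps/fediz-idp/WEB-INF/applicationContext.xml as posted.
CONDUIT_XML = """
<http:conduit name="*.http-conduit">
    <http:tlsClientParameters disableCNCheck="true">
        <sec:trustManagers>
            <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="tompass">
            <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
        </sec:keyManagers>
    </http:tlsClientParameters>
</http:conduit>
"""

# Constructed: what a `ls WEB-INF/classes` might show after copying the stores.
CLASSES_DIR_FILES = ["idp-ssl-trust.jks", "idp-ssl-key.jks", "fediz_config.xml"]


def parse_connector(fragment):
    """Return the Connector attributes (server side of the client->IdP hop)."""
    return dict(ET.fromstring(fragment).attrib)


def parse_conduit(fragment):
    """Return the conduit's client TLS settings (IdP->STS hop).

    The fragment has no xmlns declarations, so wrap it in a root element
    that declares the http: and sec: prefixes before parsing."""
    wrapped = '<root xmlns:http="%s" xmlns:sec="%s">%s</root>' % (
        NS["http"], NS["sec"], fragment)
    root = ET.fromstring(wrapped)
    tls = root.find("http:conduit/http:tlsClientParameters", NS)
    trust = tls.find("sec:trustManagers/sec:keyStore", NS)
    key = tls.find("sec:keyManagers/sec:keyStore", NS)
    return {
        "disableCNCheck": tls.get("disableCNCheck", "false"),
        "truststore": trust.get("resource") if trust is not None else None,
        "keystore": key.get("resource") if key is not None else None,
    }


def check_tls_config(connector, conduit, classes_dir_files):
    """Return a list of ERROR/WARN strings; an empty list means nothing found."""
    findings = []
    if connector.get("SSLEnabled") != "true":
        findings.append("ERROR: Connector is not SSLEnabled; no TLS endpoint on port %s"
                        % connector.get("port"))
    # The IdP calls the STS on the same Connector: if that Connector wants a
    # client certificate, the conduit must be able to present one.
    if connector.get("clientAuth") in ("want", "true") and conduit["keystore"] is None:
        findings.append("ERROR: Connector has clientAuth=%s but the conduit has no "
                        "keyManagers to present a client certificate" % connector["clientAuth"])
    # Conduit resources are classpath resources, i.e. they must be in WEB-INF/classes.
    for role in ("truststore", "keystore"):
        resource = conduit[role]
        if resource is not None and resource not in classes_dir_files:
            findings.append("ERROR: conduit %s '%s' is not present in WEB-INF/classes"
                            % (role, resource))
    if conduit["disableCNCheck"] == "true":
        findings.append("WARN: disableCNCheck=true disables hostname verification "
                        "towards the STS; fine for a dev box, remove it once the STS "
                        "certificate CN/SAN matches the STS hostname")
    return findings


def run_check(classes_dir_files=CLASSES_DIR_FILES):
    """Parse both fragments and return the findings for the given directory listing."""
    return check_tls_config(parse_connector(SERVER_XML_CONNECTOR),
                            parse_conduit(CONDUIT_XML), classes_dir_files)


if __name__ == "__main__":
    for line in run_check() or ["OK: connector and conduit are consistent"]:
        print(line)
```

Run it once against the real WEB-INF/classes listing; an ERROR line points at the hop (client to IdP, or IdP to STS) whose store is missing or misconfigured, which is the same question the reply suggests answering from the Tomcat logs.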
