sec:keyStore supports either JKS or PKCS12 keystores. There is also a sec:certStore that works with PEM files, but only for TrustStores I think. As a workaround you can just use the Java keytool command to import your PEM key/cert into a JKS keystore.

> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co has idp-ssl-server.jks but no idp-ssl-key.jks.

SVN is not used any more by CXF or Fediz, that page is old. The correct version is on github: https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html

Colm.

On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <[email protected]> wrote:
> Hi Colm,
>
> is there any way for sec:keyStore to be pointed at a pem certificate
> instead of a java keystore? where is the documentation for sec:keyStore?
>
> Matt
>
> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>> I haven't used the APR connector. The following works for me in the tests,
>> perhaps you could duplicate this config and get it working first before
>> switching over to the APR connector:
>>
>> <Connector port="9443"
>>     protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>     SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>     sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>     keyPass="tompass" truststoreFile="idp-ssl-trust.jks"
>>     truststorePass="ispass" />
>>
>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>> communicate with the STS from the IdP. The truststore should contain the
>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>> private key of your IdP.
>>
>> Colm.
>>
>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <[email protected]> wrote:
>>> i am using my own certificate with APR in the tomcat server.xml. I added
>>> clientVerification="required" to SSLHostConfig but I still have the same
>>> problem
>>>
>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>     maxThreads="150" SSLEnabled="true">
>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>     <SSLHostConfig clientVerification="required">
>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>             certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>             certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>             type="RSA" />
>>>     </SSLHostConfig>
>>> </Connector>
>>>
>>> I commented the trustManagers and keyManagers in
>>> services/idp/src/main/resources/cxf-tls.xml. Could this be the problem?
>>> How would I use production certificates?
>>>
>>> <http:conduit name="*.http-conduit">
>>>     <http:tlsClientParameters disableCNCheck="true">
>>>         <!-- <sec:trustManagers>
>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>         </sec:trustManagers>
>>>         <sec:keyManagers keyPassword="tompass">
>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>         </sec:keyManagers> -->
>>>     </http:tlsClientParameters>
>>> </http:conduit>
>>>
>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>> but now i have this
>>>>
>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>     ...
>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>     at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>     at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>     ... 154 more
>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>     at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>     ...
>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>
>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>
>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>
>>>>> the previous one was caused by
>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>> should have been
>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>> according to original file
>>>>>
>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>> Hi Colm,
>>>>>>
>>>>>> Yes I have:
>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>     ...
>>>>>>     <property name="applications">
>>>>>>         <util:list>
>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>         </util:list>
>>>>>>     </property>
>>>>>>     ...
>>>>>> </bean>
>>>>>>
>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>> </bean>
>>>>>>
>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>     <property name="optional" value="false" />
>>>>>> </bean>
>>>>>>
>>>>>> etc.
>>>>>>
>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>> Do you have an
>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in
>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to
>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. it
>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>
>>>>>>>> but then i get the following error
>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>
>>>>>>>> Matthew

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
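A cxf-tls.xml conduit for the IdP that keeps the client certificate the STS policy demands, as an added example rather than code from the thread or the Fediz project: because sec:keyStore accepts PKCS12, the Let's Encrypt PEM files can be packaged with openssl instead of being imported into JKS with keytool. The file names idp-client.p12 and sts-trust.p12 and the password changeit are assumptions.

```xml
<!-- Added example, not the project's own cxf-tls.xml. The thread's error
     "RequireClientCertificate is set, but no local certificates were negotiated"
     is raised by the IdP's own HTTP conduit when the STS's WS-SecurityPolicy
     HttpsToken requires a client certificate and no keyManagers are configured,
     so commenting them out cannot work. Assumed: idp-client.p12 (hypothetical
     name) was built from the PEM files with
       openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile chain.pem \
         -name idp -out idp-client.p12 -passout pass:changeit
     and sts-trust.p12 (hypothetical name) holds the issuing CA of the Tomcat
     instance that serves the STS (here the same host, domain.tld:9443). -->
<http:conduit name="*.http-conduit">
    <!-- disableCNCheck is left at its default (false): the stsUrl host must
         match the STS certificate, which a Let's Encrypt cert for domain.tld does. -->
    <http:tlsClientParameters>
        <sec:trustManagers>
            <sec:keyStore type="pkcs12" password="changeit" resource="sts-trust.p12" />
        </sec:trustManagers>
        <sec:keyManagers keyPassword="changeit">
            <sec:keyStore type="pkcs12" password="changeit" resource="idp-client.p12" />
        </sec:keyManagers>
    </http:tlsClientParameters>
</http:conduit>
<!-- Server side: the certificate is only "negotiated" if Tomcat asks for it.
     On the APR connector the SSLHostConfig attribute for that is
     certificateVerification (none/optional/optionalNoCA/required); "optional"
     corresponds to clientAuth="want" on the NIO connector in the thread, and
     the trust store configured there must contain the issuer of idp-client.p12.
     A public CA as client-certificate issuer means any certificate from that CA
     passes the handshake, which is why the sample keys use a dedicated IdP key. -->
```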
