The problem is that your Tomcat container hosting the STS is not asking for client authentication. You can check this by using a web browser or curl to view the WSDL of the STS - if you can get it to work then the configuration is incorrect, as it should error on the browser not supplying a client cert.
Colm.

On Tue, Oct 24, 2017 at 12:57 PM, Matthew Broadhead <[email protected]> wrote:

> i spoke too soon.
>
> i am completely stuck with the same stack trace and no amount of reloading
> the certificates is helping. is there any way to debug what the actual
> problem is?
>
> 2017-10-24 12:55:58,155 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:427)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:328)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:281)
> at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:861)
> at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:47)
> at org.apache.cxf.fediz.service.idp.IdpSTSClient.requestSecurityTokenResponse(IdpSTSClient.java:42)
> at org.apache.cxf.fediz.service.idp.beans.STSClientAction.submit(STSClientAction.java:296)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
> ... 154 more
> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
> at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
> at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
> at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
> at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
> at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
> at com.ctc.wstx.io.UTF8Writer.flush(UTF8Writer.java:100)
> at com.ctc.wstx.sw.BufferingXmlWriter.flush(BufferingXmlWriter.java:241)
> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:253)
> ... 155 more
> 2017-10-24 12:55:58,158 [https-openssl-apr-9443-exec-2] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>
>
> On 23/10/2017 19:41, Matthew Broadhead wrote:
>
>> Thanks for your help Colm. I now have it working using the production
>> certificate by following this example https://stackoverflow.com/a/2141229/3052312
>> to export the pems into jks files.
>>
>> but in the end i also had to copy idp-ssl-key.jks and idp-ssl-trust.jks
>> into webapps/idp/WEB-INF/classes as well as having them in catalina base.
>> this seems impractical in production as the certificates get reissued every
>> 6 months. is it possible for sec:keyStore to define the resource as being
>> in catalina base?
>>
>> On 23/10/2017 18:11, Colm O hEigeartaigh wrote:
>>
>>> sec:keyStore supports either JKS or PKCS12 keystores. There is also a
>>> sec:certStore that works with PEM files, but only for TrustStores I
>>> think.
>>> As a workaround you can just use the Java keytool command to import your
>>> PEM key/cert into a JKS keystore.
>>>
>>>> this document http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?view=co
>>>> has idp-ssl-server.jks but no idp-ssl-key.jks.
>>>
>>> SVN is not used any more by CXF or Fediz, that page is old. The correct
>>> version is on github:
>>>
>>> https://github.com/apache/cxf-fediz/blob/master/examples/samplekeys/HowToGenerateKeysREADME.html
>>>
>>> Colm.
>>>
>>> On Mon, Oct 23, 2017 at 4:40 PM, Matthew Broadhead <[email protected]> wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> is there any way for sec:keyStore to be pointed at a pem certificate
>>>> instead of a java keystore? where is the documentation for sec:keyStore?
>>>>
>>>> Matt
>>>>
>>>> On 23/10/2017 17:11, Colm O hEigeartaigh wrote:
>>>>
>>>>> I haven't used the APR connector. The following works for me in the tests,
>>>>> perhaps you could duplicate this config and get it working first before
>>>>> switching over to the APR connector:
>>>>>
>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
>>>>>     SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
>>>>>     sslProtocol="TLS" keystoreFile="idp-ssl-key.jks" keystorePass="tompass"
>>>>>     keyPass="tompass" truststoreFile="idp-ssl-trust.jks" truststorePass="ispass" />
>>>>>
>>>>> Yes you will need to specify the truststore and keystore in cxf-tls.xml to
>>>>> communicate with the STS from the IdP. The truststore should contain the
>>>>> issuing cert of the Tomcat instance hosting your STS + then keystore the
>>>>> private key of your IdP.
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Sun, Oct 22, 2017 at 9:23 AM, Matthew Broadhead <[email protected]> wrote:
>>>>>
>>>>>> i am using my own certificate with APR in the tomcat server.xml. I added
>>>>>> clientVerification="required" to SSLHostConfig but I still have the same
>>>>>> problem
>>>>>> <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>     maxThreads="150" SSLEnabled="true">
>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>>>>     <SSLHostConfig clientVerification="required">
>>>>>>         <Certificate certificateKeyFile="/etc/letsencrypt/live/domain.tld/privkey.pem"
>>>>>>             certificateFile="/etc/letsencrypt/live/domain.tld/cert.pem"
>>>>>>             certificateChainFile="/etc/letsencrypt/live/domain.tld/fullchain.pem"
>>>>>>             type="RSA" />
>>>>>>     </SSLHostConfig>
>>>>>> </Connector>
>>>>>>
>>>>>> I commented the trustManagers and keyManagers in
>>>>>> services/idp/src/main/resources/cxf-tls.xml. Could this be the problem?
>>>>>> How would I use production certificates?
>>>>>> <http:conduit name="*.http-conduit">
>>>>>>     <http:tlsClientParameters disableCNCheck="true">
>>>>>>         <!-- <sec:trustManagers>
>>>>>>             <sec:keyStore type="jks" password="ispass" resource="idp-ssl-trust.jks" />
>>>>>>         </sec:trustManagers>
>>>>>>         <sec:keyManagers keyPassword="tompass">
>>>>>>             <sec:keyStore type="jks" password="tompass" resource="idp-ssl-key.jks"/>
>>>>>>         </sec:keyManagers> -->
>>>>>>     </http:tlsClientParameters>
>>>>>> </http:conduit>
>>>>>>
>>>>>>
>>>>>> On 22/10/2017 00:38, Matthew Broadhead wrote:
>>>>>>
>>>>>>> ok...i fixed the last error by dropping the schema and restarting.
>>>>>>> but now i have this
>>>>>>> 2017-10-21 21:58:19,541 [https-openssl-apr-9443-exec-9] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
>>>>>>> org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
>>>>>>> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
>>>>>>> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:518)
>>>>>>> ...
>>>>>>> Caused by: com.ctc.wstx.exc.WstxIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>> at com.ctc.wstx.sw.BaseStreamWriter.flush(BaseStreamWriter.java:255)
>>>>>>> at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:215)
>>>>>>> ... 154 more
>>>>>>> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated. Is the server set to ask for client authorization?
>>>>>>> at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:143)
>>>>>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1780)
>>>>>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1323)
>>>>>>> ...
>>>>>>> 2017-10-21 21:58:19,542 [https-openssl-apr-9443-exec-9] ERROR org.apache.cxf.fediz.service.idp.beans.STSClientAction - Error in retrieving a token
>>>>>>>
>>>>>>>
>>>>>>> On 20/10/2017 23:05, Matthew Broadhead wrote:
>>>>>>>
>>>>>>>> ok i now have a different error and it doesn't load the login screen
>>>>>>>>
>>>>>>>> 2017-10-20 19:25:39,175 [https-openssl-apr-9443-exec-2] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>> 2017-10-20 19:26:18,084 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,085 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_READ' not found
>>>>>>>> 2017-10-20 19:26:18,090 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'IDP_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,091 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,092 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'CLAIM_READ' not found
>>>>>>>> 2017-10-20 19:26:18,094 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_LIST' not found
>>>>>>>> 2017-10-20 19:26:18,095 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'APPLICATION_READ' not found
>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] ERROR org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Role 'TRUSTEDIDP_READ' not found
>>>>>>>> 2017-10-20 19:26:18,096 [https-openssl-apr-9443-exec-5] INFO org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements - Enriched AuthenticationToken added
>>>>>>>>
>>>>>>>> the previous one was caused by
>>>>>>>> services/idp/src/main/webapp/WEB-INF/idp-config-realm-myrealm.xml
>>>>>>>> <property name="stsUrl" value="https://domain.tld:9443/idp-sts/REALMMYREALM" />
>>>>>>>> should have been
>>>>>>>> <property name="stsUrl" value="https://domain.tld:0/idp-sts/REALMMYREALM" />
>>>>>>>> according to original file
>>>>>>>>
>>>>>>>> On 20/10/2017 18:27, Matthew Broadhead wrote:
>>>>>>>>
>>>>>>>>> Hi Colm,
>>>>>>>>>
>>>>>>>>> Yes I have:
>>>>>>>>> <bean id="idp-realmXYZ" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
>>>>>>>>>     ...
>>>>>>>>>     <property name="applications">
>>>>>>>>>         <util:list>
>>>>>>>>>             <ref bean="srv-fedizhelloworld" />
>>>>>>>>>             <!-- <ref bean="srv-oidc" /> -->
>>>>>>>>>         </util:list>
>>>>>>>>>     </property>
>>>>>>>>>     ...
>>>>>>>>> </bean>
>>>>>>>>>
>>>>>>>>> <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
>>>>>>>>>     <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
>>>>>>>>>     <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
>>>>>>>>>     <property name="serviceDisplayName" value="Fedizhelloworld" />
>>>>>>>>>     <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
>>>>>>>>>     <property name="role" value="ApplicationServiceType" />
>>>>>>>>>     <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
>>>>>>>>>     <property name="lifeTime" value="3600" />
>>>>>>>>>     <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>>     <property name="logoutEndpointConstraint" value="https://localhost:?(\d)*/.*" />
>>>>>>>>> </bean>
>>>>>>>>>
>>>>>>>>> <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
>>>>>>>>>     <property name="application" ref="srv-fedizhelloworld" />
>>>>>>>>>     <property name="claim" ref="claim_role" />
>>>>>>>>>     <property name="optional" value="false" />
>>>>>>>>> </bean>
>>>>>>>>>
>>>>>>>>> etc.
>>>>>>>>>
>>>>>>>>> On 20/10/2017 18:08, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> Do you have an
>>>>>>>>>> org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity instance in
>>>>>>>>>> your webapps/fediz-idp/WEB-INF/classes/entities-realma.xml with realm
>>>>>>>>>> "urn:org:apache:cxf:fediz:fedizhelloworld"?
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Fri, Oct 20, 2017 at 4:09 PM, Matthew Broadhead <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> i have Fediz working now on (e.g.) domain.tld:9443/idp and i am trying to
>>>>>>>>>>> use it from localhost:9443/fedizhelloworld/secure/fedservlet. it
>>>>>>>>>>> correctly redirects to the login page and seems to authenticate ok
>>>>>>>>>>>
>>>>>>>>>>> but then i get the following error
>>>>>>>>>>> 2017-10-20 15:56:17,424 [https-openssl-apr-9443-exec-8] INFO org.apache.cxf.fediz.service.idp.beans.CacheSecurityToken - Token [IDP_TOKEN=<something>] for realm [<something>] successfully cached.
>>>>>>>>>>> 2017-10-20 15:56:17,433 [https-openssl-apr-9443-exec-8] WARN org.apache.cxf.fediz.service.idp.beans.EndpointAddressValidator - No service config found for urn:org:apache:cxf:fediz:fedizhelloworld
>>>>>>>>>>>
>>>>>>>>>>> Matthew

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
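As an added example, not code from this thread or from CXF, Fediz or Tomcat: a small JSSE probe that performs in code the check Colm describes at the top of the thread. It connects to the Tomcat hosting the STS with a key manager that owns no key, records whether the server sends a TLS CertificateRequest, and reports whether the server served the connection anyway. The class and verdict names, the default host, and loading the trust store through the standard javax.net.ssl.trustStore launch properties are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;

// Added example (not thread, CXF, Fediz or Tomcat code). Host, port and the
// trust-store launch properties below are assumptions.
public class ClientAuthProbe {

    /** Holds no keys; JSSE calls chooseClientAlias only after a CertificateRequest arrives. */
    static final class RecordingKeyManager extends X509ExtendedKeyManager {
        volatile boolean certificateRequested;

        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            certificateRequested = true;
            return null; // offer nothing, exactly like a browser or curl without a client cert
        }
        @Override
        public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
            return chooseClientAlias(keyTypes, issuers, null);
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return null; }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return null; }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
        @Override public X509Certificate[] getCertificateChain(String alias) { return null; }
        @Override public PrivateKey getPrivateKey(String alias) { return null; }
    }

    enum Verdict { NOT_REQUESTED, REQUESTED_BUT_OPTIONAL, REQUIRED }

    static Verdict probe(String host, int port) throws Exception {
        RecordingKeyManager km = new RecordingKeyManager();
        // Trust store with the issuing cert of the STS's Tomcat (idp-ssl-trust.jks in the thread),
        // given at launch: -Djavax.net.ssl.trustStore=idp-ssl-trust.jks -Djavax.net.ssl.trustStorePassword=ispass
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, tmf.getTrustManagers(), null);

        boolean handshakeDone = false;
        boolean servedWithoutCert = false;
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(5000);
            s.startHandshake(); // a TLS 1.2 server with client auth required aborts here
            handshakeDone = true;
            // A TLS 1.3 server may only send its certificate_required alert after the handshake,
            // so send a harmless request and see whether any application data comes back.
            OutputStream out = s.getOutputStream();
            out.write(("HEAD / HTTP/1.0\r\nHost: " + host + "\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
            out.flush();
            InputStream in = s.getInputStream();
            servedWithoutCert = in.read() != -1;
        } catch (SocketTimeoutException e) {
            if (!handshakeDone) throw e;   // server hung during the handshake: not a verdict
            servedWithoutCert = true;      // handshake stood; the server just had nothing to say
        } catch (IOException e) {
            // Handshake failure or post-handshake alert. Only a verdict if the server had
            // actually asked for a certificate; otherwise it is a trust or network problem.
            if (!km.certificateRequested) throw e;
        }
        if (!km.certificateRequested) return Verdict.NOT_REQUESTED;
        return servedWithoutCert ? Verdict.REQUESTED_BUT_OPTIONAL : Verdict.REQUIRED;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";         // assumption
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9443;  // the thread's Connector port
        Verdict v = probe(host, port);
        if (v == Verdict.NOT_REQUESTED) {
            System.out.println("No CertificateRequest seen: Tomcat is not asking for client authentication,"
                    + " so the CXF client can never negotiate a local certificate for the STS call.");
        } else if (v == Verdict.REQUESTED_BUT_OPTIONAL) {
            System.out.println("Client certificate requested but not enforced (clientAuth=\"want\").");
        } else {
            System.out.println("Client certificate requested and enforced: the expected STS configuration.");
        }
    }
}
```

The first verdict is the Tomcat-side cause of the "no local certificates were negotiated" error in this thread; the probe deliberately leaves endpoint identification at the JSSE default, so check hostname matching separately rather than mirroring the thread's disableCNCheck="true".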
