Discussion:
Some problems about the certificate
杨如鹏
2012-04-24 09:15:43 UTC
Hello, everyone. I am really new to shibboleth, and now I am trying to
configure a simple test system for a shibboleth idp and sp. But there are
some problems when the sp tries to get attributes from the idp. The related
logs are here. The key in the metadata given to the sp is the same as the
content of idp.crt in the idp. I do not know how this comes about. Can you
help me? I will really appreciate your help.
Best wishes

2012-04-24 16:35:26 INFO Shibboleth.Application : building AttributeFilter of type XML...
2012-04-24 16:35:26 INFO Shibboleth.AttributeFilter : reload thread started...running when signaled
2012-04-24 16:35:26 INFO Shibboleth.AttributeFilter : loaded XML resource (/home/orbbyrp/shibboleth-sp/etc/shibboleth/attribute-policy.xml)
2012-04-24 16:35:26 INFO Shibboleth.Application : building AttributeResolver of type Query...
2012-04-24 16:35:26 INFO Shibboleth.Application : building CredentialResolver of type File...
2012-04-24 16:35:26 INFO XMLTooling.SecurityHelper : loading private key from file (/home/orbbyrp/shibboleth-sp/etc/shibboleth/idp-key.pem)
2012-04-24 16:35:26 INFO XMLTooling.SecurityHelper : loading certificate(s) from file (/home/orbbyrp/shibboleth-sp/etc/shibboleth/idp-cert.pem)
2012-04-24 16:35:26 INFO Shibboleth.Listener : registered remoted message endpoint (default::getHeaders::Application)
2012-04-24 16:35:26 INFO Shibboleth.Listener : listener service starting
2012-04-24 16:35:38 ERROR XMLTooling.TrustEngine.PKIX [2]: certificate name was not acceptable
2012-04-24 16:35:38 ERROR XMLTooling.SOAPTransport.CURL [2]: supplied TrustEngine failed to validate SSL/TLS server certificate
2012-04-24 16:35:38 ERROR Shibboleth.AttributeResolver.Query [2]: exception during SAML query to https://example.com:8443/idp/profile/SAML2/SOAP/AttributeQuery: CURLSOAPTransport failed while contacting SOAP endpoint (https://example.com:8443/idp/profile/SAML2/SOAP/AttributeQuery): SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-04-24 16:35:38 ERROR Shibboleth.AttributeResolver.Query [2]: unable to obtain a SAML response from attribute authority
2012-04-24 16:35:38 INFO Shibboleth.SessionCache [2]: new session created: ID (_2ae8bd4d424d19525b5edb52c78d2da5) IdP (https://example.com:8080/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (127.0.0.1)
2012-04-24 16:50:26 INFO XMLTooling.StorageService : purged 2 expired record(s) from storage
--
Rupeng Yang
Email: orbbyrp-***@public.gmane.org
site: orbbyrp.com
School of Computer Science and Technology, Shandong University
No.1500, Middle of Shunhua Road
Jinan 250101, Shandong, P.R.China
Hao Liu
2012-04-24 10:26:26 UTC
One possible problem is that you are using http while sp is expecting https.
Peter Schober
2012-04-24 11:54:18 UTC
Post by 杨如鹏
Hello, everyone. I am really new to shibboleth, and now I am trying to
configure a simple test system for shibboleth idp and sp. But there are
some problems when the sp tries to get attribute from the idp. The related
logs are here. The key in metadata to sp is the same as the content of
idp.crt in idp. I do not know how this comes about.
[...]
Post by 杨如鹏
2012-04-24 16:35:38 ERROR XMLTooling.SOAPTransport.CURL [2]: supplied
TrustEngine failed to validate SSL/TLS server certificate
2012-04-24 16:35:38 ERROR Shibboleth.AttributeResolver.Query [2]: exception
during SAML query to
CURLSOAPTransport failed while contacting SOAP endpoint (
https://example.com:8443/idp/profile/SAML2/SOAP/AttributeQuery): SSL
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
Well, then whatever the IdP serves up on port 8443 is not that same
public key. How is the IdP deployed? Tomcat solo? Tomcat (or some
other Java servlet container) behind httpd? Did you follow the
Shibboleth documentation for setting up the IdP with the extra port
8443?

The other question is why your SP would need to perform an attribute
query in the first place, when the IdP could have pushed any
attributes over the browser.
-peter
--
To unsubscribe from this list send an email to users-unsubscribe
Cantor, Scott
2012-04-24 17:58:51 UTC
Post by 杨如鹏
Hello, everyone. I am really new to shibboleth, and now I am trying to
configure a simple test system for shibboleth idp and sp. But there are
some problems when the sp tries to get attribute from the idp. The
related logs are here. The key in metadata to
sp is the same as the content of idp.crt in idp.
The IdP's credentials are not used for TLS on the IdP server unless/until
you configure them to be used for that in your web server.

And your IdP is not releasing any attributes to the SP anyway, or it
wouldn't be querying for them. SAML 2.0 flows do not involve queries,
generally.

-- Scott
杨如鹏
2012-04-25 05:22:32 UTC
Thanks for the reply. I put the sp and idp on the same PC. The sp was
based on Apache while the idp was deployed on Tomcat. I generated a new
keystore for Tomcat's https port 8443, and the password is just "123456". I
have specified the crt and key identical to the one in the metadata given
to the sp, just as below.

<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
    <security:PrivateKey>/home/orbbyrp/shibboleth-idp/install/credentials/idp.key</security:PrivateKey>
    <security:Certificate>/home/orbbyrp/shibboleth-idp/install/credentials/idp.crt</security:Certificate>
</security:Credential>
Cantor, Scott
2012-04-25 12:39:05 UTC
Post by 杨如鹏
Thanks for the reply. I put the sp and idp in the same PC. And the sp was
based on Apache while the idp was deployed on Tomcat. I generated a new
keystore for tomcat's https port 8443, and the password is just "123456".
I have specified the crt and key identical
to the one in the metadata given to the sp just as below.
If you generated a new keystore for Tomcat, then that is a certificate
that has to be in the metadata (along with the IdP's). Or you need to stop
using a custom cert for TLS and use the IdP generated keypair for it.

Which is what both Peter and I said.

-- Scott
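Scott's answer reduces to one check: whatever certificate the IdP presents on port 8443 has to be one of the certificates in the IdP metadata the SP holds, or the SP's TrustEngine rejects the TLS connection exactly as the log shows. The script below is an added example, not code from this thread or from Shibboleth; it compares a served PEM certificate against the ds:X509Certificate values in metadata by SHA-256 fingerprint. The metadata document and the certificate bytes are constructed stand-ins, and the entityID is the one visible in the SP log.

```python
# Added example (not from the thread or from Shibboleth): does the certificate a
# server presents on 8443 match a <ds:X509Certificate> in the IdP's SAML metadata?
import base64
import hashlib
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENTITY_ID = "https://example.com:8080/idp/shibboleth"  # IdP entityID seen in the SP log

def pem_to_der(pem_text):
    """Drop the PEM armour lines and line breaks; return the DER bytes."""
    body = [l for l in pem_text.splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def fingerprint(der):
    """SHA-256 fingerprint, colon-separated as `openssl x509 -fingerprint` prints it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def metadata_certs(metadata_xml, entity_id):
    """Map fingerprint -> KeyDescriptor 'use' for every certificate of one entity."""
    certs = {}
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % MD):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.iter("{%s}KeyDescriptor" % MD):
            use = kd.get("use", "signing+encryption")  # no 'use' attribute means both
            for x in kd.iter("{%s}X509Certificate" % DS):
                # metadata base64 is usually line-wrapped; the whitespace is insignificant
                certs[fingerprint(base64.b64decode("".join((x.text or "").split())))] = use
    return certs

def served_cert_use(metadata_xml, entity_id, served_pem):
    """'use' of the served cert in metadata, or None: a key the SP's TrustEngine will reject."""
    return metadata_certs(metadata_xml, entity_id).get(fingerprint(pem_to_der(served_pem)))

# Constructed stand-ins for DER certificates; real input would be idp.crt and the PEM
# saved from `openssl s_client -connect example.com:8443 -showcerts`.
IDP_DER = b"constructed-idp-certificate-bytes"
TOMCAT_DER = b"constructed-tomcat-keystore-certificate-bytes"
def to_pem(der):
    b64 = base64.b64encode(der).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped

METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="%s">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor></md:EntityDescriptor>""" % (MD, DS, ENTITY_ID, base64.b64encode(IDP_DER).decode())
```

For the situation in this thread, the PEM captured from port 8443 would come back as None for a freshly generated Tomcat keystore certificate, while idp.crt resolves to "signing"; the fix Scott describes makes the two checks agree, either by adding the Tomcat certificate to metadata or by serving the IdP keypair on 8443.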
杨如鹏
2012-04-26 03:02:46 UTC
OK. I recompiled the idp and got the crt, key and jks file. And that
works. So, I really appreciate all your help. And I hope that will be
helpful to other beginners.