Written by Jochen Lienhard — Old date format: 2008 September 25 11:16

Hi,
I try to use oiosaml.java as SP and a Shibboleth 2.0 IdP.
The IdP works fine. When I'm calling the protected side, I'm called to give
my login/password and then back to the SP, I get an SSL error (see at the end).
It seems to me that the oiosaml cannot make a handshake with the IdP.
The certificate in the IdP-medatada.xml is correct. I have no idea what is missing
or which configuration may be wrong.
Greetings Jochen

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:832)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at dk.itst.oiosaml.sp.service.util.HttpSOAPClient.wsCall(HttpSOAPClient.java:105)
    at dk.itst.oiosaml.sp.service.util.HttpSOAPClient.wsCall(HttpSOAPClient.java:67)
    at dk.itst.oiosaml.sp.service.util.ArtifactExtractor.extract(ArtifactExtractor.java:95)
    at dk.itst.oiosaml.sp.service.SAMLAssertionConsumerHandler.handleGet(SAMLAssertionConsumerHandler.java:102)
    at dk.itst.oiosaml.sp.service.DispatcherServlet.doGet(DispatcherServlet.java:129)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
    at java.lang.Thread.run(Thread.java:619)

Re: certificate problem
Written by Joakim Recht — Old date format: 2008 October 03 11:03

You need to add the server's SSL certificate to your appserver's truststore. You can override the truststore placement with -Djavax.net.ssl.trustStore=/path/to/keystore