Issues reading eID using ASP.NET / WIF / eid idp

586 views
Skip to first unread message

Gon

unread,
Feb 7, 2012, 3:28:51 PM2/7/12
to eID Applet
Hi,

I have been trying to read from the eID card.
After several tests, I managed to set up the development environment
to use the STS

The webpage redirects to the identification process, which then
prompts to enter the eID card, reads from it and then asks to remove
the card.

This part is all ok, however, after removing the card I get the
following "Generic Error", which mentions something about an "invalid
certificate":

***************************************************************************************************************************

eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.5.Beta1
Java version: 1.6.0_29
Java vendor: Sun Microsystems Inc.
OS: Windows 7
OS version: 6.1
OS arch: x86
Web application URL: https://www.e-contract.be/eid-idp/identification
Current time: Tue Feb 07 20:21:50 GMT 2012
session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: IdentificationRequestMessage
current protocol state: INIT
protocol state transition: IDENTIFY
include address: true
include photo: true
include integrity data: true
include certificates: true
remove card: true
identity data usage: null
Detecting eID card...
Scanning card terminal: OMNIKEY CardMan 3x21 0
Please insert your eID card...
Scanning card terminal: OMNIKEY CardMan 3x21 0
eID card detected in card terminal : OMNIKEY CardMan 3x21 0
Reading out identity...
Reading identity file...
selecting file
read binary
Size identity file: 179
Read address file...
selecting file
read binary
Size address file: 121
Read photo file...
selecting file
read binary
Read identity signature file...
selecting file
read binary
Read address signature file...
selecting file
read binary
Read national registry certificate file...
selecting file
read binary
size RRN cert file: 840
reading root certificate file...
selecting file
read binary
size Root CA cert file: 929
reading authn certificate file...
selecting file
read binary
size authn cert file: 1061
reading sign certificate file...
selecting file
read binary
size non-repud cert file: 1082
reading citizen CA certificate file...
selecting file
read binary
size Cit CA cert file: 1042
Please remove your eID card.
Transmitting identity data...
sending message: IdentityDataMessage
current protocol state: IDENTIFY
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
HTTP response code: 500
<html><head><title>JBoss Web/3.0.0-CR1 - Error report</
title><style><!--H1 {font-family:Tahoma,Arial,sans-
serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-
family:Tahoma,Arial,sans-serif;color:white;background-
color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-
serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-
family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-
color:#525D76;} P {font-family:Tahoma,Arial,sans-
serif;background:white;color:black;font-size:12px;}A {color : black;}
A.name {color : black;}HR {color : #525D76;}--></style> </
head><body><h1>HTTP Status 500 - </h1><HR size="1"
noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b>
<u></u></p><p><b>description</b> <u>The server encountered an internal
error () that prevented it from fulfilling this request.</u></
p><p><b>exception</b> <pre>javax.servlet.ServletException:
javax.ejb.EJBException: java.lang.SecurityException: invalid
certificate

org.jboss.seam.web.ExceptionFilter.endWebRequestAfterException(ExceptionFilter.java:
126)
org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:70)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)

org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:
388)
org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
</pre></p><p><b>root cause</b> <pre>javax.ejb.EJBException:
java.lang.SecurityException: invalid certificate

org.jboss.ejb3.tx2.impl.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:
183)

org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:
251)

org.jboss.ejb3.tx2.impl.CMTTxInterceptor.required(CMTTxInterceptor.java:
349)
org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invoke(CMTTxInterceptor.java:
209)

org.jboss.ejb3.tx2.aop.CMTTxInterceptorWrapper.invoke(CMTTxInterceptorWrapper.java:
52)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:
76)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:
182)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:
41)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:
67)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:
47)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:
67)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:
86)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:
323)

org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:
380)
sun.reflect.GeneratedMethodAccessor7510.invoke(Unknown Source)

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:
25)
java.lang.reflect.Method.invoke(Method.java:597)

org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler
$LocalContainerInvocation.invokeTarget(SessionLocalProxyInvocationHandler.java:
184)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
111)

org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:
143)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler
$LocalInvokableContextHandler.invoke(SessionLocalProxyInvocationHandler.java:
159)
$Proxy496.invoke(Unknown Source)

org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:
185)
$Proxy654.checkNationalRegistrationCertificate(Unknown Source)

be.fedict.eid.applet.service.impl.handler.IdentityDataMessageHandler.handleMessage(IdentityDataMessageHandler.java:
221)

be.fedict.eid.applet.service.impl.handler.IdentityDataMessageHandler.handleMessage(IdentityDataMessageHandler.java:
64)

be.fedict.eid.applet.service.AppletServiceServlet.doPost(AppletServiceServlet.java:
310)

be.fedict.eid.idp.webapp.IdPAppletServiceServlet.doPost(IdPAppletServiceServlet.java:
59)
javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
javax.servlet.http.HttpServlet.service(HttpServlet.java:847)

be.fedict.eid.idp.webapp.SessionLoggingFilter.doFilter(SessionLoggingFilter.java:
60)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:83)
org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)

org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:
388)
org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
</pre></p><p><b>root cause</b> <pre>java.lang.SecurityException:
invalid certificate

be.fedict.eid.idp.model.applet.IdentityIntegrityServiceBean.checkNationalRegistrationCertificate(IdentityIntegrityServiceBean.java:
109)
sun.reflect.GeneratedMethodAccessor1459.invoke(Unknown Source)

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:
25)
java.lang.reflect.Method.invoke(Method.java:597)

org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:
122)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
111)

org.jboss.ejb3.interceptors.container.ContainerMethodInvocationWrapper.invokeNext(ContainerMethodInvocationWrapper.java:
72)

org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:
76)

org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:
62)
sun.reflect.GeneratedMethodAccessor598.invoke(Unknown Source)

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:
25)
java.lang.reflect.Method.invoke(Method.java:597)

org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:
174)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:
74)

org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_15564049.invoke(InvocationContextInterceptor_z_fillMethod_15564049.java)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:
90)

org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_15564049.invoke(InvocationContextInterceptor_z_setup_15564049.java)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.async.impl.interceptor.AsynchronousServerInterceptor.invoke(AsynchronousServerInterceptor.java:
128)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:
62)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:
56)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:
47)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:
68)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.core.context.SessionInvocationContextAdapter.proceed(SessionInvocationContextAdapter.java:
95)

org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:
247)

org.jboss.ejb3.tx2.impl.CMTTxInterceptor.required(CMTTxInterceptor.java:
349)
org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invoke(CMTTxInterceptor.java:
209)

org.jboss.ejb3.tx2.aop.CMTTxInterceptorWrapper.invoke(CMTTxInterceptorWrapper.java:
52)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:
76)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:
182)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:
41)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:
67)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:
47)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:
67)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:
86)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:
323)

org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:
380)
sun.reflect.GeneratedMethodAccessor7510.invoke(Unknown Source)

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:
25)
java.lang.reflect.Method.invoke(Method.java:597)

org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler
$LocalContainerInvocation.invokeTarget(SessionLocalProxyInvocationHandler.java:
184)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
111)

org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:
143)

org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)

org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler
$LocalInvokableContextHandler.invoke(SessionLocalProxyInvocationHandler.java:
159)
$Proxy496.invoke(Unknown Source)

org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:
185)
$Proxy654.checkNationalRegistrationCertificate(Unknown Source)

be.fedict.eid.applet.service.impl.handler.IdentityDataMessageHandler.handleMessage(IdentityDataMessageHandler.java:
221)

be.fedict.eid.applet.service.impl.handler.IdentityDataMessageHandler.handleMessage(IdentityDataMessageHandler.java:
64)

be.fedict.eid.applet.service.AppletServiceServlet.doPost(AppletServiceServlet.java:
310)

be.fedict.eid.idp.webapp.IdPAppletServiceServlet.doPost(IdPAppletServiceServlet.java:
59)
javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
javax.servlet.http.HttpServlet.service(HttpServlet.java:847)

be.fedict.eid.idp.webapp.SessionLoggingFilter.doFilter(SessionLoggingFilter.java:
60)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:83)
org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)

org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:
388)
org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
</pre></p><p><b>note</b> <u>The full stack trace of the root cause is
available in the JBoss Web/3.0.0-CR1 logs.</u></p><HR size="1"
noshade="noshade"><h3>JBoss Web/3.0.0-CR1</h3></body></html>
error: error sending message to service. HTTP status code: 500
error type: java.io.IOException
at be.fedict.eid.applet.Controller.sendMessage:191
at be.fedict.eid.applet.Controller.sendMessage:143
at be.fedict.eid.applet.Controller.performEidIdentificationOperation:
1398
at be.fedict.eid.applet.Controller.run:352
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Generic Error.

***************************************************************************************************************************

Any help will be appreciated.

Regards,
Gonzalo

Frank Cornelis

unread,
Feb 8, 2012, 7:58:33 AM2/8/12
to eid-a...@googlegroups.com
Hi Gonzalo,


Are you using a real eID card? Or a test card?


Kind Regards,
Frank.

> --
> You received this message because you are subscribed to the Google Groups "eID Applet" group.
> To post to this group, send email to eid-a...@googlegroups.com.
> To unsubscribe from this group, send email to eid-applet+...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.
>

Gon

unread,
Feb 8, 2012, 10:34:46 AM2/8/12
to eID Applet
Frank,

To add to the above, for some strange reason, the instructions for
inserting card, etc are now appearing in Flemish as opposed to English
like yesterday. Is there any particular reason why this would be
happening?

Regards,
Gonzalo
> >          org.jboss.seam.servlet.SeamFilter...
>
> read more »

Gon

unread,
Feb 8, 2012, 10:10:55 AM2/8/12
to eID Applet
Hi Frank,

I'm using a Test Card.
It works fine when I access here: https://www.e-contract.be/eid-applet-beta/identification.seam

Any ideas? Do I need to register anything additional on my card?

Regards,
Gonzalo

On Feb 8, 12:58 pm, Frank Cornelis <frank.corne...@fedict.be> wrote:
> > org.jboss.ejb3.tx2.impl.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterc eptor.java:
> > 183)
>
> > org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.jav a:
> > 251)
>
> > org.jboss.ejb3.tx2.impl.CMTTxInterceptor.required(CMTTxInterceptor.java:
> > 349)
> >          org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invoke(CMTTxInterceptor.java:
> > 209)
>
> > org.jboss.ejb3.tx2.aop.CMTTxInterceptorWrapper.invoke(CMTTxInterceptorWrapp er.java:
> > 52)
>
> > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
> > 102)
>
> > org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationIntercept or.java:
> > 76)
>
> > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
> > 102)
> >          org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
>
> > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
> > 102)
>
> > 59)
> >          javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
> >          javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
>
> > be.fedict.eid.idp.webapp.SessionLoggingFilter.doFilter(SessionLoggingFilter .java:
> > 60)
> >          org.jboss.seam.servlet.SeamFilter
> > $FilterChainImpl.doFilter(SeamFilter.java:83)
> >          org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
> >          org.jboss.seam.servlet.SeamFilter
> > $FilterChainImpl.doFilter(SeamFilter.java:69)
> >          org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
> >          org.jboss.seam.servlet.SeamFilter
> > $FilterChainImpl.doFilter(SeamFilter.java:69)
> >          org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
> >          org.jboss.seam.servlet.SeamFilter...
>
> read more »

Gon

unread,
Feb 8, 2012, 1:18:19 PM2/8/12
to eID Applet
Frank,

Sorry to bother you again, but while I wait for a reply to the other
queries I have another doubt.

I am using the code below to try to display the data retrieved on the
screen (once I get the previous issue working)

IClaimsPrincipal principal = Thread.CurrentPrincipal as
IClaimsPrincipal;
txtName.Text = principal.Identity.Name;

This compiles ok, however I don't seem to be able to find any data
other than the "Name".

In other words, when I type "txtName.Text = principal.Identity", the
only options available are: "AuthenticationType", "IsAuthenticated"
and "Name".

How could I extract other data such as Address, Date of Birth,
Surname, etc?

Thanks in advance for your help.

Regards,
Gonzalo

On Feb 8, 12:58 pm, Frank Cornelis <frank.corne...@fedict.be> wrote:
> > org.jboss.ejb3.tx2.impl.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterc eptor.java:
> > 183)
>
> > org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.jav a:
> > 251)
>
> > org.jboss.ejb3.tx2.impl.CMTTxInterceptor.required(CMTTxInterceptor.java:
> > 349)
> >          org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invoke(CMTTxInterceptor.java:
> > 209)
>
> > org.jboss.ejb3.tx2.aop.CMTTxInterceptorWrapper.invoke(CMTTxInterceptorWrapp er.java:
> > 52)
>
> > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
> > 102)
>
> > org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationIntercept or.java:
> > 76)
>
> > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
> > 102)
> >          org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
>
> > org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
> > 102)
>
> > 59)
> >          javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
> >          javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
>
> > be.fedict.eid.idp.webapp.SessionLoggingFilter.doFilter(SessionLoggingFilter .java:
> > 60)
> >          org.jboss.seam.servlet.SeamFilter
> > $FilterChainImpl.doFilter(SeamFilter.java:83)
> >          org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
> >          org.jboss.seam.servlet.SeamFilter
> > $FilterChainImpl.doFilter(SeamFilter.java:69)
> >          org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
> >          org.jboss.seam.servlet.SeamFilter
> > $FilterChainImpl.doFilter(SeamFilter.java:69)
> >          org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
> >          org.jboss.seam.servlet.SeamFilter...
>
> read more »

Frank Cornelis

unread,
Feb 8, 2012, 3:19:34 PM2/8/12
to eid-a...@googlegroups.com
Hi Gonzalo,


The eID Applet Beta site works with test eID cards because this site is
only testing the eID Applet, not the status of the eID certificates
(hence the name).

The eID IdP is doing a full PKI validation using the eID Trust Service.

The eID IdP instance and corresponding eID Trust Service instance
running at e-contract.be are configured for production usage and will
thus only accept real eID cards, not test cards.


Kind Regards,
Frank.

>> read more �

Frank Cornelis

unread,
Feb 8, 2012, 3:26:01 PM2/8/12
to eid-a...@googlegroups.com
Hi Gonzalo,


The eID IdP support internationalization. The eID IdP configures the
language of the UI as provided by the used authentication protocol (in
your case this is WS-Federation). If the authentication protocol does
not provide a preferred language, the eID IdP will use the web browser
language preferences. So your web browser probably changed its default
language setting. If the web browser language is not supported, the eID
IdP will default to English. The supported languages are available at:
http://code.google.com/p/eid-idp/source/browse/#svn%2Ftrunk%2Feid-idp-webapp%2Fsrc%2Fmain%2Fresources

If your language isn't in the list, be my guest to translate.


Kind Regards,
Frank.

>> read more �

Frank Cornelis

unread,
Feb 8, 2012, 3:33:59 PM2/8/12
to eid-a...@googlegroups.com
Hi Gonzalo,


Normally you can query the IClaimsIdentity for all available claims.
Might be that you need to configure something in your web.config.

Check out the video at:
http://www.youtube.com/watch?v=ZxDrbZdTRLk&hd=1
At 2:13-2:18 you'll see what you're looking for.


Kind Regards,
Frank.

>> read more �

Gonzalo Faura

unread,
Feb 9, 2012, 8:25:50 AM2/9/12
to eid-a...@googlegroups.com
Frank,

Thanks for all your replies.
First of all, thanks for the video. It's great and very helpful (I had watched the other one but not this one).

I did as per the explanation but, surprise surprise... I cannot test it with my Test Card :(

Also, since I am not from Belgium I don't have any real eID card. Have you any idea of how I can test this using the test cards? Otherwise I don't see any real point in having these cards if I cannot use them for this purpose and I will have to ask someone in Belgium to actually run this test for me, which his will make it quite awkward to test and develop this functionality as well as to debug any issues encountered.

Please let me know if I can work around this limitation for the purpose of my internal tests.

Regarding the language of the messages, I will try to find some time to translate it into Spanish for you in return for all your help. I will also do my best to convince a Swedish colleague to do the Swedish translation :)

Thanks again and have a nice day.

Regards,
Gonzalo Faura
SWAPPSI




read more »

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.
To post to this group, send email to eid-a...@googlegroups.com.
To unsubscribe from this group, send email to eid-applet+unsubscribe@googlegroups.com.

Frank Cornelis

unread,
Feb 9, 2012, 7:20:00 PM2/9/12
to eid-a...@googlegroups.com
Hi Gonzalo,


The eID IdP instance at e-contract.be is configured to only allow real eID cards.

So, run your own eID IdP instance and configure the corresponding eID Trust Service to also allow test eID cards.

Looking forward to your translations.


Kind Regards,
Frank.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com.

For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.
To post to this group, send email to eid-a...@googlegroups.com.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com.

Gonzalo Faura

unread,
Feb 13, 2012, 7:29:32 AM2/13/12
to eid-a...@googlegroups.com
Frank,

Sorry to bother you again.
Could you point me to the right place in order to know step-by-step on how to run my own eID IdP instance and configure the eID Trust Service?

I will be using .NET to access it and will be installing it on a Windows Server.

In addition to that, my knowledge of Java is very limited (haven't touched it in 10+ years), so I will need to know the basic requirements from this point of view as well.

Also, is the service available on e-contract reliable for a production environment or would you recommend to run our own one?

Regards,
Gonzalo Faura
SWAPPSI




Frank Cornelis

unread,
Feb 13, 2012, 8:38:51 AM2/13/12
to eid-a...@googlegroups.com
Hi Gonzalo,


The eID IdP distribution comes with admin manuals explaining how to setup the eID IdP on a machine. I strongly recommend you to install the eID IdP product on a Linux machine as we've never tested it out on a Windows platform.

The eID services offered via e-contract.be are freely available for anyone to use. There are already several clients connecting to the e-contract.be services from their production systems. Whether to run your own eID IdP instance is completely up to you. However, using the e-contract.be services does offer you some benefits: you don't have to bother about keeping the services up-and-running and up-to-date, and you benefit more directly from security patches to the eID services, i.e. even before the GA releases of the corresponding eID products.


Kind Regards,
Frank.

Gonzalo Faura

unread,
Feb 13, 2012, 8:59:06 AM2/13/12
to eid-a...@googlegroups.com
Frank,

Unfortunately I don't have any Linux Servers where I can install this at present time, so I'll have to give it a go using Windows.
Where do I find the instructions and sourcecode for both eID idp and eID Trust Services?

Alternatively, if you have any eID Trust Service configured to also allow test eID cards and accessible, please provide me with the STS address.

Thanks once again for your speedy reply.

Regards,
Gonzalo Faura
SWAPPSI

Frank Cornelis

unread,
Feb 13, 2012, 9:17:00 AM2/13/12
to eid-a...@googlegroups.com
Hi Gonzalo,


The eID IdP distribution is available for download from:
    http://code.google.com/p/eid-idp/downloads/list
Download a distribution for your preferred DBMS (MySQL, PostgreSQL, or Oracle for the moment). The admin manuals are part of the distribution ZIP and are located under the 'manual' directory. The source code is also available at Google Code.

I don't know about any eID Trust Service instance out there that has been configured for test eID cards. At FedICT we have one, but it's unfortunately not publicly accessible.


Kind Regards,
Frank.

Gonzalo Faura

unread,
Feb 15, 2012, 1:19:40 PM2/15/12
to eid-a...@googlegroups.com
Frank,

In addition to the issue below (and "hopefully" related) is the fact that I cannot access the STS by going to the address https://myServerIP:myPort/eid-idp/endpoints/ws-federation/metadata/ident-metadata.xml.

When using the "Test Location" from Visual Studio I get a prompt with the ""UntrustedRoot" status and information of cert and when asked to continue, after clicking "Yes" I get an error that says "Could not access the server hosting WS-Federation metadata document..." and with the returned error "404 Not Found". Does this mean that I need to install something else?

Regards,
Gonzalo Faura
SWAPPSI




On Wed, Feb 15, 2012 at 6:10 PM, Gonzalo Faura <gfa...@swappsi.com> wrote:
Frank,

It looks like I'm almost there... Finally!

I seem so have it up and running correctly on the server. However, I am now getting the following errors after the card is being read:

eID Certificates Validity Results

Authentication certificate
ERRORINVALID_TRUST : self-signed certificate not in repository: CN=eID test Root CA, C=BE
Signing certificate
ERROR INVALID_TRUST : self-signed certificate not in repository: CN=eID test Root CA, C=BE

I presume this is either linked to the SSL (which I can access correctly through https) or to a configuration setting that needs to be turned on in order to enable reading from test cards.

How can I resolve this? If it's a configuration issue, please let me know how I can amend the settings.

Regards,
Gonzalo Faura
SWAPPSI
Website: www.swappsi.com




On Mon, Feb 13, 2012 at 2:17 PM, Frank Cornelis <frank.c...@fedict.be> wrote:
Hi Gonzalo,


The eID IdP distribution is available for download from:
    http://code.google.com/p/eid-idp/downloads/list
Download a distribution for your preferred DBMS (MySQL, PostgreSQL, or Oracle for the moment). The admin manuals are part of the distribution ZIP and are located under the 'manual' directory. The source code is also available at Google Code.

I don't know about any eID Trust Service instance out there that has been configured for test eID cards. At FedICT we have one, but it's unfortunately not publicly accessible.


Kind Regards,
Frank.


On 02/13/2012 02:59 PM, Gonzalo Faura wrote:
Frank,

Unfortunately I don't have any Linux Servers where I can install this at present time, so I'll have to give it a go using Windows.
Where do I find the instructions and sourcecode for both eID idp and eID Trust Services?

Alternatively, if you have any eID Trust Service configured to also allow test eID cards and accessible, please provide me with the STS address.

Thanks once again for your speedy reply.

Regards,
Gonzalo Faura
SWAPPSI

Gonzalo Faura

unread,
Feb 15, 2012, 1:10:35 PM2/15/12
to eid-a...@googlegroups.com
Frank,

It looks like I'm almost there... Finally!

I seem so have it up and running correctly on the server. However, I am now getting the following errors after the card is being read:

eID Certificates Validity Results

Authentication certificate
ERRORINVALID_TRUST : self-signed certificate not in repository: CN=eID test Root CA, C=BE
Signing certificate
ERROR INVALID_TRUST : self-signed certificate not in repository: CN=eID test Root CA, C=BE

I presume this is either linked to the SSL (which I can access correctly through https) or to a configuration setting that needs to be turned on in order to enable reading from test cards.

How can I resolve this? If it's a configuration issue, please let me know how I can amend the settings.

Regards,
Gonzalo Faura
SWAPPSI
Website: www.swappsi.com




On Mon, Feb 13, 2012 at 2:17 PM, Frank Cornelis <frank.c...@fedict.be> wrote:
Hi Gonzalo,


The eID IdP distribution is available for download from:
    http://code.google.com/p/eid-idp/downloads/list
Download a distribution for your preferred DBMS (MySQL, PostgreSQL, or Oracle for the moment). The admin manuals are part of the distribution ZIP and are located under the 'manual' directory. The source code is also available at Google Code.

I don't know about any eID Trust Service instance out there that has been configured for test eID cards. At FedICT we have one, but it's unfortunately not publicly accessible.


Kind Regards,
Frank.


On 02/13/2012 02:59 PM, Gonzalo Faura wrote:
Frank,

Unfortunately I don't have any Linux Servers where I can install this at present time, so I'll have to give it a go using Windows.
Where do I find the instructions and sourcecode for both eID idp and eID Trust Services?

Alternatively, if you have any eID Trust Service configured to also allow test eID cards and accessible, please provide me with the STS address.

Thanks once again for your speedy reply.

Regards,
Gonzalo Faura
SWAPPSI

Koen De Causmaecker

unread,
Feb 16, 2012, 9:16:28 AM2/16/12
to eid-a...@googlegroups.com
Hi Gonzalo,

On Trust Service, you should add the eID test Root CA to the trust domains you are using. 
  • Log on to the admin console of eID Trust Service, 
  • Add the eID test Root CA to the list of Trust Points: at Trust Points > Add Trust Point > 
    • Upload Root cert
    • Set CRL refresh cron schedule to the default value 0 0 0/3 * * *
  • Edit the trust domains.  (Defaults: BE-AUTH for idp and BE for dss.). At Trust Domains > Modify (BE or BE-AUTH) 
    • Add eID test Root CA to the Trust Points 
    • Add the Policy ID of your test certificate.  I think it will be 2.16.56.1.40.40.40.1 . You can find the Policy ID in the certificate details of your end entity certificate.
 
Kind regards,

Koen
Koen De Causmaecker
koe...@gmail.com

Gonzalo Faura

unread,
Feb 16, 2012, 1:10:00 PM2/16/12
to eid-a...@googlegroups.com
Frank/Koen,

If it's of any help, I could give you the public address for the admin portal (privately).

Also forgot to mention that when trying to access through VS2008 and Adding the STS I get this:
ID1013: Could not access the server hosting the WS-Federation Metadata document
ID6018: digest verification failed for reference 'saml-metadata-d...' 

Regards,
Gonzalo Faura
SWAPPSI




On Thu, Feb 16, 2012 at 6:04 PM, Gonzalo Faura <gfa...@swappsi.com> wrote:
Hi Koen/Frank,

Thanks for your reply.
I seem to be moving forward little steps at a time.

The error for INVALID_TRUST continues after applying the changes you mentioned.
I'll give you a broader summary in case you can spot where I'm going wrong:

--------------------------------------------------------------------------------
CHANGES TO EID-IDP ADMIN PORTAL:

CONFIG > PKI VALIDATION
eID Trust Service XKMS2 URL: http://MY_PUBLIC_IP:MY_PORT/eid-trust-service-ws/xkms2 (I've also tried using https)
eID Trust Service Authentication Trust Domain: BE-AUTH
eID Trust Service Identification (National Registry) Trust Domain: BE-NAT-REG

IDENTITY (tested and saved correctly
Name (*): Test
Keystore Type (*): JKS
Keystore Path (*): C:\eid-idp\eid-idp-mysql-distribution\jboss\server\default\conf\server.keystore
Keystore Password (*): swappsi
Key Entry Password (*): changeit
Key Entry Alias: jbosskey

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
CHANGES TO EID-TRUST ADMIN PORTAL:

TRUST POINTS > ADD TRUST POINT
CRL refresh cron schedule: 0 0 0/3 * * *
Certificate: (ADDED)

TRUST POINTS
BE: Set Default
BE-NAT-REG: Set Default
BE-TEST: Set Default
BE-TSA: Set Default
BE-AUTH: Default ticked > modify > Trust Points > Edit > move added trust point to right hand side. Added Certificate Policy: 2.16.56.1.40.40.40.1

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
RESULTS

https://MY_PUBLIC_IP:MY_PORT/eid-idp/main > LOADS OK (links for WS-Federation download xml file and identity thumbprint shown)
https://MY_PUBLIC_IP:MY_PORT/eid-trust-service-portal/validation-results > Error INVALID_TRUST
https://MY_PUBLIC_IP:MY_PORT/eid-idp/authentication > error BELOW

eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.4.GA
Java version: 1.6.0_29
Java vendor: Sun Microsystems Inc.
OS: Windows 7
OS version: 6.1
OS arch: x86
Current time: Thu Feb 16 17:43:41 GMT 2012
session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: false
logoff: true
pre-logoff: true
TLS session Id channel binding: false
server certificate channel binding: true
include identity: true
include certificates: true
include address: true
include photo: true
include integrity data: false
require secure smart card reader: false
no PKCS11: true
Detecteren van eID kaart...
Detecteren van eID kaart...
Scanning card terminal: OMNIKEY CardMan 3x21 0
eID card detected in card terminal : OMNIKEY CardMan 3x21 0
Authentiseren...
performing a pre-logoff
logoff...
CCID GET_FEATURE IOCTL...
CCID GET_FEATURE IOCTL...
selecting key...
computing digital signature...
PIN verification required...
verifying PIN...
VERIFY_PIN error
SW: 63c2
retries left: 2
verifying PIN...
computing digital signature...
selecting file
read binary
selecting file
read binary
selecting file
read binary
reading sign certificate file...
selecting file
read binary
size non-repud cert file: 1082
Identiteitsgegevens aan het uitlezen...
selecting file
read binary
selecting file
read binary
selecting file
read binary
logoff...
sending message: AuthenticationDataMessage
current protocol state: AUTHENTICATE
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
HTTP response code: 500
<html><head><title>JBoss Web/3.0.0-CR1 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.servlet.ServletException: java.lang.SecurityException: secure channel binding identity mismatch
org.jboss.seam.web.ExceptionFilter.endWebRequestAfterException(ExceptionFilter.java:126)
org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:70)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
</pre></p><p><b>root cause</b> <pre>java.lang.SecurityException: secure channel binding identity mismatch
be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:256)
be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:79)
be.fedict.eid.applet.service.AppletServiceServlet.doPost(AppletServiceServlet.java:310)
be.fedict.eid.idp.webapp.IdPAppletServiceServlet.doPost(IdPAppletServiceServlet.java:59)
javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
be.fedict.eid.idp.webapp.SessionLoggingFilter.doFilter(SessionLoggingFilter.java:60)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the JBoss Web/3.0.0-CR1 logs.</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/3.0.0-CR1</h3></body></html>
error: error sending message to service. HTTP status code: 500
error type: java.io.IOException
at be.fedict.eid.applet.Controller.sendMessage:227
at be.fedict.eid.applet.Controller.performEidPcscAuthnOperation:1473
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1205
at be.fedict.eid.applet.Controller.run:382
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Algemene fout.

Gonzalo Faura

unread,
Feb 16, 2012, 1:04:34 PM2/16/12
to eid-a...@googlegroups.com
eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.4.GA
Java version: 1.6.0_29
Java vendor: Sun Microsystems Inc.
OS: Windows 7
OS version: 6.1
OS arch: x86
Current time: Thu Feb 16 17:43:41 GMT 2012
session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: false
logoff: true
pre-logoff: true
TLS session Id channel binding: false
server certificate channel binding: true
include identity: true
include certificates: true
include address: true
include photo: true
include integrity data: false
require secure smart card reader: false
no PKCS11: true
Detecteren van eID kaart...
Detecteren van eID kaart...
Scanning card terminal: OMNIKEY CardMan 3x21 0
eID card detected in card terminal : OMNIKEY CardMan 3x21 0
Authentiseren...
performing a pre-logoff
logoff...
CCID GET_FEATURE IOCTL...
CCID GET_FEATURE IOCTL...
selecting key...
computing digital signature...
PIN verification required...
verifying PIN...
VERIFY_PIN error
SW: 63c2
retries left: 2
verifying PIN...
computing digital signature...
selecting file
read binary
selecting file
read binary
selecting file
read binary
reading sign certificate file...
selecting file
read binary
size non-repud cert file: 1082
Identiteitsgegevens aan het uitlezen...
selecting file
read binary
selecting file
read binary
selecting file
read binary
logoff...
sending message: AuthenticationDataMessage
current protocol state: AUTHENTICATE
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
HTTP response code: 500
<html><head><title>JBoss Web/3.0.0-CR1 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.servlet.ServletException: java.lang.SecurityException: secure channel binding identity mismatch
org.jboss.seam.web.ExceptionFilter.endWebRequestAfterException(ExceptionFilter.java:126)
org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:70)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
</pre></p><p><b>root cause</b> <pre>java.lang.SecurityException: secure channel binding identity mismatch
be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:256)
be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:79)
be.fedict.eid.applet.service.AppletServiceServlet.doPost(AppletServiceServlet.java:310)
be.fedict.eid.idp.webapp.IdPAppletServiceServlet.doPost(IdPAppletServiceServlet.java:59)
javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
be.fedict.eid.idp.webapp.SessionLoggingFilter.doFilter(SessionLoggingFilter.java:60)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the JBoss Web/3.0.0-CR1 logs.</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/3.0.0-CR1</h3></body></html>
error: error sending message to service. HTTP status code: 500
error type: java.io.IOException
at be.fedict.eid.applet.Controller.sendMessage:227
at be.fedict.eid.applet.Controller.performEidPcscAuthnOperation:1473
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1205
at be.fedict.eid.applet.Controller.run:382
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Algemene fout.



Regards,
Gonzalo Faura
SWAPPSI




On Thu, Feb 16, 2012 at 2:16 PM, Koen De Causmaecker <koe...@gmail.com> wrote:

Frank Cornelis

unread,
Feb 17, 2012, 6:30:22 AM2/17/12
to eid-a...@googlegroups.com
Hi Gonzalo,


This error means that the service identity configured in the eID Applet security binding within the eID IdP admin portal does not match with your SSL certificate.


Kind Regards,
Frank.

Gonzalo Faura

unread,
Feb 17, 2012, 7:38:33 AM2/17/12
to eid-a...@googlegroups.com
Frank,

Are you referring to the values in "idP Identity" screen on the eid idP? How can I know which the right values should be?
They should all be correct other than the "Name", which I just set to "Test". Could this be the reason?

Regards,
Gonzalo Faura
SWAPPSI




Gonzalo Faura

unread,
Feb 20, 2012, 6:51:43 AM2/20/12
to eid-a...@googlegroups.com
Frank,

Is there an update on my last query?

Regards,
Gonzalo Faura
SWAPPSI




Frank Cornelis

unread,
Feb 21, 2012, 7:36:46 AM2/21/12
to eid-a...@googlegroups.com
Hi Gonzalo,


The eID IdP uses cryptomaterial on 3 different places:
- SSL termination
- signing of the SAML assertions (eID IdP Identity)
- eID Applet secure channel binding (to make sure that no man in the middle is possible)

The eID IdP identity is determined via:
- the eID IdP identity used to sign SAML assertions
- the eID IdP Issuer Name which is also part of the signed SAML assertions


Kind Regards,
Frank.

Gonzalo Faura

unread,
Feb 21, 2012, 2:32:50 PM2/21/12
to eid-a...@googlegroups.com
Frank,

The page: https://MY_PUBLIC_IP:MY_PORT//eid-trust-service-portal/validation-results is now validating authentication and signing certificates successfully.

I have noticed that in "Config > eID Applet" on the eid-idP admin portal, I don't have the SSL cert for "CN=eID test Root CA, C=BE", which was one of the previous errors given. Do I need to ad it? Was this certificate included with the distribution files? 

The problem now is that when I go to "https://MY_PUBLIC_IP:MY_PORT//eid-idp/authentication" I get the following "General Error":

eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.4.GA
Java version: 1.6.0_29
Java vendor: Sun Microsystems Inc.
OS: Windows 7
OS version: 6.1
OS arch: x86
Current time: Tue Feb 21 19:28:14 GMT 2012
session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: false
logoff: true
pre-logoff: true
TLS session Id channel binding: false
server certificate channel binding: true
include identity: true
include certificates: true
include address: true
include photo: true
include integrity data: false
require secure smart card reader: false
no PKCS11: true
Détection de la carte eID.
Détection de la carte eID.
Scanning card terminal: OMNIKEY CardMan 3x21 0
could not connect to card: connect() failed
Veuillez introduire votre carte eID...
Scanning card terminal: OMNIKEY CardMan 3x21 0
eID card detected in card terminal : OMNIKEY CardMan 3x21 0
Autorisez...
performing a pre-logoff
logoff...
CCID GET_FEATURE IOCTL...
CCID GET_FEATURE IOCTL...
selecting key...
computing digital signature...
PIN verification required...
verifying PIN...
computing digital signature...
selecting file
read binary
selecting file
read binary
selecting file
read binary
reading sign certificate file...
selecting file
read binary
size non-repud cert file: 1082
Lecture des données d'identification.
Erreur générale.



Regards,
Gonzalo Faura
SWAPPSI




Frank Cornelis

unread,
Feb 22, 2012, 6:46:53 AM2/22/12
to eid-a...@googlegroups.com
Hi Gonzalo,


When you receive the error "secure channel binding identity mismatch", this is because the secure channel binding identity mismatches.

The secure channel binding identity should be the SSL identity that you're using, else you will receive a mismatch error.

The secure channel binding identity can be configured in the eID IdP admin portal under Config -> eID Applet.

If you really don't know what to put there, leave it open. In this case keep in mind that a MITM attack is possible.



Kind Regards,
Frank.

Gonzalo Faura

unread,
Feb 22, 2012, 7:08:51 AM2/22/12
to eid-a...@googlegroups.com
Frank,

Thanks for that. I removed the SSL cert as per your comment and the test card is being read properly following the WS-Federation link in "https://MY_PUBLIC_IP:MY_PORT/eid-idp-sp/".

I guess the last thing I need to sort out before I stop annoying you is the access from Visual Studio.

When trying to access through VS2008 and Adding the STS I get this:
ID1013: Could not access the server hosting the WS-Federation Metadata document
ID6018: digest verification failed for reference 'saml-metadata-d...' 

The address I am using to read the metadata is "https://MY_PUBLIC_IP:MY_PORT/eid-idp/endpoints/ws-federation/metadata/auth-ident-metadata.xml"

What could be causing this?

Regards,
Gonzalo Faura
SWAPPSI




Frank Cornelis

unread,
Feb 22, 2012, 8:14:48 AM2/22/12
to eid-a...@googlegroups.com
Hi Gonzalo,


For somehow reason, the metadata document does not work when using an SSL port different from the default 443.


Kind Regards,
Frank.

Gonzalo Faura

unread,
Feb 22, 2012, 9:50:53 AM2/22/12
to eid-a...@googlegroups.com
Frank,

I don't see any mention to that on the manuals/documentation!
Why is it set to default to 8443 (on the distributable) for SSL then if the port required is 443?

At the moment I'm using port 8543, however I can try to change it to 443 if that's what is required. Please confirm so that I don't change it unless it is necessary.

Regards,
Gonzalo Faura
SWAPPSI

Gonzalo Faura

unread,
Feb 22, 2012, 11:29:55 AM2/22/12
to eid-a...@googlegroups.com
Frank,

I went ahead and changed the port to 443 but the same errors (below) persist when connecting using STS: 

ID1013: Could not access the server hosting the WS-Federation Metadata document
ID6018: digest verification failed for reference 'saml-metadata-d...' 
Regards,
Gonzalo Faura
SWAPPSI




On Wed, Feb 22, 2012 at 2:50 PM, Gonzalo Faura <gfa...@swappsi.com> wrote:
Frank,

I don't see any mention to that on the manuals/documentation!
Why is it set to default to 8443 (on the distributable) for SSL then if the port required is 443?

At the moment I'm using port 8543, however I can try to change it to 443 if that's what is required. Please confirm so that I don't change it unless it is necessary.

Regards,
Gonzalo Faura
SWAPPSI

Frank Cornelis

unread,
Feb 22, 2012, 2:36:45 PM2/22/12
to eid-a...@googlegroups.com
Hi Gonzalo,


The manual mentions the installation of Apache HTTPD which runs per default on port 80 and 443 (with mod_ssl).
Port 8443 in the JBoss distribution is the default JBoss SSL port. The reason why it's not 443 is to avoid conflicts with front-ends like Apache.


Kind Regards,
Frank.

Frank Cornelis

unread,
Feb 22, 2012, 2:45:39 PM2/22/12
to eid-a...@googlegroups.com
Hi Gonzalo,


That's weird. And it works when using the eID IdP instance from e-contract.be?


Kind Regards,
Frank.

Gonzalo Faura

unread,
Feb 23, 2012, 5:14:30 AM2/23/12
to eid-a...@googlegroups.com
Frank,

The instance in e-contract.be works fine, or at least I can connect using STS, however I have no real eID cards for testing on my development environment.

I've been trying to set up my own instance in order to be able to use the test cards, but I keep getting that error when connecting.

I'm now running jBoss on port 443 (it was unused) and the error persists. I'm running out of ideas and a proof of concept should be ready by tomorrow (I've been at it for about 3 weeks now).

Everything seems to be working fine except from the STS. 

When googling the error "digest verification failed for reference", I found the following: 

Does this mean anything regarding what the eid-idP is doing?
The same issue seems to have been raised in the group but has no resolution: http://groups.google.com/group/eid-applet/browse_thread/thread/a56f1755cdbf5f59?pli=1

Please advise

Regards,
Gonzalo Faura
SWAPPSI




Frank Cornelis

unread,
Feb 23, 2012, 6:22:27 AM2/23/12
to eid-a...@googlegroups.com
Hi Gonzalo,


mmm... you're running the eID IdP on Windows right?

Something is changing the SAML assertion content and breaks the signature. Could be an UTF-8/... encoding issue.


Kind Regards,
Frank.

Gonzalo Faura

unread,
Feb 23, 2012, 6:35:50 AM2/23/12
to eid-a...@googlegroups.com
Frank,

Yes, the installation is on a Windows Server.
If it's an encoding issue, how can I resolve it? Did you get any further on the other similar support issue reported?

Regards,
Gonzalo Faura
SWAPPSI




Gonzalo Faura

unread,
Feb 29, 2012, 4:30:17 AM2/29/12
to eid-a...@googlegroups.com
Frank,

Is there an update on this?

Regards,
Gonzalo Faura
SWAPPSI




Cornelis Frank

unread,
Feb 29, 2012, 10:51:57 AM2/29/12
to eid-a...@googlegroups.com
Hi Gonzalo,


Supporting platforms other than Linux for the hosting of the eID services is not my primary focus.


Kind Regards,
Frank.
________________________________________
Van: eid-a...@googlegroups.com [eid-a...@googlegroups.com] namens Gonzalo Faura [gfa...@swappsi.com]
Verzonden: woensdag 29 februari 2012 10:30
Aan: eid-a...@googlegroups.com
Onderwerp: Re: [eid-applet] Re: Issues reading eID using ASP.NET / WIF / eid idp

Frank,

Is there an update on this?

Regards,
Gonzalo Faura
SWAPPSI
Website: www.swappsi.com<http://www.swappsi.com>
[http://www.swappsi.com/images/mainlogo.png]

On Thu, Feb 23, 2012 at 11:35 AM, Gonzalo Faura <gfa...@swappsi.com<mailto:gfa...@swappsi.com>> wrote:
Frank,

Yes, the installation is on a Windows Server.
If it's an encoding issue, how can I resolve it? Did you get any further on the other similar support issue reported?

Regards,
Gonzalo Faura
SWAPPSI
Website: www.swappsi.com<http://www.swappsi.com>
[http://www.swappsi.com/images/mainlogo.png]

On Thu, Feb 23, 2012 at 11:22 AM, Frank Cornelis <frank.c...@fedict.be<mailto:frank.c...@fedict.be>> wrote:
Hi Gonzalo,


mmm... you're running the eID IdP on Windows right?

Something is changing the SAML assertion content and breaks the signature. Could be an UTF-8/... encoding issue.


Kind Regards,
Frank.

On 02/23/2012 11:14 AM, Gonzalo Faura wrote:
Frank,

The instance in e-contract.be<http://e-contract.be> works fine, or at least I can connect using STS, however I have no real eID cards for testing on my development environment.

I've been trying to set up my own instance in order to be able to use the test cards, but I keep getting that error when connecting.

I'm now running jBoss on port 443 (it was unused) and the error persists. I'm running out of ideas and a proof of concept should be ready by tomorrow (I've been at it for about 3 weeks now).

Everything seems to be working fine except from the STS.

When googling the error "digest verification failed for reference", I found the following:

1. http://social.technet.microsoft.com/wiki/contents/articles/windows-identity-foundation-wif-throws-exception-quot-id6018-digest-verification-failed-for-reference-quot.aspx
2. http://connect.microsoft.com/site1168/feedback/details/675166/id6018-digest-verification-failed-for-reference-when-adding-condition-element-to-a-saml2-assertion-conditions

Does this mean anything regarding what the eid-idP is doing?
The same issue seems to have been raised in the group but has no resolution: http://groups.google.com/group/eid-applet/browse_thread/thread/a56f1755cdbf5f59?pli=1

Please advise

Regards,
Gonzalo Faura
SWAPPSI
Website: www.swappsi.com<http://www.swappsi.com>
[http://www.swappsi.com/images/mainlogo.png]

On Wed, Feb 22, 2012 at 7:45 PM, Frank Cornelis <frank.c...@gmail.com<mailto:frank.c...@gmail.com>> wrote:
Hi Gonzalo,


That's weird. And it works when using the eID IdP instance from e-contract.be<http://e-contract.be>?


Kind Regards,
Frank.


On 02/22/2012 05:29 PM, Gonzalo Faura wrote:
Frank,

I went ahead and changed the port to 443 but the same errors (below) persist when connecting using STS:

ID1013: Could not access the server hosting the WS-Federation Metadata document
ID6018: digest verification failed for reference 'saml-metadata-d...'

Regards,
Gonzalo Faura
SWAPPSI
Website: www.swappsi.com<http://www.swappsi.com>


On Wed, Feb 22, 2012 at 2:50 PM, Gonzalo Faura <gfa...@swappsi.com<mailto:gfa...@swappsi.com>> wrote:
Frank,

I don't see any mention to that on the manuals/documentation!
Why is it set to default to 8443 (on the distributable) for SSL then if the port required is 443?

At the moment I'm using port 8543, however I can try to change it to 443 if that's what is required. Please confirm so that I don't change it unless it is necessary.

Regards,
Gonzalo Faura
SWAPPSI
Website: www.swappsi.com<http://www.swappsi.com>


On Wed, Feb 22, 2012 at 1:14 PM, Frank Cornelis <frank.c...@fedict.be<mailto:frank.c...@fedict.be>> wrote:
Hi Gonzalo,


For somehow reason, the metadata document does not work when using an SSL port different from the default 443.


Kind Regards,
Frank.

On 02/22/2012 01:08 PM, Gonzalo Faura wrote:
Frank,

Thanks for that. I removed the SSL cert as per your comment and the test card is being read properly following the WS-Federation link in "https://MY_PUBLIC_IP:MY_PORT/eid-idp-sp/".

I guess the last thing I need to sort out before I stop annoying you is the access from Visual Studio.

When trying to access through VS2008 and Adding the STS I get this:
ID1013: Could not access the server hosting the WS-Federation Metadata document
ID6018: digest verification failed for reference 'saml-metadata-d...'

The address I am using to read the metadata is "https://MY_PUBLIC_IP:MY_PORT/eid-idp/endpoints/ws-federation/metadata/auth-ident-metadata.xml"

What could be causing this?

Regards,
Gonzalo Faura
SWAPPSI
Website: www.swappsi.com<http://www.swappsi.com>


On Wed, Feb 22, 2012 at 11:46 AM, Frank Cornelis <frank.c...@fedict.be<mailto:frank.c...@fedict.be>> wrote:
Hi Gonzalo,


When you receive the error "secure channel binding identity mismatch", this is because the secure channel binding identity mismatches.

The secure channel binding identity should be the SSL identity that you're using, else you will receive a mismatch error.

The secure channel binding identity can be configured in the eID IdP admin portal under Config -> eID Applet.

If you really don't know what to put there, leave it open. In this case keep in mind that a MITM attack is possible.

Kind Regards,
Frank.


On 02/21/2012 08:32 PM, Gonzalo Faura wrote:
Frank,

The page: https://MY_PUBLIC_IP:MY_PORT//eid-trust-service-portal/validation-results is now validating authentication and signing certificates successfully.

I have noticed that in "Config > eID Applet" on the eid-idP admin portal, I don't have the SSL cert for "CN=eID test Root CA, C=BE", which was one of the previous errors given. Do I need to ad it? Was this certificate included with the distribution files?

The problem now is that when I go to "https://MY_PUBLIC_IP:MY_PORT//eid-idp/authentication" I get the following "General Error":

eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...

eID browser applet version: 1.0.4.GA<http://1.0.4.GA>

Regards,
Gonzalo Faura
SWAPPSI
Website: www.swappsi.com<http://www.swappsi.com>


On Tue, Feb 21, 2012 at 12:36 PM, Frank Cornelis <frank.c...@fedict.be<mailto:frank.c...@fedict.be>> wrote:
Hi Gonzalo,


The eID IdP uses cryptomaterial on 3 different places:
- SSL termination
- signing of the SAML assertions (eID IdP Identity)
- eID Applet secure channel binding (to make sure that no man in the middle is possible)

The eID IdP identity is determined via:
- the eID IdP identity used to sign SAML assertions
- the eID IdP Issuer Name which is also part of the signed SAML assertions


Kind Regards,
Frank.


On 02/20/2012 12:51 PM, Gonzalo Faura wrote:
Frank,

Is there an update on my last query?

Regards,
Gonzalo Faura
SWAPPSI
Website: www.swappsi.com<http://www.swappsi.com>


On Fri, Feb 17, 2012 at 12:38 PM, Gonzalo Faura <gfa...@swappsi.com<mailto:gfa...@swappsi.com>> wrote:
Frank,

Are you referring to the values in "idP Identity" screen on the eid idP? How can I know which the right values should be?
They should all be correct other than the "Name", which I just set to "Test". Could this be the reason?

Regards,
Gonzalo Faura
SWAPPSI
Website: www.swappsi.com<http://www.swappsi.com>


On Fri, Feb 17, 2012 at 11:30 AM, Frank Cornelis <frank.c...@fedict.be<mailto:frank.c...@fedict.be>> wrote:
Hi Gonzalo,


This error means that the service identity configured in the eID Applet security binding within the eID IdP admin portal does not match with your SSL certificate.


Kind Regards,
Frank.


On 02/16/2012 07:04 PM, Gonzalo Faura wrote:
secure channel binding identity mismatch

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.

To post to this group, send email to eid-a...@googlegroups.com<mailto:eid-a...@googlegroups.com>.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com<mailto:eid-applet%2Bunsu...@googlegroups.com>.


For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.


--
You received this message because you are subscribed to the Google Groups "eID Applet" group.

To post to this group, send email to eid-a...@googlegroups.com<mailto:eid-a...@googlegroups.com>.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com<mailto:eid-applet+...@googlegroups.com>.


For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.

To post to this group, send email to eid-a...@googlegroups.com<mailto:eid-a...@googlegroups.com>.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com<mailto:eid-applet%2Bunsu...@googlegroups.com>.


For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.

To post to this group, send email to eid-a...@googlegroups.com<mailto:eid-a...@googlegroups.com>.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com<mailto:eid-applet+...@googlegroups.com>.


For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.

To post to this group, send email to eid-a...@googlegroups.com<mailto:eid-a...@googlegroups.com>.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com<mailto:eid-applet%2Bunsu...@googlegroups.com>.


For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.

To post to this group, send email to eid-a...@googlegroups.com<mailto:eid-a...@googlegroups.com>.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com<mailto:eid-applet+...@googlegroups.com>.


For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.

To post to this group, send email to eid-a...@googlegroups.com<mailto:eid-a...@googlegroups.com>.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com<mailto:eid-applet%2Bunsu...@googlegroups.com>.


For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.


--
You received this message because you are subscribed to the Google Groups "eID Applet" group.

To post to this group, send email to eid-a...@googlegroups.com<mailto:eid-a...@googlegroups.com>.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com<mailto:eid-applet+...@googlegroups.com>.


For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.

To post to this group, send email to eid-a...@googlegroups.com<mailto:eid-a...@googlegroups.com>.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com<mailto:eid-applet%2Bunsu...@googlegroups.com>.


For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.

--
You received this message because you are subscribed to the Google Groups "eID Applet" group.

To post to this group, send email to eid-a...@googlegroups.com<mailto:eid-a...@googlegroups.com>.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com<mailto:eid-applet+...@googlegroups.com>.


For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.


--
You received this message because you are subscribed to the Google Groups "eID Applet" group.

To post to this group, send email to eid-a...@googlegroups.com<mailto:eid-a...@googlegroups.com>.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com<mailto:eid-applet%2Bunsu...@googlegroups.com>.

Gonzalo Faura

unread,
Mar 2, 2012, 11:04:30 AM3/2/12
to eid-a...@googlegroups.com
Frank,

Thanks for your answers and I appreciate that non-Linux hosting is not your primary focus, but what I basically need to know with certainty the following:
  1. Is this solution meant to work in a Windows Server Hosting?
  2. Can you or any of your colleagues tell me if there is a reason why this is not working in a Windows environment?
  3. Has anyone else approach you with this issue in the past that you could approach to see how they have overcome this obstacle?
  4. Is there any possibility at all for you to accept test eID cards on the STS publicly accessible on e-contract.be? If not on a full time basis, could this be done at least for a limited time (e.g.: a week) so that we could implement and test the desired code within that period of time?
Thanks in advance for your response.

Regards,
Gonzalo Faura
SWAPPSI

Frank Cornelis

unread,
Mar 5, 2012, 6:33:28 AM3/5/12
to eid-a...@googlegroups.com
Hi Gonzalo,


The eID IdP instance running at e-contract.be is a full production system. As such it does not allow eID test cards.


Kind Regards,
Frank.

Gonzalo Faura

unread,
Mar 5, 2012, 6:56:51 AM3/5/12
to eid-a...@googlegroups.com
Frank,

Thanks for your response.
Have you an update regarding my other queries?

Regards,
Gonzalo Faura
SWAPPSI




Frank Cornelis

unread,
Mar 5, 2012, 10:12:14 AM3/5/12
to eid-a...@googlegroups.com
Hi Gonzalo,


As said before, fixing eID IdP issues for Windows hosting is not on top of my TODO list. My main "server-side client" is FedICT, the governmental organization for which I work. At FedICT we're using Linux for hosting all the eID services. So this is where we're focussing on.


Kind Regards,
Frank.

Gonzalo Faura

unread,
Mar 6, 2012, 6:11:25 AM3/6/12
to eid-a...@googlegroups.com
Frank,

In order to try to move on, I have now installed it on a Linux machine.
I get a general error when trying to authenticate. Find all details below.

The configuration is as follow:
--------------------------------------------------------------------------------
CHANGES TO EID-IDP ADMIN PORTAL:

CONFIG > PKI VALIDATION
eID Trust Service XKMS2 URL: http://MY_PUBLIC_IP:MY_PORT/eid-trust-service-ws/xkms2
eID Trust Service Authentication Trust Domain: BE-AUTH
eID Trust Service Identification (National Registry) Trust Domain: BE-NAT-REG

IDENTITY (tested and saved correctly
Name (*): Test
Keystore Type (*): JKS
Keystore Path (*): /home/ash/eid-idp/eid-idp-mysql-distribution/jboss/server/default/conf/server.keystore
Keystore Password (*): swappsi
Key Entry Password (*): changeit
Key Entry Alias: jbosskey

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
CHANGES TO EID-TRUST ADMIN PORTAL:

TRUST POINTS > ADD TRUST POINT
CRL refresh cron schedule: 0 0 0/3 * * *
Certificate: (ADDED)

TRUST POINTS
BESet Default modify > Trust Points > Edit > move added trust point AND "eID test Root CA" to right hand side. Added Certificate Policy: 2.16.56.1.40.40.40.1
BE-NAT-REGSet Default modify > Trust Points > Edit > move added trust point AND "eID test Root CA" to right hand side. Added Certificate Policy: 2.16.56.1.40.40.40.1
BE-TESTSet Default modify > Trust Points > Edit > move added trust point AND "eID test Root CA" to right hand side. Added Certificate Policy: 2.16.56.1.40.40.40.1
BE-TSASet Default modify > Trust Points > Edit > move added trust point AND "eID test Root CA" to right hand side. Added Certificate Policy: 2.16.56.1.40.40.40.1
BE-AUTH: Default ticked > modify > Trust Points > Edit > move added trust point AND "eID test Root CA" to right hand side. Added Certificate Policy: 2.16.56.1.40.40.40.1

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
RESULTS

https://MY_PUBLIC_IP:MY_PORT/eid-idp/main > LOADS OK (links for WS-Federation download xml file and identity thumbprint shown)
https://MY_PUBLIC_IP:MY_PORT/eid-trust-service-portal/validation-results > Authentication certificate OKOK Signing certificate OKOK
https://MY_PUBLIC_IP:MY_PORT/eid-idp/authentication > error BELOW
eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.4.GA
Java version: 1.6.0_29
Java vendor: Sun Microsystems Inc.
OS: Windows 7
OS version: 6.1
OS arch: x86
Current time: Tue Mar 06 11:00:25 GMT 2012
<html><head><title>JBoss Web/3.0.0-CR1 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.servlet.ServletException: java.lang.SecurityException: authn service error: java.lang.SecurityException: eID Trust Service error
org.jboss.seam.web.ExceptionFilter.endWebRequestAfterException(ExceptionFilter.java:126)
org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:70)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
</pre></p><p><b>root cause</b> <pre>java.lang.SecurityException: authn service error: java.lang.SecurityException: eID Trust Service error
be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:326)

Gonzalo Faura

unread,
Mar 6, 2012, 8:25:05 AM3/6/12
to eid-a...@googlegroups.com
Frank,

Forget this error, I realised that the xkms-url was incorrect as I am running the http on port 8180.
Now I can see the card information on the screen when authenticating.

When adding the STS from Visual Studio, I get the following error:  "ID1019: the security token service descriptor does not contain any key descriptors".

Do you think there could be an issue with the format of the metadata or what do you think this error means?

Regards,
Gonzalo Faura
SWAPPSI




Frank Cornelis

unread,
Mar 6, 2012, 9:04:01 AM3/6/12
to eid-a...@googlegroups.com
Hi Gonzalo,


Try to run it on the default SSL port 443.


Kind Regards,
Frank.

Gonzalo Faura

unread,
Mar 6, 2012, 9:32:23 AM3/6/12
to eid-a...@googlegroups.com
Frank,

It is running on SSL port 443 already.

The non-SSL is running on port 8180 and therefore this is the one I used as the "eID Trust Service XKMS2 URL" in the PKI Validation. I tried replacing this using the https address but the authentication doesn't work at all if I do so.

After reading this thread http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/64918239-f8ca-4ae7-9b98-5cac179e7877 and looking at the database I have a feeling it might be something to do with the ws-security-setting. Not sure if there is an option to config this in one of the admin portals?

There is an entry in one of the tables relating to this which seems to be expecting some values for a key - not sure if I would need to generate another one or if the that is being used in the eid-idp identity can be used again.

The server itself isn't throwing any error's on this end but it is giving the following warning:

13:35:18,302 WARN  [be.fedict.eid.idp.protocol.ws_federation.AbstractWSFederationMetadataHttpServlet] WS-Federation Metadata NOT signed!


Regards,
Gonzalo Faura
SWAPPSI




On Tue, Mar 6, 2012 at 2:04 PM, Frank Cornelis <frank.c...@fedict.be> wrote:
Hi Gonzalo,


Try to run it on the default SSL port 443.


Kind Regards,
Frank.

On 03/06/2012 02:25 PM, Gonzalo Faura wrote:
Frank,

Forget this error, I realised that the xkms-url was incorrect as I am running the http on port 8180.
Now I can see the card information on the screen when authenticating.

When adding the STS from Visual Studio, I get the following error:  "ID1019: the security token service descriptor does not contain any key descriptors".

Do you think there could be an issue with the format of the metadata or what do you think this error means?

Regards,
Gonzalo Faura
SWAPPSI

Frank Cornelis

unread,
Mar 6, 2012, 9:40:22 AM3/6/12
to eid-a...@googlegroups.com
Hi Gonzalo,


You need to configure the service identity within your eID IdP admin portal. This service identity will be used to sign authentication protocol response messages, and things like authentication protocol metadata files like the WS-Federation SAML2 Metadata document.


Kind Regards,
Frank.

Gonzalo Faura

unread,
Mar 6, 2012, 9:46:30 AM3/6/12
to eid-a...@googlegroups.com
Frank,

I did that also as explained below in the configuration details entered. Find the screenshot attached. 

Regards,
Gonzalo Faura
SWAPPSI




Identity.jpg

Frank Cornelis

unread,
Mar 6, 2012, 9:51:30 AM3/6/12
to eid-a...@googlegroups.com
Hi Gonzalo,


You have to click "Activate". Check if the service identity is really active by navigating to:
    https://localhost/eid-idp/
There you should see some service fingerprint value.


Kind Regards,
Frank.

Gonzalo Faura

unread,
Mar 6, 2012, 10:01:09 AM3/6/12
to eid-a...@googlegroups.com
Frank,

Clicking the "Activate" seems to have done the trick, Thanks!!
I am now able to connect to the STS and can see the info on the card.

Thanks for your help along the way :)

Regards,
Gonzalo Faura
SWAPPSI




frank.c...@gmail.com

unread,
Sep 7, 2012, 6:49:48 AM9/7/12
to eid-a...@googlegroups.com
Hi Jérôme,


The hardware on which the eID products run is not really relevant. As long as the platform is capable of offering a Linux/Java platform it should be OK.


Kind Rehards,
Frank.

On 09/06/2012 02:39 PM, jerome...@gmail.com wrote:
Hi Frank,

Is it possible to run the eid idp server on a virtual machine to test the blank eid card ?
If true, can you share the eid idp server on a virtual machne ?

Thanks in advance,
Jérôme

Le mardi 7 février 2012 21:28:51 UTC+1, Gon a écrit :
Hi,

I have been trying to read from the eID card.
After several tests, I managed to set up the development environment
to use the STS

The webpage redirects to the identification process, which then
prompts to enter the eID card, reads from it and then asks to remove
the card.

This part is all ok, however, after removing the card I get the
following "Generic Error", which mentions something about an "invalid
certificate":

***************************************************************************************************************************

eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.5.Beta1
Java version: 1.6.0_29
Java vendor: Sun Microsystems Inc.
OS: Windows 7
OS version: 6.1
OS arch: x86
Web application URL: https://www.e-contract.be/eid-idp/identification
Current time: Tue Feb 07 20:21:50 GMT 2012
session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: IdentificationRequestMessage
current protocol state: INIT
protocol state transition: IDENTIFY
include address: true
include photo: true
include integrity data: true
include certificates: true
remove card: true
identity data usage: null
Detecting eID card...
Scanning card terminal: OMNIKEY CardMan 3x21 0
Please insert your eID card...
Scanning card terminal: OMNIKEY CardMan 3x21 0
eID card detected in card terminal : OMNIKEY CardMan 3x21 0
Reading out identity...
Reading identity file...
selecting file
read binary
Size identity file: 179
Read address file...
selecting file
read binary
Size address file: 121
Read photo file...
selecting file
read binary
Read identity signature file...
selecting file
read binary
Read address signature file...
selecting file
read binary
Read national registry certificate file...
selecting file
read binary
size RRN cert file: 840
reading root certificate file...
selecting file
read binary
size Root CA cert file: 929
reading authn certificate file...
selecting file
read binary
size authn cert file: 1061
reading sign certificate file...
selecting file
read binary
size non-repud cert file: 1082
reading citizen CA certificate file...
selecting file
read binary
size Cit CA cert file: 1042
Please remove your eID card.
Transmitting identity data...
sending message: IdentityDataMessage
current protocol state: IDENTIFY
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
HTTP response code: 500
<html><head><title>JBoss Web/3.0.0-CR1 - Error report</
title><style><!--H1 {font-family:Tahoma,Arial,sans-
serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-
family:Tahoma,Arial,sans-serif;color:white;background-
color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-
serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-
family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-
color:#525D76;} P {font-family:Tahoma,Arial,sans-
serif;background:white;color:black;font-size:12px;}A {color : black;}
A.name {color : black;}HR {color : #525D76;}--></style> </
head><body><h1>HTTP Status 500 - </h1><HR size="1"
noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b>
<u></u></p><p><b>description</b> <u>The server encountered an internal
error () that prevented it from fulfilling this request.</u></
p><p><b>exception</b> <pre>javax.servlet.ServletException:
javax.ejb.EJBException: java.lang.SecurityException: invalid
certificate
        
org.jboss.seam.web.ExceptionFilter.endWebRequestAfterException(ExceptionFilter.java:
126)
        org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:70)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
        org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
        
org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:
388)
        org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
        org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
</pre></p><p><b>root cause</b> <pre>javax.ejb.EJBException:
java.lang.SecurityException: invalid certificate
        
org.jboss.ejb3.tx2.impl.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:
183)
        
org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:
251)
        
org.jboss.ejb3.tx2.impl.CMTTxInterceptor.required(CMTTxInterceptor.java:
349)
        org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invoke(CMTTxInterceptor.java:
209)
        
org.jboss.ejb3.tx2.aop.CMTTxInterceptorWrapper.invoke(CMTTxInterceptorWrapper.java:
52)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:
76)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:
182)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:
41)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:
67)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:
47)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:
67)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:
86)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:
323)
        
org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:
380)
        sun.reflect.GeneratedMethodAccessor7510.invoke(Unknown Source)
        
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:
25)
        java.lang.reflect.Method.invoke(Method.java:597)
        
org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler
$LocalContainerInvocation.invokeTarget(SessionLocalProxyInvocationHandler.java:
184)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
111)
        
org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:
143)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler
$LocalInvokableContextHandler.invoke(SessionLocalProxyInvocationHandler.java:
159)
        $Proxy496.invoke(Unknown Source)
        
org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:
185)
        $Proxy654.checkNationalRegistrationCertificate(Unknown Source)
        
be.fedict.eid.applet.service.impl.handler.IdentityDataMessageHandler.handleMessage(IdentityDataMessageHandler.java:
221)
        
be.fedict.eid.applet.service.impl.handler.IdentityDataMessageHandler.handleMessage(IdentityDataMessageHandler.java:
64)
        
be.fedict.eid.applet.service.AppletServiceServlet.doPost(AppletServiceServlet.java:
310)
        
be.fedict.eid.idp.webapp.IdPAppletServiceServlet.doPost(IdPAppletServiceServlet.java:
59)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
        
be.fedict.eid.idp.webapp.SessionLoggingFilter.doFilter(SessionLoggingFilter.java:
60)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:83)
        org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
        org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
        
org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:
388)
        org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
        org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
</pre></p><p><b>root cause</b> <pre>java.lang.SecurityException:
invalid certificate
        
be.fedict.eid.idp.model.applet.IdentityIntegrityServiceBean.checkNationalRegistrationCertificate(IdentityIntegrityServiceBean.java:
109)
        sun.reflect.GeneratedMethodAccessor1459.invoke(Unknown Source)
        
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:
25)
        java.lang.reflect.Method.invoke(Method.java:597)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:
122)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
111)
        
org.jboss.ejb3.interceptors.container.ContainerMethodInvocationWrapper.invokeNext(ContainerMethodInvocationWrapper.java:
72)
        
org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:
76)
        
org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:
62)
        sun.reflect.GeneratedMethodAccessor598.invoke(Unknown Source)
        
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:
25)
        java.lang.reflect.Method.invoke(Method.java:597)
        
org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:
174)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:
74)
        
org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_15564049.invoke(InvocationContextInterceptor_z_fillMethod_15564049.java)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:
90)
        
org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_15564049.invoke(InvocationContextInterceptor_z_setup_15564049.java)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.async.impl.interceptor.AsynchronousServerInterceptor.invoke(AsynchronousServerInterceptor.java:
128)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:
62)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:
56)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:
47)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:
68)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.core.context.SessionInvocationContextAdapter.proceed(SessionInvocationContextAdapter.java:
95)
        
org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:
247)
        
org.jboss.ejb3.tx2.impl.CMTTxInterceptor.required(CMTTxInterceptor.java:
349)
        org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invoke(CMTTxInterceptor.java:
209)
        
org.jboss.ejb3.tx2.aop.CMTTxInterceptorWrapper.invoke(CMTTxInterceptorWrapper.java:
52)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:
76)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:
182)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:
41)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:
67)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:
47)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:
67)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:
86)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:
323)
        
org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:
380)
        sun.reflect.GeneratedMethodAccessor7510.invoke(Unknown Source)
        
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:
25)
        java.lang.reflect.Method.invoke(Method.java:597)
        
org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler
$LocalContainerInvocation.invokeTarget(SessionLocalProxyInvocationHandler.java:
184)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
111)
        
org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:
143)
        
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:
102)
        
org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler
$LocalInvokableContextHandler.invoke(SessionLocalProxyInvocationHandler.java:
159)
        $Proxy496.invoke(Unknown Source)
        
org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:
185)
        $Proxy654.checkNationalRegistrationCertificate(Unknown Source)
        
be.fedict.eid.applet.service.impl.handler.IdentityDataMessageHandler.handleMessage(IdentityDataMessageHandler.java:
221)
        
be.fedict.eid.applet.service.impl.handler.IdentityDataMessageHandler.handleMessage(IdentityDataMessageHandler.java:
64)
        
be.fedict.eid.applet.service.AppletServiceServlet.doPost(AppletServiceServlet.java:
310)
        
be.fedict.eid.idp.webapp.IdPAppletServiceServlet.doPost(IdPAppletServiceServlet.java:
59)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
        
be.fedict.eid.idp.webapp.SessionLoggingFilter.doFilter(SessionLoggingFilter.java:
60)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:83)
        org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
        org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
        
org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:
388)
        org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
        org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
        org.jboss.seam.servlet.SeamFilter
$FilterChainImpl.doFilter(SeamFilter.java:69)
        org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
</pre></p><p><b>note</b> <u>The full stack trace of the root cause is
available in the JBoss Web/3.0.0-CR1 logs.</u></p><HR size="1"
noshade="noshade"><h3>JBoss Web/3.0.0-CR1</h3></body></html>
error: error sending message to service. HTTP status code: 500
error type: java.io.IOException
at be.fedict.eid.applet.Controller.sendMessage:191
at be.fedict.eid.applet.Controller.sendMessage:143
at be.fedict.eid.applet.Controller.performEidIdentificationOperation:
1398
at be.fedict.eid.applet.Controller.run:352
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Generic Error.

***************************************************************************************************************************

Any help will be appreciated.

Regards,
Gonzalo
--
You received this message because you are subscribed to the Google Groups "eID Applet" group.
To view this discussion on the web visit https://groups.google.com/d/msg/eid-applet/-/4ch1mzBfpngJ.
Reply all
Reply to author
Forward
0 new messages