eID IdP - Admin portal configuration


Berty

Jan 18, 2012, 8:29:40 AM1/18/12
to eID Applet
Hi Frank,
I still have problems getting the eid-idp to work correctly.
I think that the eID Trust Service is installed correctly:
I tried the following link (http://localhost:8080/eid-trust-service-portal/validation-results)
and the 2 certificates are OK.

I don't understand what's not working in the eid-idp configuration.
I have generated a keystore like this:
keytool -genkey -alias eididp -keystore c:\keystore\eididp.p12 -storetype PKCS12 -keypass 123456
Then it asked me for the keystore password: 123456
last name: bjk
OU: ict
O: uw
City: Bruxelles
State: Bruxelles
Country Code: BE

In the eID IdP Admin portal:
In the Config section:
IdP Default Configuration
===========================
- I don't know what to fill in for "Default HMAC-SHA1 identifier secret (hexadecimal)" and "Default authentication token issuer name".
- Do they need to be completed?

Network and eID Applet
=======================
- Leave it as it is, OK?

PKI validation
===============
eID Trust Service XKMS2 URL: https://localhost/eid-trust-service-ws/xkms2
eID Trust Service Authentication Trust Domain: BE-AUTH
eID Trust Service Identification (National Registry) Trust Domain: BE-NAT-REG

In the Identity section:
I created an identity named test
Keystore Type: PKCS12
Keystore Path: C:\keystore\eididp.p12
Keystore Password: 123456
Key Entry Password: 123456
Key Entry alias: eididp

I clicked the test link and it was OK.
Now in http://localhost:8080/eid-idp/main
I have an identity thumbprint:
4a231e9414264bd9c31ac833d440014288cbd5b7
and an identity.pem file.

Now in Visual Studio I have the following when I use the URL:
https://localhost/eid-idp/endpoints/ws-federation/metadata/auth-ident-metadata.xml

First I get a warning:
ID1025: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Status: UntrustedRoot
Subject of the Certificate: CN=localhost, OU=eID Test, L=Brussels, O=FedICT, C=BE
Issuer of the Certificate: CN=localhost, OU=eID Test, L=Brussels, O=FedICT, C=BE
Do you wish to continue?

I clicked yes and received the following error:
ID6018: digest verification failed for reference
'saml-metadata-d4c7b306-8f37-4f26-aac3-9484f5fc6f86'

Can you help me?
Thanks,
Bertrand Jonckman
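The identity thumbprint shown in the admin portal and the identity.pem file are the same certificate seen two ways, and the thumbprint is also what the relying party's web.config has to carry. The following is an added example, not code from this thread or from the eID IdP project: it derives the thumbprint from a PEM file and normalises a value pasted from a GUI or a config file before comparing the two. It assumes the thumbprint is the SHA-1 digest of the DER-encoded certificate (the 40-hex-digit value above has exactly that length, and it is what WIF's FindByThumbprint compares). The PEM in the block wraps the constructed placeholder bytes "abc" instead of a real certificate, so that the expected digest is the published SHA-1 test vector.

```python
import base64
import hashlib
import re

# Constructed placeholder: base64("abc") == "YWJj". Not a real certificate;
# it only stands in for the DER bytes so that the expected digest is the
# published SHA-1 test vector for "abc".
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes of the first block."""
    body = []
    inside = False
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN "):
            inside = True
        elif line.startswith("-----END "):
            break
        elif inside and line:
            body.append(line)
    if not body:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(body), validate=True)


def thumbprint(pem: str) -> str:
    """SHA-1 over the DER encoding, lowercase hex without separators."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest()


def normalize_thumbprint(value: str) -> str:
    """Canonicalise a thumbprint pasted from a GUI or a config file.

    Removes separators, whitespace and any other non-hex character (the
    Windows certificate dialog prepends an invisible U+200E mark when the
    value is copied), lowercases what is left and insists on exactly
    40 hex digits, the length of a SHA-1 digest.
    """
    cleaned = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if not _HEX40.match(cleaned):
        raise ValueError(f"not a SHA-1 thumbprint after cleanup: {value!r}")
    return cleaned


def thumbprint_matches(pem: str, configured: str) -> bool:
    """True if `configured` (as pasted) identifies the certificate in `pem`."""
    try:
        return thumbprint(pem) == normalize_thumbprint(configured)
    except ValueError:
        return False


if __name__ == "__main__":
    print("identity thumbprint:", thumbprint(SAMPLE_PEM))
    pasted = "\u200eA9 99 3E 36 47 06 81 6A BA 3E 25 71 78 50 C2 6C 9C D0 D8 9D"
    print("web.config value matches:", thumbprint_matches(SAMPLE_PEM, pasted))
```

A thumbprint copied from the Windows certificate dialog frequently carries the invisible leading character and spaces between byte pairs; a plain string compare then fails even though every hex digit is right, which is why the comparison normalises first. Re-run the comparison against web.config whenever the IdP identity is regenerated, since a new keystore means a new thumbprint.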

Bertrand Jonckman

Jan 18, 2012, 8:50:11 AM1/18/12
to eID Applet
Also in the FedICT log I have the following:
2012-01-18 14:48:44,315 DEBUG [SessionLoggingFilter] request URI: /eid-idp/endpoints/ws-federation/metadata/auth-ident-metadata.xml
2012-01-18 14:48:44,317 DEBUG [SessionLoggingFilter] session id: FD07D3C2D9387739F05362CD66EC6298; is new: true
2012-01-18 14:48:44,318 DEBUG [SessionLoggingFilter] no client session id received
2012-01-18 14:48:44,318 DEBUG [AbstractWSFederationMetadataHttpServlet] doGet
2012-01-18 14:48:44,318 DEBUG [AbstractWSFederationMetadataHttpServlet] location: https://localhost/eid-idp/protocol/ws-federation/auth-ident
2012-01-18 14:48:44,337 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:address
2012-01-18 14:48:44,338 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:age
2012-01-18 14:48:44,339 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:dob
2012-01-18 14:48:44,340 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:firstname
2012-01-18 14:48:44,341 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:gender
2012-01-18 14:48:44,342 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:identifier
2012-01-18 14:48:44,343 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:lastname
2012-01-18 14:48:44,344 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:locality
2012-01-18 14:48:44,345 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:name
2012-01-18 14:48:44,346 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:nationality
2012-01-18 14:48:44,347 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:photo
2012-01-18 14:48:44,347 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:pob
2012-01-18 14:48:44,348 DEBUG [AttributeServiceBean] get attribute URI: protocol=WS-Federation attribute=be:fedict:eid:idp:postalcode
2012-01-18 14:48:44,351 DEBUG [AbstractWSFederationMetadataHttpServlet] sign WS-Federation Metadata



Frank Cornelis

Jan 18, 2012, 9:10:33 AM1/18/12
to eid-a...@googlegroups.com
Hi Bertrand,


Normally the eID Applet cannot operate over non-SSL. So the eID Trust
Service portal URL should be:
https://localhost/eid-trust-service-portal/

The HMAC-SHA1 secret is used to compute unique user identifiers for the
connecting relying parties. If you leave this empty the eID IdP will
simply use the national registration number as unique user identifier.

Default authn token issuer name is used as value of saml2:Issuer in the
SAML2 assertions (for both SAML2 protocol, as well as WS-Federation
protocol) if you didn't configure a service identity. Else the service
identity name will be used for saml2:Issuer value.

Normally you can leave Network and Applet as is.

PS: check out the eID Trust Service and eID IdP Admin manuals. Normally
you should find all this info in those manuals. If not, let me know
what's missing so I can add it.


Then you get an ID6018 error that clearly comes from WIF. I'm afraid
that I cannot really help you out on that one. Does it work via:

https://www.e-contract.be/eid-idp/endpoints/ws-federation/metadata/auth-ident-metadata.xml
?
Does the eID IdP test app work? Available at:
https://localhost/eid-idp-sp/


Kind Regards,
Frank.
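The HMAC-SHA1 identifier secret in the reply above decides what each relying party receives as the user's identifier: with nothing configured, the national registration number itself goes to every RP. The block below is an added illustration of that trade-off, not the eID IdP's own implementation. The per-RP salting (the rp_id in the HMAC input), the separator byte and the function names are assumptions made for the example, and the RRN and RP URLs are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not real data.
SAMPLE_RRN = "85010112345"          # placeholder national registration number
RP_A = "https://sp-a.example/"      # hypothetical relying party identifiers
RP_B = "https://sp-b.example/"


def generate_secret_hex(nbytes: int = 20) -> str:
    """Fresh random secret in the hexadecimal form the admin field asks for."""
    return secrets.token_hex(nbytes)


def user_identifier(rrn: str, rp_id: str, hmac_secret_hex: str = "") -> str:
    """Identifier released to relying party `rp_id` for the user with `rrn`.

    Empty secret: the RRN itself is released, mirroring the default
    behaviour described in the reply above. Otherwise HMAC-SHA1 keyed
    with the secret over rp_id || 0x00 || rrn, so the same person gets a
    different value at every RP and the RRN cannot be derived from it
    without the key. (Per-RP salting is an assumption of this example;
    SHA-1 inside HMAC is still sound for this purpose.)
    """
    if not hmac_secret_hex:
        return rrn
    key = bytes.fromhex(hmac_secret_hex)   # raises ValueError on non-hex input
    msg = rp_id.encode("utf-8") + b"\x00" + rrn.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def linkable_across_rps(rrn: str, hmac_secret_hex: str = "") -> bool:
    """True if two colluding RPs could match this user by comparing identifiers."""
    id_a = user_identifier(rrn, RP_A, hmac_secret_hex)
    id_b = user_identifier(rrn, RP_B, hmac_secret_hex)
    return id_a == id_b


if __name__ == "__main__":
    secret = generate_secret_hex()
    for label, s in (("no secret ", ""), ("secret set", secret)):
        for rp in (RP_A, RP_B):
            print(label, rp, user_identifier(SAMPLE_RRN, rp, s))
        print(label, "linkable across RPs:", linkable_across_rps(SAMPLE_RRN, s))
```

With the secret set, two relying parties cannot correlate the same user by comparing identifiers, and neither can recover the RRN from what it received without the key. The flip side is that the secret becomes part of the identity scheme: back it up together with the keystore, and treat a change of secret as a change of every user identifier ever issued.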

Bertrand Jonckman

Jan 18, 2012, 9:50:51 AM1/18/12
to eid-a...@googlegroups.com

Hi Frank,

With the URL https://localhost/eid-trust-service-portal/ it's also working.
So if I understand you correctly, I can leave HMAC-SHA1 and issuer name empty (this section is not described in the eid-idp-admin-manual.pdf, I think).
But I have completely read the 2 manuals and used them to install and configure the JBoss app server, the eid-trust-service and eid-idp.

For the ID6018 error, it's working with https://www.e-contract.be/eid-idp/endpoints/ws-federation/metadata/auth-ident-metadata.xml
And when I use https://localhost/eid-idp-sp/ to test https://localhost/eid-idp-sp/openid/auth-ident.jsp it's working and I see my eID card details.

Thanks,
Bertrand Jonckman

Frank Cornelis

Jan 18, 2012, 10:13:56 AM1/18/12
to eid-a...@googlegroups.com
Hi Bertrand,


Seems like WIF doesn't like local running eID IdP instances. Never
tested eID IdP out directly on a Windows box, always using Linux and
doing remote eID IdP tests over here.


Kind Regards,
Frank.


Bertrand Jonckman

Jan 25, 2012, 9:09:24 AM1/25/12
to eid-a...@googlegroups.com
Hi Frank,
I don't think it's a problem with Windows, because I can connect to the admin portal with my eID card.
As I could not use the STS like in your demo, I modified my sample demo project with the right thumbprint and URLs in the web.config.
Now, when I start my project, it asks for my eID card and password... but at the end it crashes like this:

eID Applet - Copyright (C) 2008-2011 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.4.GA
Java version: 1.7.0_02
Java vendor: Oracle Corporation
OS: Windows 7
OS version: 6.1
OS arch: x86
Web application URL: https://localhost/eid-idp/authentication
Current time: Wed Jan 25 14:13:32 CET 2012
session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: false
logoff: true
pre-logoff: true
TLS session Id channel binding: false
server certificate channel binding: true
include identity: true
include certificates: true
include address: true
include photo: true
include integrity data: false
require secure smart card reader: false
no PKCS11: true
Detecting eID card...
Detecting eID card...
Scanning card terminal: O2 O2Micro CCID SC Reader 0
eID card detected in card terminal : O2 O2Micro CCID SC Reader 0
Authenticating...
performing a pre-logoff
logoff...
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
CCID GET_FEATURE IOCTL...
GET_FEATURES IOCTL error: transmitControlCommand() failed
selecting key...
computing digital signature...
PIN verification required...
verifying PIN...
computing digital signature...
selecting file
read binary
selecting file
read binary
selecting file
read binary
reading sign certificate file...
selecting file
read binary
size non-repud cert file: 1082
Reading out identity...
selecting file
read binary
selecting file
read binary
selecting file
read binary
logoff...
sending message: AuthenticationDataMessage
current protocol state: AUTHENTICATE
SSL handshake finish cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
HTTP response code: 500
HTTP Status 500 - (JBoss Web/3.0.0-CR1 error report)
type: Exception report
message: (empty)
description: The server encountered an internal error () that prevented it from fulfilling this request.
exception: javax.servlet.ServletException: java.lang.SecurityException: authn service error: java.lang.SecurityException: eID Trust Service error
    org.jboss.seam.web.ExceptionFilter.endWebRequestAfterException(ExceptionFilter.java:126)
    org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:70)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
    org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
    org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
    org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
    org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
root cause: java.lang.SecurityException: authn service error: java.lang.SecurityException: eID Trust Service error
    be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:326)
    be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:79)
    be.fedict.eid.applet.service.AppletServiceServlet.doPost(AppletServiceServlet.java:310)
    be.fedict.eid.idp.webapp.IdPAppletServiceServlet.doPost(IdPAppletServiceServlet.java:59)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    be.fedict.eid.idp.webapp.SessionLoggingFilter.doFilter(SessionLoggingFilter.java:60)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
    org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
    org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
    org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
    org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
    org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
    org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
note: The full stack trace of the root cause is available in the JBoss Web/3.0.0-CR1 logs.
error: error sending message to service. HTTP status code: 500
error type: java.io.IOException
at be.fedict.eid.applet.Controller.sendMessage:227
at be.fedict.eid.applet.Controller.performEidPcscAuthnOperation:1473
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1205
at be.fedict.eid.applet.Controller.run:382
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Generic Error.

Do you have an idea of what's wrong?



Bertrand Jonckman

Jan 25, 2012, 9:10:06 AM1/25/12
to eid-a...@googlegroups.com
Here is also the fedict.log crash detail:

2012-01-25 15:02:36,412 WARN  [AuthenticationServiceBean] eID Trust Service error: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:135)
    at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:163)
    at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:95)
    at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:133)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:629)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:588)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:573)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:470)
    at com.sun.xml.ws.client.Stub.process(Stub.java:319)
    at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
    at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
    at $Proxy434.validate(Unknown Source)
    at be.fedict.trust.client.XKMS2Client.validate(XKMS2Client.java:562)
    at be.fedict.trust.client.XKMS2Client.validate(XKMS2Client.java:349)
    at be.fedict.trust.client.XKMS2Client.validate(XKMS2Client.java:331)
    at be.fedict.eid.idp.model.applet.AuthenticationServiceBean.validateCertificateChain(AuthenticationServiceBean.java:104)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
    at org.jboss.ejb3.interceptors.container.ContainerMethodInvocationWrapper.invokeNext(ContainerMethodInvocationWrapper.java:72)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62)
    at sun.reflect.GeneratedMethodAccessor534.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:74)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_22033424.invoke(InvocationContextInterceptor_z_fillMethod_22033424.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:90)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_22033424.invoke(InvocationContextInterceptor_z_setup_22033424.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.async.impl.interceptor.AsynchronousServerInterceptor.invoke(AsynchronousServerInterceptor.java:128)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.core.context.SessionInvocationContextAdapter.proceed(SessionInvocationContextAdapter.java:95)
    at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:247)
    at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.required(CMTTxInterceptor.java:349)
    at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invoke(CMTTxInterceptor.java:209)
    at org.jboss.ejb3.tx2.aop.CMTTxInterceptorWrapper.invoke(CMTTxInterceptorWrapper.java:52)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:182)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:323)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:380)
    at sun.reflect.GeneratedMethodAccessor781.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler$LocalContainerInvocation.invokeTarget(SessionLocalProxyInvocationHandler.java:184)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
    at org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:143)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler$LocalInvokableContextHandler.invoke(SessionLocalProxyInvocationHandler.java:159)
    at $Proxy335.invoke(Unknown Source)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:185)
    at $Proxy431.validateCertificateChain(Unknown Source)
    at be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:286)
    at be.fedict.eid.applet.service.impl.handler.AuthenticationDataMessageHandler.handleMessage(AuthenticationDataMessageHandler.java:79)
    at be.fedict.eid.applet.service.AppletServiceServlet.doPost(AppletServiceServlet.java:310)
    at be.fedict.eid.idp.webapp.IdPAppletServiceServlet.doPost(IdPAppletServiceServlet.java:59)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242)
    at be.fedict.eid.idp.webapp.SessionLoggingFilter.doFilter(SessionLoggingFilter.java:60)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
    at org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
    at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
    at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
    at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
    at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
    at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
    at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:181)
    at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event(CatalinaContext.java:285)
    at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invoke(CatalinaContext.java:261)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951)
    at java.lang.Thread.run(Thread.java:722)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1868)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1337)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:998)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1087)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:123)
    ... 134 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1319)
    ... 146 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 152 more

Frank Cornelis

Jan 25, 2012, 10:16:32 AM1/25/12
to eid-a...@googlegroups.com
Hi Bertrand,


AFAIK this error occurs because the eID IdP tries to contact the XKMS
service of eID Trust Service over SSL but the Java SSL layer does not
trust the SSL certificate (probably because it's some self-signed
certificate).

Try as eID Trust Service XKMS2 URL within the eID IdP admin portal:
http://localhost:8080/eid-trust-service-ws/xkms2

Thus, avoid using SSL to connect to a local running eID Trust Service.


Kind Regards,
Frank.
