Install woes - idp.war won't load, and idp.jks cert errors


Brendan Murray
Dec 18, 2011, 8:17:56 PM
to us...@shibboleth.net
I've been working on this for months, and clearly have some basic
misunderstanding. So finally I've come to this list for help.

I am running Red Hat Enterprise Linux Server release 5.6 (Tikanga)
I have downloaded and installed with install.sh from
shibboleth-identityprovider-2.3.5-bin.zip

I have installed from source both apache-tomcat-6.0.33.tar.gz and
apache-tomcat-7.0.16.tar.gz - tomcat6 isn't directly available for
yum install


I have two problems (so far)

1. I can't get the idp to run. The error is familiar to this list:

Dec 19, 2011 1:41:41 PM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.MessageDecoders': Cannot create inner bean 'shibboleth.UnsolicitedSSODecoder' of type [edu.internet2.middleware.shibboleth.idp.profile.saml2.UnsolicitedSSODecoder] while setting bean property 'sourceMap' with key [TypedStringValue: value [urn:mace:shibboleth:2.0:profiles:AuthnRequest], target type [null]]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [edu.internet2.middleware.shibboleth.idp.profile.saml2.UnsolicitedSSODecoder] for bean with name 'shibboleth.UnsolicitedSSODecoder' defined in URL [file:/opt/shibboleth-idp/conf/internal.xml]; nested exception is java.lang.ClassNotFoundException: edu.internet2.middleware.shibboleth.idp.profile.saml2.UnsolicitedSSODecoder

I believe I have correctly added the ${catalina_home}/endorsed/*.jar
to conf/catalina.properties
I'm using the http connector in server.xml on port 8080 routing to 8443
I'm using a commercial certificate for SSL (though that all works)

Can someone suggest where I need to look for this?


2. A bit later on, just trying to make sure that I can connect to
https://idp:8443, using this definition in server.xml

<Connector port="8443"
protocol="HTTP/1.1"
maxThreads="200"
scheme="https"
SSLEnabled="true"
sslProtocol="TLS"
clientAuth="true"
keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
keystorePass="obfuscatory"/>

I get

"idp.otago.ac.nz:8443 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

(Error code: sec_error_ca_cert_invalid)"

Now self-signed ought to be OK? So I accept it and get

"An error occurred during a connection to idp.xxxx.edu:8443.

SSL peer cannot verify your certificate.

(Error code: ssl_error_bad_cert_alert)"


Again - any ideas?


thanks anyone for anything that gets me moving a bit more forward.
--
To unsubscribe from this list send an email to users-un...@shibboleth.net

Rod Widdowson
Dec 19, 2011, 4:39:39 AM
to Shib Users
Don't even try to use tomcat7, it isn't supported.

> I have two problems (so far)
>
> 1. I can't get the idp to run. The error is familiar to this list:

Is there nothing further up the Tomcat logs (or perhaps anything in the Shib logs)?

> I believe I have correctly added the ${catalina_home}/endorsed/*.jar to
> conf/catalina.properties

Note that RHEL 6 is known to do crazy things with the endorsed directory.

http://groups.google.com/group/shibboleth-users/browse_thread/thread/cd0b4dbf723d2bfe/f3670bfb65fed690?lnk=gst&q=tomcat+endorsed#f3670bfb65fed690

You state that you are using 5.6, but craziness is infectious

> "An error occurred during a connection to idp.xxxx.edu:8443.
>
> SSL peer cannot verify your certificate.
>
> (Error code: ssl_error_bad_cert_alert)"
>
>
> Again - any ideas?

This means you have configured the port correctly - that port isn't meant for browsers. For now I'd assume that this is OK and go
back to it when you test the SAML1 flows.

Peter Schober
Dec 19, 2011, 3:11:47 PM
to us...@shibboleth.net
* Brendan Murray <xaspe...@gmail.com> [2011-12-19 02:18]:

> I've been working on this for months, and clearly have some basic
> misunderstanding. So finally I've come to this list for help.

You really could have asked after, say, days, not months! ;)

> I am running Red Hat Enterprise Linux Server release 5.6 (Tikanga)
> I have downloaded and installed with install.sh from
> shibboleth-identityprovider-2.3.5-bin.zip
>
> I have installed from source both apache-tomcat-6.0.33.tar.gz and
> apache-tomcat-7.0.16.tar.gz - tomcat6 isn't directly available for
> yum install

Jfyi, I've long switched to Jason Brittain's excellent Tomcat packages on RHEL:
http://code.google.com/p/webdroid-tomcat-package/
-peter

Brendan Murray
Dec 19, 2011, 4:28:10 PM
to us...@shibboleth.net
Peter Schober wrote:
> * Brendan Murray <xaspe...@gmail.com> [2011-12-19 02:18]:
>> I've been working on this for months, and clearly have some basic
>> misunderstanding. So finally I've come to this list for help.
>
> You really could have asked after, say, days, not months! ;)

I hate asking, and I absolutely dread being told to RTFM, so sometimes
torture myself for far too long before asking.

>
>> I am running Red Hat Enterprise Linux Server release 5.6 (Tikanga)
>> I have downloaded and installed with install.sh from
>> shibboleth-identityprovider-2.3.5-bin.zip
>>
>> I have installed from source both apache-tomcat-6.0.33.tar.gz and
>> apache-tomcat-7.0.16.tar.gz - tomcat6 isn't directly available for
>> yum install
>
> Jfyi, I've long switched to Jason Brittain's excellent Tomcat packages on RHEL:
> http://code.google.com/p/webdroid-tomcat-package/

All built for a later version of rpm than the box I have to do the
install on. Unfortunately.

Brendan Murray
Dec 19, 2011, 4:42:42 PM
to Shib Users
>
>> "An error occurred during a connection to idp.xxxx.edu:8443.
>>
>> SSL peer cannot verify your certificate.
>>
>> (Error code: ssl_error_bad_cert_alert)"
>>
>>
>> Again - any ideas?
>
> This means you have configured the port correctly - that port isn't meant for browsers.  For now I'd assume that this is OK and go
> back to it when you test the SAML1 flows.
>

Thanks. I'll ignore that for now. Casting about for reasons I guess.

Brendan Murray
Dec 19, 2011, 5:05:46 PM
to Shib Users
Based on the two good hints I got today from the list, I've at least
got a new error message.

There is nothing in /opt/shibboleth-idp/logs. The idp never gets that far.

I'm using Tomcat 6.0.33. I downloaded 6.0.35 today and tried that. No change.

I believe I'm closer to getting it to see the right endorsed files.
The error in catalina.out, surrounded by a few INFO messages, is

Dec 20, 2011 10:14:32 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Dec 20, 2011 10:14:32 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.33
Dec 20, 2011 10:14:32 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Dec 20, 2011 10:14:32 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor idp.xml
Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext start
SEVERE: Context [/idp] startup failed due to previous errors
Dec 20, 2011 10:14:33 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Dec 20, 2011 10:14:33 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples

So that tells me catalina sees the idp.xml, which looks like the one
on every shibboleth example I seem to have found on the web.

localhost.2011-12-20.log, from the top...

Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext listenerStart
FINE: Configuring event listener class 'org.springframework.web.context.ContextLoaderListener'
Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Error configuring application listener of class org.springframework.web.context.ContextLoaderListener
java.lang.NoClassDefFoundError: javax/servlet/ServletContextListener
at java.lang.ClassLoader.findBootstrapClass(Native Method)
at java.lang.ClassLoader.findBootstrapClass0(ClassLoader.java:900)
at java.lang.ClassLoader.loadClass(ClassLoader.java:316)
at java.lang.ClassLoader.loadClass(ClassLoader.java:314)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1595)
.....
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Skipped installing application listeners due to previous error(s)
Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext filterStop
FINE: Stopping filters
Dec 20, 2011 10:14:34 AM org.apache.catalina.core.StandardContext listenerStart
FINE: Configuring event listener class 'listeners.ContextListener'
Dec 20, 2011 10:14:34 AM org.apache.catalina.core.StandardContext listenerStart
FINE: Configuring event listener class 'listeners.SessionListener'


Maybe a class path thing, but it's not an exception so I'm unsure.

Thanks

Brendan

Chad La Joie
Dec 19, 2011, 5:35:34 PM
to Shib Users

On 12/19/11 5:05 PM, Brendan Murray wrote:
> I believe I'm closer to getting it to see the right endorsed files.
> The error in catalina.out, surrounded by a few INFO messages, is

Nothing you've posted so far has anything to do with endorsed files.
When you get to the point where such a thing would matter, if you don't
have them endorsed properly you'll get an error that leaves no doubt
that that is the problem.

> Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext listenerStart
> SEVERE: Error configuring application listener of class org.springframework.web.context.ContextLoaderListener
> java.lang.NoClassDefFoundError: javax/servlet/ServletContextListener
> at java.lang.ClassLoader.findBootstrapClass(Native Method)
> at java.lang.ClassLoader.findBootstrapClass0(ClassLoader.java:900)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:316)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:314)
> at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
> at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1595)
> .....
> at java.lang.reflect.Method.invoke(Method.java:616)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)

Well, that class is required to be provided by the Servlet container, so
not being able to find that class would suggest something amiss with the
container (Tomcat) itself. From your previous notes it looks like
you've tried Tomcat 6.0.33, 6.0.35, and 7.0.16. I wonder if some
libraries have been corrupted. When you say you "downloaded" 6.0.35, do
you mean you grabbed the tarball or that you installed it via some
package manager?

brendan
Dec 19, 2011, 6:29:47 PM
to Shib Users
Chad La Joie wrote:

> Well, that class is required to be provided by the Servlet container, so
> not being able to find that class would suggest something amiss with the
> container (Tomcat) itself. From your previous notes it looks like
> you've tried Tomcat 6.0.33, 6.0.35, and 7.0.16. I wonder if some
> libraries have been corrupted. When you say you "downloaded" 6.0.35, do
> you mean you grabbed the tarball or that you installed it via some
> package manager?


# wget -c http://mirrors.kahuki.com/apache/tomcat/tomcat-6/v6.0.35/bin/apache-tomcat-6.0.35.tar.gz
#
# cd /opt
# tar xzvf apache-tomcat-6.0.35.tar.gz
# cd apache-tomcat-6.0.35
and then modify conf/web.xml, conf/server.xml,
conf/catalina.properties, create conf/Catalina/localhost/idp.xml, create
a bin/setenv.sh to set JAVA_ENDORSED_DIRS (just in case)
# rm logs/*
# bin/startup.sh


and then I get the NoClassDefFoundError

And I agree, it sounds like a corruption.

Also got a new java from java.com, just in case.

Chad La Joie
Dec 19, 2011, 6:36:31 PM
to Shib Users
Why are you modifying conf/web.xml or conf/catalina.properties?

brendan
Dec 19, 2011, 6:46:23 PM
to Shib Users
Chad La Joie wrote:
> Why are you modifying conf/web.xml or conf/catalina.properties?

Good point. Not modifying web.xml. Thinking of a different file.

catalina.properties, cos of the endorsed dirs thing

#common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,/opt/apache-tomcat-6.0.35/endorsed/*.jar


which may have been unnecessary. Now that you asked I restored the
original line for common.loader and my error doesn't change. All about
chasing red herrings I guess. Also made sure that web.xml was the one
from the installation tar archive.

Thanks.

Chad La Joie
Dec 19, 2011, 6:57:56 PM
to Shib Users
Can you do a jar -tf idp.war and provide the output?

--
Chad La Joie
www.itumi.biz
trusted identities, delivered

brendan
Dec 19, 2011, 9:46:40 PM
to Shib Users
Chad La Joie wrote:
> Can you do a jar -tf idp.war and provide the output?

Here you go

META-INF/
META-INF/MANIFEST.MF
WEB-INF/
WEB-INF/web.xml
WEB-INF/lib/
WEB-INF/lib/activation-1.1.jar
WEB-INF/lib/antlr-2.7.7.jar
WEB-INF/lib/antlr-runtime-3.1.3.jar
WEB-INF/lib/bcprov-jdk15-1.45.jar
WEB-INF/lib/beanshell-engine-20080611.jar
WEB-INF/lib/c3p0-0.9.1.2.jar
WEB-INF/lib/commons-cli-1.2.jar
WEB-INF/lib/commons-codec-1.4.jar
WEB-INF/lib/commons-collections-3.2.1.jar
WEB-INF/lib/commons-httpclient-3.1.jar
WEB-INF/lib/commons-lang-2.6.jar
WEB-INF/lib/dom4j-1.6.1.jar
WEB-INF/lib/ehcache-core-1.7.2.jar
WEB-INF/lib/esapi-2.0.1.jar
WEB-INF/lib/groovy-engine-20080611.jar
WEB-INF/lib/janino-2.5.10.jar
WEB-INF/lib/jargs-1.0.jar
WEB-INF/lib/jcip-annotations-1.0.jar
WEB-INF/lib/jcl-over-slf4j-1.6.2.jar
WEB-INF/lib/jgrapht-jdk1.5-0.7.3.jar
WEB-INF/lib/jna-3.2.3.jar
WEB-INF/lib/joda-time-1.6.2.jar
WEB-INF/lib/jruby-engine-20080611.jar
WEB-INF/lib/js-engine-20080611.jar
WEB-INF/lib/jul-to-slf4j-1.6.2.jar
WEB-INF/lib/jython-engine-20080611.jar
WEB-INF/lib/log4j-over-slf4j-1.6.2.jar
WEB-INF/lib/logback-classic-0.9.29.jar
WEB-INF/lib/logback-core-0.9.29.jar
WEB-INF/lib/mail-1.4.1.jar
WEB-INF/lib/not-yet-commons-ssl-0.3.9.jar
WEB-INF/lib/opensaml-2.5.2.jar
WEB-INF/lib/openws-1.4.3.jar
WEB-INF/lib/rhino-1.7R1.jar
WEB-INF/lib/scripting-api-1.0.jar
WEB-INF/lib/shibboleth-common-1.3.4.jar
WEB-INF/lib/shibboleth-identityprovider-2.3.5.jar
WEB-INF/lib/slf4j-api-1.6.2.jar
WEB-INF/lib/spring-beans-2.5.6.SEC02.jar
WEB-INF/lib/spring-context-2.5.6.SEC02.jar
WEB-INF/lib/spring-context-support-2.5.6.SEC02.jar
WEB-INF/lib/spring-core-2.5.6.SEC02.jar
WEB-INF/lib/spring-web-2.5.6.SEC02.jar
WEB-INF/lib/sqljet-1.0.4.jar
WEB-INF/lib/stringtemplate-3.2.jar
WEB-INF/lib/svnkit-1.3.5.jar
WEB-INF/lib/trilead-ssh2-build213-svnkit-1.3-patch.jar
WEB-INF/lib/velocity-1.5.jar
WEB-INF/lib/vt-ldap-3.3.4.jar
WEB-INF/lib/xmlsec-1.4.5.jar
WEB-INF/lib/xmltooling-1.3.3.jar
WEB-INF/idpui.tld
images/
error-404.jsp
error.jsp
images/internet2.gif
images/logo.jpg
login-error.jsp
login.css
login.jsp
shibboleth.jsp

Peter Schober
Dec 20, 2011, 2:09:16 AM
to us...@shibboleth.net
* Brendan Murray <xaspe...@gmail.com> [2011-12-19 22:28]:

> >> I have installed from source both apache-tomcat-6.0.33.tar.gz and
> >> apache-tomcat-7.0.16.tar.gz - tomcat6 isn't directly available for
> >> yum install
> >
> > Jfyi, I've long switched to Jason Brittain's excellent Tomcat packages on RHEL:
> > http://code.google.com/p/webdroid-tomcat-package/
>
> All built for a later version of rpm than the box I have to do the
> install on. Unfortunately.

I never had any problems using any of those releases on RHEL5.x boxen
(and still use them on RHEL6 over the provided tomcat packages because
of the latter's crazy dependencies) which is what you said you were
using. Also there are the SRPMs available as well, so not sure what
problems with rpm you're referring to. Anyway,
-peter

Chad La Joie
Dec 20, 2011, 6:25:29 AM
to Shib Users
Okay, I'm not sure what the issue is then. There was a packaging issue
with previous version of the IdP where an old Servlet API jar was
included in the war. That caused an error similar, though not the same,
to what you're seeing. However, that JAR is not in your war.

So, everything you've provided so far points to an issue with Tomcat
itself and there isn't anything I can really do about that other than to
suggest you go over to their mailing list and ask why that error might
occur.

brendan
Dec 20, 2011, 6:46:23 PM
to us...@shibboleth.net
Peter Schober wrote:
> I never had any problems using any of those releases on RHEL5.x boxen
> (and still use them on RHEL6 over the provided tomcat packages because
> of the latter's crazy dependencies) which is what you said you were
> using. Also there are the SRPMs available as well, so not sure what
> problems with rpm you're referring to. Anyway,

<usual install stuff elided>
Total size: 9.5 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
ERROR with rpm_check_debug vs depsolve:
rpmlib(FileDigests) is needed by tomcat-6.0.33-0.noarch
rpmlib(PayloadIsXz) is needed by tomcat-6.0.33-0.noarch
Complete!
(1, [u'Please report this error in https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%205&component=yum'])

The two rpmlib errors say the rpm package I'm trying to install is
created by a more recent version of rpm. I've seen it before a few years
ago, the fix process as I recall is extremely painful.

Probably something wrong with the install I'm working with.

brendan
Dec 20, 2011, 6:47:24 PM
to Shib Users
Thanks for all the help so far. At least it narrows it down to tomcat,
which I rather suspected.

Chad La Joie wrote:
> Okay, I'm not sure what the issue is then. There was a packaging issue
> with previous version of the IdP where an old Servlet API jar was
> included in the war. That caused an error similar, though not the same,
> to what you're seeing. However, that JAR is not in your war.
>
> So, everything you've provided so far points to an issue with Tomcat
> itself and there isn't anything I can really do about that other than to
> suggest you go over to their mailing list and ask why that error might
> occur.
>

brendan
Dec 21, 2011, 5:39:16 PM
to Shib Users
FYI I reinstalled tomcat from source. Just in case there was some odd
dependency that the binary packages weren't telling me about. Build was
clean. Problem remains.

I'll go look at the tomcat lists and see what they have to say.

Chad La Joie
Dec 21, 2011, 6:57:51 PM
to Shib Users
It seems like the webapps that Tomcat ships with should fail to load,
as well, if it were missing these APIs. But I can't explain that
error any other way.

--

Chad La Joie
www.itumi.biz
trusted identities, delivered

Cantor, Scott
Dec 21, 2011, 7:32:10 PM
to us...@shibboleth.net
On 12/21/11 6:57 PM, "Chad La Joie" <laj...@itumi.biz> wrote:

>It seems like the webapps that Tomcat ships with should fail to load,
>as well, if it were missing these APIs. But I can't explain that
>error any other way.

On the occasional case that I've had a weird class missing error, I've
sometimes gone searching into jars to find the matching class. Sometimes
that reveals versioning issues or some such.

-- Scott
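Scott's suggestion above (search the jars for the class the JVM says it cannot find) and Chad's earlier note about an old Servlet API jar that once shipped inside idp.war both come down to the same check: which archive under CATALINA_HOME actually provides a given class, including jars nested in a war's WEB-INF/lib. The script below is an added example, not code from this thread or from the Tomcat or Shibboleth projects. It takes the class name either in dotted form or in the slash form printed by NoClassDefFoundError, and reports every archive that contains it, so a class that shows up twice (container copy plus a stray copy inside the war) or not at all is visible at a glance. The jars and war it builds in a temp directory are constructed fixtures for the demo, not real Tomcat or IdP files.

```python
"""Find which jar (or which jar nested inside a .war) provides a Java class.

Added example; not code from the mailing-list thread or from Tomcat/Shibboleth.
The fixture built by build_fixture() is constructed sample data.
"""
import io
import os
import sys
import tempfile
import zipfile


def class_to_entry(class_name):
    """Map a class name to its zip entry name.

    Accepts 'javax.servlet.ServletContextListener' or the slash form that a
    NoClassDefFoundError prints ('javax/servlet/ServletContextListener').
    """
    name = class_name.replace(".", "/")
    if not name.endswith(".class"):
        name += ".class"
    return name


def jars_under(root):
    """Yield every .jar and .war file below root (lib/, endorsed/, webapps/, ...)."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.endswith((".jar", ".war")):
                yield os.path.join(dirpath, f)


def entries_of(archive, label):
    """Yield (label, entry_name) for an archive; recurse into jars under WEB-INF/lib/.

    Nested jars are labelled 'outer.war!WEB-INF/lib/inner.jar' so the report
    shows exactly where a duplicate class lives.
    """
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                nested = io.BytesIO(zf.read(name))
                yield from entries_of(nested, "%s!%s" % (label, name))
            else:
                yield label, name


def find_class(root, class_name):
    """Return the sorted list of archive labels under root that contain class_name."""
    target = class_to_entry(class_name)
    hits = set()
    for jar in jars_under(root):
        try:
            for label, entry in entries_of(jar, os.path.relpath(jar, root)):
                if entry == target:
                    hits.add(label)
        except zipfile.BadZipFile:
            # A truncated download or corrupt jar is itself a finding worth reporting.
            print("skipping unreadable archive: %s" % jar, file=sys.stderr)
    return sorted(hits)


def build_fixture(root):
    """Constructed sample layout (hypothetical, not real Tomcat/IdP contents):

    lib/servlet-api.jar        container's copy of javax.servlet.ServletContextListener
    webapps/idp.war            nested WEB-INF/lib/app.jar with an IdP class, plus a stray
                               WEB-INF/lib/old-servlet-api.jar shadowing the container class
    """
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "webapps"))
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; content is irrelevant here
    with zipfile.ZipFile(os.path.join(root, "lib", "servlet-api.jar"), "w") as zf:
        zf.writestr("javax/servlet/ServletContextListener.class", fake_class)
    app_jar = io.BytesIO()
    with zipfile.ZipFile(app_jar, "w") as zf:
        zf.writestr("edu/internet2/middleware/shibboleth/idp/profile/saml2/"
                    "UnsolicitedSSODecoder.class", fake_class)
    stray_jar = io.BytesIO()
    with zipfile.ZipFile(stray_jar, "w") as zf:
        zf.writestr("javax/servlet/ServletContextListener.class", fake_class)
    with zipfile.ZipFile(os.path.join(root, "webapps", "idp.war"), "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/app.jar", app_jar.getvalue())
        zf.writestr("WEB-INF/lib/old-servlet-api.jar", stray_jar.getvalue())


def demo():
    """Run the search against the constructed fixture and return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return {
            "servlet": find_class(root, "javax/servlet/ServletContextListener"),
            "decoder": find_class(root, "edu.internet2.middleware.shibboleth.idp."
                                        "profile.saml2.UnsolicitedSSODecoder"),
            "missing": find_class(root, "javax.servlet.NoSuchClass"),
        }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: find_class.py /path/to/catalina_home some.Class
        for hit in find_class(sys.argv[1], sys.argv[2]) or ["(not found)"]:
            print(hit)
    else:
        for key, hits in demo().items():
            print(key, hits)
```

Run against a real install as `python find_class.py /opt/apache-tomcat-6.0.35 javax/servlet/ServletContextListener`; with no arguments it runs the constructed demo, where the servlet class is reported twice (lib/servlet-api.jar and the stray copy inside idp.war) and a class that exists nowhere yields an empty list. Two hits for a container-provided class, or zero hits for one the container should ship, is the versioning or corruption signal Scott and Chad describe.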
