I am running Red Hat Enterprise Linux Server release 5.6 (Tikanga)
I have downloaded and installed with install.sh from
shibboleth-identityprovider-2.3.5-bin.zip
I have installed from source both apache-tomcat-6.0.33.tar.gz and
apache-tomcat-7.0.16.tar.gz - tomcat6 isn't directly available for
yum install
I have two problems (so far)
1. I can't get the idp to run. The error is familiar to this list:
Dec 19, 2011 1:41:41 PM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.MessageDecoders': Cannot create inner bean 'shibboleth.UnsolicitedSSODecoder' of type [edu.internet2.middleware.shibboleth.idp.profile.saml2.UnsolicitedSSODecoder] while setting bean property 'sourceMap' with key [TypedStringValue: value [urn:mace:shibboleth:2.0:profiles:AuthnRequest], target type [null]]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [edu.internet2.middleware.shibboleth.idp.profile.saml2.UnsolicitedSSODecoder] for bean with name 'shibboleth.UnsolicitedSSODecoder' defined in URL [file:/opt/shibboleth-idp/conf/internal.xml]; nested exception is java.lang.ClassNotFoundException: edu.internet2.middleware.shibboleth.idp.profile.saml2.UnsolicitedSSODecoder
I believe I have correctly added the ${cataline_home}/endorsed/*.jar
to conf/catalina.properties
I'm using the http connector in server.xml on port 8080 routing to 8443
I'm using a commercial certificate for SSL (though that all works)
Can someone suggest where I need to look for this?
2. A bit later on, just trying to make sure that I can connect to
https://idp:8443, using this definition in server.xml
<Connector port="8443"
protocol="HTTP/1.1"
maxThreads="200"
scheme="https"
SSLEnabled="true"
sslProtocol="TLS"
clientAuth="true"
keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
keystorePass="obfuscatory"/>
I get
"idp.otago.ac.nz:8443 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_ca_cert_invalid)"
Now self signed ought to be OK? So I accept it and get
"An error occurred during a connection to idp.xxxx.edu:8443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)"
Again - any ideas?
thanks anyone for anything that gets me moving a bit more forward.
> I have two problems (so far)
>
> 1. I can't get the idp to run. The error is familiar to this list:
Is there nothing further up the Tomcat logs (or perhaps anything in the Shib logs)?
> I believe I have correctly added the ${cataline_home}/endorsed/*.jar to
> conf/catalina.properties
Note that RHEL 6 is known to do crazy things with the endorsed directory.
You state that you are using 5.6, but craziness is infectious.
> "An error occurred during a connection to idp.xxxx.edu:8443.
>
> SSL peer cannot verify your certificate.
>
> (Error code: ssl_error_bad_cert_alert)"
>
>
> Again - any ideas?
This means you have configured the port correctly - that port isn't meant for browsers. For now I'd assume that this is OK and go
back to it when you test the SAML1 flows.
You really could have asked after, say, days, not months! ;)
> I am running Red Hat Enterprise Linux Server release 5.6 (Tikanga)
> I have downloaded and installed with install.sh from
> shibboleth-identityprovider-2.3.5-bin.zip
>
> I have installed from source both apache-tomcat-6.0.33.tar.gz and
> apache-tomcat-7.0.16.tar.gz - tomcat6 isn't directly available for
> yum install
Jfyi, I've long switched to Jason Brittain's excellent Tomcat packages on RHEL:
http://code.google.com/p/webdroid-tomcat-package/
-peter
I hate asking, and I absolutely dread being told to RTFM, so sometimes
torture myself for far too long before asking.
>
>> I am running Red Hat Enterprise Linux Server release 5.6 (Tikanga)
>> I have downloaded and installed with install.sh from
>> shibboleth-identityprovider-2.3.5-bin.zip
>>
>> I have installed from source both apache-tomcat-6.0.33.tar.gz and
>> apache-tomcat-7.0.16.tar.gz - tomcat6 isn't directly available for
>> yum install
>
> Jfyi, I've long switched to Jason Brittain's excellent Tomcat packages on RHEL:
> http://code.google.com/p/webdroid-tomcat-package/
All built for a later version of rpm than the box I have to do the
install on. Unfortunately.
Thanks. I'll ignore that for now. Casting about for reasons I guess.
There is nothing in /opt/shibboleth-idp/logs. The idp never gets that far.
I'm using Tomcat 6.0.33. I downloaded 6.0.35 today and tried that. No change.
I believe I'm closer to getting it to see the right endorsed files.
The error in catalina.out, surrounded by a few INFO messages is
Dec 20, 2011 10:14:32 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Dec 20, 2011 10:14:32 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.33
Dec 20, 2011 10:14:32 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Dec 20, 2011 10:14:32 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor idp.xml
Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext start
SEVERE: Context [/idp] startup failed due to previous errors
Dec 20, 2011 10:14:33 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Dec 20, 2011 10:14:33 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples
So that tells me catalina sees the idp.xml, which looks like the one
on every shibboleth example I seem to have found on the web.
localhost.2011-12-20.log, from the top...
Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext listenerStart
FINE: Configuring event listener class 'org.springframework.web.context.ContextLoaderListener'
Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Error configuring application listener of class org.springframework.web.context.ContextLoaderListener
java.lang.NoClassDefFoundError: javax/servlet/ServletContextListener
at java.lang.ClassLoader.findBootstrapClass(Native Method)
at java.lang.ClassLoader.findBootstrapClass0(ClassLoader.java:900)
at java.lang.ClassLoader.loadClass(ClassLoader.java:316)
at java.lang.ClassLoader.loadClass(ClassLoader.java:314)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1595)
.....
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Skipped installing application listeners due to previous error(s)
Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext filterStop
FINE: Stopping filters
Dec 20, 2011 10:14:34 AM org.apache.catalina.core.StandardContext listenerStart
FINE: Configuring event listener class 'listeners.ContextListener'
Dec 20, 2011 10:14:34 AM org.apache.catalina.core.StandardContext listenerStart
FINE: Configuring event listener class 'listeners.SessionListener'
Maybe a class path thing, but it's not an exception so I'm unsure.
Thanks
Brendan
On 12/19/11 5:05 PM, Brendan Murray wrote:
> I believe I'm closer to getting it to see the right endorsed files.
> The error in catalina.out, surrounded by a few INFO messages is
Nothing you've posted so far has anything to do with endorsed files.
When you get to the point where such a thing would matter, if you don't
have them endorsed properly you'll get an error that leaves no doubt
that that is the problem.
> Dec 20, 2011 10:14:33 AM org.apache.catalina.core.StandardContext listenerStart
> SEVERE: Error configuring application listener of class org.springframework.web.context.ContextLoaderListener
> java.lang.NoClassDefFoundError: javax/servlet/ServletContextListener
> at java.lang.ClassLoader.findBootstrapClass(Native Method)
> at java.lang.ClassLoader.findBootstrapClass0(ClassLoader.java:900)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:316)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:314)
> at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
> at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1595)
> .....
> at java.lang.reflect.Method.invoke(Method.java:616)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Well, that class is required to be provided by the Servlet container, so
not being able to find that class would suggest something amiss with the
container (Tomcat) itself. From your previous notes it looks like
you've tried Tomcat 6.0.33, 6.0.35, and 7.0.16. I wonder if some
libraries have been corrupted. When you say you "downloaded" 6.0.35, do
you mean you grabbed the tarball or that you installed it via some
package manager?
> Well, that class is required to be provided by the Servlet container, so
> not being able to find that class would suggest something amiss with the
> container (Tomcat) itself. From your previous notes it looks like
> you've tried Tomcat 6.0.33, 6.0.35, and 7.0.16. I wonder if some
> libraries have been corrupted. When you say you "downloaded" 6.0.35, do
> you mean you grabbed the tarball or that you installed it via some
> package manager?
# wget -c http://mirrors.kahuki.com/apache/tomcat/tomcat-6/v6.0.35/bin/apache-tomcat-6.0.35.tar.gz
#
# cd /opt
# tar xzvf apache-tomcat-6.0.35.tar.gz
# cd apache-tomcat-6.0.35
and then modify conf/web.xml, conf/server.xml,
conf/catalina.properties, create conf/Catalina/localhost/idp.xml, create
a bin/setenv.sh to set JAVA_ENDORSED_DIRS (just in case)
# rm logs/*
# bin/startup.sh
and then I get the NoClassDefFoundError
And I agree, it sounds like a corruption.
Also got a new java from java.com, just in case.
Good point. Not modifying web.xml. Thinking of a different file.
catalina.properties, cos of the endorsed dirs thing
#common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar
common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,/opt/apache-tomcat-6.0.35/endorsed/*.jar
which may have been unnecessary. Now that you asked I restored the
original line for common.loader and my error doesn't change. All about
chasing red herrings I guess. Also made sure that web.xml was the one
from the installation tar archive.
Thanks.
--
Chad La Joie
www.itumi.biz
trusted identities, delivered
Here you go
META-INF/
META-INF/MANIFEST.MF
WEB-INF/
WEB-INF/web.xml
WEB-INF/lib/
WEB-INF/lib/activation-1.1.jar
WEB-INF/lib/antlr-2.7.7.jar
WEB-INF/lib/antlr-runtime-3.1.3.jar
WEB-INF/lib/bcprov-jdk15-1.45.jar
WEB-INF/lib/beanshell-engine-20080611.jar
WEB-INF/lib/c3p0-0.9.1.2.jar
WEB-INF/lib/commons-cli-1.2.jar
WEB-INF/lib/commons-codec-1.4.jar
WEB-INF/lib/commons-collections-3.2.1.jar
WEB-INF/lib/commons-httpclient-3.1.jar
WEB-INF/lib/commons-lang-2.6.jar
WEB-INF/lib/dom4j-1.6.1.jar
WEB-INF/lib/ehcache-core-1.7.2.jar
WEB-INF/lib/esapi-2.0.1.jar
WEB-INF/lib/groovy-engine-20080611.jar
WEB-INF/lib/janino-2.5.10.jar
WEB-INF/lib/jargs-1.0.jar
WEB-INF/lib/jcip-annotations-1.0.jar
WEB-INF/lib/jcl-over-slf4j-1.6.2.jar
WEB-INF/lib/jgrapht-jdk1.5-0.7.3.jar
WEB-INF/lib/jna-3.2.3.jar
WEB-INF/lib/joda-time-1.6.2.jar
WEB-INF/lib/jruby-engine-20080611.jar
WEB-INF/lib/js-engine-20080611.jar
WEB-INF/lib/jul-to-slf4j-1.6.2.jar
WEB-INF/lib/jython-engine-20080611.jar
WEB-INF/lib/log4j-over-slf4j-1.6.2.jar
WEB-INF/lib/logback-classic-0.9.29.jar
WEB-INF/lib/logback-core-0.9.29.jar
WEB-INF/lib/mail-1.4.1.jar
WEB-INF/lib/not-yet-commons-ssl-0.3.9.jar
WEB-INF/lib/opensaml-2.5.2.jar
WEB-INF/lib/openws-1.4.3.jar
WEB-INF/lib/rhino-1.7R1.jar
WEB-INF/lib/scripting-api-1.0.jar
WEB-INF/lib/shibboleth-common-1.3.4.jar
WEB-INF/lib/shibboleth-identityprovider-2.3.5.jar
WEB-INF/lib/slf4j-api-1.6.2.jar
WEB-INF/lib/spring-beans-2.5.6.SEC02.jar
WEB-INF/lib/spring-context-2.5.6.SEC02.jar
WEB-INF/lib/spring-context-support-2.5.6.SEC02.jar
WEB-INF/lib/spring-core-2.5.6.SEC02.jar
WEB-INF/lib/spring-web-2.5.6.SEC02.jar
WEB-INF/lib/sqljet-1.0.4.jar
WEB-INF/lib/stringtemplate-3.2.jar
WEB-INF/lib/svnkit-1.3.5.jar
WEB-INF/lib/trilead-ssh2-build213-svnkit-1.3-patch.jar
WEB-INF/lib/velocity-1.5.jar
WEB-INF/lib/vt-ldap-3.3.4.jar
WEB-INF/lib/xmlsec-1.4.5.jar
WEB-INF/lib/xmltooling-1.3.3.jar
WEB-INF/idpui.tld
images/
error-404.jsp
error.jsp
images/internet2.gif
images/logo.jpg
login-error.jsp
login.css
login.jsp
shibboleth.jsp
I never had any problems using any of those releases on RHEL5.x boxen
(and still use them on RHEL6 over the provided tomcat packages because
of the latter's crazy dependencies) which is what you said you were
using. Also there are the SRPMs available as well, so not sure what
problems with rpm you're referring to. Anyway,
-peter
So, everything you've provided so far points to an issue with Tomcat
itself and there isn't anything I can really do about that other than to
suggest you go over to their mailing list and ask why that error might
occur.
<usual install stuff elided>
Total size: 9.5 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
ERROR with rpm_check_debug vs depsolve:
rpmlib(FileDigests) is needed by tomcat-6.0.33-0.noarch
rpmlib(PayloadIsXz) is needed by tomcat-6.0.33-0.noarch
Complete!
(1, [u'Please report this error in https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%205&component=yum'])
The two rpmlib errors say the rpm package I'm trying to install is
created by a more recent version of rpm. I've seen it before a few years
ago, the fix process as I recall is extremely painful.
Probably something wrong with the install I'm working with.
Chad La Joie wrote:
> Okay, I'm not sure what the issue is then. There was a packaging issue
> with previous version of the IdP where an old Servlet API jar was
> included in the war. That caused an error similar, though not the same,
> to what you're seeing. However, that JAR is not in your war.
>
> So, everything you've provided so far points to an issue with Tomcat
> itself and there isn't anything I can really do about that other than to
> suggest you go over to their mailing list and ask why that error might
> occur.
>
I'll go look at the tomcat lists and see what they have to say.
--
Chad La Joie
www.itumi.biz
trusted identities, delivered
>It seems like the webapps that Tomcat ships with should fail to load,
>as well, if it were missing these APIs. But I can't explain that
>error any other way.
On the occasional case that I've had a weird class missing error, I've
sometimes gone searching into jars to find the matching class. Sometimes
that reveals versioning issues or some such.
-- Scott
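
The jar search suggested in the last message, as an added example that is not part of the original thread: it reports every archive that provides a given class (including jars nested inside a war, the packaging problem mentioned earlier) and every archive that cannot be read, which is what a corrupted download looks like. The path /opt/shibboleth-idp/war is an assumption; the Tomcat path is the one quoted in the thread.

```python
import io
import os
import zipfile

def class_to_entry(name):
    """'javax.servlet.Foo' or 'javax/servlet/Foo' -> 'javax/servlet/Foo.class'."""
    if name.endswith(".class"):
        name = name[: -len(".class")]
    return name.replace(".", "/") + ".class"

def _scan_archive(data, label, entry, found, unreadable):
    """Look for entry in one archive; recurse into jars nested in a war."""
    try:
        with zipfile.ZipFile(data) as zf:
            names = zf.namelist()
            if entry in names:
                found.append(label)
            for inner in names:
                if inner.endswith(".jar"):
                    _scan_archive(io.BytesIO(zf.read(inner)), label + "!" + inner,
                                  entry, found, unreadable)
    except (zipfile.BadZipFile, OSError):
        unreadable.append(label)  # truncated or corrupted archive

def find_class(class_name, roots):
    """Return (found, unreadable): archives holding the class, and broken ones."""
    entry = class_to_entry(class_name)
    found, unreadable = [], []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in sorted(files):
                if fname.endswith((".jar", ".war")):
                    path = os.path.join(dirpath, fname)
                    _scan_archive(path, path, entry, found, unreadable)
    return found, unreadable

if __name__ == "__main__":
    # Assumed layout: Tomcat path from the thread, IdP war directory assumed.
    roots = ["/opt/apache-tomcat-6.0.35/lib", "/opt/shibboleth-idp/war"]
    found, unreadable = find_class("javax.servlet.ServletContextListener", roots)
    for p in found:
        print("provides class:", p)
    for p in unreadable:
        print("unreadable archive:", p)
    if not found:
        print("class not found in any archive under", roots)
```

A hit under the container's lib directory only is the expected result; a hit inside the war, or no hit at all, narrows down which side is at fault.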