In order to talk to my LDAP Server, I need to talk over LDAPS, so I have gotten my truststore set up, but now is where I am running into a problem...
From what I know there are 2 ways to tell tomcat to use my trust store...
1. update Server.XML and include trustStoreFile & truststorePass
truststoreFile="/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
truststorePass="xxxxxx"
2. update catalina.sh and add JAVA_OPTS
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=xxxxxxx"
But I keep getting errors.
If I do option 1 I get the following error...
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
If option 2 I get this error...
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I know I have to be missing something simple, but could anyone point me in the right direction, to help me determine what I'm missing?
Thanks,
Don
--------
Don Kidd
Senior Systems Analyst
Information Technology Services
Miami University
312 Hoyt Hall
Oxford OH 45056
Office : 513.529.9655
Fax : 513.529.1496
EMail: dk...@muohio.edu
--
Chad La Joie
www.itumi.biz
trusted identities, delivered
what does this mean?
the trustAnchors parameter must be non-empty
Okay, then the docs you need to follow are:
https://spaces.internet2.edu/display/SHIB2/ResolverLDAPDataConnector
> what does this mean?
>
> the trustAnchors parameter must be non-empty
It doesn't appear in the doc above and you haven't provided any
context on where you found that so it's hard to say.
I get the trustAnchors message when tomcat tries to start my shib in my idp-process.log file...
Full, ugly message below if it helps...
10:01:27.659 - ERROR [edu.vt.middleware.ldap.pool.DefaultLdapFactory:109] - unabled to connect to the ldap
javax.naming.CommunicationException: simple bind failed: storm.muohio.edu:636
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) ~[na:1.5.0_09]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667) ~[na:1.5.0_09]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247) ~[na:1.5.0_09]
at javax.naming.InitialContext.init(InitialContext.java:223) ~[na:1.5.0_09]
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134) ~[na:1.5.0_09]
at edu.vt.middleware.ldap.handler.DefaultConnectionHandler.connectInternal(DefaultConnectionHandler.java:102) ~[vt-ldap-3.3.1.jar:na]
at edu.vt.middleware.ldap.handler.AbstractConnectionHandler.connect(AbstractConnectionHandler.java:160) ~[vt-ldap-3.3.1.jar:na]
at edu.vt.middleware.ldap.AbstractLdap.connect(AbstractLdap.java:1006) ~[vt-ldap-3.3.1.jar:na]
at edu.vt.middleware.ldap.pool.DefaultLdapFactory.create(DefaultLdapFactory.java:106) [vt-ldap-3.3.1.jar:na]
at edu.vt.middleware.ldap.pool.DefaultLdapFactory.create(DefaultLdapFactory.java:28) [vt-ldap-3.3.1.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapPoolEmptyStrategy.checkOut(LdapPoolEmptyStrategy.java:52) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.validate(LdapDataConnector.java:274) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.validate(ShibbolethAttributeResolver.java:145) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.onNewContextCreated(ShibbolethAttributeResolver.java:504) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseService.loadContext(BaseService.java:173) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseReloadableService.initialize(BaseReloadableService.java:147) [shibboleth-common-1.2.0.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1414) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1375) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1335) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at java.security.AccessController.doPrivileged(Native Method) [na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728) [spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380) [spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3729) [catalina.jar:na]
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4187) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:904) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:867) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:474) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310) [catalina.jar:na]
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.start(StandardHost.java:718) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013) [catalina.jar:na]
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442) [catalina.jar:na]
at org.apache.catalina.core.StandardService.start(StandardService.java:450) [catalina.jar:na]
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709) [catalina.jar:na]
at org.apache.catalina.startup.Catalina.start(Catalina.java:551) [catalina.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294) [bootstrap.jar:na]
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432) [bootstrap.jar:na]
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1485) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1468) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1394) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:86) ~[na:1.5]
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218) ~[na:1.5.0_09]
at java.io.BufferedInputStream.read1(BufferedInputStream.java:256) ~[na:1.5.0_09]
at java.io.BufferedInputStream.read(BufferedInputStream.java:313) ~[na:1.5.0_09]
at com.sun.jndi.ldap.Connection.run(Connection.java:784) ~[na:1.5.0_09]
at java.lang.Thread.run(Thread.java:595) ~[na:1.5.0_09]
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:56) ~[na:1.5.0_09]
at sun.security.validator.Validator.getInstance(Validator.java:146) ~[na:1.5.0_09]
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:105) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:167) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:678) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75) ~[na:1.5]
... 5 common frames omitted
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:183) ~[na:1.5.0_09]
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:103) ~[na:1.5.0_09]
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:87) ~[na:1.5.0_09]
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:54) ~[na:1.5.0_09]
... 17 common frames omitted
10:01:27.678 - ERROR [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:276] - Unable to retrieve an LDAP connection
10:01:27.682 - ERROR [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:287] - Could not retrieve Ldap object from pool
edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: Unable to retrieve LDAP connection
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.validate(LdapDataConnector.java:277) ~[shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.validate(ShibbolethAttributeResolver.java:145) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.onNewContextCreated(ShibbolethAttributeResolver.java:504) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseService.loadContext(BaseService.java:173) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseReloadableService.initialize(BaseReloadableService.java:147) [shibboleth-common-1.2.0.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1414) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1375) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1335) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at java.security.AccessController.doPrivileged(Native Method) [na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728) [spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380) [spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3729) [catalina.jar:na]
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4187) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:904) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:867) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:474) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310) [catalina.jar:na]
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.start(StandardHost.java:718) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013) [catalina.jar:na]
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442) [catalina.jar:na]
at org.apache.catalina.core.StandardService.start(StandardService.java:450) [catalina.jar:na]
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709) [catalina.jar:na]
at org.apache.catalina.startup.Catalina.start(Catalina.java:551) [catalina.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294) [bootstrap.jar:na]
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432) [bootstrap.jar:na]
10:01:27.686 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. The root cause of this error was: edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: Unable to retrieve LDAP connection
10:01:27.713 - ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/idp-2.2.0]:3733] - Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.AttributeResolver': Invocation of init method failed; nested exception is edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1338) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at java.security.AccessController.doPrivileged(Native Method) ~[na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728) ~[spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380) ~[spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255) ~[spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199) ~[spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45) ~[spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3729) [catalina.jar:na]
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4187) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:904) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:867) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:474) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310) [catalina.jar:na]
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.start(StandardHost.java:718) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013) [catalina.jar:na]
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442) [catalina.jar:na]
at org.apache.catalina.core.StandardService.start(StandardService.java:450) [catalina.jar:na]
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709) [catalina.jar:na]
at org.apache.catalina.startup.Catalina.start(Catalina.java:551) [catalina.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294) [bootstrap.jar:na]
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432) [bootstrap.jar:na]
Caused by: edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.
at edu.internet2.middleware.shibboleth.common.config.BaseService.loadContext(BaseService.java:191) ~[shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseReloadableService.initialize(BaseReloadableService.java:147) ~[shibboleth-common-1.2.0.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1414) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1375) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1335) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
... 39 common frames omitted
Caused by: edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: Unable to retrieve LDAP connection
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.validate(LdapDataConnector.java:277) ~[shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.validate(ShibbolethAttributeResolver.java:145) ~[shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.onNewContextCreated(ShibbolethAttributeResolver.java:504) ~[shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseService.loadContext(BaseService.java:173) ~[shibboleth-common-1.2.0.jar:na]
... 47 common frames omitted
--
Is there some startup script that is perhaps causing it to be looked
for in the right place?
Nick
I put this in the Server.xml file...
does it have to be called cacert?
is there a way to see where tomcat is looking for the truststore?
The file does not have to be called cacerts but it must exist and be
readable by the Tomcat user.
In addition to what Chad said, the semantic answer to your question is that
SAML does not define any semantics for the various technical NameID formats
in 1.1, like email, Kerberos, etc. Some people think they mean "it must look
like one" and some people think they have to be one, and my opinion,
reflected in the 2.0 text, is that they're best avoided as underspecified.
-- Scott
I have a following up question about this I would like to get your opinion:
The IdP in northwestern university is set up to use "cryptohandle" to do
load balancing between two servers. If I use nameID as the following, will this work
for both servers?
Or will it only work for one server and the application would have
intermittent problems because it won't be able to carry over from one server to another?
Thanks again.
--
=======================================
Xiaoxia Dong
x-d...@northwestern.edu
Northwestern University Information Technology
--
Nick
You can't use that mechanism with an email-based name identifier, that
requires using a different set of plugins.
> Or will it only work for one server and the application would have
> intermittent problems
> because it won't be able to carry over from one server to another?
Nothing that wants emailAddress would be querying for attributes anyway.
The "best" answer, frankly, is to refuse to do this and pass the data in an
attribute.
-- Scott
Looking at
https://spaces.internet2.edu/display/SHIB2/ResolverLDAPDataConnector
I see this line...
keytool -import -trustcacerts -alias "sensible-name-for-ca" -file directory.crt -keystore $JAVA_HOME/lib/security/cacerts
is that where the cacerts goes, or is it:
keytool -import -trustcacerts -alias "sensible-name-for-ca" -file directory.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
Maybe I am putting the cacerts file in the wrong folder, and that might be part of my problem...
Don
jre/lib/security/cacerts
Nick
So maybe I am missing something then. How do I tell the resolver where to find the cacerts?
Don
As for the answer to your direct question, see
http://www.exampledepot.com/egs/javax.net.ssl/client.html (unless
Tomcat has its own scheme). That says to use JRE command line
options:
java -Djavax.net.ssl.trustStore=truststore
-Djavax.net.ssl.trustStorePassword=123456 MyApp
Nick
On Tue, Nov 2, 2010 at 11:00, Nick Newman <nick.x...@gmail.com> wrote:
> I think there are three things to check:
> - Is the cacerts file being found?
> - Is the cacerts readable (in a file permission sense) by the user
> running Tomcat?
> - Does Tomcat have the right password for the cacerts file?
>
> As for the answer to your direct question, see
> http://www.exampledepot.com/egs/javax.net.ssl/client.html (unless
> Tomcat has its own scheme). That says to use JRE command line
> options:
>
> java -Djavax.net.ssl.trustStore=truststore
> -Djavax.net.ssl.trustStorePassword=123456 MyApp
--
But my problem is that I am getting errors when the resolver is loaded using either of the 2 ways...
1. update Server.XML and include trustStoreFile & truststorePass
truststoreFile="/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
truststorePass="xxxxxx"
2. update catalina.sh and add JAVA_OPTS
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=xxxxxxx"
But I keep getting errors.
If I do option 1 I get the following error...
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
If option 2 I get this error...
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I know I have to be missing something simple, but could anyone point me in the right direction, to help me determine what I'm missing?
--------
For option 1, as I already said, the server.xml file has *nothing* to
do with your issue and the error you're getting is because the file
doesn't exist or can't be read.
For option 2 the error you get is because you didn't import the entire
cert chain. So to fix it you'd need to import the full cert chain.
The LDAP connector's decisions about SSL connections to directory servers
have *nothing* to do with Tomcat, server.xml, catalina.sh, etc. At least I
don't think they do...
> 1. update Server.XML and include trustStoreFile & truststorePass
> truststoreFile="/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
> truststorePass="xxxxxx"
That's got to be about SSL connectors in Tomcat, nothing whatsoever to do
with the resolver.
> 2. update catalina.sh and add JAVA_OPTS
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=xxxxxxx"
Not sure about that, but I don't think I'd do it unless the IdP
documentation says so...
Normally all you do is import the LDAP server's CA cert(s) into the JVM
truststore. Period.
-- Scott
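The three checks Nick lists (is the trust store found, is it readable by the Tomcat user, is the password right) and the two diagnoses above (an empty or unreadable store gives "the trustAnchors parameter must be non-empty"; a store missing the CA or an intermediate gives "PKIX path building failed") can be reproduced outside Tomcat. The following diagnostic is an added example written for this page, not code from the thread, the IdP, or the Shibboleth project. It resolves the trust store the same way the JSSE default trust manager does (javax.net.ssl.trustStore, else jssecacerts, else cacerts under the JRE's lib/security), loads it with the password from javax.net.ssl.trustStorePassword (assuming the stock cacerts password "changeit" when none is set), counts the trusted-certificate entries that become PKIX trust anchors, and, if given a PEM file holding the directory server's certificate chain (leaf first, a hypothetical argument), runs the same PKIX path build the TLS handshake performs. The class name TrustStoreCheck is an assumption.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate; // single-type import resolves the clash with java.security.Certificate
import java.util.*;

/** Added diagnostic (not project code): reproduces the JSSE trust-store lookup and validation steps. */
public class TrustStoreCheck {

    /** Same lookup order the default X509TrustManager uses:
     *  javax.net.ssl.trustStore, else jssecacerts, else cacerts under java.home/lib/security. */
    static File resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return new File(prop);
        }
        File secDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jsse = new File(secDir, "jssecacerts");
        return jsse.isFile() ? jsse : new File(secDir, "cacerts");
    }

    /** Checks 1 and 2 (found? readable by this user?), then check 3: a wrong password fails inside load(). */
    static KeyStore loadTrustStore(File file, char[] password) throws Exception {
        if (!file.isFile()) {
            throw new FileNotFoundException("trust store not found: " + file);
        }
        if (!file.canRead()) {
            throw new IOException("trust store not readable by user '"
                    + System.getProperty("user.name") + "': " + file);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(file);
        try {
            ks.load(in, password); // bad password -> IOException "password was incorrect"
        } finally {
            in.close();
        }
        return ks;
    }

    /** Only trusted-certificate entries become PKIX trust anchors; zero of them is exactly
     *  the "trustAnchors parameter must be non-empty" condition seen in the idp-process.log. */
    static int countTrustAnchors(KeyStore ks) throws KeyStoreException {
        int anchors = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) {
                anchors++;
            }
        }
        return anchors;
    }

    /** Build a PKIX path for a PEM chain (leaf first) against the store, the step the TLS
     *  handshake performs; a missing CA or intermediate surfaces as CertPathBuilderException. */
    static void checkChain(KeyStore ks, File pemChain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<Certificate>();
        InputStream in = new FileInputStream(pemChain);
        try {
            chain.addAll(cf.generateCertificates(in));
        } finally {
            in.close();
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate((X509Certificate) chain.get(0));
        // Throws InvalidAlgorithmParameterException if the store holds no trust anchors.
        PKIXBuilderParameters params = new PKIXBuilderParameters(ks, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // offline check; revocation is a separate concern
        CertPathBuilder.getInstance("PKIX").build(params);
    }

    public static void main(String[] args) {
        File store = resolveTrustStore();
        // "changeit" is the JDK's stock cacerts password (assumed default when no property is set).
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.out.println("trust store: " + store);
        try {
            KeyStore ks = loadTrustStore(store, pw.toCharArray());
            int anchors = countTrustAnchors(ks);
            System.out.println("trusted certificate entries: " + anchors);
            if (anchors == 0) {
                System.out.println("no trust anchors: every TLS handshake will fail with "
                        + "'the trustAnchors parameter must be non-empty'");
            }
            if (args.length > 0) {
                checkChain(ks, new File(args[0]));
                System.out.println("chain in " + args[0] + " validates against this store");
            }
        } catch (CertPathBuilderException e) {
            System.out.println("PKIX path building failed: the issuing CA or an intermediate "
                    + "is not in the store; import the full chain: " + e.getMessage());
        } catch (Exception e) {
            System.out.println("check failed: " + e);
        }
    }
}
```

Run it as the same OS user that runs Tomcat, with the same -D options you put in JAVA_OPTS (for example `java -Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=... TrustStoreCheck directory-chain.pem`). A FileNotFoundException or "not readable" message points at the option-1 symptom; a CertPathBuilderException with a non-zero anchor count points at the option-2 symptom, which is fixed by importing the rest of the chain with keytool as in the ResolverLDAPDataConnector page.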
I guess the problem is really a tomcat problem, but shib happens to be the first thing that is using the truststore on this machine, so I'm trying to determine what I am doing wrong, or whether people might have any suggestions on how to make it work...
Don
--------
Nick
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Nick Newman
Sent: Tuesday, November 02, 2010 4:22 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] Attribute Resolver Security Error