[Shib-Users] Attribute Resolver Security Error


Kidd, Don W.

Nov 1, 2010, 8:08:58 AM11/1/10
to shibbole...@internet2.edu
I am getting my IdP 2.2 set up and seem to be running into an error...

In order to talk to my LDAP server, I need to talk over LDAPS, so I have gotten my truststore set up, but now is where I am running into a problem...

From what I know there are 2 ways to tell Tomcat to use my trust store...

1. update Server.XML and include trustStoreFile & truststorePass
truststoreFile="/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
truststorePass="xxxxxx"

2. update catalina.sh and add JAVA_OPTS
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=xxxxxxx"


But I keep getting errors,
If I do option 1 I get the following error...
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty


If option 2 I get this error...
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I know I have to be missing something simple, but could anyone point me in the right direction, to help me determine what I'm missing..

Thanks,
Don


--------
Don Kidd
Senior Systems Analyst
Information Technology Services
Miami University
312 Hoyt Hall
Oxford OH 45056
Office : 513.529.9655
Fax : 513.529.1496
EMail: dk...@muohio.edu

Chad La Joie

Nov 1, 2010, 9:16:48 AM11/1/10
to shibbole...@internet2.edu
Well, you didn't say whether you were using LDAP for authn or
attribute resolution. So the only thing I can suggest is reading the
documentation for whichever usage you have.

--
Chad La Joie
www.itumi.biz
trusted identities, delivered

Kidd, Don W.

Nov 1, 2010, 10:02:31 AM11/1/10
to shibbole...@internet2.edu
I'm trying it for Resolver...

what does this mean?

the trustAnchors parameter must be non-empty

Chad La Joie

Nov 1, 2010, 10:09:53 AM11/1/10
to shibbole...@internet2.edu
On Mon, Nov 1, 2010 at 10:02, Kidd, Don W. <kid...@muohio.edu> wrote:
> Im trying it for Resolver...

Okay, then the docs you need to follow are:
https://spaces.internet2.edu/display/SHIB2/ResolverLDAPDataConnector

> what does this mean?
>
> the trustAnchors parameter must be non-empty

It doesn't appear in the doc above and you haven't provided any
context on where you found that so it's hard to say.

Xiaoxia Dong

Nov 1, 2010, 10:13:36 AM11/1/10
to shibbole...@internet2.edu
Hello experts,

Could someone tell me what the format of the this configuration in the IdP is?

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Does this have something like ne...@univeristy.edu, or is it a real email address?

Thanks for any help in advance.


Kidd, Don W.

Nov 1, 2010, 10:16:13 AM11/1/10
to shibbole...@internet2.edu
I've gone over and over that document, and think I have done everything as I am supposed to.. I'll look more to see if I am missing something, but nothing has jumped out at me thus far...


I get the trustAnchors message when tomcat tries to start my shib in my idp-process.log file...

Full, ugly message below if it helps...


10:01:27.659 - ERROR [edu.vt.middleware.ldap.pool.DefaultLdapFactory:109] - unabled to connect to the ldap
javax.naming.CommunicationException: simple bind failed: storm.muohio.edu:636
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) ~[na:1.5.0_09]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) ~[na:1.5.0_09]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667) ~[na:1.5.0_09]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247) ~[na:1.5.0_09]
at javax.naming.InitialContext.init(InitialContext.java:223) ~[na:1.5.0_09]
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134) ~[na:1.5.0_09]
at edu.vt.middleware.ldap.handler.DefaultConnectionHandler.connectInternal(DefaultConnectionHandler.java:102) ~[vt-ldap-3.3.1.jar:na]
at edu.vt.middleware.ldap.handler.AbstractConnectionHandler.connect(AbstractConnectionHandler.java:160) ~[vt-ldap-3.3.1.jar:na]
at edu.vt.middleware.ldap.AbstractLdap.connect(AbstractLdap.java:1006) ~[vt-ldap-3.3.1.jar:na]
at edu.vt.middleware.ldap.pool.DefaultLdapFactory.create(DefaultLdapFactory.java:106) [vt-ldap-3.3.1.jar:na]
at edu.vt.middleware.ldap.pool.DefaultLdapFactory.create(DefaultLdapFactory.java:28) [vt-ldap-3.3.1.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapPoolEmptyStrategy.checkOut(LdapPoolEmptyStrategy.java:52) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.validate(LdapDataConnector.java:274) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.validate(ShibbolethAttributeResolver.java:145) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.onNewContextCreated(ShibbolethAttributeResolver.java:504) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseService.loadContext(BaseService.java:173) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseReloadableService.initialize(BaseReloadableService.java:147) [shibboleth-common-1.2.0.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1414) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1375) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1335) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at java.security.AccessController.doPrivileged(Native Method) [na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728) [spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380) [spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3729) [catalina.jar:na]
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4187) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:904) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:867) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:474) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310) [catalina.jar:na]
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.start(StandardHost.java:718) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013) [catalina.jar:na]
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442) [catalina.jar:na]
at org.apache.catalina.core.StandardService.start(StandardService.java:450) [catalina.jar:na]
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709) [catalina.jar:na]
at org.apache.catalina.startup.Catalina.start(Catalina.java:551) [catalina.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294) [bootstrap.jar:na]
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432) [bootstrap.jar:na]
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1485) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1468) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1394) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:86) ~[na:1.5]
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218) ~[na:1.5.0_09]
at java.io.BufferedInputStream.read1(BufferedInputStream.java:256) ~[na:1.5.0_09]
at java.io.BufferedInputStream.read(BufferedInputStream.java:313) ~[na:1.5.0_09]
at com.sun.jndi.ldap.Connection.run(Connection.java:784) ~[na:1.5.0_09]
at java.lang.Thread.run(Thread.java:595) ~[na:1.5.0_09]
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:56) ~[na:1.5.0_09]
at sun.security.validator.Validator.getInstance(Validator.java:146) ~[na:1.5.0_09]
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:105) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:167) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:678) ~[na:1.5]
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75) ~[na:1.5]
... 5 common frames omitted
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:183) ~[na:1.5.0_09]
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:103) ~[na:1.5.0_09]
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:87) ~[na:1.5.0_09]
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:54) ~[na:1.5.0_09]
... 17 common frames omitted
10:01:27.678 - ERROR [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:276] - Unable to retrieve an LDAP connection
10:01:27.682 - ERROR [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:287] - Could not retrieve Ldap object from pool
edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: Unable to retrieve LDAP connection
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.validate(LdapDataConnector.java:277) ~[shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.validate(ShibbolethAttributeResolver.java:145) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.onNewContextCreated(ShibbolethAttributeResolver.java:504) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseService.loadContext(BaseService.java:173) [shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseReloadableService.initialize(BaseReloadableService.java:147) [shibboleth-common-1.2.0.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1414) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1375) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1335) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at java.security.AccessController.doPrivileged(Native Method) [na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429) [spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728) [spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380) [spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45) [spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3729) [catalina.jar:na]
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4187) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:904) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:867) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:474) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310) [catalina.jar:na]
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.start(StandardHost.java:718) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013) [catalina.jar:na]
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442) [catalina.jar:na]
at org.apache.catalina.core.StandardService.start(StandardService.java:450) [catalina.jar:na]
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709) [catalina.jar:na]
at org.apache.catalina.startup.Catalina.start(Catalina.java:551) [catalina.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294) [bootstrap.jar:na]
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432) [bootstrap.jar:na]
10:01:27.686 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. The root cause of this error was: edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: Unable to retrieve LDAP connection
10:01:27.713 - ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/idp-2.2.0]:3733] - Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.AttributeResolver': Invocation of init method failed; nested exception is edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1338) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at java.security.AccessController.doPrivileged(Native Method) ~[na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728) ~[spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380) ~[spring-context-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255) ~[spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199) ~[spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45) ~[spring-web-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3729) [catalina.jar:na]
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4187) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:904) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:867) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:474) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122) [catalina.jar:na]
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310) [catalina.jar:na]
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021) [catalina.jar:na]
at org.apache.catalina.core.StandardHost.start(StandardHost.java:718) [catalina.jar:na]
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013) [catalina.jar:na]
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442) [catalina.jar:na]
at org.apache.catalina.core.StandardService.start(StandardService.java:450) [catalina.jar:na]
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709) [catalina.jar:na]
at org.apache.catalina.startup.Catalina.start(Catalina.java:551) [catalina.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294) [bootstrap.jar:na]
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432) [bootstrap.jar:na]
Caused by: edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.
at edu.internet2.middleware.shibboleth.common.config.BaseService.loadContext(BaseService.java:191) ~[shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseReloadableService.initialize(BaseReloadableService.java:147) ~[shibboleth-common-1.2.0.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.5.0_09]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.5.0_09]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.5.0_09]
at java.lang.reflect.Method.invoke(Method.java:585) ~[na:1.5.0_09]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1414) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1375) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1335) ~[spring-beans-2.5.6.SEC02.jar:2.5.6.SEC02]
... 39 common frames omitted
Caused by: edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: Unable to retrieve LDAP connection
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.validate(LdapDataConnector.java:277) ~[shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.validate(ShibbolethAttributeResolver.java:145) ~[shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.onNewContextCreated(ShibbolethAttributeResolver.java:504) ~[shibboleth-common-1.2.0.jar:na]
at edu.internet2.middleware.shibboleth.common.config.BaseService.loadContext(BaseService.java:173) ~[shibboleth-common-1.2.0.jar:na]
... 47 common frames omitted


Chad La Joie

Nov 1, 2010, 10:17:06 AM11/1/10
to shibbole...@internet2.edu
The IdP does not use that name ID format by default. If you've
configured the IdP to encode an attribute as a NameID of that format
then the value will be whatever the value of the attribute is. So if
the attribute value is ne...@univeristy.edu then that is what you'll get.

--

Nick Newman

Nov 1, 2010, 10:25:56 AM11/1/10
to shibbole...@internet2.edu
This means that the Java Runtime couldn't find the trusted
certificates keystore - the cacerts file that is under Java's jre/lib
directory.

Is there some startup script that is perhaps causing it to be looked
for in the right place?

Nick

Kidd, Don W.

Nov 1, 2010, 10:29:25 AM11/1/10
to shibbole...@internet2.edu
I've tried both ways...

I put this in the server.xml file...

does it have to be called cacerts?

is there a way to see where tomcat is looking for the truststore?

Chad La Joie

Nov 1, 2010, 10:29:28 AM11/1/10
to shibbole...@internet2.edu
Yeah, I'm pretty sure Nick is right. You said you changed Tomcat's
startup script to point to a different trust store than the default
one. So I'm guessing the file isn't there or can't be read by the
Tomcat user.

Chad La Joie

Nov 1, 2010, 10:32:58 AM11/1/10
to shibbole...@internet2.edu
The server.xml has nothing to do with the IdP, so making changes to
that won't affect anything.

The file does not have to be called cacerts but it must exist and be
readable by the Tomcat user.

Scott Cantor

Nov 1, 2010, 10:43:37 AM11/1/10
to shibbole...@internet2.edu
> Does this has something like ne...@univeristy.edu, or is it a real email
> address?

In addition to what Chad said, the semantic answer to your question is that
SAML does not define any semantics for the various technical NameID formats
in 1.1, like email, Kerberos, etc. Some people think they mean "it must look
like one" and some people think they have to be one, and my opinion,
reflected in the 2.0 text, is that they're best avoided as underspecified.

-- Scott

Xiaoxia Dong

Nov 1, 2010, 10:45:59 AM11/1/10
to shibbole...@internet2.edu
Thanks Chad for the information and it is very helpful.

I have a follow-up question about this I would like to get your opinion on:
The IdP in Northwestern University is set up to use "cryptohandle" to do
load balancing between two servers. If I use nameID as the following, will
this work for both servers?
Or will it only work for one server and the application would have
intermediate problems because it won't be able to carry over from one
server to another?

Thanks again.


--
=======================================
Xiaoxia Dong
x-d...@northwestern.edu
Northwestern University Information Technology

Chad La Joie

Nov 1, 2010, 10:53:21 AM
to shibbole...@internet2.edu
You'll need to ask your IdP admin. There is no supported version of
the IdP that has something called a cryptohandle. So either you have
a 1.3 IdP, which is no longer supported, or a 2.X IdP with a custom
extension, which I wouldn't know anything about.

--

Xiaoxia Dong

Nov 1, 2010, 11:12:31 AM
to shibbole...@internet2.edu
Thanks Chad and Scott for your helpful information.

Nick Newman

Nov 1, 2010, 11:13:58 AM
to shibbole...@internet2.edu
I wonder if this thread
http://coding.derkeiler.com/Archive/Java/comp.lang.java.programmer/2010-04/msg00305.html
where someone had similar problems with Tomcat would throw any light
on the problem.

Nick

Scott Cantor

Nov 1, 2010, 11:19:32 AM
to shibbole...@internet2.edu
> The IdP in northwestern university is set up to use "cryptohandle" to do
> load balance between two servers. If I use nameID as the following, will
> this work for both servers?

You can't use that mechanism with an email-based name identifier; that
requires using a different set of plugins.

> Or will it only work for one server and the application would have
> intermediate problem
> because it won't be able to carry over from one server to another?

Nothing that wants emailAddress would be querying for attributes anyway.

The "best" answer, frankly, is to refuse to do this and pass the data in an
attribute.

-- Scott

Kidd, Don W.

Nov 1, 2010, 4:22:09 PM
to shibbole...@internet2.edu
I wish, but no cd in our startup script that I can see...

Looking at

https://spaces.internet2.edu/display/SHIB2/ResolverLDAPDataConnector

I see this line...
keytool -import -trustcacerts -alias "sensible-name-for-ca" -file directory.crt -keystore $JAVA_HOME/lib/security/cacerts

is that where the cacerts goes or is it..

keytool -import -trustcacerts -alias "sensible-name-for-ca" -file directory.crt -keystore $JAVA_HOME/jre/lib/security/cacerts

Maybe I am putting the cacerts file in the wrong folder, and that might be part of my problem...

Don

Nick Newman

Nov 1, 2010, 4:40:25 PM
to shibbole...@internet2.edu
The normal (as delivered) location is:

jre/lib/security/cacerts

Nick

Kidd, Don W.

Nov 2, 2010, 10:29:29 AM
to shibbole...@internet2.edu
That's where I have it.

So maybe I am missing something then. How do I tell the resolver where to find the cacerts?

Don

Nick Newman

Nov 2, 2010, 11:00:23 AM
to shibbole...@internet2.edu
I think there are three things to check:
- Is the cacerts file being found?
- Is the cacerts readable (in a file permission sense) by the user
running Tomcat?
- Does Tomcat have the right password for the cacerts file?

As for the answer to your direct question, see
http://www.exampledepot.com/egs/javax.net.ssl/client.html (unless
Tomcat has its own scheme). That says to use JRE command line
options:

java -Djavax.net.ssl.trustStore=truststore
-Djavax.net.ssl.trustStorePassword=123456 MyApp

Nick

Chad La Joie

Nov 2, 2010, 1:42:39 PM
to shibbole...@internet2.edu
Maybe the question to ask at this point is, why are you trying to
change the default JVM truststore?

On Tue, Nov 2, 2010 at 11:00, Nick Newman <nick.x...@gmail.com> wrote:
> I think there are three things to check:
>  - Is the cacerts file being found?
>  - Is the cacerts readable (in a file permission sense) by the user
> running Tomcat?
>  - Does Tomcat have the right password for the cacerts file?
>
> As for the answer to your direct question, see
> http://www.exampledepot.com/egs/javax.net.ssl/client.html (unless
> Tomcat has its own scheme).  That says to use JRE command line
> options:
>
>                java -Djavax.net.ssl.trustStore=truststore
> -Djavax.net.ssl.trustStorePassword=123456 MyApp

--

Kidd, Don W.

Nov 2, 2010, 2:04:54 PM
to shibbole...@internet2.edu
I don't have to change the trust store; I have tried to add the crt's to the cacerts file and I'm getting errors like this...

But my problem is that I am getting errors when the resolver is loaded using either of the 2 ways...

1. update Server.XML and include trustStoreFile & truststorePass
truststoreFile="/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
truststorePass="xxxxxx"

2. update catalina.sh and add JAVA_OPTS
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=xxxxxxx"


But I keep getting errors,
If I do option 1 I get the following error...

javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

If option 2 I get this error...
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I know I have to be missing something simple, but could anyone point me in the right direction, to help me determine what I'm missing..

--------

Chad La Joie

Nov 2, 2010, 2:12:36 PM
to shibbole...@internet2.edu
Both options change the default trust store (option 1 for Tomcat's
connector and option 2 for the JVM itself).

For option 1, as I already said, the server.xml file has *nothing* to
do with your issue and the error you're getting is because the file
doesn't exist or can't be read.

For option 2 the error you get is because you didn't import the entire
cert chain. So to fix it you'd need to import the full cert chain.

Scott Cantor

Nov 2, 2010, 2:14:50 PM
to shibbole...@internet2.edu
> But my problem is that I am getting errors when the resolver is loaded using
> either of the 2 ways...

The LDAP connector's decisions about SSL connections to directory servers
have *nothing* to do with Tomcat, server.xml, catalina.sh, etc. At least I
don't think they do...

> 1. update Server.XML and include trustStoreFile & truststorePass
> truststoreFile="/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
> truststorePass="xxxxxx"

That's got to be about SSL connectors in Tomcat, nothing whatsoever to do
with the resolver.

> 2. update catalina.sh and add JAVA_OPTS
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/usr/java/jdk1.5.0_09/jre/lib/security/truststore"
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=xxxxxxx"

Not sure about that, but I don't think I'd do it unless the IdP
documentation says so...

Normally all you do is import the LDAP server's CA cert(s) into the JVM
truststore. Period.

-- Scott
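Pulling together Nick's three checks (is the file found, is it readable by the user running Tomcat, does the password open it), Chad's distinction between the two errors (an empty or unreadable store gives "the trustAnchors parameter must be non-empty", an incomplete chain gives "unable to find valid certification path"), and Scott's advice to simply import the directory's CA cert(s) into the JVM truststore, the following diagnostic lets an admin see which store the JVM will actually use and why the resolver's LDAPS connection fails. It is an added example, not code from the Shibboleth IdP, Tomcat or anyone in the thread. It assumes Java 7 or later, a keystore of the JVM's default type, and that the optional PEM file `server-chain.pem` (a hypothetical name) contains the directory server's certificate chain, leaf first, obtained by whatever means the admin already has. Run it as the Tomcat user with Tomcat's `JAVA_OPTS`, so the same `javax.net.ssl.*` properties apply.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added trust-store diagnostic; not Shibboleth, IdP or Tomcat code.
 * Usage (as the Tomcat user): java $JAVA_OPTS TrustStoreCheck [server-chain.pem]
 * server-chain.pem is a hypothetical file holding the LDAP server's chain, leaf first.
 */
public class TrustStoreCheck {

    /** Same lookup order JSSE uses: the system property, else jssecacerts, else cacerts. */
    static Path resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return Paths.get(prop); // taken literally, not relative to java.home
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : security.resolve("cacerts");
    }

    public static void main(String[] args) throws Exception {
        Path store = resolveTrustStore();
        System.out.println("Trust store this JVM will use: " + store.toAbsolutePath());

        // Checks 1 and 2: the file must exist and be readable by the user running Tomcat.
        if (!Files.isRegularFile(store)) { System.out.println("FAIL: file does not exist"); return; }
        if (!Files.isReadable(store)) {
            System.out.println("FAIL: not readable by user " + System.getProperty("user.name"));
            return;
        }

        // Check 3: the password must open the store (the JDK's cacerts ships with "changeit").
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store.toFile())) {
            ks.load(in, password.toCharArray());
        } catch (IOException e) {
            System.out.println("FAIL: cannot open store (bad password or not a keystore): " + e.getMessage());
            return;
        }

        // Count trusted-certificate entries. With zero of them PKIXParameters throws
        // "the trustAnchors parameter must be non-empty", the first error in the thread.
        int anchors = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) {
                anchors++;
            }
        }
        System.out.println("Trusted certificate entries: " + anchors);
        PKIXParameters params = new PKIXParameters(ks);
        params.setRevocationEnabled(false); // keep the check offline
        if (args.length == 0) { return; }

        // Optional: validate the server's PEM chain against the store. A chain that does not
        // reach a trusted entry is the condition behind the second error in the thread,
        // "unable to find valid certification path", usually a missing intermediate CA.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = new ArrayList<Certificate>(cf.generateCertificates(in));
        }
        // PKIX validation takes the path up to, but not including, the trust anchor.
        List<Certificate> path = new ArrayList<Certificate>();
        for (Certificate c : chain) {
            if (ks.getCertificateAlias(c) != null) {
                break; // this certificate is already a trusted entry in the store
            }
            path.add(c);
        }
        if (path.isEmpty()) { System.out.println("OK: leaf certificate is itself trusted"); return; }
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            System.out.println("OK: chain validates against " + store.getFileName());
        } catch (CertPathValidatorException e) {
            System.out.println("FAIL: " + e.getMessage());
        }
    }
}
```

The printed path answers the `lib/security` versus `jre/lib/security` question directly: `java.home` of a running JVM is the JRE directory, so when `JAVA_HOME` points at a JDK the default store is `$JAVA_HOME/jre/lib/security/cacerts`, and a `javax.net.ssl.trustStore` property is used exactly as given. If the chain check fails even though the CA is imported, the PEM file or the store is missing an intermediate, which is the "import the full cert chain" fix described above.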

Kidd, Don W.

Nov 2, 2010, 4:10:11 PM
to shibbole...@internet2.edu
But how does tomcat know about the truststore... I assume I have to tell tomcat where the keystore is... I think the error is showing up in the resolver because it is the first thing that is trying to use the truststore...

I guess the problem is really a tomcat problem, but shib happens to be the first thing that is using the truststore on this machine, so I'm trying to determine what I am doing wrong... or whether people have any suggestions on how to make it work...

Don

--------

Nick Newman

Nov 2, 2010, 4:21:49 PM
to shibbole...@internet2.edu
But in your case #2 it DID find the keystore - and then said the
certificate path wasn't right. As someone else pointed out, that
means the cert isn't imported properly with its trust path complete.

Nick

Kidd, Don W.

Nov 2, 2010, 4:24:56 PM
to shibbole...@internet2.edu
OK... Yeah, I saw that other message after I replied to yours... I'll try to add the whole chain and see if that fixes my problem...

--------
Don Kidd
Senior Systems Analyst
Information Technology Services
Miami University
312 Hoyt Hall
Oxford OH 45056
Office : 513.529.9655
Fax : 513.529.1496
EMail: dk...@muohio.edu


