I'm trying to log in and log out with java-saml-toolkit-jpsample
https://github.com/onelogin/java-saml
against the IdP of samltest.id.
Its metadata is hosted here:
https://samltest.id/saml/idp
Here is a summary:
https://samltest.id/download/
In case it matters: it's on Windows 10 (latest), Java 11 and Tomcat 9. No errors during the build and no errors thrown during execution.
For the onelogin configuration, I set the following:
# If 'strict' is True, then the Java Toolkit will reject unsigned
# or unencrypted messages if it expects them signed or encrypted
# Also will reject the messages if not strictly follow the SAML
onelogin.saml2.strict = false
# Enable debug mode (to print errors)
onelogin.saml2.debug = true
# Service Provider Data that we are deploying
#
# Identifier of the SP entity (must be a URI)
onelogin.saml2.sp.entityid = https://mysuperssoservice.de
# Specifies info about where and how the <AuthnResponse> message MUST be
# returned to the requester, in this case our SP.
# URL Location where the <Response> from the IdP will be returned
onelogin.saml2.sp.assertion_consumer_service.url = http://localhost/java-saml-tookit-jspsample/acs.jsp
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-POST binding only
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
# Specifies info about where and how the <Logout Response> message MUST be
# returned to the requester, in this case our SP.
onelogin.saml2.sp.single_logout_service.url = http://localhost/java-saml-tookit-jspsample/sls.jsp
# SAML protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# Specifies constraints on the name identifier to be used to
# represent the requested subject.
# Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
# Usually x509cert and privateKey of the SP are provided by files placed at
# the certs folder. But we can also provide them with the following parameters
onelogin.saml2.sp.x509cert = -----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----
# Requires Format PKCS#8 BEGIN PRIVATE KEY
# If you have PKCS#1 BEGIN RSA PRIVATE KEY convert it by openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
onelogin.saml2.sp.privatekey = -----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC9JbxuSrqatr4gJyifMZIjhSxzF+VG8+zrWL1mpXCLXOlAvXXX4mgBjDT84QFF6jCmdTgEfSipXQnkHF2piiRXiePZRMkow5LtKDsv5r3CrnZlm8XX+hLXDy3JSF2qTpYZeSF54RTGHwb3xRE+S2uGkFaOVIwQKdYVVZLAPDMvedIT/mHsIe8Bc2cGIGFsWrr3jb8Rvo9cGaSMwfXG3slwy+SuZowCE58YcMSw8JOOmi1pvS0/blGhZWIno+3K8WL3W4pUK8Wl/3Kfds1tpqqerVokO8umP26hAvetT5oG26G8+vFtV9tXOUOjjJ/TSmkh/Rm7rP9sb9bi5G0XshzPAgMBAAECggEAdnO1Z5Sg+9bJhjU/uUI/9MKnrYQfb6m+izxNkIS20G/lG0gLDqGY5K87V8pJE9Gvme76n8UJu9aqJRKmjVAXpkKSUDRFjaO81YxGVJ854zuCpetBoRnYxpmY4N7S2Z7RXS6AimUsr04q/OuK+uoccm7d5dCIzm6ExWOLvZt1qpqYVo9DvHoaJhZeKFHfnM/1wq7WvWe6wPQzTKiSHO0d9h4Vzi9UwoVn+TpeFspUzK2IbtslI+gr8GgJNdOtWMzbBGi7abuvDBWsiHCaAqNhKOM2nkq8OaCZbGRZ5E1k/3KaeFUljryOg4KBOwQIAg2yDbh3Vy+yEI6G4MSMn9ebEQKBgQD2Zvy+G8owLi7GsVCimjc5r/u+ElFgTPLcMNv4zQqjNJ3ZYC3tpwYw6ht4AqtXOypmPcDEucVOKVqeLAVddeCKqmhFar+YNm5kWE8BURP5rxKrVdyEORnfgOP+qzAQgMmSBtLLuWhizpKPg3eMea7G124LXJl4X1xyBjlzSW24owKBgQDEg9Qt1tF8O35iVq68pVsj2Z/K2sjP2HR87ftUATswAf79JQvm9hQdKgonfEfIef6vWsUbRSsqnKgKZI3D3Rebht+Vr0g4NzZiKMi/TfP1zxRa1v8X5O1As4b82LXnLlLeoQOYnG6InRqXjEuY+DE72Zgebc2FuiaL810PgoRx5QKBgDMGAoJPeN/fQFpur1bsflEYyxWB7430gTnteC+eLfy70ZAI5ZnXw2VvpP6F9vsaSl5fnUJfgab800H7taSz2yp7vRna0A/x/YwT6VBJfMxwX3pRTlenB1+L7ip3Qn24XYU6mn4LR71mL10+iQvyyqlsROJfa3xMqvUFqvHfm7PnAoGBAJSauB3936ZZewY0VKj1RkmC7VJCRi7emaBLeo4Y7EAukjuuAyUhmy4+tzUKx2Gz10OVmY44rR7pHi3VwlqF269Ru8v+o9dW8Toja0M3WK/ea58SDA9un3cZC5Ay9MOghSwziHukd/W5D/3gKt6/eMOwlVcVY6CnlzSn0QzEfxF9AoGBAI3LIHg3Yw2RzM6u6LzXEsbaxB8arDuCKWTlUqP8i7GdVnU3+CYkutBbGIIj1cWuSAWCB2svtLicjm4i2thd+wLkckGLaAtcZN/Ccd4LIjW/e/Qtl7QKf96cH96CZJd44K3XaLg0mzo+1RJFB8wrRlNFZQNcxUSbJ1AdMs6W6zNB\n-----END PRIVATE KEY-----
# Identity Provider Data that we want connect with our SP
#
# Identifier of the IdP entity (must be a URI)
onelogin.saml2.idp.entityid = https://samltest.id/saml/idp
# SSO endpoint info of the IdP. (Authentication Request protocol)
# URL Target of the IdP where the SP will send the Authentication Request Message
onelogin.saml2.idp.single_sign_on_service.url = https://samltest.id/idp/profile/SAML2/Redirect/SSO
# SAML protocol binding to be used to deliver the <AuthnRequest> message
# to the IdP. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# SLO endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Request
onelogin.saml2.idp.single_logout_service.url = https://samltest.id/idp/profile/SAML2/Redirect/SLO
# Optional SLO Response endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.
# Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url
onelogin.saml2.idp.single_logout_service.response.url =
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# Public x509 certificate of the IdP
onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----
#onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----\nMIIDETCCAfmgAwIBAgIUZRpDhkNKl5eWtJqk0Bu1BgTTargwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwHhcNMTgwODI0MjExNDEwWhcNMzgwODI0MjExNDEwWjAWMRQwEgYDVQQDDAtzYW1sdGVzdC5pZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJrh9/PcDsiv3UeL8Iv9rf4WfLPxuOm9W6aCntEA8l6c1LQ1Zyrz+Xa/40ZgP29ENf3oKKbPCzDcc6zooHMji2fBmgXp6Li3fQUzu7yd+nIC2teejijVtrNLjn1WUTwmqjLtuzrKC/ePoZyIRjpoUxyEMJopAd4dJmAcCq/Kk2eYX9GYRlqvIjLFoGNgy2R4dWwAKwljyh6pdnPUgyO/WjRDrqUBRFrLQJorR2kDc4seZUbmpZZfp4MjmWMDgyGM1ZnR0XvNLtYeWAyt0KkSvFoOMjZUeVK/4xR74F8e8ToPqLmZEg9ZUx+4z2KjVK00LpdRkH9Uxhh03RQ0FabHW6UCAwEAAaNXMFUwHQYDVR0OBBYEFJDbe6uSmYQScxpVJhmt7PsCG4IeMDQGA1UdEQQtMCuCC3NhbWx0ZXN0LmlkhhxodHRwczovL3NhbWx0ZXN0LmlkL3NhbWwvaWRwMA0GCSqGSIb3DQEBCwUAA4IBAQBNcF3zkw/g51q26uxgyuy4gQwnSr01Mhvix3Dj/Gak4tc4XwvxUdLQq+jCcxr2Pie96klWhY/v/JiHDU2FJo9/VWxmc/YOk83whvNd7mWaNMUsX3xGv6AlZtCOL3JhCpHjiN+kBcMgS5jrtGgV1Lz3/1zpGxykdvS0B4sPnFOcaCwHe2B9SOCWbDANJXpTjz1DmJO4ImyWPJpN1xsYKtm67Pefxmn0ax0uE2uuzq25h0xbTkqIQgJzyoE/DPkBFK1vDkMfAW11dQ0BXatEnW7Gtkc0lh2/PIbHWj4AzxYMyBf5Gy6HSVOftwjCvoQR2qr2xJBixsg+MIORKtmKHLfU\n-----END CERTIFICATE-----
#onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----
# Instead of use the whole x509cert you can use a fingerprint
# (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
# or add for example the -sha256 , -sha384 or -sha512 parameter)
#
# If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
# let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
# 'sha1' is the default value.
# onelogin.saml2.idp.certfingerprint =
# onelogin.saml2.idp.certfingerprint_algorithm = sha256
# Security settings
#
# Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
# will be encrypted.
onelogin.saml2.security.nameid_encrypted = true
# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
# will be signed. [The Metadata of the SP will offer this info]
onelogin.saml2.security.authnrequest_signed = true
# Indicates whether the <samlp:logoutRequest> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutrequest_signed = true
# Indicates whether the <samlp:logoutResponse> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutresponse_signed = true
# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
# <samlp:LogoutResponse> elements received by this SP to be signed.
onelogin.saml2.security.want_messages_signed = true
# Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed.
onelogin.saml2.security.want_assertions_signed = true
# Indicates a requirement for the Metadata of this SP to be signed.
# Right now supported null (in order to not sign) or true (sign using SP private key)
onelogin.saml2.security.sign_metadata =
# Indicates a requirement for the Assertions received by this SP to be encrypted
onelogin.saml2.security.want_assertions_encrypted = true
# Indicates a requirement for the NameID received by this SP to be encrypted
onelogin.saml2.security.want_nameid_encrypted = true
# Authentication context.
# Set Empty and no AuthContext will be sent in the AuthNRequest
# You can set multiple values (comma separated them)
onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password
# Allows the authn comparison parameter to be set, defaults to 'exact'
onelogin.saml2.security.requested_authncontextcomparison = exact
# Allows duplicated names in the attribute statement
onelogin.saml2.security.allow_duplicated_attribute_name = false
# Indicates if the SP will validate all received xmls.
# (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
onelogin.saml2.security.want_xml_validation = true
# Algorithm that the toolkit will use on signing process. Options:
# 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
# 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
onelogin.saml2.security.signature_algorithm = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
# Algorithm that the toolkit will use on digest process. Options:
# 'http://www.w3.org/2000/09/xmldsig#sha1'
# 'http://www.w3.org/2001/04/xmlenc#sha256'
# 'http://www.w3.org/2001/04/xmldsig-more#sha384'
# 'http://www.w3.org/2001/04/xmlenc#sha512'
onelogin.saml2.security.digest_algorithm = http://www.w3.org/2001/04/xmlenc#sha256
# Reject Signatures with deprecated algorithms (sha1)
onelogin.saml2.security.reject_deprecated_alg = true
# Organization
#onelogin.saml2.organization.name = SP Java
#onelogin.saml2.organization.displayname = SP Java Example
#onelogin.saml2.organization.url = http://sp.example.com
#onelogin.saml2.organization.lang =
# Contacts
onelogin.saml2.contacts.technical.given_name = Andreas Andreas
onelogin.saml2.contacts.technical.email_address = andreas.andreas#andreas.com
onelogin.saml2.contacts.support.given_name = Olaf Olaf
onelogin.saml2.contacts.support.email_address = olaf.olaf#Olaf.de
The metadata I shared is:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2031-10-17T22:45:08Z" cacheDuration="PT604800S" entityID="https://mysuperssoservice.de">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDMTCCAhmgAwIBAgIUMarw5sgqqA9vAQgQR5bPMNSSzCwwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UEAwwdemV1cy10ZXN0LnBhc3MtY29uc3VsdGluZy5jb20wHhcNMjExMDE5MjI0NTA4WhcNMzExMDE3MjI0NTA4WjAoMSYwJAYDVQQDDB16ZXVzLXRlc3QucGFzcy1jb25zdWx0aW5nLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0lvG5Kupq2viAnKJ8xkiOFLHMX5Ubz7OtYvWalcItc6UC9ddfiaAGMNPzhAUXqMKZ1OAR9KKldCeQcXamKJFeJ49lEySjDku0oOy/mvcKudmWbxdf6EtcPLclIXapOlhl5IXnhFMYfBvfFET5La4aQVo5UjBAp1hVVksA8My950hP+Yewh7wFzZwYgYWxauveNvxG+j1wZpIzB9cbeyXDL5K5mjAITnxhwxLDwk46aLWm9LT9uUaFlYiej7crxYvdbilQrxaX/cp92zW2mqp6tWiQ7y6Y/bqEC961Pmgbbobz68W1X21c5Q6OMn9NKaSH9Gbus/2xv1uLkbReyHM8CAwEAAaNTMFEwHQYDVR0OBBYEFG4qExM6HLQAE0fKZJGzvUR8JdwaMB8GA1UdIwQYMBaAFG4qExM6HLQAE0fKZJGzvUR8JdwaMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALg0NjnrcPU4+GurgWtUBZ31CHeEsC4HKdlYNpPSgOQzgAaFyQjixJ/Za8ItyPEWFUODpZveDRnCxnrexS3KY9CNunVChqDV69vH2wpV/F6sag+REONMDt+MRZdO0TqQWN5SNT1O/mFg2uQlgEMOrziU95miagXSnRzBZh0YyxWON2YaEepT2fc5OKjtvTC/B6LKKz/fVIc3UZngNB0FRM3zR1uqTJj90cdl3TtvpkC/vxj10zZqQTPq1wmHBUPOJJENBzg4yM+wvNqPg6RBCm/zYzIfu2PiQHbejwIYI3p1bQuYavXGfGMd8vgf17ewjCYRBVr3OxA04JGFEizby8U=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost/java-saml-tookit-jspsample/sls.jsp"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost/java-saml-tookit-jspsample/acs.jsp" index="1"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Andreas Andreas</md:GivenName>
    <md:EmailAddress>andreas.andreas#andreas.com</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>Olaf Olaf </md:GivenName>
    <md:EmailAddress>olaf.olaf#olaf</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
When I start the sample project, the login works perfectly and I receive all the data about the user I log in as.
However, when I try to log out, the SAML Toolkit Auth object gives the error:
logout_not_success.urn:oasis:names:tc:SAML:2.0:status:Responder.
And when I look into the log of the IdP, I see the message:
2022-01-27 06:43:18,000 - ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:?] - Error decrypting encrypted key
org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed
    at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1533)
Caused by: java.security.InvalidKeyException: Unwrapping failed
    at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:447)
Caused by: javax.crypto.BadPaddingException: Decryption error
    at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:379)
2022-01-27 06:43:18,001 - ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:?] - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
2022-01-27 06:43:18,001 - ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:?] - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
2022-01-27 06:43:18,002 - ERROR [org.opensaml.saml.saml2.encryption.Decrypter:?] - SAML Decrypter encountered an error decrypting element content
org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
    at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:548)
2022-01-27 06:43:18,002 - WARN [org.opensaml.saml.saml2.profile.impl.DecryptNameIDs:?] - Profile Action DecryptNameIDs: Failure performing decryption
org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
    at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:548)
2022-01-27 06:43:18,002 - WARN [org.opensaml.profile.action.impl.LogEvent:?] - A non-proceed event occurred while processing the request: DecryptNameIDFailed
2022-01-27 06:43:18,002 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:?] Error event DecryptNameIDFailed will be handled with response
Am I missing something? Can you see an error in my setup?
I appreciate any kind of help! Thanks in advance.
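The IdP log above shows DecryptNameIDs failing because no key could unwrap the EncryptedKey in the LogoutRequest, which is the step where an SP with onelogin.saml2.security.nameid_encrypted = true encrypts the NameID to the IdP's public key. An IdP advertises which certificate it can decrypt with in its metadata (a KeyDescriptor with use="encryption", or one without a use attribute), and the properties file above has a single onelogin.saml2.idp.x509cert setting, so the first check a practitioner would make is whether the certificate configured there is one the IdP lists for encryption rather than only for signing. The following is an added example, not code from the question or from java-saml: the metadata and certificate bytes are constructed stand-ins (not samltest.id's real metadata), and the comparison is by SHA-256 fingerprint, which works unchanged on real DER certificates.

```python
"""Compare the IdP certificate an SP has configured against the IdP's metadata.

Added example, not part of the question or of java-saml. Assumptions:
- the metadata below and the certificate bytes are constructed stand-ins,
  not samltest.id's real metadata or certificates;
- the SP setting under test is the PEM placed in onelogin.saml2.idp.x509cert.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and whitespace; return the DER bytes."""
    body = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes (what `openssl x509 -fingerprint -sha256` prints, without colons)."""
    return hashlib.sha256(der).hexdigest()


def metadata_certs(xml_text: str) -> list:
    """Return [(use, sha256)] for every KeyDescriptor. use == '' means the
    KeyDescriptor has no `use` attribute, i.e. the key serves both purposes."""
    root = ET.fromstring(xml_text)
    found = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use", "")
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            found.append((use, fingerprint(der)))
    return found


def encryption_key_candidates(xml_text: str) -> list:
    """Fingerprints of the certificates the IdP says it can decrypt with."""
    return [fp for use, fp in metadata_certs(xml_text) if use in ("", "encryption")]


def configured_cert_can_encrypt(configured_pem: str, idp_metadata: str) -> bool:
    """True if the PEM configured as onelogin.saml2.idp.x509cert is one the IdP
    advertises for encryption, so an EncryptedID built with it is decryptable there."""
    return fingerprint(pem_to_der(configured_pem)) in encryption_key_candidates(idp_metadata)


# Constructed stand-in certificate bytes (not real X.509 DER); only their fingerprints matter here.
SIGNING_DER = b"constructed-idp-signing-cert"
ENCRYPTION_DER = b"constructed-idp-encryption-cert"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def as_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour the properties file expects."""
    return "-----BEGIN CERTIFICATE-----\n" + _b64(der) + "\n-----END CERTIFICATE-----\n"


# Constructed IdP metadata with separate signing and encryption keys.
IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.test/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data><ds:X509Certificate>{_b64(SIGNING_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data><ds:X509Certificate>{_b64(ENCRYPTION_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for label, der in (("signing cert", SIGNING_DER), ("encryption cert", ENCRYPTION_DER)):
        ok = configured_cert_can_encrypt(as_pem(der), IDP_METADATA)
        print(f"{label} configured as idp.x509cert -> usable for EncryptedID: {ok}")
```

Running it with the signing certificate in the idp.x509cert role reports False, with the encryption certificate True; on a real deployment, feed it the PEM from the properties file and the metadata fetched from the IdP's metadata URL.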
I'm trying to send a pkcs10Request to EJBCA via its SOAP web service. The method signature is
(from the docs):
CertificateResponse pkcs10Request(java.lang.String username,
java.lang.String password,
java.lang.String pkcs10,
java.lang.String hardTokenSN,
java.lang.String responseType)
where
pkcs10 - the base64 encoded PKCS10 (only the public key is used.)
username - the unique username
password - the password sent with editUser call
hardTokenSN - Hard Token support was dropped since 7.1.0. Use null as this parameter
responseType - indicating which type of answer should be returned, one of the CertificateHelper.RESPONSETYPE_ parameters.
The goal is to generate a certificate for a user.
The PKCS#10 was made with Java keytool and looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----...-----END NEW CERTIFICATE REQUEST-----
I send the request like this:
Pkcs10Request request = new Pkcs10Request();
request.setArg0(certRqDto.getUsername());
request.setArg1(certRqDto.getPassword());
request.setArg2(certRqDto.getPkcs10());
request.setArg3(null);
request.setArg4("CERTIFICATE");
JAXBElement<Pkcs10Request> element = objectFactory.createPkcs10Request(request);
JAXBElement<Pkcs10RequestResponse> response = (JAXBElement<Pkcs10RequestResponse>) wsClient.getWebServiceTemplate().marshalSendAndReceive(element, new SoapActionCallback(EMPTY_ACTION_STRING));
But I'm getting an error, and in EJBCA's log I see this:
2021-05-18 09:33:00,429 DEBUG [org.cesecore.certificates.certificate.request.RequestMessageUtils] (default task-2) Message not base64 encoded? Trying as binary: Error in input buffer, missing -----BEGIN NEW CERTIFICATE REQUEST----- boundary
2021-05-18 09:33:00,429 WARN [org.cesecore.certificates.certificate.request.PKCS10RequestMessage] (default task-2) PKCS10 not initiated! unknown tag 13 encountered
...
2021-05-18 09:33:00,431 ERROR [org.jboss.as.ejb3.invocation] (default task-2) WFLYEJB0034: EJB Invocation failed on component CertificateCreateSessionBean for method public abstract org.cesecore.certificates.certificate.request.CertificateResponseMessage org.cesecore.certificates.certificate.CertificateCreateSessionLocal.createCertificate(...)
...
Caused by: java.lang.NullPointerException
at org.cesecore.certificates.certificate.request.PKCS10RequestMessage.verify(PKCS10RequestMessage.java:444)
at org.cesecore.certificates.certificate.request.PKCS10RequestMessage.verify(PKCS10RequestMessage.java:430)
If I'm not mistaken, the reason is in the pkcs10 parameter.
But it contains the substring "-----BEGIN NEW CERTIFICATE REQUEST-----".
I can't understand in what format I must send the PKCS#10.
I'm new to this, please help.
Sending the request without the header
-----BEGIN NEW CERTIFICATE REQUEST-----
and the footer helped me.
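The answer above sends only the base64 body, without the BEGIN/END lines. What follows is an added example, not code from the question, the answer or EJBCA: it turns a keytool-style PEM request into that bare base64 string and checks that the payload decodes to a DER SEQUENCE before anything is submitted. The request body is a constructed stand-in (a minimal DER SEQUENCE, not a real PKCS#10), so only the structural checks apply. It also shows the symptom to look for when armoured text reaches a parser that expects DER: the first byte it sees is '-' (0x2d, decimal 45) instead of the 0x30 SEQUENCE tag.

```python
"""Normalise a PEM-armoured PKCS#10 request to bare base64 and sanity-check it.

Added example, not from the question or from EJBCA. SAMPLE_DER is a constructed
stand-in (SEQUENCE { INTEGER 5 }), not a real certificate request.
"""
import base64
import re

ARMOUR = re.compile(r"-----(BEGIN|END) [A-Z ]+-----")


def strip_pem_armour(text: str) -> str:
    """Drop the BEGIN/END lines and all whitespace; return only the base64 payload."""
    lines = [ln for ln in text.splitlines() if not ARMOUR.match(ln.strip())]
    return "".join("".join(lines).split())


def first_der_tag(data: bytes) -> int:
    """The tag byte a DER parser sees first. A DER SEQUENCE is 0x30 (48); PEM text
    handed to a DER parser yields ord('-') == 45 instead."""
    return data[0]


def looks_like_der_sequence(der: bytes) -> bool:
    """Check the outer TLV: tag 0x30 and a declared length that matches the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def normalise_csr_for_submission(text: str) -> str:
    """Return the CSR as bare base64 (the form the answer sent) after checking that
    it decodes to a DER SEQUENCE; raise ValueError otherwise."""
    b64 = strip_pem_armour(text)
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"CSR payload is not valid base64: {exc}") from None
    if not looks_like_der_sequence(der):
        raise ValueError("decoded CSR is not a DER SEQUENCE; wrong file or encoding")
    return b64


# Constructed stand-in body: SEQUENCE { INTEGER 5 } encodes to base64 "MAMCAQU=".
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_CSR_PEM = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    + base64.b64encode(SAMPLE_DER).decode() + "\n"
    + "-----END NEW CERTIFICATE REQUEST-----\n"
)

if __name__ == "__main__":
    print("first byte of the PEM text as a DER tag:", first_der_tag(SAMPLE_CSR_PEM.encode()))
    print("first byte of the decoded payload:", first_der_tag(SAMPLE_DER))
    print("value to put in the pkcs10 parameter:", normalise_csr_for_submission(SAMPLE_CSR_PEM))
```

On a real keytool output the base64 is wrapped at fixed width; strip_pem_armour removes those line breaks as well, and looks_like_der_sequence will report False if the file was saved as DER, double-encoded, or truncated.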
We have one QM, one CHANNEL and many QUEUEs created for clients. Around 5 clients are connected to this QM for their transactions. Each of the 5 clients is connected to its respective QUEUE. There is a jks file created in this QM for the SSL connection. Each of the 5 clients connects with the jks file + SSL_RSA_WITH_RC4_128_SHA from their Java client. The QM is also configured with SSLCIPH(RC4_SHA_US).
Now all of a sudden, without any Java client change, 1 client is not able to connect to the configured QM. All the others are able to connect to the same QM without any issue.
AMQERR01.LOG does not contain any specific exception or error.
In the application logs it shows the common MQ exception:
Error as com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2397'
2397 - cipher spec/suite not matching - is that a possibility?
We enabled tracing (strmqtrc -m TEST.QM -t detail -t all) and saw trace logs in the path (C:\Program Files (x86)\IBM\Websphere MQ\trace), but could not get any details on why the SSL connection is not happening.
We did one more exercise: created a new QM for the affected client and tested without SSL, and it works. When we enabled SSL in the new QM and the Java client, the same 2397 started being logged.
Could someone guide me to better logging and tracing in MQ, which can show why 2397 is thrown?
Could someone guide me to better logging and tracing in Java using -D [-Djavax.net.debug=all], which can show why 2397 is thrown?
MQ version: 7
MQ server on: Windows
From the trace logs:
returning TEST.QM
Freeing cbmindex:0 pointer:24DDB540 length:2080
-----} TreeNode.getMQQmgrExtObject (rc=OK)
cbmindex:10
-------------} xcsFreeMemFn (rc=OK)
------------} amqjxcoa.wmqGetAttrs (rc=OK)
-----{ UiQueueManager.testQmgrAttribute
-------------{ Message.getMessage
testing object 'TEST.QM'
An internal method detected an unexpected system return code. The method {0} returned {1}. (AMQ4580)
checking attribute 'QmgrCmdLevelGreaterThan'
-------------} Message.getMessage (rc=OK)
for value '510'
-----------}! NativeCalls.getAttrs (rc=Unknown(C35E))
-----} UiQueueManager.testQmgrAttribute (rc=OK)
Message = An internal method detected an unexpected system return code. The method wmq_get_attrs returned "retval.rc2 = 268460388". (AMQ4580), msgID = AMQ4580, rc = 50014, reason = 268460388, severity = 30
result = true
---} TreeNode.testAttribute (rc=OK)
---{ TreeNode.testAttribute
-----{ QueueManagerTreeNode.toString
-----} QueueManagerTreeNode.toString (rc=OK)
testing object 'TEST.QM'
checking attribute 'OamTreeNode'
-----------{ NativeCalls.getAttrs
------------{ amqjxcoa.wmqGetAttrs
qmgr:2A7B32C8, stanza:2A7B32C4, version:1
for value 'true'
QMgrName('TEST.QM')
-----{ TreeNode.getMQQmgrExtObject
StanzaName('QMErrorLog')
testing object 'TEST.QM'
Full QM.INI filename: SOFTWARE\IBM\MQSeries\CurrentVersion\Configuration\QueueManager\TEST!QM, Multi-Instance: FALSE
--------------} xcsGetIniFilename (rc=OK)
--------------{ xcsGetIniAttrs
---------------{ xcsBrowseIniCallback
FileType = (1)
----------------{ xcsBrowseRegistryCallback
xcsBrowseRegistryCallback
-----------------{ xusAddStanzaLineList
------------------{ xcsGetMemFn
checking attribute 'PluginEnabled'
component:24 function:15 length:2080 options:0 cbmindex:0 *pointer:24DDB540
------------------} xcsGetMemFn (rc=OK)
for value 'com.ibm.mq.explorer.oam'
RetCode (OK)
-----------------} xusAddStanzaLineList (rc=OK)
-----------------{ xusAddStanzaLineList
------------------{ xcsGetMemFn
-----{ UiPlugin.isPluginEnabled
component:24 function:15 length:2080 options:0 cbmindex:1 *pointer:24DDDFE8
------------------} xcsGetMemFn (rc=OK)
RetCode (OK)
-----------------} xusAddStanzaLineList (rc=OK)
testing plugin_id: com.ibm.mq.explorer.oam
-----------------{ xurGetSpecificRegStanza
-------{ PluginRegistrationManager.isPluginEnabled
Couldn't open key (QMErrorLog) result 2: The system cannot find the file specified.
MQ version 7.0.1.9
jdk1.8.0_181-i586
com.ibm.mq*.jar version:
Specification-Version: 6.0.2.1
Implementation-Version: 6.0.2.1-j600-201-070305
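One check a practitioner would make before chasing the queue manager side: the client runs on jdk1.8.0_181, and Java 8 updates list RC4 in the jdk.tls.disabledAlgorithms property of java.security, which removes RC4 cipher suites from what the JSSE client will offer regardless of what the application asks for; -Djavax.net.debug=all would show the same thing in the ClientHello. The following is an added example, not IBM MQ, JSSE or the question's code: it reads a java.security excerpt and reports which disabled entries match a cipher suite by name. The excerpt is constructed to resemble a Java 8 file (the real one on the client JVM, under $JAVA_HOME/jre/lib/security/java.security, is authoritative), and the matcher is a simplified name-based approximation of JSSE's constraint logic, not its implementation. Whether this is the cause of the 2397 in the question cannot be decided from the post; the example only shows how to check.

```python
"""Check a TLS cipher suite name against a JVM's jdk.tls.disabledAlgorithms list.

Added example, not IBM MQ, JSSE or the question's code. JAVA_SECURITY_EXCERPT is
constructed to resemble a Java 8 java.security file; the matcher is a simplified,
name-based approximation of what JSSE does, not its actual implementation.
"""
import re

# Constructed excerpt; read the real file on the client JVM before drawing conclusions.
JAVA_SECURITY_EXCERPT = """\
# Algorithm restrictions for SSL/TLS processing (constructed sample)
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, DES40_CBC, RC4_40
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

PROTOCOL = re.compile(r"^(SSLv\d|TLSv[\d.]+)$")


def parse_java_security(text: str) -> dict:
    """Minimal java.security parser: key=value, '#' comments, '\\' line continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def disabled_entries(text: str) -> list:
    """The comma-separated entries of jdk.tls.disabledAlgorithms, stripped."""
    value = parse_java_security(text).get("jdk.tls.disabledAlgorithms", "")
    return [e.strip() for e in value.split(",") if e.strip()]


def suite_blocked_by(suite: str, entries: list) -> list:
    """Return the entries that disable `suite` by component name, e.g. RC4 for
    SSL_RSA_WITH_RC4_128_SHA. Entries carrying a keySize constraint depend on the
    negotiated key rather than the name, and protocol versions are not suite
    components, so both kinds are skipped here."""
    padded = "_" + re.sub(r"^(SSL|TLS)_", "", suite) + "_"
    hits = []
    for entry in entries:
        if " " in entry or PROTOCOL.match(entry):
            continue
        if f"_{entry}_" in padded:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    entries = disabled_entries(JAVA_SECURITY_EXCERPT)
    for suite in ("SSL_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256"):
        print(suite, "->", suite_blocked_by(suite, entries) or "not blocked by name")
```

If the suite the client is configured for comes back as blocked, the fix is on the client and queue manager cipher configuration (moving to a suite both sides still permit), not on MQ tracing; re-enabling RC4 by editing jdk.tls.disabledAlgorithms would reintroduce a cipher the JDK disabled for a reason.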
I'm trying to set up TheHive 4 but it fails to start, saying:
Cannot load module[Module [connectors.cortex.CortexConnector] cannot be instantiated
I looked at the modules loaded in the Java process's module list and found:
/opt/thehive/lib/org.thp.thehive-cortex-4.0.0-RC1.jar
/opt/thehive/lib/org.thp.cortex-client-4.0.0-RC1.jar
/opt/thehive/lib/org.thp.cortex-dto-4.0.0-RC1.jar
As it works with version 3 of TheHive, I looked at its loaded modules and only found:
/opt/thehive/lib/org.thehive-project.thehivecortex-3.3.0-1.jar
I've checked the connection to my Cortex server with:
curl -H 'Authorization: Bearer OBFUSCATED' http://OBFUSCATED:9001/api/analyzer
It works.
I hope someone can help because I'm completely stuck.
Thanks in advance.
Here's my application.conf:
play.http.secret.key = OBFUSCATED

# Authentication
auth {
  # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
  provider = [local]
}

# Maximum time between two requests without requesting authentication
session {
  warning = 5m
  inactivity = 1h
}

play.http.parser.maxMemoryBuffer = 1M
play.http.parser.maxDiskBuffer = 1D

# Cortex
play.modules.enabled += connectors.cortex.CortexConnector

cortex {
  "CORTEX-SERVER-ID" {
    url = "https://OBFUSCATED:9001/"
    key = "OBFUSCATED"
  }
  refreshDelay = 1 minute
  maxRetryOnError = 3
  statusCheckInterval = 1 minute
}

https.port: 9000
play.server.https.keyStore {
  path: /etc/thehive/keystore.jks
  type: JKS
  password: OBFUSCATED
}
http.port: disabled
auth.method.basic = true

db {
  provider: janusgraph
  janusgraph {
    storage {
      backend: cql
      hostname: [
        "127.0.0.1"
      ] # seed node ip addresses
      #username: "<cassandra_username>" # login to connect to database (if configured in Cassandra)
      #password: "<cassandra_password>"
      cql {
        cluster-name: thehivedb # cluster name
        keyspace: thehive # name of the keyspace
        local-datacenter: datacenter1 # name of the datacenter where TheHive runs (relevant only on multi datacenter setup)
        # replication-factor: 2 # number of replica
        read-consistency-level: ONE
        write-consistency-level: ONE
      }
    }
  }
}

storage {
  provider: hdfs
  hdfs {
    root: "hdfs://thehive1:10000" # namenode server
    location: "/thehive"
    username: thehive
  }
}
This is the solution I obtained on the TheHive GitHub project:
See the key "play.modules.enabled" in application.conf. Replace
play.modules.enabled += connectors.cortex.CortexConnector
by
play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule
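Play instantiates each class named by play.modules.enabled by reflection, so "cannot be instantiated" is the expected result when a configuration carried over from TheHive 3 names a class that no jar in the 4.x lib directory contains. An added example (not code from the question, TheHive or Play) that makes that check mechanical: it extracts the module class names from application.conf and looks for the matching .class entry in each jar. The jars here are constructed in memory with the file names listed in the question; which class lives in which jar is an assumption made for the demonstration, so run the check against the real /opt/thehive/lib.

```python
"""Check that every class named by `play.modules.enabled +=` exists in the deployed jars.

Added example; not part of the question, of TheHive or of Play. The jar contents
below are constructed stand-ins: the placement of classes in jars is assumed for
the demonstration, so run this against the actual /opt/thehive/lib directory.
"""
import io
import re
import zipfile

MODULE_LINE = re.compile(r"^\s*play\.modules\.enabled\s*\+=\s*([\w.]+)", re.MULTILINE)


def enabled_modules(conf_text: str) -> list:
    """Extract the fully qualified class names added to play.modules.enabled."""
    return MODULE_LINE.findall(conf_text)


def class_entry(fqcn: str) -> str:
    """Jar entry name for a class: dots become slashes, plus the .class suffix."""
    return fqcn.replace(".", "/") + ".class"


def jars_containing(fqcn: str, jars: dict) -> list:
    """Names of the jars (name -> bytes) whose entry list contains the class."""
    entry = class_entry(fqcn)
    hits = []
    for name, blob in jars.items():
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            if entry in zf.namelist():
                hits.append(name)
    return sorted(hits)


def check_conf(conf_text: str, jars: dict) -> dict:
    """Map each enabled module to the jars providing it; an empty list means Play
    will fail with 'cannot be instantiated' for that module."""
    return {module: jars_containing(module, jars) for module in enabled_modules(conf_text)}


def build_jar(entries: list) -> bytes:
    """Build an in-memory jar (a zip) holding empty files at the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


# Constructed: file names come from the question; the class placed in each jar is an
# assumption for this demonstration, not a statement about the real jar contents.
V4_JARS = {
    "org.thp.thehive-cortex-4.0.0-RC1.jar": build_jar([class_entry("org.thp.thehive.connector.cortex.CortexModule")]),
}
V3_JARS = {
    "org.thehive-project.thehivecortex-3.3.0-1.jar": build_jar([class_entry("connectors.cortex.CortexConnector")]),
}

# The line from the question's application.conf and the replacement from the GitHub answer.
CONF_BEFORE = "play.modules.enabled += connectors.cortex.CortexConnector\n"
CONF_AFTER = "play.modules.enabled += org.thp.thehive.connector.cortex.CortexModule\n"

if __name__ == "__main__":
    print("v4 lib, old config:", check_conf(CONF_BEFORE, V4_JARS))
    print("v4 lib, new config:", check_conf(CONF_AFTER, V4_JARS))
    print("v3 lib, old config:", check_conf(CONF_BEFORE, V3_JARS))
```

To use it on a server, replace the constructed dictionaries with `{p.name: p.read_bytes() for p in Path("/opt/thehive/lib").glob("*.jar")}` and the conf text with the real application.conf; any module that maps to an empty list is the one Play will refuse to load.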
I am stuck on an issue (SSL alert number 46):
140097325019584:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1528:SSL alert number 46
The above issue occurs when I specify crl-file in the HAProxy config.
Use case
I am using HAProxy for SSL termination. I have self-signed ca.crt, ca.pem, server.crt, server.pem and client.crt, client.key, crl.pem.
Working scenario
I generated the self-signed certificates using Certificate Generate.
HAProxy config:
global
    log 127.0.0.1 local0 debug
    tune.ssl.default-dh-param 2048

defaults
    log global

listen mqtt
    bind *:2883
    bind *:8883 ssl crt /etc/ssl/certs/server.pem verify required ca-file /etc/ssl/certs/ca.pem crl-file /etc/ssl/certs/crl.pem
    mode tcp
    option tcplog
    option clitcpka # For TCP keep-alive
    tcp-request content capture dst len 15
    timeout client 3h # By default the TCP keep-alive interval is 2 hours in the OS kernel, 'cat /proc/sys/net/ipv4/tcp_keepalive_time'
    timeout server 3h # By default the TCP keep-alive interval is 2 hours in the OS kernel
    balance leastconn
    # MQTT broker 1
    server broker_1 ray-mqtt:1883 check send-proxy-v2-ssl-cn
    # MQTT broker 2
    # server broker_2 10.255.4.102:1883 check
The above config works well with and without crl-file when I generate the certificates using Certificate Generate.
Non-working scenario
I generate all certificates using the Java Bouncy Castle library.
Client certificate generation:
public static X509Certificate generateClientCertificate(X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, KeyPair keyPair, X500Name dnName, BigInteger serialNumber) throws IOException, OperatorCreationException, CertificateException {
    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(SHA_256_WITH_RSA).setProvider("BC");
    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            issuerCertificate, // here intermedCA is the issuer authority
            serialNumber, new Date(),
            Date.from(Instant.now().plus(100, ChronoUnit.DAYS)),
            dnName, keyPair.getPublic());
    builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
    builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
    X509Certificate x509Certificate = new JcaX509CertificateConverter()
            .getCertificate(builder
                    .build(signerBuilder.build(issuerPrivateKey))); // private key of the signing authority; here it is signed by intermedCA
    return x509Certificate;
}
CRL generation:
private static X509CRL generateCrl(X509Certificate ca, PrivateKey caPrivateKey, PublicKey caPublicKey,
                                   X509Certificate... revoked) throws Exception {
    X509v2CRLBuilder builder = new X509v2CRLBuilder(
            new X500Name(ca.getSubjectDN().getName()),
            new Date()
    );
    builder.setNextUpdate(Date.from(Instant.now().plus(100000L, ChronoUnit.HOURS)));
    for (X509Certificate certificate : revoked) {
        builder.addCRLEntry(certificate.getSerialNumber(), new Date(), CRLReason.PRIVILEGE_WITHDRAWN.ordinal());
    }
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.valueOf(4)));
    // builder.addExtension(Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifier(ca.getEncoded()));
    builder.addExtension(Extension.authorityKeyIdentifier, false,
            new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(caPublicKey));
    JcaContentSignerBuilder contentSignerBuilder =
            new JcaContentSignerBuilder(SHA_256_WITH_RSA_ENCRYPTION);
    contentSignerBuilder.setProvider(BC_PROVIDER_NAME);
    X509CRLHolder crlHolder = builder.build(contentSignerBuilder.build(caPrivateKey));
    JcaX509CRLConverter converter = new JcaX509CRLConverter();
    converter.setProvider(BC_PROVIDER_NAME);
    return converter.getCRL(crlHolder);
}
Here, when I do not include crl-file in the HAProxy config, it works with the client certificates.
But when I include crl-file in the HAProxy config, it gives the alert number 46 (sslv3 alert certificate unknown) error.
I verified using openssl:
cat client3.pem | openssl verify -CAfile ca.crt
which returns OK.
Output of openssl s_client -connect haproxy:8883 -cert client3.crt -key client3.key -CAfile ca.crt:
CONNECTED(00000005)
depth=1 CN = *.ray.life
verify return:1
depth=0 CN = haproxy
verify return:1
---
Certificate chain
0 s:CN = haproxy
i:CN = *.ray.life
1 s:CN = *.ray.life
i:CN = *.ray.life
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBujCCASOgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDAoqLnJh
eS5saWZlMB4XDTIwMDEwNzExMzIyOFoXDTIwMDQxNjExMzIyOFowEjEQMA4GA1UE
AwwHaGFwcm94eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0CAq/xYcCXWl
PJgs2+DeRRO5DRK813LIiRzdoMFeKrI9X5yXeNFzc6mSAS9EdFITM/HJYSvL/XhZ
p+Hu3N2f9ZR/zD2hpTq2PP0lK3Ev6gryXpWXoJU2SbtOyLsjPmw1y/+xHUjVv5B6
V+m7b0I3RYN8blcJIkjl7Gz83GMlMucCAwEAAaMdMBswDgYDVR0PAQH/BAQDAgeA
MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAnmIG9SXICU78Dz2eGbNN2znY
OGCpt7TBDkuXthStAFAyzHxZFKqexkelnJNMg19CbWzxGrPk6lxJQ+ebCGEYZwiZ
/WB9C1fQm+07/FEKVc1TCKv0odpTGRyXno4NePnFz6MCJGfVmec0huVPMD9fAbeJ
DlcWed88CL1MdgmkKoQ=
-----END CERTIFICATE-----
subject=CN = haproxy
issuer=CN = *.ray.life
---
Acceptable client certificate CA names
CN = *.ray.life
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1440 bytes and written 1488 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
139659759231424:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1528:SSL alert number 46
Any help will be very useful for me.
You need to add the AKI and SKI extensions to the CA certificate for HAProxy to be able to validate the CRL.
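The answer above hinges on two extensions: when a CRL carries an authorityKeyIdentifier (as the Bouncy Castle code in the question adds), the verifier locates the CRL issuer by matching it against the CA certificate's subjectKeyIdentifier, so a CA certificate generated without those extensions cannot be paired with its own CRL and the client certificate is rejected. The following is an added example, not HAProxy, OpenSSL or Bouncy Castle code: a minimal DER walker that lists the extension OIDs in a certificate and reports whether the two key-identifier extensions are present. Its input is the server certificate printed by openssl s_client in the question (the only certificate on the page, and one that carries just keyUsage and basicConstraints); the same function applied to ca.crt answers the question the answer raises.

```python
"""List the X.509 v3 extensions in a certificate and report missing key identifiers.

Added example for the HAProxy/CRL thread; not HAProxy, OpenSSL or Bouncy Castle
code. SERVER_CERT_PEM is the server certificate from the question's s_client output.
"""
import base64

SKI_OID = "2.5.29.14"  # subjectKeyIdentifier
AKI_OID = "2.5.29.35"  # authorityKeyIdentifier

# Certificate as shown in the question's openssl s_client output (CN = haproxy).
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBujCCASOgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDAoqLnJh
eS5saWZlMB4XDTIwMDEwNzExMzIyOFoXDTIwMDQxNjExMzIyOFowEjEQMA4GA1UE
AwwHaGFwcm94eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0CAq/xYcCXWl
PJgs2+DeRRO5DRK813LIiRzdoMFeKrI9X5yXeNFzc6mSAS9EdFITM/HJYSvL/XhZ
p+Hu3N2f9ZR/zD2hpTq2PP0lK3Ev6gryXpWXoJU2SbtOyLsjPmw1y/+xHUjVv5B6
V+m7b0I3RYN8blcJIkjl7Gz83GMlMucCAwEAAaMdMBswDgYDVR0PAQH/BAQDAgeA
MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAnmIG9SXICU78Dz2eGbNN2znY
OGCpt7TBDkuXthStAFAyzHxZFKqexkelnJNMg19CbWzxGrPk6lxJQ+ebCGEYZwiZ
/WB9C1fQm+07/FEKVc1TCKv0odpTGRyXno4NePnFz6MCJGfVmec0huVPMD9fAbeJ
DlcWed88CL1MdgmkKoQ=
-----END CERTIFICATE-----"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body."""
    body = "".join(ln.strip() for ln in pem.splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag and length at `pos`; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, start, start + length


def children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def decode_oid(raw: bytes) -> str:
    """Dotted form of an OBJECT IDENTIFIER value (first byte packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def extension_oids(der: bytes) -> list:
    """Walk Certificate -> tbsCertificate -> [3] extensions and return each extnID."""
    _, cert_start, cert_end = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = read_tlv(der, cert_start)    # tbsCertificate ::= SEQUENCE
    oids = []
    for tag, vs, ve in children(der, tbs_start, tbs_end):
        if tag != 0xA3:                                  # [3] EXPLICIT Extensions
            continue
        _, exts_start, exts_end = read_tlv(der, vs)      # Extensions ::= SEQUENCE OF Extension
        for _, ext_start, ext_end in children(der, exts_start, exts_end):
            oid_tag, oid_start, oid_end = next(children(der, ext_start, ext_end))
            if oid_tag != 0x06:
                raise ValueError("Extension does not start with an OID")
            oids.append(decode_oid(der[oid_start:oid_end]))
    return oids


def missing_key_identifiers(der: bytes) -> list:
    """Names of the key-identifier extensions the certificate lacks."""
    present = set(extension_oids(der))
    wanted = (("subjectKeyIdentifier", SKI_OID), ("authorityKeyIdentifier", AKI_OID))
    return [name for name, oid in wanted if oid not in present]


if __name__ == "__main__":
    der = pem_to_der(SERVER_CERT_PEM)
    print("extensions:", extension_oids(der))       # 2.5.29.15 keyUsage, 2.5.29.19 basicConstraints
    print("missing:", missing_key_identifiers(der))
```

Point it at ca.crt (after `openssl x509 -in ca.crt -out ca.pem` if the file is DER) and expect an empty "missing" list once the CA generator adds subjectKeyIdentifier and authorityKeyIdentifier; the CRL generator in the question already emits the AKI that has to match.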
I am trying to use Java APNS, an open source project, to send push notifications to iPhones.
I am getting an error, though.
I have used a .pem file as the certificate. Should this have been a .p12 file? I am not sure what the difference is, but I read somewhere online that there is a difference between these file formats.
Here is the code:
ApnsService service =
    APNS.newService()
        .withCert("gpk.pem", "XXXX")
        .withSandboxDestination()
        .build();
String payload = APNS.newPayload().alertBody("Can't be simpler than this!").build();
String token = "theTokenIsRemoveHere";
service.push(token, payload);
And here is the error:
Exception in thread "main" com.notnoop.exceptions.InvalidSSLConfig: java.io.IOException: toDerInputStream rejects tag type 45
at com.notnoop.apns.internal.Utilities.newSSLContext(Utilities.java:102)
at com.notnoop.apns.ApnsServiceBuilder.withCert(ApnsServiceBuilder.java:161)
at com.notnoop.apns.ApnsServiceBuilder.withCert(ApnsServiceBuilder.java:124)
at com.geomobsters.cli.ApnsClient.main(ApnsClient.java:12)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.io.IOException: toDerInputStream rejects tag type 45
at sun.security.util.DerValue.toDerInputStream(DerValue.java:806)
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1201)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.notnoop.apns.internal.Utilities.newSSLContext(Utilities.java:87)
... 8 more
Java APNS is expecting the cert as a .p12 file.
You have to check both the private key and the certificate in your keychain,
then right-click -> "export 2 files"
and export them.
You have to give it a password; this password is what you have to type here
.withCert("gpk.pem", "XXXX")
as your XXXX.
Good luck.
EDIT:
.P12 – PKCS#12, contains certificates and private keys saved with a password
.PEM – a Base64-encoded certificate, enclosed by „-----BEGIN CERTIFICATE-----“ and „-----END CERTIFICATE-----“