Spring SAML: trusted certificate entries are not password-protected

Time: 2014-10-02 15:20:07

Tags: spring ssl spring-security x509 spring-saml

I generated the testIdp.cer file by copying the X.509 entry of the IdP I plan to connect to. Then I created the JKS file by running the following command:

keytool -importcert -alias adfssigning -keystore C:\Users\user\Desktop\samlKeystore.jks -file C:\Users\user\Desktop\testIdp.cer

When I ran it, it asked for a password, which I entered. To the question "Trust this certificate? [no]:" I answered "y". The message "Certificate was added to keystore" was displayed.

Then I configured the following details in securityContext.xml:
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="mypassword"/>
    <constructor-arg>
        <map>
            <entry key="adfssigning" value="mypassword"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="adfssigning"/>
</bean>

<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
  <property name="alias" value="adfssigning" />
  <property name="signingKey" value="adfssigning"/>     
</bean>

But when I run the application I get the following two exceptions, one at server startup and one when loading the application's home page. Can anyone tell me if I have missed anything else?

This exception occurs when starting the server:

Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:327)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.processEntityGroup(SignatureValidationFilter.java:240)
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.doFilter(SignatureValidationFilter.java:158)
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.filterMetadata(AbstractMetadataProvider.java:493)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processNonExpiredMetadata(AbstractReloadingMetadataProvider.java:395)

This exception occurs when I open the application's home page:

java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
at java.security.KeyStoreSpi.engineGetEntry(Unknown Source)
at java.security.KeyStore.getEntry(Unknown Source)
at org.opensaml.xml.security.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:132)

5 answers:

Answer 0 (score: 9)

Your .cer certificate contains only the public key; you cannot define <entry key="adfssigning" value="mypassword"/> for a public key, it is only meant for private keys. Simply remove the adfssigning entry and make sure you include a private key, as in the Spring SAML sample application.

A SAML keystore can contain two basic types of keys: public keys and private keys (plus their certificates). Each key has an alias that is used to refer to it. The keystore itself can be protected by a password (supplied in the second constructor argument), and in addition each private key can be protected by its own password (these are defined in the alias -> password map in the third constructor argument). You must not define public keys imported into the keystore (as you did with the command above) in this map. They become available automatically after import, without any further declaration. For Spring SAML to work, the keystore must contain at least one private key (the sample application contains a private key with alias apollo), and its alias needs to be supplied in the third constructor argument.

The example above fails because you imported a public key but included it in the map, which can only be used for private keys.

Answer 1 (score: 7)

Vladimír correctly answered why the error happens. In my answer I want to show how you can import the certificate into the keystore to solve the problem:

You have to import the certificate's private key, which cannot be done directly with keytool.

A detailed description of the solution can be found here: https://stackoverflow.com/a/8224863/1909531

Here is an excerpt:


Answer 2 (score: 2)

This error also occurs if there is no private key in your keystore. SAML uses the private key to generate the service provider metadata used to communicate with the IdP. Just add one to the keystore like this:

keytool -genkey -v -keystore some_key_store.jks -alias some_alias -keyalg RSA -keysize 2048 -validity 36500

Answer the questions and set the validity to an appropriate number of days (in my case it is valid for 100 years). Remember to add the public certificate from the IdP as well. Then you should be ready to go.
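As an added example (not the question's or Spring SAML's own code), the following Java program replays the KeyStore.getEntry(alias, password) call that fails in the question's stack trace for every alias in a JKS file, so both the misconfigured trusted-certificate entry described in answer 0 and the missing private key described in answer 2 show up before the application is started. It assumes the keystore path and store password are given on the command line (for instance the samlKeystore.jks from the question) and Java 9 or newer for Map.of.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableEntryException;
import java.util.*;
// Added example, not Spring SAML code: replays the KeyStore.getEntry(alias, password)
// call from the question's stack trace for every alias and reports what is wrong.
public class KeystoreEntryCheck {
    // `passwords` is the alias -> password map passed as JKSKeyManager's third
    // constructor argument. Returns one human-readable finding per alias.
    public static List<String> check(KeyStore ks, Map<String, String> passwords) throws Exception {
        List<String> findings = new ArrayList<>();
        boolean privateKeyFound = false;
        for (String alias : Collections.list(ks.aliases())) {
            String pw = passwords.get(alias);
            KeyStore.ProtectionParameter prot =
                pw == null ? null : new KeyStore.PasswordProtection(pw.toCharArray());
            try {
                KeyStore.Entry entry = ks.getEntry(alias, prot);
                if (entry instanceof KeyStore.TrustedCertificateEntry) {
                    // An imported IdP .cer lands here: public key only, no password.
                    findings.add(alias + ": trusted certificate entry, keep it out of the map");
                } else if (entry instanceof KeyStore.PrivateKeyEntry) {
                    privateKeyFound = true;
                    findings.add(alias + ": private key entry, map password is correct");
                }
            } catch (UnsupportedOperationException ex) {
                // The question's failure: a password supplied for a trusted cert entry.
                findings.add(alias + ": " + ex.getMessage() + " -> remove it from the map");
            } catch (UnrecoverableEntryException ex) {
                // Key entry whose password is missing from the map or wrong.
                findings.add(alias + ": key entry, password missing or wrong");
            }
        }
        if (!privateKeyFound) {
            findings.add("no private key entry; Spring SAML needs one (see keytool -genkey in answer 2)");
        }
        return findings;
    }
    // Usage: java KeystoreEntryCheck samlKeystore.jks mypassword
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // The map from the question's securityContext.xml, which triggers the error.
        check(ks, Map.of("adfssigning", "mypassword")).forEach(System.out::println);
    }
}
```

Run it against the keystore built with the keytool command from the question and the adfssigning line reports the exact "trusted certificate entries are not password-protected" message; after the entry is dropped from the map, only the missing private key remains to be fixed.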

Answer 3 (score: 0)

Get the public certificate with the openssl command:

openssl s_client -showcerts -connect iam-sso.google.net:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem

Import it into the keystore:

keytool -import -alias "new-qet-alias" -keystore /usr/share/tomcat8/webapps/ROOT/WEB-INF/classes/saml/samlKeystore.jks -file mycertfile.pem

Answer 4 (score: 0)

For those looking for the answer in Java configuration, comment out the line passwords.put("mykeyalias", "mystorepass"); .... as shown in the code snippet below.
