尝试通过OpenAM初始化SSO时,出现以下错误:
HTTP Status 400 - Error processing AuthnRequest. null
The request sent by the client was syntactically incorrect (Error processing AuthnRequest. null).
日志链接到方法AMKeyProvider.getPrivateKey
,(NullPointerException),所以我知道无法读取私钥。
但是,我是OpenAM / SAML的新手,不知道在哪里/如何解决这个问题。
这是完整的堆栈跟踪:
libSAML2:10/17/2014 12:06:41:247 PM CEST: Thread[http-bio-8443-exec-8,5,main]
ERROR: Error processing Request
java.lang.NullPointerException
at org.forgerock.openam.utils.AMKeyProvider.getPrivateKey(AMKeyProvider.java:269)
at com.sun.identity.saml.xmlsig.JKSKeyProvider.getPrivateKey(JKSKeyProvider.java:112)
at com.sun.identity.saml2.profile.SPSSOFederate.signQueryString(SPSSOFederate.java:1125)
at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:346)
at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:146)
at org.apache.jsp.saml2.jsp.spSSOInit_jsp._jspService(spSSOInit_jsp.java:149)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:98)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
答案 0 :(得分:1)
您可以查看
http://docs.forgerock.org/en/openam/11.0.0/admin-guide/index.html#set-up-federation
您必须配置一个特定的SAML密钥库。
答案 1 :(得分:1)
异常指向: org.forgerock.openam.utils.AMKeyProvider.getPrivateKey(AMKeyProvider.java:269)
方法getPrivateKey
如下所示:
public java.security.PrivateKey getPrivateKey (String certAlias) {
java.security.PrivateKey key = null;
try {
key = (PrivateKey) ks.getKey(certAlias,
privateKeyPass.toCharArray());
} catch (KeyStoreException e) {
logger.error(e.getMessage());
} catch (NoSuchAlgorithmException e) {
logger.error(e.getMessage());
} catch (UnrecoverableKeyException e) {
logger.error(e.getMessage());
}
return key;
}
因此,在预期路径上根本没有密钥库,密钥库中没有相应别名的有效密钥,或密钥库和/或密钥密码错误。
密钥库路径(以及包含加密密码的文件的路径)可以在配置 - 服务器下的openAM管理Web UI中看到和网站 - myServerName - 安全,通常为:
%BASE_DIR%/%SERVER_URI%/keystore.jks
,其中%BASE_DIR%
配置在配置 - 服务器和网站 - myServerName - 常规下。