OpenAM: Error processing AuthnRequest. null

Time: 2014-10-17 10:31:05

Tags: saml-2.0 openam

When trying to initiate SSO through OpenAM, I get the following error:

HTTP Status 400 - Error processing AuthnRequest. null
The request sent by the client was syntactically incorrect (Error processing AuthnRequest. null).

The log points to the method AMKeyProvider.getPrivateKey (NullPointerException), so I know the private key cannot be read. However, I am new to OpenAM / SAML and don't know where or how to fix this.

Here is the full stack trace:

 libSAML2:10/17/2014 12:06:41:247 PM CEST: Thread[http-bio-8443-exec-8,5,main]
ERROR: Error processing Request 
java.lang.NullPointerException
    at org.forgerock.openam.utils.AMKeyProvider.getPrivateKey(AMKeyProvider.java:269)
    at com.sun.identity.saml.xmlsig.JKSKeyProvider.getPrivateKey(JKSKeyProvider.java:112)
    at com.sun.identity.saml2.profile.SPSSOFederate.signQueryString(SPSSOFederate.java:1125)
    at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:346)
    at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:146)
    at org.apache.jsp.saml2.jsp.spSSOInit_jsp._jspService(spSSOInit_jsp.java:149)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:98)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

2 answers:

Answer 0 (score: 1)

You can take a look at

http://docs.forgerock.org/en/openam/11.0.0/admin-guide/index.html#set-up-federation

You have to configure a specific SAML keystore.

Answer 1 (score: 1)

The exception points to: org.forgerock.openam.utils.AMKeyProvider.getPrivateKey(AMKeyProvider.java:269)

The method getPrivateKey looks like this:

    public java.security.PrivateKey getPrivateKey (String certAlias) {
        java.security.PrivateKey key = null;
        try {
            // ks is the JKS keystore loaded from the configured path;
            // privateKeyPass is the (decrypted) key password.
            // KeyStore.getKey returns null when the alias does not exist.
            key = (PrivateKey) ks.getKey(certAlias,
                    privateKeyPass.toCharArray());
        } catch (KeyStoreException e) {
            logger.error(e.getMessage());
        } catch (NoSuchAlgorithmException e) {
            logger.error(e.getMessage());
        } catch (UnrecoverableKeyException e) {
            // wrong key password ends up here
            logger.error(e.getMessage());
        }
        return key;
    }

So either there is no keystore at the expected path at all, there is no valid key under the corresponding alias in the keystore, or the keystore and/or key password is wrong.

The keystore path (as well as the paths of the files containing the encrypted passwords) can be seen in the OpenAM admin web UI under Configuration - Servers and Sites - myServerName - Security, and is usually:

%BASE_DIR%/%SERVER_URI%/keystore.jks

where %BASE_DIR% is configured under Configuration - Servers and Sites - myServerName - General.
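The three failure modes named in this answer can be told apart before touching OpenAM at all. The following diagnostic is an added example, not code from the answer or from OpenAM: it walks the same JKS lookups that AMKeyProvider.getPrivateKey relies on (file present, store password accepted, alias present as a key entry, key password accepted) and reports the first one that fails. It assumes the store and key passwords are supplied in plaintext on the command line, because the .storepass/.keypass files the answer mentions hold encrypted values and cannot be fed to it directly; the class name, the Result enum and the argument order are this example's own.

```java
// Added diagnostic, not OpenAM code: walks the same JKS lookups that
// AMKeyProvider.getPrivateKey relies on and names the first one that fails.
// Assumes the store and key passwords are passed in plaintext on the command
// line (OpenAM's .storepass/.keypass files hold encrypted values and cannot be
// used directly here).
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;

public class KeystoreCheck {

    /** One value per failure mode the answer lists, plus OK. */
    enum Result {
        OK, KEYSTORE_UNREADABLE, STORE_PASSWORD_WRONG, ALIAS_MISSING,
        NOT_A_PRIVATE_KEY, KEY_PASSWORD_WRONG
    }

    static Result check(Path keystore, char[] storePass, String alias, char[] keyPass) {
        // 1. Is there a keystore file at the configured path at all?
        if (!Files.isReadable(keystore)) {
            return Result.KEYSTORE_UNREADABLE;
        }

        // 2. Can it be opened with the store password?
        KeyStore ks;
        try (InputStream in = Files.newInputStream(keystore)) {
            ks = KeyStore.getInstance("JKS");
            ks.load(in, storePass);
        } catch (IOException e) {
            // JKS reports a wrong store password as an IOException whose cause
            // is UnrecoverableKeyException; anything else is a file problem.
            return (e.getCause() instanceof UnrecoverableKeyException)
                    ? Result.STORE_PASSWORD_WRONG
                    : Result.KEYSTORE_UNREADABLE;
        } catch (GeneralSecurityException e) {
            return Result.KEYSTORE_UNREADABLE;
        }

        // 3. Does the alias exist, is it a key entry, and does the key password open it?
        try {
            if (!ks.containsAlias(alias)) {
                // KeyStore.getKey would return null here, which is exactly the
                // null that AMKeyProvider.getPrivateKey hands back to its caller.
                return Result.ALIAS_MISSING;
            }
            if (!ks.isKeyEntry(alias)) {
                // A trusted-certificate entry carries no private key.
                return Result.NOT_A_PRIVATE_KEY;
            }
            Key key = ks.getKey(alias, keyPass);
            return (key instanceof PrivateKey) ? Result.OK : Result.NOT_A_PRIVATE_KEY;
        } catch (UnrecoverableKeyException e) {
            return Result.KEY_PASSWORD_WRONG;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("unexpected keystore failure", e);
        }
    }

    public static void main(String[] args) {
        if (args.length != 4) {
            System.err.println("usage: KeystoreCheck <keystore.jks> <storepass> <keypass> <alias>");
            System.exit(2);
        }
        Result r = check(Paths.get(args[0]), args[1].toCharArray(), args[3], args[2].toCharArray());
        System.out.println(args[3] + " in " + args[0] + ": " + r);
        System.exit(r == Result.OK ? 0 : 1);
    }
}
```

Run it against the %BASE_DIR%/%SERVER_URI%/keystore.jks path from the Security page, with the alias that the SP entity's signing settings reference. ALIAS_MISSING and NOT_A_PRIVATE_KEY are the cases in which getPrivateKey returns null and signQueryString then throws the NullPointerException from the question; STORE_PASSWORD_WRONG and KEY_PASSWORD_WRONG point at the encrypted password files instead of the keystore contents.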