SAML错误:不受信任的凭据的PKIX路径构建失败

时间:2016-12-06 09:16:33

标签: spring-saml

我已在我的系统中集成了SAML 2.0,而我正在像IDP一样使用文件http://idp.ssocircle.com/idp-meta.xml。 上周我的应用程序工作正常,但从昨天(2016年12月5日)起,我在配置文件中没有做任何修改时出错。

The error is: 
2016-12-06 10:00:07 ERROR: PKIX path construction failed for untrusted credential: [subjectName='CN=idp.ssocircle.com' |credential entityID='https://idp.ssocircle.com']: unable to find valid certification path to requested target
2016-12-06 10:00:07 INFO : I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request: SSL peer failed hostname validation for name: null
2016-12-06 10:00:07 INFO : Retrying request

我的metada bean是:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
    <list>
        <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
            <constructor-arg>
                <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
            </constructor-arg>
            <constructor-arg>
                <value type="int">5000</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
            <constructor-arg>
                <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                    <constructor-arg>
                             <value type="java.io.File">WEB-INF/saml/sp_sg.xml</value>
                       </constructor-arg>
                    <property name="parserPool" ref="parserPool"/>
                </bean>
            </constructor-arg>
            <constructor-arg>
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="local" value="true"/>
                    <property name="securityProfile" value="metaiop"/>
                    <property name="sslSecurityProfile" value="pkix"/>
                    <property name="signMetadata" value="true"/>
                    <property name="signingKey" value="apollo"/>
                    <property name="encryptionKey" value="apollo"/>
                    <property name="requireArtifactResolveSigned" value="false"/>
                    <property name="requireLogoutRequestSigned" value="false"/>
                    <property name="requireLogoutResponseSigned" value="false"/>
                    <property name="idpDiscoveryEnabled" value="false"/>
                    <property name="idpDiscoveryURL" value="http://localhost:8080/portal_report_sg/saml/discovery"/>
                    <property name="idpDiscoveryResponseURL" value="http://localhost:8080/portal_report_sg/saml/login?disco=true"/>
                </bean>
            </constructor-arg>
         </bean>
    </list>
</constructor-arg>
    <property name="hostedSPName" value="http://88.161.49.14/sg1"/> 

感谢您的帮助。

1 个答案:

答案 0 :(得分:2)

SSOCircle上使用的根CA证书昨天发生了变化。这可能表现在工件解析期间,当Spring SAML需要通过HTTPS进行调用时。

certification authority's website下载证书,将其存储在文件中(例如,采用PEM格式的ca.cer)并导入到Spring SAML的密钥库:

 keytool -importcert -alias identtrustca -file ca.cer -keystore samlKeystore.jks

证书示例:

    -----BEGIN CERTIFICATE-----
    MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
    PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
    Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
    rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
    OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
    xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
    7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
    aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
    HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
    SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
    ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
    AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
    R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
    JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
    Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    -----END CERTIFICATE-----

Spring SAML不使用Java默认密钥库中的可信CA,以便更好地控制哪些证书颁发机构受信任。