0 Replies Latest reply on Feb 3, 2017 4:52 AM by mike Houghton

    Tomcat IdP and SSL

    mike Houghton Newbie

      I have setup two simple picketlink based apps on Tomcat 7. I have an identity provider (IdP) and a service provider (SP). It is used  by accessing the SP which communicates with the IdP which provides login againt a local db, it then goes back to the SP that confirms login and offers a logout button. I see SAML messages all the way and it works fine.

      However this is using HTTP.

       

      I need to use HTTPS and SSL.

       

      So I followed the instructions on https://github.com/picketlink2/picketlink-quickstarts/tree/master/saml/idp-ssl that describe the use of keytool to create keystores, truststores and certificates.

      Unfortunately the instuctions do not have details of how to configure Tomcat with the various stores and certificates. I've spent a couple of days getting nowhere! Here is part of my Tomcat server.xml

       

      <Connector  SSLEnabled="true"

                      acceptCount="100"

                      clientAuth="want"

                      disableUploadTimeout="true"

                      enableLookups="false"

                      maxThreads="25"

                      port="8443"

                      keystoreFile= "conf/server.keystore"

                      keystorePass="change_it"

       

                      truststoreFile="conf/client.keystore"

                      truststorePass="change_it"

                      protocol="org.apache.coyote.http11.Http11NioProtocol"

                      scheme="https"

                      secure="true" sslProtocol="TLS" />

       

      This is part of the debug log

       

      ------------------

      Padded plaintext after DECRYPTION:  len = 7

      0000: 0B 00 00 03 00 00 00                               .......

      *** Certificate chain

      <Empty>

      ***

      http-nio-8443-exec-2, fatal error: 42: null cert chain

      javax.net.ssl.SSLHandshakeException: null cert chain

      %% Invalidated:  [Session-10, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

      %% Invalidated:  [Session-12, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

      http-nio-8443-exec-2, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate

       

       

      and here is the  browser message

      ------------------

      This site can’t provide a secure connection

       

      127.0.0.1 didn’t accept your login certificate, or one may not have been provided.

      Try contacting the system admin.

      ERR_BAD_SSL_CLIENT_AUTH_CERT

      ------------------

       

      I'm using Tomcat 7.0.75, Java 1.8.0_102 and Picket link 2.7.1.Final. Running lcoally on  OS X El Capitan 10.11.6

       

      Can any please help with what is probably a minor config issue and something I can't see for having looked too long!

       

      Many Thanks