1. 首頁
  2. 問答
  3. SAML錯誤:對於不受信任的憑據,PKIX路徑構造失敗

SAML錯誤:對於不受信任的憑據,PKIX路徑構造失敗

2016-12-06 48 views
1

我在系統中集成了SAML 2.0,我正在使用像IDP文件http://idp.ssocircle.com/idp-meta.xml。 上週我的應用程序工作正常,但自昨天(2016年12月5日)以來,我的錯誤沒有在配置文件中做任何修改。SAML錯誤:對於不受信任的憑據,PKIX路徑構造失敗

The error is: 
2016-12-06 10:00:07 ERROR: PKIX path construction failed for untrusted credential: [subjectName='CN=idp.ssocircle.com' |credential entityID='https://idp.ssocircle.com']: unable to find valid certification path to requested target 
2016-12-06 10:00:07 INFO : I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request: SSL peer failed hostname validation for name: null 
2016-12-06 10:00:07 INFO : Retrying request

我metada bean是:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager"> 
<constructor-arg> 
    <list> 
     <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider"> 
      <constructor-arg> 
       <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value> 
      </constructor-arg> 
      <constructor-arg> 
       <value type="int">5000</value> 
      </constructor-arg> 
      <property name="parserPool" ref="parserPool"/> 
     </bean> 
     <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate"> 
      <constructor-arg> 
       <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider"> 
        <constructor-arg> 
          <value type="java.io.File">WEB-INF/saml/sp_sg.xml</value> 
         </constructor-arg> 
        <property name="parserPool" ref="parserPool"/> 
       </bean> 
      </constructor-arg> 
      <constructor-arg> 
       <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> 
        <property name="local" value="true"/> 
        <property name="securityProfile" value="metaiop"/> 
        <property name="sslSecurityProfile" value="pkix"/> 
        <property name="signMetadata" value="true"/> 
        <property name="signingKey" value="apollo"/> 
        <property name="encryptionKey" value="apollo"/> 
        <property name="requireArtifactResolveSigned" value="false"/> 
        <property name="requireLogoutRequestSigned" value="false"/> 
        <property name="requireLogoutResponseSigned" value="false"/> 
        <property name="idpDiscoveryEnabled" value="false"/> 
        <property name="idpDiscoveryURL" value="http://localhost:8080/portal_report_sg/saml/discovery"/> 
        <property name="idpDiscoveryResponseURL" value="http://localhost:8080/portal_report_sg/saml/login?disco=true"/> 
       </bean> 
      </constructor-arg> 
     </bean> 
    </list> 
</constructor-arg> 
    <property name="hostedSPName" value="http://88.161.49.14/sg1"/>

感謝您的幫助。

來源

2016-12-06 mkaayn

回答

2

昨天,SSOCircle上使用的根CA證書發生了變化。這可能體現在工件解析期間,當時,Spring SAML需要通過HTTPS進行調用。

certification authority's website下載證書,它存儲在文件(例如,ca.cer PEM格式),並導入到春天SAML的密鑰庫:

keytool -importcert -alias identtrustca -file ca.cer -keystore samlKeystore.jks

證書例如:

-----BEGIN CERTIFICATE----- 
    MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ 
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT 
    DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow 
    PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD 
    Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB 
    AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O 
    rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq 
    OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b 
    xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 
    7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD 
    aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV 
    HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG 
    SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 
    ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr 
    AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz 
    R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 
    JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo 
    Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ 
    -----END CERTIFICATE-----

春天SAML不使用Java默認密鑰庫中的可信CA來更好地控制哪些認證機構可信。

來源

2016-12-06 09:40:07

+0

感謝您的回覆。我試圖導入到密鑰庫,但我有一個錯誤:響應的公鑰和密鑰庫不相同。 法語:'erreur keytool:java.lang.Exception:Lescléspubliques de laréponseet du keystore ne concordent pas' – mkaayn

+0

對於正確的PEM格式可能是挑剔的 - 我更新了上述內容。 –

+0

It works.Thank you very much。 – mkaayn

相關問題

 相關問題