IdP deployment troubles about SSL-v3 keyUsages of IdP x509 certificate...

FUGAGNOLI Bertrand - Contractor bertrand.fugagnoli at external.thalesgroup.com
Tue Aug 28 10:31:15 EDT 2012


Hi,

I would like to know more about the Shibboleth IdP certificate and SSL-v3 keyUsages...

Question: what are the specs for the Shibboleth IdP x509 certificate SSL-v3 KeyUsage extension?



For historical reasons, I use Shibboleth IdP v2.3.6 and OpenDJ v2.4.4 as the LDAP server, and I need to connect the IdP to the LDAP server with LDAPS.

If I try to deploy the IdP servlet on Tomcat 6 with an IdP x509 certificate with the following extension: keyUsage=critical, digitalSignature

that makes the IdP servlet's deployment fail, as follows:


17:44:32.997 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service shibboleth.AttributeResolver
...
17:44:33.146 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing configuration for AttributeDefinition plugin with ID: role
17:44:33.168 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing configuration for AttributeDefinition plugin with ID: identite
17:44:33.168 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing configuration for AttributeDefinition plugin with ID: idajuste
...
17:44:33.633 - ERROR [edu.vt.middleware.ldap.pool.DefaultLdapFactory:109] - unabled to connect to the ldap
javax.naming.CommunicationException: simple bind failed: myldaps_server.mydomain:636
      at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197) ~[na:1.6.0_26]
      ...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow key encipherment
      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) ~[na:1.6]
      ... 82 common frames omitted
Caused by: sun.security.validator.ValidatorException: KeyUsage does not allow key encipherment
      ...
      at edu.vt.middleware.ldap.ssl.AggregateTrustManager.checkServerTrusted(AggregateTrustManager.java:77) ~[vt-ldap-3.3.5.jar:na]
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1198) ~[na:1.6]
      ... 94 common frames omitted
      ...
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) [bootstrap.jar:6.0.28]
18:04:24.114 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.  The root cause of this error was: edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: Unable to retrieve LDAP connection

I have no problem deploying the IdP servlet on Tomcat 6 if my IdP x509 certificate has the SSLv3 keyUsage extensions: keyUsage=critical, digitalSignature, keyEncipherment

So is there any way to use Shibboleth IdP without keyEncipherment as a keyUsage?
Do you think the problem is with the LDAP server or with Shibboleth IdP?

Thanks for your response, best regards,

Bertrand FUGAGNOLI
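An added illustration, not part of this mail and not Shibboleth or vt-ldap code: the stack trace above shows the JSSE client side (vt-ldap's AggregateTrustManager.checkServerTrusted) rejecting the certificate presented by the LDAPS server, because the RSA key-exchange cipher suite that was negotiated requires the keyEncipherment bit in the server certificate's KeyUsage extension, while digitalSignature alone only covers suites where the certificate key signs an ephemeral (EC)DH exchange. The script below decodes a KeyUsage extension from its DER encoding and reports which TLS key-exchange families a server certificate with those bits can serve. The two extension byte strings are constructed samples that encode the two keyUsage lines quoted in the mail; they are not bytes from the poster's certificate.

```python
"""Decode an X.509 KeyUsage extension (RFC 5280, OID 2.5.29.15) from DER and
map the bits to the TLS server key-exchange families they permit.
Added example; the DER samples below are constructed, not real certificates."""

KEY_USAGE_OID = "2.5.29.15"

# RFC 5280 KeyUsage bit names; list index == bit position in the BIT STRING
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Constructed sample: Extension { 2.5.29.15, critical TRUE, BIT STRING 0x80 }
# -> keyUsage=critical, digitalSignature (bit 0 set, 7 unused bits)
SIGN_ONLY_EXT = bytes.fromhex("300e0603551d0f0101ff040403020780")
# Constructed sample: BIT STRING 0xA0 -> digitalSignature + keyEncipherment
SIGN_AND_ENCIPHER_EXT = bytes.fromhex("300e0603551d0f0101ff0404030205a0")


def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                     # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_key_usage_extension(ext_der):
    """Parse Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  Returns (critical, set_of_usage_names)."""
    tag, seq, _ = read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(seq)
    if tag != 0x06 or decode_oid(oid) != KEY_USAGE_OID:
        raise ValueError("not a KeyUsage extension")
    critical = False
    tag, val, pos = read_tlv(seq, pos)
    if tag == 0x01:                         # optional BOOLEAN critical
        critical = val != b"\x00"
        tag, val, pos = read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bits, _ = read_tlv(val)            # the OCTET STRING wraps a BIT STRING
    if tag != 0x03:
        raise ValueError("KeyUsage value must be a BIT STRING")
    unused = bits[0]                        # first byte: count of unused trailing bits
    total_bits = (len(bits) - 1) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = bits[1 + i // 8], 7 - (i % 8)   # bit 0 is the MSB of the first byte
        if (byte >> bit) & 1:
            usages.add(KEY_USAGE_BITS[i])
    return critical, usages


def tls_server_key_exchange_support(usages):
    """Map KeyUsage bits to the server key-exchange families a TLS end-entity
    check (JSSE style) will accept for a certificate carrying those bits."""
    return {
        "RSA key transport (TLS_RSA_*)": "keyEncipherment" in usages,
        "(EC)DHE signed with the cert key (TLS_DHE_RSA_*, TLS_ECDHE_*)": "digitalSignature" in usages,
        "static (EC)DH (TLS_DH_*, TLS_ECDH_*)": "keyAgreement" in usages,
    }


if __name__ == "__main__":
    for label, ext in (("digitalSignature only", SIGN_ONLY_EXT),
                       ("digitalSignature + keyEncipherment", SIGN_AND_ENCIPHER_EXT)):
        critical, usages = decode_key_usage_extension(ext)
        print(f"{label}: critical={critical}, bits={sorted(usages)}")
        for family, ok in tls_server_key_exchange_support(usages).items():
            print(f"  {'OK ' if ok else 'NO '} {family}")
```

Running it shows that the sign-only extension refuses every TLS_RSA_* suite, which is exactly the "KeyUsage does not allow key encipherment" condition in the trace, while the second sample satisfies both RSA key transport and the signed ephemeral suites. To inspect a live server's certificate the same decoder can be pointed at the KeyUsage extension pulled from the DER you fetch with your LDAPS client of choice.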