Jetty Keystore Trouble with jetty-base provided in Shibboleth 3

McKean, Brandon Scott - mckeanbs mckeanbs at jmu.edu
Tue Jul 14 09:28:10 EDT 2015


Hi Everyone,

I've been working to convert one of our existing Shibboleth v2
installations to v3. Part of the process is to stop fronting the web
container with Apache and instead use the container itself.

Accordingly, I have keys, X509 certs, etc for the existing
configuration that have worked fine in Apache, but I'm having a
difficult time getting them to work with Jetty using the jetty-base
that ships with Shibboleth 3. I was hoping to avoid using a keystore
and just use them directly, but from what I can tell this isn't
possible. (Please correct me if I'm wrong here.)

From what I've gathered, as the keys and certs are separate files, I
need to convert them to PKCS12. I've done so based on the example
from Jetty's documentation:

http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#loading-keys-and-certificates-via-pkcks12

cat cert.crt intermediate-reverse.crt > cert-chain.txt
openssl pkcs12 -export -inkey example.key -in cert-chain.txt -out example.pkcs12

The InCommon intermediates we get have the root CA included within, and
I reversed it from the original so the order within
intermediate-reverse.crt is intermediate -> root CA, as they specify is
needed.

Then I use keytool like this:
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

And then I edit jetty-base/start.d/idp.ini to have the
jetty.browser.keystore.path point to the absolute location of the
certificate, in JKS format, and then I set the password and the
keystore type to JKS.

Then when I start Jetty up, invariably, I get complaints about the
keystore format being invalid. I have also tried using keytool to
output PKCS12 (and setting the format and filename accordingly in
idp.ini) and using keytool to list out the keystore, which succeeds. As
a troubleshooting step I've deliberately put in the wrong password for
the keystore to see if it's any different, and it responds by saying
the password is wrong, so it obviously can read it in some capacity; it
just never accepts it as valid.

Am I on the right track for this? I know this is more Jetty related
than Shibboleth, but I'm at a loss as to what to try next.

Thanks for any help you guys could render on this, I spent the better
part of yesterday trying to work this out and haven't been successful
thus far.
-- 
Brandon McKean
IT / Systems
Linux Administrator
(540)568-4235
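An added example, not from Brandon's post and not code from the Shibboleth or Jetty projects: the PKCS12 build and JKS import described in the post, scripted end to end. So that it runs offline it first generates a throwaway root -> intermediate -> leaf chain; in real use those files are your own key, your leaf cert and the InCommon intermediate and root. The hostname idp.example.org, the alias idp and the password changeit are assumptions for the demo. The chain file is assembled in the order the post describes (leaf, then intermediate, then root), and the two checks at the end mirror the post's own troubleshooting: does the right password open the file, and does the wrong one get rejected.

```shell
#!/bin/sh
# Added example (not part of the original post). Builds a PKCS12 from a PEM
# private key plus a leaf/intermediate/root chain, then imports it into a
# JKS the way the post's keytool command does. Requires openssl; the JKS
# step is skipped when keytool is not installed. All names and the
# password "changeit" are demo assumptions.

# Generate a demo chain in $1 so the script runs offline. In production
# these files come from your CA (for the post: the InCommon intermediate
# and root), so this function is the part you drop.
make_demo_chain() {
    dir=$1
    printf 'basicConstraints=CA:TRUE\n' > "$dir/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/int.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
        -out "$dir/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=idp.example.org" \
        -keyout "$dir/idp.key" -out "$dir/idp.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/idp.csr" -CA "$dir/int.crt" \
        -CAkey "$dir/int.key" -CAcreateserial -out "$dir/idp.crt" 2>/dev/null
    # Order matters: the leaf first, then the intermediate, then the root.
    cat "$dir/idp.crt" "$dir/int.crt" "$dir/root.crt" > "$dir/cert-chain.txt"
}

# Same shape as the post's openssl command: key + concatenated chain -> PKCS12.
# openssl puts the cert matching the key in the key's bag and carries the
# remaining certs from the chain file along as CA certs.
build_pkcs12() {
    key=$1; chain=$2; out=$3; pass=$4
    openssl pkcs12 -export -name idp -inkey "$key" -in "$chain" \
        -out "$out" -passout "pass:$pass"
}

# Exit 0 only if the MAC verifies under this password (i.e. the file parses).
pkcs12_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Number of certificates carried in the PKCS12; the full chain should be 3 here.
pkcs12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# The post's keytool step, with passwords and -noprompt so it runs unattended,
# followed by the same keytool -list check the post describes.
import_to_jks() {
    p12=$1; jks=$2; pass=$3
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; skipping JKS import" >&2
        return 0
    fi
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$pass" -destkeystore "$jks" -deststoretype JKS \
        -deststorepass "$pass" -destkeypass "$pass" -noprompt >/dev/null 2>&1
    keytool -list -keystore "$jks" -storetype JKS -storepass "$pass" >/dev/null 2>&1
}

# Run the whole procedure in a fresh temp dir and print that dir's path.
demo_build_pkcs12() {
    work=$(mktemp -d)
    pass=changeit
    make_demo_chain "$work" >/dev/null
    # Sanity check the chain before packaging it, so a bad chain is caught here
    # rather than as an opaque keystore complaint from Jetty.
    openssl verify -CAfile "$work/root.crt" -untrusted "$work/int.crt" "$work/idp.crt" >/dev/null
    build_pkcs12 "$work/idp.key" "$work/cert-chain.txt" "$work/idp.p12" "$pass"
    import_to_jks "$work/idp.p12" "$work/keystore.jks" "$pass"
    echo "$work"
}

work=$(demo_build_pkcs12)
echo "built $work/idp.p12 with $(pkcs12_cert_count "$work/idp.p12" changeit) certificates"
rm -rf "$work"
```

The resulting keystore.jks (or idp.p12, if you skip the keytool step and set the type to PKCS12) is the file the post's jetty.browser.keystore.path property points at, with the same password given in idp.ini. One caveat for anyone following this recipe today rather than in 2015: OpenSSL 3 writes PKCS12 files with PBES2/AES-256 and SHA-256 MAC by default, which older JDKs cannot parse and report as an invalid keystore; adding -legacy to the openssl pkcs12 -export command (OpenSSL 3 only) produces the older encoding that every JDK reads.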