Jetty Keystore Trouble with jetty-base provided in Shibboleth 3

McKean, Brandon Scott - mckeanbs mckeanbs at jmu.edu
Tue Jul 14 11:25:27 EDT 2015


Hey Scott, Rod,
This is ultimately for the browser-facing port, 443. However, I'm using
8443 and then having iptables redirect 443 to 8443.
I've used openssl as outlined, without keytool involved in the
equation. 
The command looked like:
openssl pkcs12 -export -out itfederation_jmu_edu.p12 -inkey keyfile.key -in intermediatecertandroot.crt -certfile cert.crt
When I plug this into the Jetty configuration and make sure the format
is set to PKCS12, this is the error I get:
tail -f 2015_07_14.stderrout.log 
11:07:25,464 |-INFO in
ch.qos.logback.classic.joran.action.ConfigurationAction - debug
attribute not set
11:07:25,476 |-INFO in ch.qos.logback.core.joran.action.AppenderAction 
- About to instantiate appender of type
[ch.qos.logback.core.ConsoleAppender]
11:07:25,483 |-INFO in ch.qos.logback.core.joran.action.AppenderAction 
- Naming appender as [STDOUT]
11:07:25,602 |-INFO in
ch.qos.logback.classic.joran.action.RootLoggerAction - Setting level of
ROOT logger to WARN
11:07:25,602 |-INFO in
ch.qos.logback.core.joran.action.AppenderRefAction - Attaching appender
named [STDOUT] to Logger[ROOT]
11:07:25,602 |-INFO in
ch.qos.logback.classic.joran.action.ConfigurationAction - End of
configuration.
11:07:25,603 |-INFO in 
ch.qos.logback.classic.joran.JoranConfigurator at 4550bb58 - Registering
current configuration as safe fallback point
SLF4J: Actual binding is of type
[ch.qos.logback.classic.util.ContextSelectorStaticBinder]
2015-07-14 11:07:25.606:INFO:/idp:main: Initializing Spring root
WebApplicationContext
2015-07-14 11:07:32.666:INFO:/idp:main: Initializing Spring
FrameworkServlet 'idp'
2015-07-14 11:07:33.701:INFO:oejsh.ContextHandler:main: Started
o.e.j.w.WebAppContext at 14bf9759{/idp,[file:///opt/shibboleth-idp/jetty
-base/tmp/jetty-localhost-8080-webapp-_idp-any
-3492213470564608669.dir/webinf/, file:///opt/shibboleth
-idp/webapp/],AVAILABLE}{../webapp}
2015-07-14 11:07:33.729:INFO:oejs.ServerConnector:main: Started 
ServerConnector at 7ccfdaef{HTTP/1.1,[http/1.1]}{localhost:8080}
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.ja
va:62)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccesso
rImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
        at org.eclipse.jetty.start.Main.start(Main.java:457)
        at org.eclipse.jetty.start.Main.main(Main.java:75)
Caused by: MultiException[java.io.IOException: Invalid keystore format,
java.io.IOException: Invalid keystore format]
        at org.eclipse.jetty.server.Server.doStart(Server.java:347)
        at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCy
cle.java:68)
        at
org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1520
)
        at java.security.AccessController.doPrivileged(Native Method)
        at
org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1445)
        ... 7 more
Usage: java -jar start.jar [options] [properties] [configs]
       java -jar start.jar --help  # for more information
The config snippet looks like this:
jetty.backchannel.keystore.path=/opt/shibboleth-idp/credentials/idp-backchannel.p12
jetty.browser.keystore.path=/opt/shibboleth-idp/credentials/itfederation_jmu_edu.p12
# Keystore passwords
jetty.backchannel.keystore.password=pass
jetty.browser.keystore.password=pass
# Keystore types
jetty.backchannel.keystore.type=PKCS12
jetty.browser.keystore.type=PKCS12
I'm not understanding what makes it considered invalid.
Thanks,

-- 
Brandon McKean
IT / Systems
Linux Administrator
(540)568-4235
On Tue, 2015-07-14 at 13:59 +0000, Cantor, Scott wrote:
> On 7/14/15, 9:28 AM, "users on behalf of McKean, Brandon Scott -
> mckeanbs" <users-bounces at shibboleth.net on behalf of mckeanbs at jmu.edu
> > wrote:
> 
> > Accordingly, I have keys, X509 certs, etc for the existing
> > configuration that have worked fine in Apache, but I'm having a
> > difficult time getting them to work with Jetty using the jetty-base
> > that ships with Shibboleth 3. 
> 
> As Rod said, that's not right. We provide material on configuring
> Jetty in the wiki.
> 
> > cat cert.crt intermediate-reverse.crt > cert-chain.txt
> > openssl pkcs12 -export -inkey example.key -in cert-chain.txt -out example.pkcs12
> 
> I use a command like this with the intermediate in a separate file.
> 
> openssl pkcs12 -export -out file.p12 -inkey private.key -in public.crt -certfile chain.crt
> 
> > Then I use keytool like this:
> > keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
> 
> That will create what you don't want, a keystore.
> 
> -- Scott
> 
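An added example, not code from Brandon, Scott or the Shibboleth project: it builds the PKCS12 the way Scott's command does and then verifies the result with openssl, and with keytool -list when a JDK is on the PATH, before Jetty ever sees the file. Everything in the demo is an assumption: the throwaway test CA, the subject names, the file names and the password changeit. Point build_p12 and check_p12 at your real key, end-entity certificate and chain instead.

```shell
#!/bin/sh
# Package a PEM key + certificate + chain as PKCS12 for Jetty, then verify
# the store parses before editing jetty-base's keystore properties.
# Added example; file names, password and the test CA below are assumptions.
set -eu

# build_p12 KEY CERT CHAIN OUT PASSWORD
# -in takes the end-entity certificate that matches -inkey; -certfile carries
# the intermediate(s). Same shape as the openssl command quoted above.
build_p12() {
    openssl pkcs12 -export \
        -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# check_p12 FILE PASSWORD
# Fails (non-zero) if openssl cannot open the store with that password, if it
# does not hold exactly one private key, or if a keytool on the PATH rejects
# it; otherwise prints "<keys> <certs>".
check_p12() {
    file=$1; pass=$2
    openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys -info >/dev/null 2>&1 \
        || { echo "cannot parse $file as PKCS12 with that password" >&2; return 1; }
    keys=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
           | grep -c 'BEGIN .*PRIVATE KEY' || true)
    certs=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys 2>/dev/null \
            | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$keys" -eq 1 ] || { echo "expected exactly one private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "no certificate in $file" >&2; return 1; }
    # Java's own PKCS12 parser is what Jetty uses, so run it when available.
    if command -v keytool >/dev/null 2>&1; then
        keytool -list -storetype PKCS12 -keystore "$file" -storepass "$pass" >/dev/null 2>&1 \
            || { echo "keytool cannot read $file" >&2; return 1; }
    fi
    echo "$keys $certs"
}

# demo_p12: constructed two-level chain (test CA -> leaf) in a temp dir,
# packaged and checked. Prints check_p12's "keys certs" line.
demo_p12() {
    d=$(mktemp -d)
    # Throwaway CA, constructed for this example only.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/CN=Example Test CA" -days 2 >/dev/null 2>&1
    # Leaf key and CSR, signed by the test CA.
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=idp.example.org" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.crt" -days 2 >/dev/null 2>&1
    build_p12 "$d/leaf.key" "$d/leaf.crt" "$d/ca.crt" "$d/idp.p12" changeit
    result=$(check_p12 "$d/idp.p12" changeit)
    rm -rf "$d"
    echo "$result"
}

demo_p12
```

For the demo chain check_p12 prints `1 2` (one key, leaf plus the CA certificate). openssl pkcs12 -export searches the certificates from both -in and -certfile for the one matching -inkey, so swapping the two files, as in the command at the top of the message, still yields a store with the right key/certificate pairing; a store that openssl itself cannot open with the configured password is the first thing to rule out when Jetty reports an invalid keystore format. One caveat outside this thread's era: PKCS12 files written by OpenSSL 3 use newer default encryption that older JDKs may reject, in which case re-export with -legacy.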