X509 Authn in IDPv3

Emilio Penna emilio.penna at seciu.edu.uy
Wed Apr 6 11:47:10 EDT 2016


I used X509 Authn with the following versions:

- apache 2.2.22 (debian)
- tomcat 8.0.18
- mod jk: libapache2-mod-jk 1:1.2.37-1+deb

Location configuration in apache:

<Location /idp/Authn/X509>
         SSLVerifyClient require
         SSLVerifyDepth 1
         SSLOptions -StdEnvVars +ExportCertData
</Location>

One suggestion: When initially configuring the environment, I used a 
little jsp (independent from IdP) for testing client certificate authn 
and cert info passing from apache to tomcat. The jsp has some code to 
verify that a servlet can access the certificate information; it can be 
something like:

<%@ page import = "java.security.cert.*" %>
<%@ page import = "javax.security.auth.x500.*" %>
<%
// Tomcat fills this attribute from the certificate data that mod_jk forwards
X509Certificate certs[] =
    (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

if (certs == null || certs.length == 0) {
%>
No client certificate was passed from apache to tomcat
<%
} else {
    X509Certificate clientCert = certs[0]; // end-entity certificate comes first
    X500Principal subjectDN = clientCert.getSubjectX500Principal();
%>
DN: <%= subjectDN.getName() %>
<%
}
%>


Regards
Emilio
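The same check as a plain servlet, added here as an example that is not part of the original post or of the IdP: it reports whether the certificate chain reached Tomcat through mod_jk and, if so, prints the end-entity certificate's details. The servlet name and path are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet; the /certcheck path is an assumption.
@WebServlet("/certcheck")
public class CertCheckServlet extends HttpServlet {

    // Attribute name defined by the Servlet spec; Tomcat populates it from the
    // SSL_CLIENT_CERT data that mod_jk forwards when +ExportCertData is set.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // Typical causes: the Location block does not cover this path,
            // +ExportCertData is missing, or the request bypassed mod_jk.
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            out.println("No client certificate reached the servlet container");
            return;
        }
        X509Certificate clientCert = chain[0]; // end-entity certificate is first
        try {
            // Apache already verified the chain; this only confirms what Tomcat received.
            clientCert.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            out.println("Client certificate outside its validity period: " + e.getMessage());
            return;
        }
        out.println("Chain length: " + chain.length);
        out.println("Subject DN:   " + clientCert.getSubjectX500Principal().getName());
        out.println("Issuer DN:    " + clientCert.getIssuerX500Principal().getName());
        out.println("Serial:       " + clientCert.getSerialNumber().toString(16));
        out.println("Not after:    " + clientCert.getNotAfter());
    }
}
```

Deploy it in a webapp under the same Location that requires SSLVerifyClient; a 403 from this servlet with a successful handshake in the Apache SSL log points at the apache-to-tomcat hop rather than at the client.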



El 05/04/2016 21:54, Pradeep Jamble escribió:
> Hello,
>
> Has anyone set up X509 Authn in IDP v3 via Apache front-end? I keep 
> getting this exception in Tomcat logs but nothing in the IdP logs 
> (with debug logs enabled) to indicate where it's failing.
>
> Apr 05, 2016 3:19:23 AM org.apache.catalina.core.StandardWrapperValve 
> invoke
> SEVERE: Servlet.service() for servlet [X509AuthHandler] in context 
> with path [/idp] threw exception [Error processing external 
> authentication request] with root cause
> net.shibboleth.idp.authn.ExternalAuthenticationException: No 
> conversation state found in session for key (e1s1)
>
> Here's what I've set up so far with Apache and Tomcat/Shibboleth on the 
> same host.
>
> -Enabled the authn flow in idp.properties
> -Configured Apache for client certificate authentication
> -Enabled Apache to forward request headers as well as '+ExportCertData'
>
> In Apache SSL logs, I see the cert has been validated and 
> authorization granted. So, I'm not quite sure where it's broken. 
> Initially, I thought it was an issue with Apache not being able to 
> validate client cert but from the SSL logs looks like it's not the issue.
>
> Any troubleshooting or configuration guidance is greatly appreciated.
>
> Thanks in advance,
> Pradeep
>
>


