Need Help regarding certificate load and IDP metadata configuration

Ram, Budh budh.ram at sap.com
Fri Apr 29 01:01:38 EDT 2016


Hi,
I am using Shibboleth 2.5 (64 bit) on Windows Server 2008. I have configured the shibboleth2.xml file for the certificate and metadata provider. When I run the shibd -check command, or check the shibd.log file, I get the error below:

C:\opt\shibboleth-sp\sbin64>shibd -check
2016-04-29 00:42:40 WARN Shibboleth.Application : insecure cookieProps setting,
set to "https" for SSL/TLS-only usage
2016-04-29 00:42:40 WARN Shibboleth.Application : handlerSSL should be enabled f
or SSL/TLS-enabled web sites
2016-04-29 00:42:40 ERROR OpenSSL : error code: 151441516 in .\crypto\pem\pem_li
b.c, line 701
2016-04-29 00:42:40 ERROR OpenSSL : error data: Expecting: CERTIFICATE
2016-04-29 00:42:40 ERROR OpenSAML.Metadata : caught exception while installing
filters: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibb
oleth/sci-cert.pem).
2016-04-29 00:42:40 CRIT Shibboleth.Application : error building MetadataProvide
r: Unable to load certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/
sci-cert.pem).
2016-04-29 00:42:40 WARN Shibboleth.Application : no MetadataProvider available,
configure at least one for standard SSO usage
overall configuration is loadable, check console for non-fatal problems

My shibboleth2.xml configurations are:

<SSO entityID="https://accounts400.sap.com ">
  SAML2
</SSO>

<MetadataProvider type="XML" uri="https://accounts400.sap.com/saml2/metadata/accounts.sap.com"
      backingFilePath="federation-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="sci-cert.pem"/>
    <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
      attributeName="http://macedir.org/entity-category"
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>

This certificate file (sci-cert.pem) is available at this location. I am not sure why it is not able to load the certificate.
The IdP has registered the SP metadata on their side, but it still says that no MetadataProvider is available.

Please help me find out whether I am missing something in the configuration.

Thanks in advance.

Thanks and Regards,
Budh Ram
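
Added example, not part of the original message and not Shibboleth code: the OpenSSL error in the log above ("Expecting: CERTIFICATE") is raised when the PEM reader finds no block with that label in the file, so the first thing to check is what sci-cert.pem actually contains. The Python check below classifies a file's bytes into the common cases; the function name, result strings and sample data are hypothetical and constructed for illustration.

```python
import base64
import re

EXPECTED_LABEL = "CERTIFICATE"  # the label named in the log: "Expecting: CERTIFICATE"
BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")  # UTF-8 and UTF-16 byte-order marks

# A PEM block: BEGIN line at the start of a line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    rb"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.MULTILINE | re.DOTALL,
)

def classify_cert_file(data: bytes) -> str:
    """Diagnose the contents of a file that is supposed to hold a PEM certificate."""
    if not data.strip():
        return "empty"
    if data.startswith(BOMS):
        # Saved by a text editor with a byte-order mark: the file no longer
        # starts with the ASCII text "-----BEGIN".
        return "byte-order-mark"
    labels = []
    for match in PEM_BLOCK.finditer(data):
        label = match.group(1).decode("ascii")
        labels.append(label)
        if label != EXPECTED_LABEL:
            continue
        try:
            der = base64.b64decode(b"".join(match.group(2).split()), validate=True)
        except ValueError:
            return "certificate-block-bad-base64"
        # A DER-encoded certificate is an ASN.1 SEQUENCE, tag byte 0x30.
        return "pem-certificate" if der[:1] == b"\x30" else "certificate-block-not-der"
    if labels:
        return "wrong-label:" + ",".join(labels)  # e.g. a public key, not a certificate
    if data[:1] == b"\x30":
        return "der-binary"  # binary .cer/.der file given a .pem name
    return "no-pem-block"

if __name__ == "__main__":
    # Constructed samples; the body is a dummy ASN.1 SEQUENCE, not a real certificate.
    body = base64.b64encode(b"\x30\x03\x02\x01\x01")
    good = b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN PUBLIC KEY-----\n" + body + b"\n-----END PUBLIC KEY-----\n"
    for name, data in [("good", good), ("key", key), ("der", b"\x30\x82\x03\x01")]:
        print(name, "->", classify_cert_file(data))
```

To check the real file, pass the result of open(path, "rb").read() to classify_cert_file; any result other than "pem-certificate" matches the failure shown in the log.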
