updating SP's cert in metadata

Nate Klingenstein ndk at sudonym.me
Fri Sep 28 12:42:08 EDT 2018


David,

I can't speak to exactly what went wrong (copy paste issues, random
whitespace, actually broken certificate), but apparently parsing is failing
although the overall approach of putting both certificates in the metadata
should be fine.  I would guess the certificate data that you put in the
element itself is broken.  You might use openssl x509's toolkit as a sanity
check.

Hope this helps,
Nate.


On Fri, Sep 28, 2018 at 4:37 PM, IAM David Bantz <dabantz at alaska.edu> wrote:

> SP provided new cert (they provide self-signed certs in metadata with 1
> year lifetime).
>
> I added the new cert to my copy of the SP metadata, anticipating a
> transition period where either cert could be used, but that triggers this
> error in processing an incoming request:
>
> ERROR [137.229.160.20] org.springframework.webflow.execution.ActionExecutionException:76
>
> org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor at 71d0fe07 in state 'SAML2SSOSecurityPolicy' of flow 'intercept/security-policy/saml2-sso' -- action execution attributes were 'map[[empty]]'
>
>         at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
>
> Caused by: org.cryptacular.StreamException: IO error
>
>         at org.cryptacular.util.CertUtil.readCertificate(CertUtil.java:256)
>
> Caused by: java.io.IOException: Incomplete BER/DER data
>
>         at sun.security.provider.X509Factory.readBERInternal(X509Factory.java:751)
>
>
> Is the strategy flawed or did I do something else dumb?
>
>
> David Bantz
>
> UA OIT IAM
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/
> confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
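
A structural check in the spirit of the sanity check suggested in the reply, as an added example (not part of either message and not Shibboleth code): it decodes every ds:X509Certificate element in a metadata document and reports any whose DER is shorter than its own length header says, the condition behind "Incomplete BER/DER data". The sample metadata, its entityID and the certificate blob are constructed, and the check covers base64 and DER framing only; it does not validate the certificate the way openssl x509 does.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
KEY = ("<KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n{}\n"
       "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>")

def der_framing_error(der):
    """Return None if der is exactly one complete DER SEQUENCE, else the reason."""
    if len(der) < 2 or der[0] != 0x30:
        return "does not start with a DER SEQUENCE tag (0x30)"
    if der[1] < 0x80:                  # short form: this byte is the length
        header, body = 2, der[1]
    else:                              # long form: low 7 bits = count of length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return "malformed DER length field"
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    missing = header + body - len(der)
    if missing > 0:
        return f"incomplete DER data: {missing} bytes missing"
    if missing < 0:
        return f"{-missing} trailing bytes after the certificate"
    return None

def check_metadata_certs(metadata_xml):
    """Return [(position, problem or None)] for each ds:X509Certificate element."""
    results = []
    for pos, el in enumerate(ET.fromstring(metadata_xml).iter(DS + "X509Certificate"), 1):
        text = "".join((el.text or "").split())   # whitespace inside the base64 is ignored here
        if "-----" in text:
            problem = "PEM BEGIN/END lines pasted into the element"
        else:
            try:
                problem = der_framing_error(base64.b64decode(text, validate=True))
            except binascii.Error as exc:
                problem = f"invalid base64: {exc}"
        results.append((pos, problem))
    return results

def sample_metadata():
    """Constructed metadata: cert 1 is complete, cert 2 lost its last base64 line."""
    fake_der = b"\x30\x82\x01\x00" + bytes(256)   # constructed blob, framing only, not a real cert
    whole = base64.encodebytes(fake_der).decode()
    cut = "\n".join(whole.splitlines()[:-1])      # simulates a truncated copy/paste
    return ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/sp">'
            '<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + KEY.format(whole) + KEY.format(cut) + "</SPSSODescriptor></EntityDescriptor>")
```

Calling `check_metadata_certs(sample_metadata())` flags only the second certificate, so the older certificate can stay in place while the new one is re-pasted.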