Error after idp 3.4.3 upgrade from 3.4.1

Mathis, Bradley bmathis at pima.edu
Mon Feb 18 10:29:09 EST 2019


Howdy all and Happy Monday!


I had a functioning idp 3.4.1 installation.  I ran the upgrade to 3.4.3
and I now get this error.

2019-02-15 15:35:24,089 - ERROR
[org.springframework.web.context.ContextLoader:350] - Context
initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'proxyHttpSecurity' defined in file
[/opt/shibboleth-idp/system/conf/cas-protocol-system.xml]: Cannot create inner
bean 'org.opensaml.security.trust.impl.ChainingTrustEngine#340da44c' of
type [org.opensaml.security.trust.impl.ChainingTrustEngine] while setting
bean property 'tLSTrustEngine'; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name
'org.opensaml.security.trust.impl.ChainingTrustEngine#340da44c' defined in
file [/opt/shibboleth-idp/system/conf/cas-protocol-system.xml]: Cannot
create inner bean 'shibboleth.StaticPKIXTrustEngine$child#a43ce46' of type
[net.shibboleth.idp.profile.spring.factory.StaticPKIXFactoryBean] while
setting constructor argument with key [1]; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'shibboleth.StaticPKIXTrustEngine$child#a43ce46' defined in
file [/opt/shibboleth-idp/system/conf/cas-protocol-system.xml]:
Initialization of bean failed; nested exception is
org.springframework.beans.TypeMismatchException: Failed to convert property
value of type 'java.util.ArrayList' to required type 'java.util.List' for
property 'certificates'; nested exception is
java.lang.IllegalArgumentException: Cannot convert value of type
'sun.security.x509.X509CertImpl' to required type
'org.springframework.core.io.Resource' for property 'certificates[0]':
PropertyEditor [org.springframework.core.io.ResourceEditor] returned
inappropriate value of type 'sun.security.x509.X509CertImpl'


The file referenced in the message
"/opt/shibboleth-idp/system/conf/cas-protocol-system.xml"  is changed in
the new version 3.4.3

Here are the changes:

3.4.3 version:

    <bean id="proxyHttpSecurity" class="org.opensaml.security.httpclient.HttpClientSecurityParameters">
        <property name="tLSTrustEngine">
            <bean class="org.opensaml.security.trust.impl.ChainingTrustEngine">
                <constructor-arg name="chain">
                    <list>
                        <bean class="org.opensaml.security.trust.impl.ExplicitX509CertificateTrustEngine"
                              c:resolver-ref="shibboleth.MetadataCredentialResolver" />
                        <bean parent="shibboleth.StaticPKIXTrustEngine"
                              p:certificates="#{getObject('shibboleth.CASProxyTrustedCertificates') ?: getObject('shibboleth.DefaultCASProxyTrustedCertificates')}"
                              p:checkNames="true" />
                    </list>
                </constructor-arg>
            </bean>
        </property>
    </bean>


3.4.1 version (the above section replaced this section below)

    <bean id="proxyTrustEngine" class="org.opensaml.security.trust.impl.ChainingTrustEngine">
        <constructor-arg name="chain">
            <list>
                <bean class="org.opensaml.security.trust.impl.ExplicitX509CertificateTrustEngine"
                      c:resolver-ref="shibboleth.MetadataCredentialResolver" />
                <bean class="org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine"
                      c:nameEvaluator="#{null}">
                    <constructor-arg name="resolver">
                        <bean class="org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver"
                              c:names="#{null}">
                            <constructor-arg name="info">
                                <bean class="org.opensaml.security.x509.impl.BasicPKIXValidationInformation"
                                      c:anchors="#{getObject('shibboleth.CASProxyTrustedCertificates') ?: getObject('shibboleth.DefaultCASProxyTrustedCertificates')}"
                                      c:crls="#{null}"
                                      c:depth="5" />
                            </constructor-arg>
                        </bean>
                    </constructor-arg>
                    <constructor-arg name="pkixEvaluator">
                        <bean class="org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator" />
                    </constructor-arg>
                </bean>
            </list>
        </constructor-arg>
    </bean>


Where do I start to fix this?

Thanks in advance for the help!


Brad Mathis
Principal Systems Analyst
Pima Community College
IT - Technical Services
520.206.4826
bmathis at pima.edu