MetadataResolverService Initial load failed?

Scott Gilbert sgilbert at ucsb.edu
Wed Nov 27 13:40:03 EST 2019


To back up a bit, this is a new Tomcat server and Shibboleth IdP 3.4.6. I
have copied the data over from an existing (working) Shibboleth IdP 3.2.1.
The data would include idp.property settings, metadata, and credentials.
The entire credentials directory. I am concerned copying the cert files
over may be the issue, but Tomcat and Shibboleth are set up properly to use
them. My thinking now is that copying over the conf directory metadata is
ok with a few minor tweaks, but I need to create a whole suite of new certs
for this new server.

 Service 'shibboleth.MetadataResolverService': Initial load failed
net.shibboleth.utilities.java.support.service.ServiceException:
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name
'org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter#0':
Cannot create inner bean '(inner bean)#3e38a99c' of type
[org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine]

The entire error message is in my first post.


Scott Gilbert
IAM System Admin
ETS Enterprise Technology Services
University of California Santa Barbara



On Wed, Nov 27, 2019 at 10:04 AM Scott Gilbert <sgilbert at ucsb.edu> wrote:

> Still getting the same error message. Below is my current incommon config.
>
>     <MetadataProvider id="INCOMMON"
> xsi:type="FileBackedHTTPMetadataProvider"
>         metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
> backingFile="%{idp.home}/metadata/incommon-metadata.xml">
>       <MetadataFilter xsi:type="SignatureValidation"
> certificateFile="%{idp.home}/credentials/inc-md-cert.pem" />
>     </MetadataProvider>
>
> Do I need to state this?
>         <MetadataFilter xsi:type="RequiredValidUntil"
> maxValidityInterval="P30D"/>
>
> I have enough memory allocated
> Environment="CATALINA_OPTS=-Xms512M -Xmx2048M -server -XX:+UseG1GC"
>
>
> Scott Gilbert
> IAM System Admin
> ETS Enterprise Technology Services
> University of California Santa Barbara
>
>
>
> On Tue, Nov 26, 2019 at 3:16 PM Christopher Bongaarts <cab at umn.edu> wrote:
>
>> Within that <MetadataProvider> element you'll find a nested element like
>> this:
>>
>>       <MetadataFilter xsi:type="SignatureValidation"
>> requireSignedRoot="true"
>>               certificateFile="%{idp.home}/credentials/incommon.pem" />
>>
>> It's having trouble loading that certificateFile.
>> On 11/26/2019 5:02 PM, Scott Gilbert wrote:
>>
>> Thanks for the reply.
>>
>> So this metadata provider statement is not sufficient
>>
>>     <MetadataProvider id="INCOMMON"
>> xsi:type="FileBackedHTTPMetadataProvider"
>>     metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
>> backingFile="%{idp.home}/metadata/incommon-metadata.xml">
>>
>> as I recall there is some form of verification, so as not to spoof, it
>> may be in the incommon docs.
>>
>> Scott Gilbert
>> IAM System Admin
>> ETS Enterprise Technology Services
>> University of California Santa Barbara
>>
>>
>>
>> On Tue, Nov 26, 2019 at 2:44 PM Christopher Bongaarts <cab at umn.edu>
>> wrote:
>>
>>> Check the contents and permissions of your InCommon metadata validation
>>> certificate...
>>>
>>> On 11/26/2019 4:28 PM, Scott Gilbert wrote:
>>> > Caused by: org.springframework.beans.factory.BeanCreationException:
>>> > Error creating bean with name '(inner bean)#5ff6431a': Invocation of
>>> > init method failed; nested exception is
>>> > org.cryptacular.StreamException: IO error
>>> > at
>>> >
>>> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1631)
>>> > Caused by: org.cryptacular.StreamException: IO error
>>> > at
>>> org.cryptacular.util.CertUtil.readCertificateChain(CertUtil.java:328)
>>> > Caused by: java.io.IOException: Incomplete data
>>> > at sun.security.provider.X509Factory.readOneBlock(X509Factory.java:612)
>>> > 2019-11-26 14:07:11,867 -  - ERROR
>>> >
>>> [net.shibboleth.utilities.java.support.service.AbstractReloadableService:186]
>>>
>>> > - Service 'shibboleth.MetadataResolverService': No further attempts
>>> > will be made to reload
>>>
>>> --
>>> %%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
>>> %%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
>>> %%  University of Minnesota    %%  +1 (612) 625-1809    %%
>>
>>
>> --
>> %%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
>> %%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
>> %%  University of Minnesota    %%  +1 (612) 625-1809    %%
>>
>>
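
The stack trace in this thread ends in `java.io.IOException: Incomplete data` while the `SignatureValidation` filter reads its `certificateFile`. As an added example (not part of the thread and not Shibboleth code), this Python check looks for structural damage in a PEM certificate file that can produce that error: a missing END marker, invalid base64, or a DER body shorter than its header declares. The names `check_pem`, `der_declared_length` and `sample_pem` are hypothetical, and the sample is a constructed DER shell, not a real certificate.

```python
import base64
import binascii
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def der_declared_length(der):
    """Total size the outer DER SEQUENCE header claims, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text):
    """Return a list of problems in PEM certificate text; empty list means OK."""
    if BEGIN not in text:
        return ["no BEGIN CERTIFICATE marker (empty, DER, or wrong file?)"]
    blocks = PEM_RE.findall(text)
    problems = []
    if text.count(BEGIN) != len(blocks):
        problems.append("BEGIN marker without matching END (file cut short)")
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            problems.append(f"block {i}: invalid base64 ({exc})")
            continue
        want = der_declared_length(der)
        if want is None:
            problems.append(f"block {i}: body is not a DER SEQUENCE")
        elif want != len(der):
            problems.append(f"block {i}: DER declares {want} bytes, got {len(der)}")
    return problems


def sample_pem():
    """Constructed stand-in: a 260-byte DER SEQUENCE shell, not a real certificate."""
    b64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"
```

Pass `check_pem` the text of the file named in `certificateFile`; it only checks structure and says nothing about whether the certificate is the one the metadata is actually signed with.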