CAS proxy validation failure - Configured TLS trust engine was not used

Paul B. Henson henson at cpp.edu
Tue Aug 18 01:23:20 UTC 2020


> From: Paul B. Henson
> Sent: Monday, August 17, 2020 6:16 PM
>
> to explicitly define the certificate to be trusted though? Where does the
> certificate defined in the metadata for that relying party get stuffed into the
> httpclient as the one that needs to be found?

Ah, it looks like that is done somewhere inside the httpclient by a class in org.opensaml.saml.security? I had previously only cranked the idp to debug level, now I tried also setting opensaml and httpclient to debug and found something interesting.

For the connections that work, I see the certificate being fetched by org.opensaml.saml.security.impl.MetadataCredentialResolver, either with no cached copy:

2020-08-17 17:55:56,853 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager:312] - Connection leased: [id: 0][route: {s}->https://www.idm.unx.cpp.edu:443][total available: 0; route allocated: 1 of 100; total allocated: 1 of 100]

2020-08-17 17:55:56,855 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.execchain.MainClientExec:234] - Opening connection {s}->https://www.idm.unx.cpp.edu:443
2020-08-17 17:55:56,859 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator:139] - Connecting to www.idm.unx.cpp.edu/134.71.247.16:443

2020-08-17 17:55:56,881 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:285] - Resolving credentials from metadata using entityID: https://www.idm.unx.cpp.edu/, role: {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor, protocol: https://www.apereo.org/cas/protocol, usage: SIGNING

2020-08-17 17:55:56,885 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:400] - After predicate filtering 1 RoleDescriptors remain
2020-08-17 17:55:56,885 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:354] - Found no cached credentials in KeyDescriptor object metadata, resolving from KeyInfo
2020-08-17 17:55:56,912 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator:146] - Connection established 134.71.246.199:55480<->134.71.247.16:443

Or a cached copy:

2020-08-17 18:04:41,951 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:285] - Resolving credentials from metadata using entityID: https://www.idm.unx.cpp.edu/, role: {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor, protocol: https://www.apereo.org/cas/protocol, usage: SIGNING
2020-08-17 18:04:41,952 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:350] - Resolved cached credentials from KeyDescriptor object metadata

For the ones that fail, it jumps straight from opening connection to connection established with no sign of any activity by org.opensaml.saml.security.impl.MetadataCredentialResolver:

2020-08-17 18:05:22,612 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager:312] - Connection leased: [id: 3][route: {s}->https://www.idm.unx.cpp.edu:443][total available: 0; route allocated: 4 of 100; total allocated: 4 of 100]

2020-08-17 18:05:22,612 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.execchain.MainClientExec:234] - Opening connection {s}->https://www.idm.unx.cpp.edu:443
2020-08-17 18:05:22,624 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator:139] - Connecting to www.idm.unx.cpp.edu/134.71.247.16:443
2020-08-17 18:05:22,633 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator:146] - Connection established 134.71.246.199:554

So I'm guessing it fails when for some reason the certificate is not loaded into the TLS settings for that particular connection?
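As an added illustration (not the poster's code), a small script that scans IdP debug output for the pattern described above: an outbound TLS connection with no MetadataCredentialResolver activity between "Opening connection" and "Connection established". The sample lines are constructed after the excerpts quoted in the post; the function name and the assumption that connections do not interleave in the log are this example's own.

```python
import re

# Constructed sample lines, modelled on the IdP debug output quoted in the post
# (not the poster's actual log file). The first connection resolves the relying
# party's certificate from metadata; the second jumps straight to "established".
SAMPLE_LOG = """\
2020-08-17 17:55:56,855 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.execchain.MainClientExec:234] - Opening connection {s}->https://www.idm.unx.cpp.edu:443
2020-08-17 17:55:56,859 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator:139] - Connecting to www.idm.unx.cpp.edu/134.71.247.16:443
2020-08-17 17:55:56,881 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.opensaml.saml.security.impl.MetadataCredentialResolver:285] - Resolving credentials from metadata using entityID: https://www.idm.unx.cpp.edu/, role: {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor, protocol: https://www.apereo.org/cas/protocol, usage: SIGNING
2020-08-17 17:55:56,912 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator:146] - Connection established 134.71.246.199:55480<->134.71.247.16:443
2020-08-17 18:05:22,612 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.execchain.MainClientExec:234] - Opening connection {s}->https://www.idm.unx.cpp.edu:443
2020-08-17 18:05:22,624 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator:139] - Connecting to www.idm.unx.cpp.edu/134.71.247.16:443
2020-08-17 18:05:22,633 - 2620:df:8000:ff10:0:1:247:16 - DEBUG [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator:146] - Connection established 134.71.246.199:55481<->134.71.247.16:443
"""

# Timestamp and route of an outbound connection being opened by httpclient.
OPENING = re.compile(r"^(\S+ \S+) .*\[org\.apache\.http\.impl\.execchain\.MainClientExec:\d+\] - Opening connection \{s\}->(\S+)$")
# Any activity from the OpenSAML metadata credential resolver (fresh or cached).
RESOLVER = re.compile(r"\[org\.opensaml\.saml\.security\.impl\.MetadataCredentialResolver:\d+\] - ")
# The TLS handshake has completed for the connection currently being opened.
ESTABLISHED = re.compile(r"\[org\.apache\.http\.impl\.conn\.DefaultHttpClientConnectionOperator:\d+\] - Connection established")


def find_unresolved_connections(log_text):
    """Return (timestamp, route) for every connection whose trace shows no
    MetadataCredentialResolver activity between opening and establishment.
    Assumption (this example's own): connections do not interleave in the log."""
    flagged = []
    current = None        # (timestamp, route) of the connection being opened
    saw_resolver = False  # did the resolver run for that connection?
    for line in log_text.splitlines():
        line = line.rstrip()
        m = OPENING.search(line)
        if m:
            current, saw_resolver = (m.group(1), m.group(2)), False
            continue
        if current is None:
            continue
        if RESOLVER.search(line):
            saw_resolver = True
        elif ESTABLISHED.search(line):
            if not saw_resolver:
                flagged.append(current)
            current = None
    return flagged


if __name__ == "__main__":
    for ts, route in find_unresolved_connections(SAMPLE_LOG):
        print(f"{ts}: no metadata credential resolution before TLS to {route}")
```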

