Configuring additional signing/encryption certificate/key pairs for IDP 3.4.6

Mak, David d.mak at northeastern.edu
Thu May 28 21:32:37 UTC 2020


Has anyone run into a problem with configuring additional signing/encryption keys for IDP 3.4.6?

We have a vendor who is complaining about a SHA-1-signed RSA-2048 self-signed cert (not due to expire until 2032) and about needing to configure an exception to accept our signed responses (which they require), so we looked into creating a new SHA-256 (message digest) signed RSA-2048 cert and added it as per:

https://wiki.shibboleth.net/confluence/display/IDP30/SecurityConfiguration#SecurityConfiguration-SigningandEncryptionConfiguration

Creating a credentials.xml entry:
  <bean id="shibboleth.SHA256RSA2048SigningCredential"
        class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
        p:privateKeyResource="%{idp.signing.key.2}"
        p:certificateResource="%{idp.signing.cert.2}"
        p:entityId-ref="entityID" />

that references some new idp.properties values:
idp.signing.key.2 = %{idp.home}/credentials/idp-signing-new.key
idp.signing.cert.2 = %{idp.home}/credentials/idp-signing-new.crt

coupled with a relying-party configuration:

<bean id="SHA2SecurityConfig" parent="shibboleth.DefaultSecurityConfiguration"
    p:signatureSigningConfiguration-ref="shibboleth.SHA256RSA2048SigningCredential" />

<bean parent="RelyingPartyByName"
    c:relyingPartyIds="#{{'http://fs.crisis24.com/adfs/services/trust'}}">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:securityConfiguration-ref="SHA2SecurityConfig" />
        </list>
    </property>
</bean>

We get the following exception/error in our IDP process logs (pasted below), complaining about not being able to convert a property value of type 'org.opensaml.security.x509.BasicX509Credential' to the required type 'org.opensaml.xmlsec.SignatureSigningConfiguration' for property 'signatureSigningConfiguration'.

Digging further into the signatureSigningConfiguration, I don't see other beans I could be referencing to configure this other than the ones documented here (the above is using the resource-based bean vs. the inline one): https://wiki.shibboleth.net/confluence/display/IDP30/CredentialBeanFactories

Error entry in log:

Caused by: org.springframework.beans.factory.BeanCreationException:
  Error creating bean with name 'SHA2SecurityConfig' defined in file [/idm/AuthenticationServices/shibboleth-idp/conf/relying-party.xml]:
    Initialization of bean failed; nested exception is org.springframework.beans.ConversionNotSupportedException:
      Failed to convert property value of type 'org.opensaml.security.x509.BasicX509Credential' to required type 'org.opensaml.xmlsec.SignatureSigningConfiguration' for property 'signatureSigningConfiguration'; nested exception is java.lang.IllegalStateException: Cannot convert value of type 'org.opensaml.security.x509.BasicX509Credential' to required type 'org.opensaml.xmlsec.SignatureSigningConfiguration' for property 'signatureSigningConfiguration': no matching editors or conversion strategy found
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:562)

Caused by: org.springframework.beans.ConversionNotSupportedException:
  Failed to convert property value of type 'org.opensaml.security.x509.BasicX509Credential' to required type 'org.opensaml.xmlsec.SignatureSigningConfiguration' for property 'signatureSigningConfiguration'; nested exception is java.lang.IllegalStateException: Cannot convert value of type 'org.opensaml.security.x509.BasicX509Credential' to required type 'org.opensaml.xmlsec.SignatureSigningConfiguration' for property 'signatureSigningConfiguration': no matching editors or conversion strategy found
        at org.springframework.beans.AbstractNestablePropertyAccessor.convertIfNecessary(AbstractNestablePropertyAccessor.java:603)
Caused by: java.lang.IllegalStateException: Cannot convert value of type 'org.opensaml.security.x509.BasicX509Credential' to required type 'org.opensaml.xmlsec.SignatureSigningConfiguration' for property 'signatureSigningConfiguration': no matching editors or conversion strategy found
        at org.springframework.beans.TypeConverterDelegate.convertIfNecessary(TypeConverterDelegate.java:307)



--
David Mak
Identity Services Specialist
Information Technology Services
Northeastern University
360 Huntington Ave. Boston MA 02115-5000
Mail Stop: 356-C2
Office: 617-373-7836 Mobile: 617-840-7543
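Editor's note, not part of the message above: the exception is a plain Spring type mismatch. The signatureSigningConfiguration property of shibboleth.DefaultSecurityConfiguration takes a SignatureSigningConfiguration, but the -ref in the posted relying-party.xml points straight at a credential bean (a BasicX509Credential). The credential has to be wrapped in one of the IdP's stock signing-configuration beans, which is what the following added example does. It assumes the shibboleth.SHA256RSA2048SigningCredential bean from the poster's credentials.xml is already defined and loads; everything else is the standard IdP 3 relying-party.xml vocabulary.

```xml
<!-- relying-party.xml fragment: added editor's example, not code from the original post.
     Assumes shibboleth.SHA256RSA2048SigningCredential is defined in credentials.xml
     exactly as shown in the message above. -->

<!-- The signing part of a SecurityConfiguration must be a SignatureSigningConfiguration.
     shibboleth.SigningConfiguration.SHA256 is the IdP's stock SHA-256 configuration
     (already the V3 default algorithm); it is re-parented here so only this one relying
     party signs with the new key/cert while everything else keeps the default credential. -->
<bean id="SHA2SecurityConfig" parent="shibboleth.DefaultSecurityConfiguration">
    <property name="signatureSigningConfiguration">
        <bean parent="shibboleth.SigningConfiguration.SHA256">
            <property name="signingCredentials">
                <list>
                    <ref bean="shibboleth.SHA256RSA2048SigningCredential" />
                </list>
            </property>
        </bean>
    </property>
</bean>

<!-- Same relying-party override as in the original post, now pointing at a bean of the
     correct type. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="#{{'http://fs.crisis24.com/adfs/services/trust'}}">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:securityConfiguration-ref="SHA2SecurityConfig" />
        </list>
    </property>
</bean>
```

Two practical caveats. First, the relying party verifies response signatures against the certificate in your metadata, so the new certificate has to be published to the vendor (as an additional signing KeyDescriptor alongside the old one) before this override goes live, otherwise their side will fail signature validation rather than accept it. Second, the digest and signature algorithms inside the XML signature are governed by the signing configuration (idp.signing.config, SHA-256 by default in IdP 3), not by how the certificate itself was signed; a self-signed certificate's own SHA-1 signature is never evaluated in metadata-based trust. If the vendor's complaint is really about the algorithm on the SAML response, check the existing signing configuration first; only an objection to the certificate itself calls for a new key pair like the one above.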