1. 首页
  2. 问答
  3. SAML错误:对于不受信任的凭据,PKIX路径构造失败

SAML错误:对于不受信任的凭据,PKIX路径构造失败

2016-12-06 30 views
1

我在系统中集成了SAML 2.0,我正在使用像IDP文件http://idp.ssocircle.com/idp-meta.xml。 上周我的应用程序工作正常,但自昨天(2016年12月5日)以来,我的错误没有在配置文件中做任何修改。SAML错误:对于不受信任的凭据,PKIX路径构造失败

The error is: 
2016-12-06 10:00:07 ERROR: PKIX path construction failed for untrusted credential: [subjectName='CN=idp.ssocircle.com' |credential entityID='https://idp.ssocircle.com']: unable to find valid certification path to requested target 
2016-12-06 10:00:07 INFO : I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request: SSL peer failed hostname validation for name: null 
2016-12-06 10:00:07 INFO : Retrying request

我metada bean是:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager"> 
<constructor-arg> 
    <list> 
     <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider"> 
      <constructor-arg> 
       <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value> 
      </constructor-arg> 
      <constructor-arg> 
       <value type="int">5000</value> 
      </constructor-arg> 
      <property name="parserPool" ref="parserPool"/> 
     </bean> 
     <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate"> 
      <constructor-arg> 
       <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider"> 
        <constructor-arg> 
          <value type="java.io.File">WEB-INF/saml/sp_sg.xml</value> 
         </constructor-arg> 
        <property name="parserPool" ref="parserPool"/> 
       </bean> 
      </constructor-arg> 
      <constructor-arg> 
       <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> 
        <property name="local" value="true"/> 
        <property name="securityProfile" value="metaiop"/> 
        <property name="sslSecurityProfile" value="pkix"/> 
        <property name="signMetadata" value="true"/> 
        <property name="signingKey" value="apollo"/> 
        <property name="encryptionKey" value="apollo"/> 
        <property name="requireArtifactResolveSigned" value="false"/> 
        <property name="requireLogoutRequestSigned" value="false"/> 
        <property name="requireLogoutResponseSigned" value="false"/> 
        <property name="idpDiscoveryEnabled" value="false"/> 
        <property name="idpDiscoveryURL" value="http://localhost:8080/portal_report_sg/saml/discovery"/> 
        <property name="idpDiscoveryResponseURL" value="http://localhost:8080/portal_report_sg/saml/login?disco=true"/> 
       </bean> 
      </constructor-arg> 
     </bean> 
    </list> 
</constructor-arg> 
    <property name="hostedSPName" value="http://88.161.49.14/sg1"/>

感谢您的帮助。

来源

2016-12-06 mkaayn

回答

2

昨天,SSOCircle上使用的根CA证书发生了变化。这可能体现在工件解析期间,当时,Spring SAML需要通过HTTPS进行调用。

certification authority's website下载证书,它存储在文件(例如,ca.cer PEM格式),并导入到春天SAML的密钥库:

keytool -importcert -alias identtrustca -file ca.cer -keystore samlKeystore.jks

证书例如:

-----BEGIN CERTIFICATE----- 
    MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ 
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT 
    DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow 
    PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD 
    Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB 
    AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O 
    rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq 
    OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b 
    xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 
    7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD 
    aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV 
    HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG 
    SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 
    ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr 
    AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz 
    R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 
    JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo 
    Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ 
    -----END CERTIFICATE-----

春天SAML不使用Java默认密钥库中的可信CA来更好地控制哪些认证机构可信。

来源

2016-12-06 09:40:07

+0

感谢您的回复。我试图导入到密钥库,但我有一个错误:响应的公钥和密钥库不相同。 法语:'erreur keytool:java.lang.Exception:Lescléspubliques de laréponseet du keystore ne concordent pas' – mkaayn

+0

对于正确的PEM格式可能是挑剔的 - 我更新了上述内容。 –

+0

It works.Thank you very much。 – mkaayn

相关问题

 相关问题