[gridshib-user] Re: Still having trouble with the tests

Tom Scavo trscavo at gmail.com
Mon Feb 5 13:11:49 CST 2007


Kyle, I think all you have to do is point shib-aa-test to InCommon
metadata instead of example-metadata.xml.

Tom

PS. Have you tested the shib attribute resolver configuration using
resolvertest?
https://spaces.internet2.edu/display/SHIB/AtributeResolutionTest
https://spaces.internet2.edu/display/SHIB/AttributeReleaseTest

On 2/5/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> Here's the command line and the local variables that have been set:
>
> # export JAVA_HOME=/usr/java/latest
> # export JRE_HOME=/usr/java/latest
> # export IDP_HOME=/usr/local/shibboleth-idp
> # export CATALINA_HOME=/usr/share/tomcat5
> # export EXT_NAME=test-idp
> # ./shib-aa-test -d -j /usr/local/shibboleth-idp/etc/test-idp/sp-example.jks
> -k exampleorg -l exampleorg -m
> file:/usr/local/shibboleth-idp/etc/example-metadata.xml
>
> The key specified for the AA in our apache conf is the one for InCommon.  Is
> there a specific way I need to point this out to the tester?
>
> Thanks,
> Kyle
>
> -----Original Message-----
> From: Tom Scavo [mailto:trscavo at gmail.com]
> Sent: Friday, February 02, 2007 5:11 PM
> To: Kyle Peacock
> Cc: GridShib Users
> Subject: Re: Still having trouble with the tests
>
> Hi Kyle,
>
> First, it would help if you posted the exact command line you're using
> to invoke the Shib IdP Tester.  That will tell me where the tool is
> getting its trust information.
>
> Evidently, the tool can not locate the key of AA.  This can be done by
> specifying a path to a certificate on the command line.  If I recall,
> the certificate can be PEM-encoded, a Java KeyStore, or a SAML
> metadata file.  So the basic questions are:  What SSL certificate on
> the server, and how are you making this certificate known to the
> client (in this case, the IdP Tester)?
>
> Cheers,
> Tom
>
> On 2/2/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> >
> > Hey Tom,
> >
> > Changing the KeyStore lines seem to have cleared up the rest of my
> > connection problems.  I think all the errors I'm getting now from
> > shib-aa-test are trust errors.  I'm a little confused by the language
> > though.  Could you elaborate on what this error is saying?
> >
> > ** SAML problem:
> >
> > SAMLSOAPBinding.send() caught an I/O exception (wrapped:
> > sun.security.validator.ValidatorException: No trusted
> > certificate found)
> >
> > ** Solution:
> >
> > This error means that our end of the SSL handshake is not completing
> > because we do not trust the AA's SSL certificate, you need adjust your trust
> > configuration.
> >
> > If you have the IdP metadata file, it should be populated with that (try
> > the metadata option to this program).
> >
> > If you have the certificate and it is self-signed or if you have the
> > certificate of the CA that signed the AA's SSL certificate, try the
> > pem_truststore option to this program.
> >
> > I'm also getting an "Unable to read metadata" error on the
> > gridshib-aa-test.  Is that an indication of incorrect metadata files,
> > poorly formed metadata files, or just something simple like permission errors?
> >
> > Thanks,
> >
> > Kyle
>
>
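An added example, not from this thread and not part of the GridShib or Shibboleth distributions: a small POSIX shell script that pulls the certificates out of a SAML metadata file (the <ds:X509Certificate> elements) into a PEM bundle suitable for the pem_truststore option the tool suggests, and checks that a metadata path given as a file: URL (the form used with -m above) exists and is readable by the user running the tool, which is the first thing to rule out for the "Unable to read metadata" error. The sample metadata and its base64 body are constructed placeholders, not a real certificate; the element names are the standard SAML metadata / XML-DSig ones.

```shell
#!/bin/sh
# Added example (not part of the thread or of GridShib): turn the certificates
# embedded in a SAML metadata file into a PEM bundle, and check that a metadata
# path given as a file: URL is actually readable.  Needs only POSIX sh, awk and fold.

# Pull every <ds:X509Certificate> (or unprefixed <X509Certificate>) body out of
# a metadata file and print each one as a PEM certificate block.
extract_metadata_certs() {
  awk '
    /<(ds:)?X509Certificate>/ { inside = 1; sub(/.*<(ds:)?X509Certificate>/, "") }
    inside {
      line = $0
      if (line ~ /<\/(ds:)?X509Certificate>/) {
        sub(/<\/(ds:)?X509Certificate>.*/, "", line); inside = 0; done = 1
      }
      gsub(/[ \t\r]/, "", line)        # the base64 is usually indented and wrapped
      buf = buf line
      if (done) { print buf; buf = ""; done = 0 }
    }
  ' "$1" | while IFS= read -r b64; do
    [ -n "$b64" ] || continue
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$b64" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
  done
}

# Accept either a plain path or the file: URL form used with -m and report
# whether the file exists and is readable by the current user.
# Returns 0 if readable, 1 if missing, 2 if present but unreadable.
check_metadata_readable() {
  path=$1
  case $path in file:*) path=${path#file:} ;; esac
  [ -e "$path" ] || { echo "metadata missing: $path" >&2; return 1; }
  [ -r "$path" ] || { echo "metadata not readable by $(id -un): $path" >&2; return 2; }
  return 0
}

# Constructed sample metadata.  The base64 body is a placeholder, not a real
# certificate; it only exercises the indentation and line-wrapping handling.
write_sample_metadata() {
  cat > "$1" <<'EOF'
<EntityDescriptor entityID="https://idp.example.org/shibboleth">
  <AttributeAuthorityDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIICzzCCAbegAwIBAgIBATANBgkqhkiG9w0BAQUFADA
            CONSTRUCTEDSAMPLEBASE64NOTAREALCERT==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
EOF
}

# Usage: "sh this-script.sh demo" writes aa-truststore.pem from the sample;
# with real metadata, hand that PEM file to the tool's pem_truststore option.
if [ "${1:-}" = "demo" ]; then
  sample=$(mktemp)
  write_sample_metadata "$sample"
  check_metadata_readable "file:$sample" && extract_metadata_certs "$sample" > aa-truststore.pem
  rm -f "$sample"
fi
```

The awk state machine handles a certificate whose base64 is indented and spread over several lines, which is how most metadata files are laid out; if the same file is what you pass to the metadata option and the tool still reports "No trusted certificate found", compare the extracted certificate against what the AA actually presents on its SSL port, since the metadata may carry a different (signing) certificate than the one on the HTTPS endpoint.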