[gridshib-user] Re: Still having trouble with the tests
Tom Scavo
trscavo at gmail.com
Wed Feb 7 11:59:07 CST 2007
Hmm, well, the only thing I can think of at the moment is that it's
not finding the metadata file. Could you try this syntax instead?
# /usr/local/shibboleth-idp/bin/shib-aa-test -d \
-m file:///usr/local/shibboleth-idp/etc/InCommon-metadata.xml ...
Can you report what happens when you use a file URL like the above?
Also, I assume incommonshibaa.crt and incommonshibaa.key are for the
client (not the AA). Those are weird names for client credentials.
Thanks,
Tom
On 2/7/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> Here you go:
>
> # /usr/local/shibboleth-idp/bin/shib-aa-test -d \
>     -m /usr/local/shibboleth-idp/etc/InCommon-metadata.xml \
>     -p /usr/local/shibboleth-idp/etc/incommonshibaa.crt \
>     -q /usr/local/shibboleth-idp/etc/incommonshibaa.key \
>     -i urn:mace:incommon:clemson.edu
>
> ** Using metadata for server certificates to trust
> Metadata path: /usr/local/shibboleth-idp/etc/InCommon-metadata.xml
> log4j:WARN No appenders could be found for logger
> (edu.internet2.middleware.shibboleth.xml.Parser).
> log4j:WARN Please initialize the log4j system properly.
> Error: ProviderId not found in metadata: urn:mace:incommon:clemson.edu
>
>
> --------------- STACKTRACE ---------------
> java.lang.Exception: ProviderId not found in metadata:
> urn:mace:incommon:clemson.edu
> at
> org.globus.gridshib.idptest.CertUtils.findAAcerts(CertUtils.java:72)
> at
> org.globus.gridshib.idptest.BaseClient.setCerts(BaseClient.java:497)
> at org.globus.gridshib.idptest.BaseClient.parse(BaseClient.java:415)
> at
> org.globus.gridshib.idptest.ShibTestClient.main(ShibTestClient.java:68)
> ------------------------------------------
>
> Thanks,
> Kyle
>
> -----Original Message-----
> From: owner-gridshib-user at globus.org [mailto:owner-gridshib-user at globus.org]
> On Behalf Of Tom Scavo
> Sent: Wednesday, February 07, 2007 10:40 AM
> To: Kyle Peacock
> Cc: GridShib Users
> Subject: [gridshib-user] Re: Still having trouble with the tests
>
> That is strange. Kyle, can you post the command-line invocation
> you're using and a complete stack trace?
>
> Thanks,
> Tom
>
> On 2/7/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> > Hey Tom,
> >
> > Still kind of confused here.
> >
> > InCommon's entityID for us is urn:mace:incommon:clemson.edu
> > Our idp.xml says our providerId is urn:mace:incommon:clemson.edu
> > I used -i urn:mace:incommon:clemson.edu with shib-aa-test.
> >
> > I'm still getting this though:
> >
> > Metadata path: /usr/local/shibboleth-idp/etc/InCommon-metadata.xml
> > Error: ProviderId not found in metadata: urn:mace:incommon:clemson.edu
> >
> > Are there other places that the id needs to be specified?
> >
> > Thanks,
> > Kyle
> >
> > -----Original Message-----
> > From: Tom Scavo [mailto:trscavo at gmail.com]
> > Sent: Tuesday, February 06, 2007 2:25 PM
> > To: Kyle Peacock
> > Cc: GridShib Users
> > Subject: Re: Still having trouble with the tests
> >
> > I should have mentioned this earlier, sorry, but the Shib IdP Tester
> > assumes your IdP has identifier "https://idp.example.org/shibboleth".
> > It uses this identifier as a key to access metadata. This works fine
> > for the default metadata (example-metadata.xml) but of course there is
> > no such IdP in InCommon metadata.
> >
> > You have to specify the IdP entityID (as it's called) on the command
> > line. The exact syntax is discussed in the Guide:
> >
> > http://gridshib.globus.org/docs/test-idp-0.5.1/guide.html
> >
> > Let me know if there's something in the Guide that doesn't make sense.
> >
> > Cheers,
> > Tom
> >
> > On 2/6/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> > > Hey Tom,
> > > I tried shib-aa-test with my InCommon metadata instead of the example
> > > stuff (and had to use -p and -q instead), but I'm getting some odd error
> > > about idp.example.org
> > >
> > > # /usr/local/shibboleth-idp/bin/shib-aa-test -d \
> > >     -m /usr/local/shibboleth-idp/etc/InCommon-metadata.xml \
> > >     -p /usr/local/shibboleth-idp/etc/incommonshibaa.crt \
> > >     -q /usr/local/shibboleth-idp/etc/incommonshibaa.key
> > >
> > > ** Using metadata for server certificates to trust
> > > Metadata path: /usr/local/shibboleth-idp/etc/InCommon-metadata.xml
> > > log4j:WARN No appenders could be found for logger
> > > (edu.internet2.middleware.shibboleth.xml.Parser).
> > > log4j:WARN Please initialize the log4j system properly.
> > > Error: ProviderId not found in metadata: https://idp.example.org/shibboleth
> > >
> > >
> > > --------------- STACKTRACE ---------------
> > > java.lang.Exception: ProviderId not found in metadata:
> > > https://idp.example.org/shibboleth
> > > at
> > > org.globus.gridshib.idptest.CertUtils.findAAcerts(CertUtils.java:72)
> > > at
> > > org.globus.gridshib.idptest.BaseClient.setCerts(BaseClient.java:497)
> > > at org.globus.gridshib.idptest.BaseClient.parse(BaseClient.java:415)
> > > at
> > > org.globus.gridshib.idptest.ShibTestClient.main(ShibTestClient.java:68)
> > > ------------------------------------------
> > >
> > > Where does the reference to idp.example.org come from? Fairly sure that
> > > I don't reference it anywhere specifically.
> > >
> > > Kyle
> > >
> > > -----Original Message-----
> > > From: Tom Scavo [mailto:trscavo at gmail.com]
> > > Sent: Monday, February 05, 2007 2:12 PM
> > > To: Kyle Peacock
> > > Cc: GridShib Users
> > > Subject: Re: Still having trouble with the tests
> > >
> > > Kyle, I think all you have to do is point shib-aa-test to InCommon
> > > metadata instead of example-metadata.xml.
> > >
> > > Tom
> > >
> > > PS. Have you tested the shib attribute resolver configuration using
> > > resolvertest?
> > > https://spaces.internet2.edu/display/SHIB/AtributeResolutionTest
> > > https://spaces.internet2.edu/display/SHIB/AttributeReleaseTest
> > >
> > > On 2/5/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> > > > Here's the command line and the local variables that have been set:
> > > >
> > > > # export JAVA_HOME=/usr/java/latest
> > > > # export JRE_HOME=/usr/java/latest
> > > > # export IDP_HOME=/usr/local/shibboleth-idp
> > > > # export CATALINA_HOME=/usr/share/tomcat5
> > > > # export EXT_NAME=test-idp
> > > > # ./shib-aa-test -d \
> > > >     -j /usr/local/shibboleth-idp/etc/test-idp/sp-example.jks \
> > > >     -k exampleorg -l exampleorg \
> > > >     -m file:/usr/local/shibboleth-idp/etc/example-metadata.xml
> > > >
> > > > The key specified for the AA in our apache conf is the one for InCommon.
> > > > Is there a specific way I need to point this out to the tester?
> > > >
> > > > Thanks,
> > > > Kyle
> > > >
> > > > -----Original Message-----
> > > > From: Tom Scavo [mailto:trscavo at gmail.com]
> > > > Sent: Friday, February 02, 2007 5:11 PM
> > > > To: Kyle Peacock
> > > > Cc: GridShib Users
> > > > Subject: Re: Still having trouble with the tests
> > > >
> > > > Hi Kyle,
> > > >
> > > > First, it would help if you posted the exact command line you're using
> > > > to invoke the Shib IdP Tester. That will tell me where the tool is
> > > > getting its trust information.
> > > >
> > > > Evidently, the tool cannot locate the key of the AA. This can be done by
> > > > specifying a path to a certificate on the command line. If I recall,
> > > > the certificate can be PEM-encoded, a Java KeyStore, or a SAML
> > > > metadata file. So the basic questions are: What SSL certificate is on
> > > > the server, and how are you making this certificate known to the
> > > > client (in this case, the IdP Tester)?
> > > >
> > > > Cheers,
> > > > Tom
> > > >
> > > > On 2/2/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> > > > >
> > > > > Hey Tom,
> > > > >
> > > > > Changing the KeyStore lines seems to have cleared up the rest of my
> > > > > connection problems. I think all the errors I'm getting now from
> > > > > shib-aa-test are trust errors. I'm a little confused by the language
> > > > > though. Could you elaborate on what this error is saying?
> > > > >
> > > > > ** SAML problem:
> > > > >
> > > > > SAMLSOAPBinding.send() caught an I/O exception (wrapped:
> > > > > sun.security.validator.ValidatorException: No trusted
> > > > > certificate found)
> > > > >
> > > > > ** Solution:
> > > > >
> > > > > This error means that our end of the SSL handshake is not completing
> > > > > because we do not trust the AA's SSL certificate, you need adjust your
> > > > > trust configuration.
> > > > >
> > > > > If you have the IdP metadata file, it should be populated with that (try
> > > > > the metadata option to this program).
> > > > >
> > > > > If you have the certificate and it is self-signed or if you have the
> > > > > certificate of the CA that signed the AA's SSL certificate, try the
> > > > > pem_truststore option to this program.
> > > > >
> > > > > I'm also getting an "Unable to read metadata" error on the
> > > > > gridshib-aa-test. Is that an indication of incorrect metadata files,
> > > > > poorly formed metadata files, or just something simple like permission
> > > > > errors?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Kyle
> > > >
> > > >
> > >
> > >
> >
> >
>
>
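The thread above turns on two things Tom spells out: the IdP Tester uses the IdP's entityID as the key into the metadata file ("ProviderId not found in metadata" is a failed key lookup, not a certificate error), and once the entity is found, the AA's certificate published in that entity's metadata is what the client trusts for the SSL handshake. The script below is an added example written for this page, not GridShib's own code (which is Java); it does the same two steps in Python over a constructed metadata document. Everything in it is assumed or constructed: the entityID `urn:mace:incommon:example.edu`, the "certificate" bytes (random DER stand-ins, not real X.509, so only a fingerprint comparison is done, no chain validation), and the assumption that, like the `-m` option in the thread, a metadata source may be given either as a plain path or as a `file:` URL.

```python
"""Added example (not GridShib code): look an IdP up in SAML 2 metadata by
entityID and check whether a PEM certificate is one of its published AA certs.
All entity IDs, certificate bytes and file names here are constructed."""
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from urllib.request import url2pathname

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificate bytes; they are NOT real X.509 data.
DER_AA = b"constructed-der-bytes-for-the-attribute-authority"
DER_OTHER = b"constructed-der-bytes-for-some-other-host"
B64_AA = base64.b64encode(DER_AA).decode()
B64_OTHER = base64.b64encode(DER_OTHER).decode()
PEM_AA = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % B64_AA
PEM_OTHER = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % B64_OTHER

# Constructed metadata: the tester's default entity plus a federation-style one.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://idp.example.org/shibboleth">
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    </AttributeAuthorityDescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="urn:mace:incommon:example.edu">
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        %s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    </AttributeAuthorityDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
""" % (B64_OTHER, B64_AA)


def metadata_path(source):
    """Accept a plain path or a file: URL (assumed to mirror the tester's -m option)."""
    parts = urlparse(source)
    if parts.scheme == "file":
        return url2pathname(parts.path)
    if parts.scheme:
        raise ValueError("only local paths and file: URLs are handled here: %s" % source)
    return source


def entity_ids(root):
    return [e.get("entityID") for e in root.iter("{%s}EntityDescriptor" % NS["md"])]


def find_entity(root, entity_id):
    """Key lookup by entityID; a miss is reported the way the tester reports it."""
    for e in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if e.get("entityID") == entity_id:
            return e
    raise LookupError("ProviderId not found in metadata: %s (entities present: %s)"
                      % (entity_id, ", ".join(entity_ids(root))))


def aa_certificates(entity):
    """Return (use, DER bytes) for every certificate under the AttributeAuthorityDescriptor."""
    aa = entity.find("md:AttributeAuthorityDescriptor", NS)
    if aa is None:
        raise LookupError("%s publishes no AttributeAuthorityDescriptor" % entity.get("entityID"))
    certs = []
    for kd in aa.findall("md:KeyDescriptor", NS):
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))  # drop PEM-style line breaks
            certs.append((kd.get("use", "signing+encryption"), der))
    return certs


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def aa_cert_matches(metadata_xml, entity_id, pem_cert):
    """True if pem_cert is one of the AA certificates metadata publishes for entity_id.

    Only a fingerprint comparison: no X.509 parsing or chain validation is done."""
    root = ET.fromstring(metadata_xml)
    entity = find_entity(root, entity_id)
    wanted = fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))
    return any(fingerprint(der) == wanted for _, der in aa_certificates(entity))


if __name__ == "__main__":
    print(metadata_path("file:///usr/local/shibboleth-idp/etc/InCommon-metadata.xml"))
    print(aa_cert_matches(SAMPLE_METADATA, "urn:mace:incommon:example.edu", PEM_AA))
    try:
        aa_cert_matches(SAMPLE_METADATA, "urn:mace:incommon:missing.edu", PEM_AA)
    except LookupError as err:
        print(err)
```

Run against real federation metadata, the `LookupError` message lists the entityIDs actually present, which is the quickest way to see whether the ID passed with `-i` has a typo or the metadata file is simply not the one you think it is; a match on `aa_cert_matches` tells you the certificate on the server side is the one the federation publishes, which is the precondition for the metadata-based trust the tool's error text describes.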