[gridshib-user] Re: Derby connection problems

Tom Scavo trscavo at gmail.com
Thu Feb 8 15:20:23 CST 2007


Thanks for creating this bug report, Kyle:

http://bugzilla.globus.org/globus/show_bug.cgi?id=5002

Tom

On 2/2/07, Tom Scavo <trscavo at gmail.com> wrote:
> Hi Kyle,
>
> Thanks for reporting this bug with Shib IdP Tester v0.5.1.  Would you
> mind creating a bugzilla for this?
>
> Thanks much,
>
> Tom
>
> PS. For others following this thread, the problem lies with this line of code:
>
> KeyStore ks = KeyStore.getInstance("JKS", "SUN");
>
> Kyle is using JDK 1.4.2 from Sun, so you wouldn't think the second
> argument "SUN" would cause problems, but evidently it does since this
> line of code seems to work:
>
> keyStore = KeyStore.getInstance("JKS");
>
> I predict that someday, somebody will find an incompatibility with the
> previous line of code as well, so we'll try the following fix:
>
> keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
>
> Hopefully that does the trick.
>
>
> On 1/30/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> > Hey Tom,
> >
> > Sorry to take so long to get back to you, but there's still something else
> > going wrong with this thing.  Any form of a servlet.jar that I point
> > SERVLET_JAR at gives me an error like this:
> >
> > Ephemeral certstore: shib_server.jks
> > Ephemeral certstore pass: globus
> > Failed to create Java key store: no such provider: SUN
> > Error: no such provider: SUN
> >
> >
> > --------------- STACKTRACE ---------------
> > java.security.NoSuchProviderException: no such provider: SUN
> >      at java.security.Security.getAlgClassName(Security.java:643)
> >      at java.security.Security.getImpl(Security.java:1118)
> >      at java.security.KeyStore.getInstance(KeyStore.java:230)
> >      at org.globus.gridshib.idptest.CertUtils.createCertStore(CertUtils.java:158)
> >      at org.globus.gridshib.idptest.BaseClient.initEphemeralTrustJKS(BaseClient.java:681)
> >      at org.globus.gridshib.idptest.BaseClient.setCerts(BaseClient.java:507)
> >      at org.globus.gridshib.idptest.BaseClient.parse(BaseClient.java:415)
> >      at org.globus.gridshib.idptest.ShibTestClient.main(ShibTestClient.java:68)
> > ------------------------------------------
> >
> > Is this indicative of a wrong version of the servlet-api.jar, or is there
> > still something worse going on here?  Are we still talking Derby problems
> > here or is there some other thing broken for me?
> >
> > Thanks,
> > Kyle
> >
> >
> > -----Original Message-----
> > From: owner-gridshib-user at globus.org [mailto:owner-gridshib-user at globus.org]
> > On Behalf Of Tom Scavo
> > Sent: Friday, January 26, 2007 4:32 PM
> > To: Kyle Peacock
> > Cc: GridShib Users
> > Subject: Re: [gridshib-user] Re: Derby connection problems
> >
> > So it looks like you have tomcat 5.5.17, right?  Yes, if there's no
> > servlet-api.jar in there, that's a problem.  I guess we need to
> > somehow remove the dependency on servlet*.jar.  Can you create a
> > bugzilla for this, please?
> >
> > In the meantime, here's a workaround.  Locate $IDP_HOME/bin/java and
> > modify the line
> >
> > SERVLET_JAR=$CATALINA_HOME/common/lib/servlet-api.jar
> >
> > to correspond to your environment.  If you could include the details
> > of your workaround in bugzilla, that would help a lot.
> >
> > Thanks, Kyle.
> >
> > Tom
> >
> > On 1/26/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> > > There's a plain old servlet.jar in that directory, but nothing named
> > > servlet-api.jar.
> > >
> > > Here's the pertinent entry from the directory listing:
> > > lrwxrwxrwx  1 root root 27 Jan 25 15:33 [servlet].jar -> /usr/share/java/servlet.jar
> > >
> > > Which just points to the same tomcat5-servlet-2.4-api-5.5.17.jar file I
> > > mentioned previously.  Is there a chance that this version is incompatible
> > > with GridShib?
> > >
> > > Kyle
> > >
> > > -----Original Message-----
> > > From: owner-gridshib-user at globus.org [mailto:owner-gridshib-user at globus.org]
> > > On Behalf Of Tom Scavo
> > > Sent: Friday, January 26, 2007 4:06 PM
> > > To: Kyle Peacock
> > > Cc: GridShib Users
> > > Subject: Re: [gridshib-user] Re: Derby connection problems
> > >
> > > There's no JAR file with the root "servlet" in that directory?  What
> > > version of tomcat are you using?  Is there a servlet JAR to be found
> > > anywhere in the tomcat directory?
> > >
> > > Tom
> > >
> > > On 1/26/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> > > > No, I can't.  That's not good.  What do I need to do?
> > > >
> > > > Kyle
> > > >
> > > > -----Original Message-----
> > > > From: owner-gridshib-user at globus.org [mailto:owner-gridshib-user at globus.org]
> > > > On Behalf Of Tom Scavo
> > > > Sent: Friday, January 26, 2007 3:51 PM
> > > > To: Kyle Peacock
> > > > Cc: GridShib Users
> > > > Subject: Re: [gridshib-user] Re: Derby connection problems
> > > >
> > > > Kyle, can you locate $CATALINA_HOME/common/lib/servlet-api.jar ?
> > > >
> > > > Tom
> > > >
> > > > On 1/26/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> > > > > Tom,
> > > > > That's the document I've been going by for the test-idp stuff.  I'm fairly
> > > > > sure I have CATALINA_HOME set correctly.  It's pointed to /usr/share/tomcat5
> > > > > for me, which appears to be the right place.
> > > > >
> > > > > Kyle
> > > > >
> > > > > -----Original Message-----
> > > > > From: owner-gridshib-user at globus.org [mailto:owner-gridshib-user at globus.org]
> > > > > On Behalf Of Tom Scavo
> > > > > Sent: Friday, January 26, 2007 3:13 PM
> > > > > To: Kyle Peacock
> > > > > Cc: GridShib Users
> > > > > Subject: Re: [gridshib-user] Re: Derby connection problems
> > > > >
> > > > > Kyle, did you set CATALINA_HOME properly?
> > > > >
> > > > > http://gridshib.globus.org/docs/test-idp-0.5.1/install.html
> > > > >
> > > > > Hope this helps,
> > > > > Tom
> > > > >
> > > > > On 1/26/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> > > > > > I can't find a copy of servlet.jar on my system that looks corrupt.  The one
> > > > > > I have eventually links down to tomcat5-servlet-2.4-api-5.5.17.jar, if that
> > > > > > helps.
> > > > > >
> > > > > > Thanks,
> > > > > > Kyle
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: owner-gridshib-user at globus.org [mailto:owner-gridshib-user at globus.org]
> > > > > > On Behalf Of Tom Scavo
> > > > > > Sent: Friday, January 26, 2007 11:16 AM
> > > > > > To: Kyle Peacock
> > > > > > Cc: gridshib-user at globus.org
> > > > > > Subject: [gridshib-user] Re: Derby connection problems
> > > > > >
> > > > > > Kyle, now you really have me worried :-) please check to see if
> > > > > > servlet.jar is corrupt (like derby.jar).
> > > > > >
> > > > > > Thanks,
> > > > > > Tom
> > > > > >
> > > > > > On 1/26/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> > > > > > > Tom,
> > > > > > > I think I've basically just about left every step out in the book.  Anyway
> > > > > > > though, I'm getting Java exceptions for shib-aa-test too.
> > > > > > >
> > > > > > > [root at shibboleth etc]# /usr/local/shibboleth-idp/bin/shib-aa-test -d -j /usr/local/shibboleth-idp/etc/test-idp/sp-example.jks -k exampleorg -l exampleorg -m file:///usr/local/shibboleth-idp/etc/example-metadata.xml
> > > > > > >
> > > > > > > ** Using metadata for server certificates to trust
> > > > > > > Metadata path: file:///usr/local/shibboleth-idp/etc/example-metadata.xml
> > > > > > > log4j:WARN No appenders could be found for logger (edu.internet2.middleware.shibboleth.xml.Parser).
> > > > > > > log4j:WARN Please initialize the log4j system properly.
> > > > > > > Ephemeral certstore: shib_server.jks
> > > > > > > Ephemeral certstore pass: globus
> > > > > > > Added 'cert-0' to shib_server.jks: CN=idp.example.org, O=Internet2, C=US
> > > > > > > Added 'cert-1' to shib_server.jks: CN=wayf.internet2.edu, O=Internet2, C=US
> > > > > > > Java keystore file (shib_server.jks) successfully created.
> > > > > > > This program will remove ephemeral JKS file: /usr/local/shibboleth-idp/etc/shib_server.jks
> > > > > > >
> > > > > > >
> > > > > > > ** Using existing JKS for certificate to present to server for SSL connection
> > > > > > > JKS path: /usr/local/shibboleth-idp/etc/test-idp/sp-example.jks
> > > > > > > JKS pass: exampleorg
> > > > > > > JKS keypass: exampleorg
> > > > > > > PEM paths set to null.
> > > > > > > Remove-JKS flag set to false
> > > > > > >
> > > > > > > ** Sending query
> > > > > > > Exception in thread "main" java.lang.NoClassDefFoundError: javax/servlet/ServletInputStream
> > > > > > >         at java.lang.Class.forName0(Native Method)
> > > > > > >         at java.lang.Class.forName(Class.java:141)
> > > > > > >         at org.opensaml.SAMLBindingFactory.getInstance(Unknown Source)
> > > > > > >         at org.opensaml.SAMLBindingFactory.getInstance(Unknown Source)
> > > > > > >         at org.globus.gridshib.idptest.AttributeQuery.runSAML(AttributeQuery.java:167)
> > > > > > >         at org.globus.gridshib.idptest.AttributeQuery.run(AttributeQuery.java:161)
> > > > > > >         at org.globus.gridshib.idptest.ShibClient.shibQuery(ShibClient.java:83)
> > > > > > >         at org.globus.gridshib.idptest.ShibTestClient.main(ShibTestClient.java:107)
> > > > > > >
> > > > > > > Any thoughts?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Kyle
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Tom Scavo [mailto:trscavo at gmail.com]
> > > > > > > Sent: Thursday, January 25, 2007 4:23 PM
> > > > > > > To: Kyle Peacock
> > > > > > > Cc: GridShib Users
> > > > > > > Subject: Re: Derby connection problems
> > > > > > >
> > > > > > > On 1/25/07, Kyle Peacock <kpeacoc at clemson.edu> wrote:
> > > > > > > > Alright, now we're getting somewhere.  I deleted derby.jar and reinstalled
> > > > > > > > and got the full jar this time.  CertificateRegistry is working now.
> > > > > > >
> > > > > > > Okay, great, but I'm surprised that $SHIB_DIST$/custom/lib/derby.jar
> > > > > > > was corrupt.  I didn't know the problem went that deep, I thought it
> > > > > > > was tied to Shibboleth 1.3.1.
> > > > > > >
> > > > > > > For the record, your previous problem is (somewhat) solved and we're
> > > > > > > moving on to something else...
> > > > > > >
> > > > > > > > Still failing on the gridshib-aa-test.
> > > > > > >
> > > > > > > Did you successfully test the IdP with shib-aa-test before installing
> > > > > > > GridShib for Shibboleth?
> > > > > > >
> > > > > > > > Here's the output:
> > > > > > > >
> > > > > > > > [root at shibboleth etc]# /usr/local/shibboleth-idp/bin/gridshib-aa-test -d -j $IDP_HOME/etc/$EXT_NAME/sp-example.jks -k exampleorg -l exampleorg -m file://$IDP_HOME/etc/$EXT_NAME/gridshib-idp-metadata.xml
> > > > > > > >
> > > > > > > > ** Using metadata for server certificates to trust
> > > > > > > > Metadata path: file:///usr/local/shibboleth-idp/etc/gridshib-idp/gridshib-idp-metadata.xml
> > > > > > > > log4j:WARN No appenders could be found for logger (edu.internet2.middleware.shibboleth.xml.Parser).
> > > > > > > > log4j:WARN Please initialize the log4j system properly.
> > > > > > > > Error: Unable to read metadata: + e
> > > > > > >
> > > > > > > Did you create gridshib-idp-metadata.xml according to the docs?
> > > > > > >
> > > > > > > > --------------- STACKTRACE ---------------
> > > > > > > > edu.internet2.middleware.shibboleth.metadata.MetadataException: Unable to read metadata: + e
> > > > > > > >         at edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata.<init>(XMLMetadata.java:94)
> > > > > > > >         at org.globus.gridshib.idptest.CertUtils.findAAcerts(CertUtils.java:64)
> > > > > > > >         at org.globus.gridshib.idptest.BaseClient.setCerts(BaseClient.java:497)
> > > > > > > >         at org.globus.gridshib.idptest.BaseClient.parse(BaseClient.java:415)
> > > > > > > >         at org.globus.gridshib.idptest.GridShibClient.main(GridShibClient.java:70)
> > > > > > > > ------------------------------------------
> > > > > > >
> > > > > > > Did you insert the IdP's SSL cert into the metadata?  Is that cert
> > > > > > > self-signed?
> > > > > > >
> > > > > > > > I can tell we're getting a lot closer here, but I'm not really sure to make
> > > > > > > > of the "+ e".
> > > > > > >
> > > > > > > This is a bug in Shibboleth IdP 1.3c (misplaced double quote).  It may
> > > > > > > be fixed in Shibboleth IdP 1.3.1, I don't know.
> > > > > > >
> > > > > > > Tom
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
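
The provider problem discussed in the PS of this thread, as an added example that is not part of the original messages or of the GridShib code: it lists which installed providers offer a given keystore type and reports a missing pinned provider before falling back to the JCA's own choice. The class name, the "NOT-INSTALLED" provider name and the password are constructed for illustration, and the code assumes a current JDK rather than the JDK 1.4.2 used in the thread.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class KeyStoreProviderCheck {

    // Installed providers that advertise a KeyStore implementation of this type.
    static List<String> providersFor(String type) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyStore", type) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    // Try the pinned provider first; if the runtime does not register it,
    // report that and let the JCA pick a provider for the same type.
    static KeyStore open(String type, String pinnedProvider) throws Exception {
        try {
            return KeyStore.getInstance(type, pinnedProvider);
        } catch (NoSuchProviderException e) {
            System.err.println("provider " + pinnedProvider + " not registered; "
                    + type + " is offered by " + providersFor(type));
            return KeyStore.getInstance(type);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();   // constructed sample password
        String type = KeyStore.getDefaultType();  // read from the keystore.type security property
        System.out.println("default type: " + type + ", providers: " + providersFor(type));

        // "NOT-INSTALLED" is a made-up provider name used to trigger the fallback path.
        KeyStore ks = open(type, "NOT-INSTALLED");
        ks.load(null, pass);                      // initialise an empty store
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pass);

        // Reload with the same type to confirm the round trip works.
        KeyStore again = KeyStore.getInstance(type);
        again.load(new ByteArrayInputStream(out.toByteArray()), pass);
        System.out.println("reloaded via " + again.getProvider().getName()
                + ", entries: " + again.size());
    }
}
```

The value returned by `KeyStore.getDefaultType()` depends on the JDK's security configuration, so code that must read an existing JKS file should still name that type explicitly.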



