Unicon / shib-cas-authn

Apache License 2.0

not validating due to trust chain / x509 ? #5

Closed kevinfoote closed 2 years ago

kevinfoote commented 3 years ago

I'm implementing this external flow on v 4.1 of the Shib-IdP.

shib-cas-authn 4.0.0 ShibIdP 4.1.2

Things seem to be working until I get back from the CAS-IdP. The Shib side I think is not validating the ticket to populate the subject context and other attributes if present. When I do a run that exercises this authn module I get errors in the log.


```
2021-09-24 23:44:15,632 - ERROR [org.jasig.cas.client.util.CommonUtils:439] - SSL error getting response from host: cbu-2.test.technolutions.net : Error Message: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
2021-09-24 23:44:15,633 - ERROR [net.unicon.idp.externalauth.ShibcasAuthServlet:111] - Ticket validation failed, returning InvalidTicket
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:440)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
2021-09-24 23:44:15,636 - DEBUG [org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository:106] - Getting flow execution with key 'e1s2'
2021-09-24 23:44:15,639 - DEBUG [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl:58] - Getting FlowDefinition with id 'SAML2/Redirect/SSO'
2021-
```

pspaude commented 3 years ago

You'll need to add the SSL certificate for your CAS server (cbu-2.test.technolutions.net) into your Shibboleth IdP's JVM truststore. The process goes something like this:

  1. Export SSL certificate and chain using something like: `openssl s_client -showcerts -connect cbu-2.test.technolutions.net:443 -servername cbu-2.test.technolutions.net`. Grab the certificate(s) needed in PEM format including the begin and end notation.
  2. If the lowest level cert expires or changes, consider adding the root if you have one. Many self-signed will just have one certificate.
  3. In any case save each one you want to import to a file. The ending doesn't matter, most choose .crt or .pem.
  4. Next import the file(s) into your JVM truststore using the Java keytool command: `keytool -import -alias cas -file cas_cert_file_saved -keystore /path/to/your/jvm/lib/security/cacerts`. Note that the path to your JVM truststore varies depending on OS and Java JDK installation method.
  5. Restart Shibboleth IdP and the problem should be resolved.
kevinfoote commented 3 years ago

@pspaude Thanks I'll try that .. I imported it into the JVM cacerts file originally. I'll update and post back.

kevinfoote commented 3 years ago

hey there @pspaude I'm still seeing that same error after adding the cert into the cacerts file.

```
idphost>:/opt/shibboleth-idp/logs>java -version
openjdk version "11.0.2" 2019-01-15
OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)
idphost>:/opt/shibboleth-idp/logs>keytool -list -alias cbu-2.test -keystore /usr/local/java/current/lib/security/cacerts
Warning: use -cacerts option to access cacerts keystore
Enter keystore password:
cbu-2.test, Sep 28, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): D8:B0:B7:A7:56:6D:D8:46:40:CA:CB:20:2F:4E:96:2E:FE:E7:2D:31:B8:EE:D7:DD:74:94:B1:7A:4D:A5:EC:49
idphost>:/opt/shibboleth-idp/log
```

Error is still the same in the idp logs..

```
2021-09-28 10:01:03,392 - ERROR [org.jasig.cas.client.util.CommonUtils:439] - [172.21.39.44] - SSL error getting response from host: cbu-2.test.technolutions.net : Error Message: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
2021-09-28 10:01:03,395 - ERROR [net.unicon.idp.externalauth.ShibcasAuthServlet:111] - [172.21.39.44] - Ticket validation failed, returning InvalidTicket
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:440)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
2021-09-28 10:01:03,787 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:171] - [172.21.39.44] - Profile Action ValidateExternalAuthentication: External authentication produced error message: InvalidTicket
2021-09-28 10:01:03,789 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - [172.21.39.44] - A non-proceed event occurred while processing the request: AuthenticationException
2021-09-28 10:01:03,799
```

pspaude commented 3 years ago

Unfortunately I can't provide much more help in this medium. This is one of the classic pain points of the CAS SSO protocol and has nothing to do with internal code of the shib-cas-authn plugin or your Shibboleth IdP. In every case with PKIX on CAS protocol ticket validation, it is solved by finding the correct cert (or adding all in the chain in case an intermediate isn't trusted) to the JVM truststore in use. Note the actual JVM truststore used can be different depending on OS and how Java was installed and in many cases may be different than the one your JAVA_HOME points to. If you were a client of Unicon, I could assist you by jumping on a troubleshooting call (we usually solve these in an hour or less). You can contact us here: https://www.unicon.net/contact-us

It can take a while but that is the only solution to fix the error in question. Note that Shibboleth IdP v4.x+ has a Proxy or Delegated Authentication mechanism. So you could use SAML2 SSO protocol to delegate to your Apereo CAS SSO server. This would require enabling that functionality in your Shibboleth IdP as described at https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1282539600/SAMLAuthnConfiguration and enabling SAML2 IdP functionality in CAS SSO server as described here: https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Authentication.html#saml2-authentication.
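The two points made in this thread, that every certificate in the chain the CAS server presents (leaf and intermediates) must be trusted, and that the truststore the IdP's JVM actually consults may not be the one you imported into, can be checked mechanically. The script below is an added example for this thread, not code from shib-cas-authn, Shibboleth or Unicon. It splits the PEM blocks out of `openssl s_client -showcerts` output, computes each certificate's SHA-256 fingerprint in the colon-separated form `keytool -list` prints (the same format as the `Certificate fingerprint (SHA-256):` line in the output posted above), reports which chain certificates have no matching entry in a `keytool -list` dump, and works out the truststore path a JVM will use (honouring `-Djavax.net.ssl.trustStore`, else the JDK 8 `jre/lib/security/cacerts` or the JDK 9+ `lib/security/cacerts` layout). All helper names are the example's own, and the `openssl` and `keytool` transcripts it runs on are constructed samples with placeholder bytes, not real certificates.

```python
"""Checks for the PKIX 'unable to find valid certification path' failure seen
when shib-cas-authn validates a CAS ticket over HTTPS.

Added example for this thread; not part of shib-cas-authn or Shibboleth IdP.
Everything runs offline on constructed input: the `openssl s_client` and
`keytool -list` transcripts below are fabricated samples, not real certificates.
"""
from __future__ import annotations

import base64
import hashlib
import os
import re
import shlex
from dataclasses import dataclass

# One PEM certificate block, including the BEGIN/END lines keytool needs.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


@dataclass
class PemCert:
    pem: str    # re-wrapped PEM block, one per file for keytool -importcert
    der: bytes  # decoded DER bytes; what keytool hashes for its fingerprint line


def split_pem_chain(s_client_output: str) -> list[PemCert]:
    """Pull every certificate out of `openssl s_client -showcerts` output.

    Index 0 is the server (leaf) certificate; later entries are the intermediates
    the server sent. An untrusted intermediate is the usual cause of the PKIX
    error, so callers should look at all of them, not only the leaf.
    """
    certs = []
    for match in PEM_BLOCK.finditer(s_client_output):
        body = re.sub(r"\s+", "", match.group(1))
        der = base64.b64decode(body, validate=True)
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        pem = f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
        certs.append(PemCert(pem=pem, der=der))
    return certs


def keytool_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes as colon-separated upper-case hex, the format of
    keytool's 'Certificate fingerprint (SHA-256):' line."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def fingerprints_in_keytool_list(keytool_list_output: str) -> set[str]:
    """Fingerprints of every entry printed by `keytool -list -keystore ...`."""
    return set(re.findall(r"\(SHA-256\):\s*([0-9A-F:]{95})", keytool_list_output))


def missing_from_truststore(certs: list[PemCert], keytool_list_output: str) -> list[PemCert]:
    """Chain certificates whose fingerprint does not appear in the truststore listing."""
    present = fingerprints_in_keytool_list(keytool_list_output)
    return [c for c in certs if keytool_fingerprint(c.der) not in present]


def effective_truststore(java_home: str, jvm_opts: str = "") -> str:
    """Path the JVM will actually read trust anchors from.

    -Djavax.net.ssl.trustStore wins; otherwise the JDK's own cacerts, which sits
    under jre/lib/security on the JDK 8 layout and lib/security on 9+. Only the
    JDK 8 location is probed on disk, so an unknown java_home yields the 9+ path.
    """
    for token in shlex.split(jvm_opts):
        if token.startswith("-Djavax.net.ssl.trustStore="):
            return token.split("=", 1)[1]
    jdk8 = os.path.join(java_home, "jre", "lib", "security", "cacerts")
    jdk9 = os.path.join(java_home, "lib", "security", "cacerts")
    return jdk8 if os.path.exists(jdk8) else jdk9


def import_commands(certs: list[PemCert], truststore: str, alias_prefix: str = "cas") -> list[str]:
    """keytool invocation per certificate, assuming each was saved as <alias_prefix>-<n>.pem."""
    return [
        f"keytool -importcert -alias {alias_prefix}-{i} "
        f"-file {alias_prefix}-{i}.pem -keystore {shlex.quote(truststore)}"
        for i in range(len(certs))
    ]


def diagnose(s_client_output: str, keytool_list_output: str, java_home: str, jvm_opts: str = ""):
    """Return (truststore path, chain certs still untrusted, commands to import them)."""
    certs = split_pem_chain(s_client_output)
    missing = missing_from_truststore(certs, keytool_list_output)
    store = effective_truststore(java_home, jvm_opts)
    return store, missing, import_commands(missing, store)


def _fake_pem(payload: bytes) -> str:
    # Constructed placeholder: valid base64 so the parser runs, not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(payload).decode()}\n-----END CERTIFICATE-----\n"


LEAF_BYTES = b"constructed leaf for cbu-2.test.technolutions.net, not real DER"
INTERMEDIATE_BYTES = b"constructed intermediate CA, not real DER"

# Constructed `openssl s_client -showcerts` transcript: leaf plus one intermediate.
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = cbu-2.test.technolutions.net\n   i:CN = Constructed Intermediate CA\n"
    + _fake_pem(LEAF_BYTES)
    + " 1 s:CN = Constructed Intermediate CA\n   i:CN = Constructed Root CA\n"
    + _fake_pem(INTERMEDIATE_BYTES)
    + "---\n"
)

# Constructed `keytool -list` output where only the leaf was imported: the alias
# is there, as in the thread, but the chain is still incomplete.
SAMPLE_KEYTOOL_LIST = (
    "Keystore type: PKCS12\nKeystore provider: SUN\n\n"
    "cbu-2.test, Sep 28, 2021, trustedCertEntry,\n"
    f"Certificate fingerprint (SHA-256): {keytool_fingerprint(LEAF_BYTES)}\n"
)

if __name__ == "__main__":
    store, missing, cmds = diagnose(SAMPLE_S_CLIENT_OUTPUT, SAMPLE_KEYTOOL_LIST, "/usr/local/java/current")
    print(f"truststore in use: {store}")
    print(f"{len(missing)} chain certificate(s) not yet trusted")
    for cert, cmd in zip(missing, cmds):
        print(keytool_fingerprint(cert.der))
        print(cmd)
```

In practice you feed `diagnose()` the real transcripts: `openssl s_client -showcerts -connect host:443 -servername host </dev/null` for the chain and `keytool -list -v -keystore <path>` for the store, and pass the `JAVA_HOME` and `JAVA_OPTS` of the account that runs the IdP's servlet container rather than your shell's, since that is where the truststore actually in use is decided. A non-empty `missing` list with the leaf alias already present is exactly the state shown in the thread: the leaf was imported but an intermediate still is not.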

kevinfoote commented 3 years ago

@pspaude Thanks for the assist .. I will continue on the PKI track trying to locate / add the missing intermediate that is breaking the chain.

I may reach out via the Unicon route - we'll see.