From: Sander A. <sa....@fz...> - 2022-06-03 11:45:40
Hi Krzysztof,

we updated our certificate today and split the web part and the SAML signing
part into two different certificates. While the web server part and the
SAML part in the direction of the SPs are working fine, I got errors while
trying to log in with our IdP. I see an "unable to find a decryption key"
error in the logs. The IdP admin said he already fetched the new
federation metadata, which contains the new signing certificate. Do you
know any other reasons for the problem? Stack trace and config are
below.

Cheers,
Sander

pki.properties:
unity.pki.credentials.SAML.format=pkcs12
unity.pki.credentials.SAML.path=/usr/local/unity/pki/b2access.eudat.eu_SAML.p12
unity.pki.credentials.SAML.keyAlias=saml
unity.pki.credentials.SAML.password=********
unity.pki.truststores.SAML.type=directory
unity.pki.truststores.SAML.allowProxy=DENY
unity.pki.truststores.SAML.directoryLocations.1=/usr/local/unity/certs/*
unity.pki.truststores.SAML.crlLocations.1=/etc/grid-security/certificates/*.crl
unity.pki.truststores.SAML.directoryEncoding=PEM
unity.pki.truststores.SAML.crlUpdateInterval=400

remoteSamlAuth.properties:
unity.saml.requester.requesterCredential=SAML

2022-06-03T13:36:27,462 [qtp1691841404-39] ERROR org.apache.xml.security.encryption.XMLCipher: XMLCipher::decryptElement unable to resolve a decryption key
2022-06-03T13:36:27,462 [qtp1691841404-39] INFO unity.server.saml.SAMLResponseVerificator: SAML response verification or processing failed
pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException: The SAML response is either invalid or is issued by an untrusted identity provider.
at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:89) ~[unity-server-saml-3.8.1.jar:?]
at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.getRemotelyAuthenticatedInput(SAMLResponseVerificator.java:118) ~[unity-server-saml-3.8.1.jar:?]
at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.verifySAMLResponse(SAMLResponseVerificator.java:88) ~[unity-server-saml-3.8.1.jar:?]
at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.processResponse(SAMLResponseVerificator.java:75) ~[unity-server-saml-3.8.1.jar:?]
at pl.edu.icm.unity.saml.sp.SAMLVerificator.processResponse(SAMLVerificator.java:289) ~[unity-server-saml-3.8.1.jar:?]
at pl.edu.icm.unity.engine.api.authn.remote.RedirectedAuthnState.processAnswer(RedirectedAuthnState.java:99) ~[unity-server-engine-api-3.8.1.jar:?]
at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponseInProductionMode(RemoteAuthnResponseProcessorImpl.java:62) ~[unity-server-engine-3.8.1.jar:?]
at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponse(RemoteAuthnResponseProcessorImpl.java:52) ~[unity-server-engine-3.8.1.jar:?]
at pl.edu.icm.unity.webui.authn.remote.RemoteRedirectedAuthnResponseProcessingFilter.doFilter(RemoteRedirectedAuthnResponseProcessingFilter.java:78) ~[unity-server-web-common-3.8.1.jar:?]
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:68) ~[unity-server-engine-3.8.1.jar:?]
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:763) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.Server.handle(Server.java:516) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.8.1.jar:?]
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:400) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:645) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:392) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: eu.unicore.samly2.exceptions.SAMLValidationException: XML handling problem during retrieval of response assertions
at eu.unicore.samly2.validators.SSOAuthnResponseValidator.validate(SSOAuthnResponseValidator.java:97) ~[samly2-2.7.1.jar:?]
at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:86) ~[unity-server-saml-3.8.1.jar:?]
... 49 more
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: encryption.nokey
at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1746) ~[xmlsec-2.2.2.jar:2.2.2]
at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1662) ~[xmlsec-2.2.2.jar:2.2.2]
at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:946) ~[xmlsec-2.2.2.jar:2.2.2]
at eu.unicore.security.enc.EncryptionUtil.decrypt(EncryptionUtil.java:53) ~[samly2-2.7.1.jar:?]
at eu.unicore.samly2.assertion.AssertionParser.<init>(AssertionParser.java:74) ~[samly2-2.7.1.jar:?]
at eu.unicore.samly2.SAMLUtils.extractAllAssertions(SAMLUtils.java:204) ~[samly2-2.7.1.jar:?]
at eu.unicore.samly2.validators.SSOAuthnResponseValidator.validate(SSOAuthnResponseValidator.java:94) ~[samly2-2.7.1.jar:?]
at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:86) ~[unity-server-saml-3.8.1.jar:?]
... 49 more
2022-06-03T13:36:27,463 [qtp1691841404-39] INFO unity.server.authn.InteractiveAuthneticationProcessorImpl: Authentication failure: AuthenticationProcessorImpl.authnFailed deny
--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, no. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht,
Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
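A diagnostic added here as an example; it is not part of the mail above nor code from Unity, samly2 or xmlsec. After a certificate rollover, xmlsec reports encryption.nokey ("unable to resolve a decryption key") when the IdP encrypted the assertion's session key to a certificate whose private key the SP no longer has, typically because the IdP is still working from cached SP metadata or because the SP metadata does not advertise the new certificate for encryption. The script below compares three fingerprints an SP operator can obtain without touching the private key: the encryption KeyDescriptor in the SP metadata, the recipient certificate the IdP names in the EncryptedKey's KeyInfo (when the IdP includes one), and a PEM export of the configured credential's certificate (for example the output of openssl pkcs12 -nokeys). The metadata, the response, the certificate bytes and the entity ID are constructed samples, and the finding codes are my own naming, not Unity's.

```python
"""Added example: check which certificate an IdP encrypted a SAML assertion to,
against the certificate the SP advertises and the credential it has configured.
Not code from the original mail, Unity, samly2 or xmlsec. All XML and
certificate bytes below are constructed samples (the DER stand-ins are not
real certificates; fingerprinting does not parse them)."""
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-ins for the DER bytes of the old combined cert and the new SAML-only cert.
OLD_CERT_B64 = base64.b64encode(b"constructed DER of the OLD combined web+SAML cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed DER of the NEW dedicated SAML cert").decode()


def fingerprint_b64(b64_cert: str) -> str:
    """SHA-256 hex fingerprint of a base64 DER certificate; tolerates XML whitespace."""
    return hashlib.sha256(base64.b64decode(re.sub(r"\s+", "", b64_cert))).hexdigest()


def fingerprint_pem(pem: str) -> str:
    """Fingerprint of the first CERTIFICATE block in PEM text (e.g. an openssl pkcs12 export)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return fingerprint_b64(m.group(1))


def sp_key_fingerprints(metadata_xml: str) -> dict:
    """Map each SP KeyDescriptor 'use' ('signing', 'encryption', or 'both' when absent) to its fingerprint."""
    root = ET.fromstring(metadata_xml)
    out = {}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            out[kd.get("use", "both")] = fingerprint_b64(cert.text)
    return out


def idp_recipient_fingerprint(response_xml: str):
    """Fingerprint of the recipient cert named in the EncryptedKey's KeyInfo, or None if the IdP omits it."""
    root = ET.fromstring(response_xml)
    enc_assertion = root.find(".//saml:EncryptedAssertion", NS)
    enc_key = enc_assertion.find(".//xenc:EncryptedKey", NS) if enc_assertion is not None else None
    if enc_key is None:
        return None
    cert = enc_key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return fingerprint_b64(cert.text) if cert is not None and cert.text else None


def diagnose(metadata_xml: str, response_xml: str, credential_pem: str = None) -> list:
    """Return finding codes (my own naming) explaining why the SP cannot find a decryption key."""
    findings = []
    keys = sp_key_fingerprints(metadata_xml)
    advertised = keys.get("encryption") or keys.get("both")
    if advertised is None:
        return ["SP_METADATA_HAS_NO_ENCRYPTION_CERT"]  # IdPs will keep using whatever they cached
    if credential_pem is not None and fingerprint_pem(credential_pem) != advertised:
        findings.append("CREDENTIAL_DOES_NOT_MATCH_METADATA")  # wrong file/alias behind the credential
    used = idp_recipient_fingerprint(response_xml)
    if used is None:
        findings.append("IDP_NAMED_NO_RECIPIENT_CERT")  # cannot tell from the response alone
    elif used != advertised:
        findings.append("IDP_ENCRYPTED_TO_STALE_CERT")  # IdP still on old SP metadata
    return findings or ["CERTS_CONSISTENT_CHECK_KEYSTORE_ALIAS_AND_PASSWORD"]


def _key_descriptor(use: str, cert_b64: str) -> str:
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')


# Constructed SP metadata: the new SAML cert is advertised for both signing and encryption.
SAMPLE_SP_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="https://sp.example.org/saml">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key_descriptor("signing", NEW_CERT_B64) + _key_descriptor("encryption", NEW_CERT_B64)
    + '</md:SPSSODescriptor></md:EntityDescriptor>')

# Constructed IdP response whose EncryptedKey still names the OLD certificate (stale metadata at the IdP).
SAMPLE_RESPONSE_STALE = (
    f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="{NS["saml"]}" '
    f'xmlns:xenc="{NS["xenc"]}" xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0">'
    '<saml:EncryptedAssertion><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/><ds:KeyInfo>'
    '<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>'
    f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
    '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>'
    '</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>')
SAMPLE_RESPONSE_CURRENT = SAMPLE_RESPONSE_STALE.replace(OLD_CERT_B64, NEW_CERT_B64)

# Constructed PEM export of the configured credential's certificate (the NEW cert).
SAMPLE_CREDENTIAL_PEM = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(NEW_CERT_B64, 64))
                         + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(diagnose(SAMPLE_SP_METADATA, SAMPLE_RESPONSE_STALE, SAMPLE_CREDENTIAL_PEM))
    print(diagnose(SAMPLE_SP_METADATA, SAMPLE_RESPONSE_CURRENT, SAMPLE_CREDENTIAL_PEM))
```

On real input, feed the metadata the IdP actually loaded (fetch it from the IdP side or from the federation aggregate, not from the SP itself) and the raw Response captured from the browser's POST; if the IdP names the old certificate, the fix is on the metadata refresh at the IdP or federation, and if the certificates already agree, the remaining suspects are the credential's path, keyAlias and password.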