From: Sander A. <sa....@fz...> - 2022-06-07 05:38:31
Good morning Krzysztof,

today it works fine, as expected. I assume that the IdP was still using the old certificate, although the admin said they had updated it.

Best regards,
Sander

On Fri, 2022-06-03 at 13:45 +0200, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we updated our certificate today and split the web part and the SAML signing part into two different certificates. While the web server part and the SAML part in the direction of SPs are working fine, I got errors while trying to log in with our IdP. I see an "unable to find a decryption key" error in the logs. The IdP admin said he had already fetched the new federation metadata, which contains the new signing certificate. Do you know of other reasons for the problem? Stack trace and config are below.
>
> Cheers,
> Sander
>
> pki.properties:
> unity.pki.credentials.SAML.format=pkcs12
> unity.pki.credentials.SAML.path=/usr/local/unity/pki/b2access.eudat.eu_SAML.p12
> unity.pki.credentials.SAML.keyAlias=saml
> unity.pki.credentials.SAML.password=********
> unity.pki.truststores.SAML.type=directory
> unity.pki.truststores.SAML.allowProxy=DENY
> unity.pki.truststores.SAML.directoryLocations.1=/usr/local/unity/certs/*
> unity.pki.truststores.SAML.crlLocations.1=/etc/grid-security/certificates/*.crl
> unity.pki.truststores.SAML.directoryEncoding=PEM
> unity.pki.truststores.SAML.crlUpdateInterval=400
>
> remoteSamlAuth.properties:
> unity.saml.requester.requesterCredential=SAML
>
>
> 2022-06-03T13:36:27,462 [qtp1691841404-39] ERROR org.apache.xml.security.encryption.XMLCipher: XMLCipher::decryptElement unable to resolve a decryption key
> 2022-06-03T13:36:27,462 [qtp1691841404-39] INFO unity.server.saml.SAMLResponseVerificator: SAML response verification or processing failed
> pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException: The SAML response is either invalid or is issued by an untrusted identity provider.
>         at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:89) ~[unity-server-saml-3.8.1.jar:?]
>         at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.getRemotelyAuthenticatedInput(SAMLResponseVerificator.java:118) ~[unity-server-saml-3.8.1.jar:?]
>         at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.verifySAMLResponse(SAMLResponseVerificator.java:88) ~[unity-server-saml-3.8.1.jar:?]
>         at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.processResponse(SAMLResponseVerificator.java:75) ~[unity-server-saml-3.8.1.jar:?]
>         at pl.edu.icm.unity.saml.sp.SAMLVerificator.processResponse(SAMLVerificator.java:289) ~[unity-server-saml-3.8.1.jar:?]
>         at pl.edu.icm.unity.engine.api.authn.remote.RedirectedAuthnState.processAnswer(RedirectedAuthnState.java:99) ~[unity-server-engine-api-3.8.1.jar:?]
>         at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponseInProductionMode(RemoteAuthnResponseProcessorImpl.java:62) ~[unity-server-engine-3.8.1.jar:?]
>         at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponse(RemoteAuthnResponseProcessorImpl.java:52) ~[unity-server-engine-3.8.1.jar:?]
>         at pl.edu.icm.unity.webui.authn.remote.RemoteRedirectedAuthnResponseProcessingFilter.doFilter(RemoteRedirectedAuthnResponseProcessingFilter.java:78) ~[unity-server-web-common-3.8.1.jar:?]
>         at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:68) ~[unity-server-engine-3.8.1.jar:?]
>         at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:763) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.Server.handle(Server.java:516) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.8.1.jar:?]
>         at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:400) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:645) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:392) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>         at java.lang.Thread.run(Thread.java:829) [?:?]
> Caused by: eu.unicore.samly2.exceptions.SAMLValidationException: XML handling problem during retrieval of response assertions
>         at eu.unicore.samly2.validators.SSOAuthnResponseValidator.validate(SSOAuthnResponseValidator.java:97) ~[samly2-2.7.1.jar:?]
>         at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:86) ~[unity-server-saml-3.8.1.jar:?]
>         ... 49 more
> Caused by: org.apache.xml.security.encryption.XMLEncryptionException: encryption.nokey
>         at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1746) ~[xmlsec-2.2.2.jar:2.2.2]
>         at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1662) ~[xmlsec-2.2.2.jar:2.2.2]
>         at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:946) ~[xmlsec-2.2.2.jar:2.2.2]
>         at eu.unicore.security.enc.EncryptionUtil.decrypt(EncryptionUtil.java:53) ~[samly2-2.7.1.jar:?]
>         at eu.unicore.samly2.assertion.AssertionParser.<init>(AssertionParser.java:74) ~[samly2-2.7.1.jar:?]
>         at eu.unicore.samly2.SAMLUtils.extractAllAssertions(SAMLUtils.java:204) ~[samly2-2.7.1.jar:?]
>         at eu.unicore.samly2.validators.SSOAuthnResponseValidator.validate(SSOAuthnResponseValidator.java:94) ~[samly2-2.7.1.jar:?]
>         at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:86) ~[unity-server-saml-3.8.1.jar:?]
>         ... 49 more
> 2022-06-03T13:36:27,463 [qtp1691841404-39] INFO unity.server.authn.InteractiveAuthneticationProcessorImpl: Authentication failure: AuthenticationProcessorImpl.authnFailed deny
>

-- 
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
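The failure in the thread (xmlsec's `encryption.nokey` / "unable to resolve a decryption key" right after the SP rotated its certificate, with the IdP still holding the old one) can be pinned down offline from two artifacts: the SP metadata the IdP actually consumed, and the SAMLResponse the IdP sent. The script below is an added example written for this discussion; it is not part of Unity, samly2 or the thread. It compares certificates by the SHA-256 of their DER bytes, so it needs no X.509 library, and it answers both questions: does the metadata copy still advertise a stale encryption certificate, and which certificate did the IdP wrap the session key with. The metadata, response and certificate blobs are constructed placeholders, and `sp.example.org` and `sp-enc-key` are made-up names.

```python
"""Offline diagnostic for a SAML "unable to resolve a decryption key" error
after an SP certificate rotation. Certificates are compared by the SHA-256 of
their DER bytes, so no crypto library is needed. Two questions are answered:
  1. Does a copy of the SP metadata (e.g. the IdP's cached one) still
     advertise an encryption certificate the SP no longer holds?
  2. Which certificate did the IdP wrap the session key with in a Response?
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def _cert_fingerprints(element) -> list:
    """Fingerprints of every ds:X509Certificate below `element`; the text is
    the base64 PEM body, possibly line-wrapped, without BEGIN/END lines."""
    fps = []
    for cert in element.iter("{%s}X509Certificate" % NS["ds"]):
        der = base64.b64decode("".join((cert.text or "").split()))
        fps.append(fingerprint(der))
    return fps


def advertised_encryption_keys(metadata_xml: str) -> list:
    """Certificates the SP metadata offers for encryption. A KeyDescriptor
    without a `use` attribute is valid for both purposes and is included;
    use="signing" is skipped."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        if kd.get("use", "encryption") == "encryption":
            fps.extend(_cert_fingerprints(kd))
    return fps


def stale_encryption_keys(metadata_xml: str, current_cert_der: bytes) -> list:
    """Advertised encryption certs that differ from the cert the SP holds now.
    Non-empty means an IdP working from this metadata will encrypt assertions
    to a key the SP can no longer decrypt with."""
    current = fingerprint(current_cert_der)
    return [fp for fp in advertised_encryption_keys(metadata_xml) if fp != current]


def encrypted_to(response_xml: str) -> list:
    """Fingerprints of the certificate(s) named in the KeyInfo of each
    xenc:EncryptedKey of a SAML Response, i.e. the public key the IdP used to
    wrap the session key. Returns [] when the IdP put no X509Certificate there
    (some send only a KeyName, or nothing); then only the metadata check can
    tell which key was meant."""
    root = ET.fromstring(response_xml)
    fps = []
    for ek in root.iter("{%s}EncryptedKey" % NS["xenc"]):
        fps.extend(_cert_fingerprints(ek))
    return fps


# --- Constructed sample data (placeholder blobs, not real certificates) ------
OLD_CERT_DER = b"placeholder DER bytes: SP certificate before the rotation"
NEW_CERT_DER = b"placeholder DER bytes: SP encryption certificate after rotation"
_old_b64 = base64.b64encode(OLD_CERT_DER).decode()
_new_b64 = base64.b64encode(NEW_CERT_DER).decode()

# Metadata as an IdP might still have it cached: the signing KeyDescriptor was
# refreshed, but the encryption KeyDescriptor still carries the old cert.
STALE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_new_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_old_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _response(key_info_inner: str) -> str:
    """Minimal Response with an EncryptedAssertion; CipherValues are dummies
    because only the EncryptedKey's KeyInfo is inspected."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion><xenc:EncryptedData Type="{NS['xenc']}Element">
    <ds:KeyInfo><xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{NS['xenc']}rsa-oaep-mgf1p"/>
      <ds:KeyInfo>{key_info_inner}</ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""


# The IdP in the thread: session key wrapped with the old (pre-rotation) cert.
IDP_RESPONSE = _response(
    f"<ds:X509Data><ds:X509Certificate>{_old_b64}</ds:X509Certificate></ds:X509Data>")
# An IdP that only names the key: nothing to compare, fall back to metadata.
IDP_RESPONSE_KEYNAME_ONLY = _response("<ds:KeyName>sp-enc-key</ds:KeyName>")

if __name__ == "__main__":
    print("stale encryption certs in cached metadata:",
          stale_encryption_keys(STALE_SP_METADATA, NEW_CERT_DER))
    print("IdP encrypted to:", encrypted_to(IDP_RESPONSE) or "unknown (no cert in KeyInfo)")
```

In practice you would feed `stale_encryption_keys` the metadata as the IdP serves or caches it (not your own freshly generated file) together with the DER of the certificate in the PKCS#12 named by `unity.pki.credentials.SAML.path`, and `encrypted_to` the raw Response captured from the browser (base64-decoded SAMLResponse form field). If the fingerprint reported by `encrypted_to` is the old one, the IdP has not picked up the new encryption certificate regardless of what its operator believes; if it reports nothing, the metadata comparison is the only evidence you will get.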