<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">That’s very strange, then. It still looks like it’s a configuration problem with Glassfish’s SSL client setup that isn’t specific to the MITREid Connect code. The MITREid client shouldn’t be touching the SSL stores unless you’re pointing it at an HTTPS URL. I would try to dig more into Glassfish configuration to see if that’s really the issue.<div class=""><br class=""></div><div class="">The warning you got about non-HTTPS is just that — a warning, and it doesn’t cause an error unless you lock it down for a full production deployment.&nbsp;</div><div class=""><br class=""></div><div class="">&nbsp;— Justin Richer</div><div class="">&nbsp; &nbsp; &nbsp;<a href="http://bspk.io/" class="">http://bspk.io/</a></div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 16, 2015, at 12:23 PM, Lachezar Dobrev &lt;<a href="mailto:l.dobrev@paladin.bulgarpress.com" class="">l.dobrev@paladin.bulgarpress.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""> &nbsp;No, not HTTPS, I'm trying the following:<br class=""> &nbsp;* <a href="mailto:user@mitreid.org" class="">user@mitreid.org</a><br class=""> &nbsp;* <a href="http://localhost:8080/openid-connect-server-webapp/" class="">http://localhost:8080/openid-connect-server-webapp/</a><br class=""> &nbsp;* <a href="http://localhost:8080/my-openid-connect-provider/" class="">http://localhost:8080/my-openid-connect-provider/</a><br class=""><br class=""> &nbsp;I also tried:<br class=""> &nbsp;* <a href="https://demo.c2id.com/c2id" class="">https://demo.c2id.com/c2id</a><br class=""><br class=""> &nbsp;Same error.<br class=""><br class=""> &nbsp;This is my local development environment, not production.<br class=""><br class=""> &nbsp;For the http URLs I 
get a warning in the logs about https being<br class="">required (apologies, I did not save that message), but it seems to<br class="">continue forward and get the same result. Which is why I'm doubly puzzled.<br class=""><br class="">On 16.02.2015 at 19:07, Justin Richer wrote:<br class=""><blockquote type="cite" class="">From the error logs below, it looks like you’re pointing to an HTTPS server<br class="">URL that your client isn’t able to read. This appears to be happening from<br class="">the Webfinger Issuer Service trying to do its lookup, which is what’s causing<br class="">the “No issuer found” message. What URL are you entering in to the client<br class="">application?<br class=""><br class="">If it’s a real deployment, you’ll need to have your server set up with a<br class="">valid certificate that the client will trust. Without that, you’ll get SSL<br class="">errors like the below as the client tries to connect. Note that simply<br class="">having the cert trusted in your browser isn’t enough, as the client makes<br class="">its own HTTPS connections directly to the server as well. It looks like<br class="">you’re configuring the keystore/truststore below but you’ve got the wrong<br class="">password or the file is corrupted. Can you open up the truststore with<br class="">‘keytool’ on the command line? Do the parameters there match what you’re<br class="">passing to Glassfish’s configuration? (Apologies, I’m not immediately<br class="">familiar with Glassfish enough to know how it’s put together).<br class=""><br class="">If it’s a test deployment or a development setup, we recommend deploying<br class="">on plain HTTP and using HTTPS for production services. 
This side-steps<br class="">the issues around SSL certificates that can be problematic in development.<br class="">You’ll need to solve those for production, of course, but by then you’ll<br class="">probably have a commercial certificate that’s already trusted in the trust<br class="">store.<br class=""><br class=""> — Justin<br class=""><br class=""><br class=""><blockquote type="cite" class="">On Feb 16, 2015, at 11:55 AM, Lachezar Dobrev &lt;<a href="mailto:l.dobrev@paladin.bulgarpress.com" class="">l.dobrev@paladin.bulgarpress.com</a>&gt; wrote:<br class=""><br class=""> Hello all.<br class=""><br class=""> I am (trying to) developing an OpenID-Connect provider.<br class=""><br class=""> To try it I decided to use the MitreID-Connect example simple-web-app<br class="">client. The platform is a Glassfish-4 with OpenJDK 7.<br class=""><br class=""> I fail in using it. No matter what I try I get a:<br class=""><br class=""><blockquote type="cite" class="">HTTP Status 401 - Authentication Failed: No issuer found.<br class=""></blockquote><br class=""> And the following stack trace:<br class=""><br class=""><blockquote type="cite" class="">2015-02-16T18:53:22.462+0200|INFO: WARN : org.mitre.openid.connect.client.service.impl.WebfingerIssuerService - Issue fetching issuer for user input: <a href="mailto:user@mitreid.org" class="">user@mitreid.org</a><br class="">com.google.common.util.concurrent.UncheckedExecutionException: org.apache.http.conn.ssl.SSLInitializationException: Failure initializing default system SSL context<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2258)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at com.google.common.cache.LocalCache.get(LocalCache.java:3990)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3994)<br 
class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4878)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.mitre.openid.connect.client.service.impl.WebfingerIssuerService.getIssuer(WebfingerIssuerService.java:89)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.mitre.openid.connect.client.service.impl.HybridIssuerService.getIssuer(HybridIssuerService.java:48)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.mitre.openid.connect.client.OIDCAuthenticationFilter.handleAuthorizationRequest(OIDCAuthenticationFilter.java:197)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.mitre.openid.connect.client.OIDCAuthenticationFilter.attemptAuthentication(OIDCAuthenticationFilter.java:176)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)<br class=""><span class="Apple-tab-span" style="white-space:pre">  
      </span>at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)<br class=""><span 
class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at 
org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at java.lang.Thread.run(Thread.java:745)<br class="">Caused by: org.apache.http.conn.ssl.SSLInitializationException: Failure initializing default system SSL context<br class=""><span class="Apple-tab-span" style="white-space:pre">        
</span>at org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:368)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.conn.ssl.SSLSocketFactory.getSystemSocketFactory(SSLSocketFactory.java:204)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.conn.SchemeRegistryFactory.createSystemDefault(SchemeRegistryFactory.java:82)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.client.SystemDefaultHttpClient.createClientConnectionManager(SystemDefaultHttpClient.java:118)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.client.AbstractHttpClient.getConnectionManager(AbstractHttpClient.java:466)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.client.AbstractHttpClient.createHttpContext(AbstractHttpClient.java:286)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:851)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:88)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:46)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:49)<br class=""><span class="Apple-tab-span" 
style="white-space:pre">        </span>at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:488)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:465)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:236)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.mitre.openid.connect.client.service.impl.WebfingerIssuerService$WebfingerIssuerFetcher.load(WebfingerIssuerService.java:207)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.mitre.openid.connect.client.service.impl.WebfingerIssuerService$WebfingerIssuerFetcher.load(WebfingerIssuerService.java:174)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3589)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2374)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2337)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2252)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>... 
46 more<br class="">Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at java.security.KeyStore.load(KeyStore.java:1214)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:281)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:366)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>... 65 more<br class="">Caused by: java.security.UnrecoverableKeyException: Password verification failed<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)<br class=""><span class="Apple-tab-span" style="white-space:pre">        </span>... 69 more<br class="">2015-02-16T18:53:22.462+0200|INFO: ERROR: org.mitre.openid.connect.client.OIDCAuthenticationFilter - Null issuer response returned from service.<br class=""></blockquote></blockquote></blockquote></div></blockquote></div><br class=""></div></body></html>