
SAML integration AEM 6.2


Dear Team,

We are trying to integrate SAML in AEM 6.2 but are running into the problem that the private key can't be retrieved from the KeyStore.

This is the log output:

18.08.2017 12:10:07.935 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.JcrInstaller Registering resource with OSGi installer: [InstallableResource, priority=200, id=/apps/system/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler-e6c48573-2b44-4e65-8e8b-21ea1490b701.config]

18.08.2017 12:10:19.486 *INFO* [qtp494497164-9824] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials

18.08.2017 12:10:19.758 *ERROR* [qtp494497164-9825] org.apache.felix.http.jetty Exception while processing request to /content/brands/myBBraun/saml_login (java.lang.RuntimeException: Could not retrieve SP's private key from KeyStore.)
java.lang.RuntimeException: Could not retrieve SP's private key from KeyStore.
        at com.adobe.granite.auth.saml.configuration.SpConfiguration.getDecryptionKey(SpConfiguration.java:98)
        at com.adobe.granite.auth.saml.binding.PostBinding.receive(PostBinding.java:95)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:738)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:441)
        at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
        at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
        at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
        at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
        at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
        at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
        at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decrypt data.
        at com.rsa.cryptoj.o.gx.engineGetKey(Unknown Source)
        at java.security.KeyStore.getKey(KeyStore.java:1023)
        at com.adobe.granite.keystore.internal.GraniteKeyStoreSpi.engineGetKey(GraniteKeyStoreSpi.java:96)
        at java.security.KeyStore.getKey(KeyStore.java:1023)
        at com.adobe.granite.auth.saml.configuration.SpConfiguration.getDecryptionKey(SpConfiguration.java:92)
        ... 31 common frames omitted

We entered the correct password for the KeyStore in the SAML Authentication Handler config. What could be another reason that the SP private key can't be loaded?

Furthermore, we are not sure which format for the key and certificate is the correct one.

In this documentation, PKCS#8 is mentioned: SAML 2.0 Authentication Handler. But in the AEM GEMS session "SAML authentication in AEM" there is a hint that key and certificate should be PKCS12 or JKS. Which one is correct?

Is there a documentation on how to correctly create a private key and certificate with openssl?

Thanks for your support.

Regards
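The post asks how to create the SP private key and certificate with openssl and which format to use. The script below is an added example, not code from the thread, from Adobe, or from the AEM product: it generates the SP key pair with openssl, writes it in both shapes the thread mentions (unencrypted PKCS#8 DER plus DER certificate, and a password-protected PKCS#12 bundle), and then runs two checks a practitioner would want before uploading anything: that the key and certificate actually belong together, and that the password you intend to put in the SAML Authentication Handler config really opens the bundle. The assumptions, which the page does not confirm, are that the AEM user keystore takes the private key as PKCS#8 DER and the certificate as DER, and that the PKCS#12 bundle is what the PKCS12/JKS route from the GEMS session would use. File names, the alias `sp`, the CN and the password are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread or Adobe's SAML docs): build SAML SP
# key material with openssl in both formats the thread mentions and check the
# pieces against each other before anything is uploaded to AEM.
# Assumed, not confirmed by the page: the AEM user keystore takes the private key
# as unencrypted PKCS#8 DER and the certificate as DER; sp.p12 is what the
# PKCS12/JKS route would use. Names, alias "sp", CN and password are placeholders.
set -eu

# gen_sp_material DIR CN DAYS PASSWORD
# Writes sp-key.pem, sp-cert.pem, sp-key.pkcs8.der, sp-cert.der and sp.p12 into DIR.
gen_sp_material() {
  dir=$1; cn=$2; days=$3; pw=$4
  mkdir -p "$dir"
  # Self-signed SP certificate; openssl req writes the key as PKCS#8 PEM
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=$cn" -keyout "$dir/sp-key.pem" -out "$dir/sp-cert.pem" 2>/dev/null
  # Unencrypted PKCS#8 DER (-nocrypt): no key password exists, so nothing can fail to decrypt
  openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
    -in "$dir/sp-key.pem" -out "$dir/sp-key.pkcs8.der"
  openssl x509 -inform PEM -outform DER -in "$dir/sp-cert.pem" -out "$dir/sp-cert.der"
  # PKCS#12 bundle: key and cert under alias "sp"; one export password protects the store
  openssl pkcs12 -export -name sp -inkey "$dir/sp-key.pem" -in "$dir/sp-cert.pem" \
    -out "$dir/sp.p12" -passout "pass:$pw"
}

# key_matches_cert DIR: returns 0 only if the DER key and DER cert carry the same public key
key_matches_cert() {
  dir=$1
  kpub=$(openssl pkey -inform DER -in "$dir/sp-key.pkcs8.der" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -inform DER -in "$dir/sp-cert.der" -pubkey -noout 2>/dev/null) || return 1
  if [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; then return 0; else return 1; fi
}

# p12_password_ok DIR PASSWORD: returns 0 only if PASSWORD opens sp.p12 (MAC verifies).
# A wrong password here is the openssl-side twin of Java's UnrecoverableKeyException.
p12_password_ok() {
  if openssl pkcs12 -in "$1/sp.p12" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1; then
    return 0
  else
    return 1
  fi
}

# Demo run in a scratch directory; drop the rm to keep the files for upload
demo_dir=$(mktemp -d)
gen_sp_material "$demo_dir" sp.example.test 365 'change-me'
key_matches_cert "$demo_dir" && echo "key and certificate match"
p12_password_ok "$demo_dir" 'change-me' && echo "sp.p12 opens with the configured password"
rm -rf "$demo_dir"
```

Run it once, then upload sp-key.pkcs8.der and sp-cert.der (or sp.p12) to the keystore and enter the same password in the handler config; if `p12_password_ok` fails with the password you are about to configure, the Java side will fail the same way.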

1 Reply


File a bug for this use case. It looks like the docs are not correct. GEMs was explained by the AEM eng team.