Shibboleth: Update an IdP certificate in my Service Provider - sp

I have a Service Provider (Shibboleth/Apache) in production connected with an Identity Provider (IdP). Everything worked perfectly until the IdP updated its certificate.
As far as I understand I need to update it in my configuration, but I'm confused.
I received a PEM certificate and don't know exactly what to do. I don't seem to have the IdP metadata locally or an X509 certificate.
When the IdP certificate was put in production I saw this in my logs:
2022-06-03 10:17:50 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [830]: unable to verify message signature with supplied trust engine
2022-06-03 10:17:50 WARN Shibboleth.SSO.SAML2 [830]: detected a problem with assertion: Message was signed, but signature could not be verified.
Any help would be much appreciated.
Thanks in advance!

Related

Error: unable to verify the first certificate - Springboot

I have written a restful API project which is developed using spring boot and I am using the embedded tomcat and running a jar on a linux server.
The APIs are live at:
https://api.arevogroup.com:8089/api/regions
and I can see the verified and correct SSL as well as in the given screenshot.
But I am getting this exception in Postman when I call these APIs.
These APIs are consumed by a Xamarin-based app, which seems to work all good when consumed using iPhone but gives this same exception when the APIs are accessed via Android.
I guess, the way I have generated the ssl certificate has some issues.
I have used a pfx file and my SSL config in properties file looks like this:
###SSL Key Info
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=classpath:ssl_pfx.pfx
server.ssl.key-store-type=PKCS12
I have 2 questions: if I disable the SSL verification, would the communication still be encrypted or not? (A man-in-the-middle attack is still possible, but the info will still be encrypted, right?)
If not, how can I fix this?
You can't disable the verification of the server certificate. No browser will allow you to do it, except on an exceptional basis (the user must confirm the exception). If the client disables the verification, then the communication will be encrypted (i.e. no passive attack will be possible).
The errors you see are caused by a misconfiguration of your server.
Your certificate chain contains just the certificate for your server and lacks the intermediate certificate CN=Go Daddy Secure Certificate Authority - G2. You need to download it from Go Daddy (it is the one named gdig2.crt.pem) and add it to your keystore.
Refer to this question on how to do it.
Some browsers cache intermediate certificates and are able to verify your site even if one certificate is missing. However, you should not rely on it.
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=keystore.jks
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS
Used the jks file instead of pfx and it worked all good. Thought to share with others too.

Configuring SSL on Nifi 1.9 Single Node setup

Could you please help me setup the SSL on the Nifi Application.
To explain about the steps taken so far.
I have used the following link's instructions to use the CA-signed certs provided to us (this includes root, intermediate and server cert). I have successfully configured NiFi to run on SSL on the server end, but I am not getting the steps to create a client cert so that using the client cert we can log in to NiFi.
Help in this regard will be highly appreciated.
You'll need to generate a Certificate Signing Request (CSR) or request from your security/IT team who provided the CA-signed server certs that they provide a client certificate (and private key) signed by the same intermediate or root CA. You could also generate your own client certificate signed by a self-signed CA and put the public certificate of that CA in the NiFi truststore. More documentation around this process can be found in the NiFi Toolkit Guide.

TIBCO - Server Certificate Rejected by Chain Verifier

We are getting this error
"BW-HTTP-100300 Job-29000 Error in [Processes/Services/HTTP Request/Process Definition.process/Send HTTP Request]
An IOException was thrown while trying to execute the Http method
caused by: java.io.IOException: Failed to create secure client socket: Server certificate rejected by ChainVerifier"
I have done the following:
1. Created send http request.
2. Configured everything in the Configuration tab and the Input tabs.
3. Created Identity and imported the same into Identity
4. Downloaded the certificate and imported it in to 'Configure SSL'
5. While running the process I get the error mentioned above.
Am I missing anything?
Please provide me some guidance. Thanks in advance
Downloading the server certificate is not enough, you need to download the whole certificate chain from the root CA down to the server cert.
In the above example, you need to download all certs (except the last one mail.google.com which is optional) and add them to your trusted certificates folder.
Have you enabled the VerifyHostName option while making the connection? If yes, then the server name should be in the allowed list too. In most cases you don't need this option enabled.

Windows Store App connect to HTTPS with an self-signed SSL certificate

I'm having a Windows Store App (Metro App) which I want to connect to a web service I built through HTTPS. And I am using a self-signed certificate for my web service. But when I tried to connect to it from my App through System.Net.HttpClient.PostAsync I got an exception that said
"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
The inner exception said
"The remote certificate is invalid according to the validation procedure."
I know this is because I'm using a self-signed certificate. I remembered in .NET I can use System.Net.ServicePointManager.ServerCertificateValidationCallback so that my application can pass the validation if the thumbprint is mine.
But I cannot find the relevant class/method in Windows Store runtime. How can I do that?
First, you should ideally be using Windows.Web.HttpClient. On that API, you can use httpClient.HttpBaseProtocolFilter.IgnorableServerCertificateErrors to set the cert errors that you're willing to accept. You can choose to ignore the Untrusted error, for example, but you should then manually check the thumbprint before actually sending any data.

Apache 2 authentication error

Attempting to implement client authentication with an SSL cert, according to this HOWTO,
I receive the following errors.
Apache:
Re-negotiation handshake failed: Not accepted by client!?
Firefox:
ssl_error_handshake_failure_alert
I assume it is a configuration error, but have not been able to locate it.
Additional info:
The commercial-CA server cert secures the server without problem in Apache 2.2 & Passenger.
Only client authentication related directives do not work.
Is your certificate signed by Verizon or someone like that? If not, you might want to add an exception in Firefox. By default it stops you.
P.S. doesn't sound like a Passenger question
When you require client certificate authorization, you have to point Apache to the file containing the root CA (and intermediate) certificates which issued the client certificate.
Also post your client authentication config part.