Hello
I'm trying to upload idp certificate in global trust store to configure SSO in aem 6.5 author using curl command. I copied the cert in a directory in Amazon Linux server and tried running few curl commands in the same directory to upload cert but the commands are not working.
Facing issues with ipd cert upload using curl cmd other curl commands for integrating SSO, installing aem, replication agants curl is working fine.
Can you please help me in knowing the curl command for idp certificate upload?
Thanks in advance.
Views
Replies
Total Likes
Hi @KRenuka ,
You can try the following steps below
With Basic Authentication:
curl -u admin:admin -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" http://localhost:4502/libs/granite/security/truststore.json
With Client Certificate Authentication:
curl -v --cert /path/to/client_cert.pem --key /path/to/client_key.pem --pass my_password -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" https://localhost:4502/libs/granite/security/truststore.json
Thanks,
Madhur
Thanks for the response Madhur.
I am using Basic AUthentication and when I try below curl cmd with my credentials and values, I am getting below error in console
ERROR:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>500 Cannot adapt to user from path [/libs/granite/security/truststore.json]</title></head>
<body>
<h1>Cannot adapt to user from path [/libs/granite/security/truststore.json]</h1>
<p>Cannot serve request to /libs/granite/security/truststore.json on this server</p>
<hr>
<address>Apache Sling</address>
</body>
</html>
curl -u admin:admin -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" http://localhost:4502/libs/granite/security/truststore.json
Hi @KRenuka ,
There are several reasons which could generate the error. You can try the below mentioned steps to debug.
curl -v -u admin:admin -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" http://localhost:4502/libs/granite/security/truststore.json
Replace placeholders like /path/to/idp_certificate.crt and my_idp_cert with the actual values.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>500 Cannot adapt to user from path [/libs/granite/security/truststore.json]</title></head> <body>
<h1>Cannot adapt to user from path [/libs/granite/security/truststore.json]</h1> <p>Cannot serve request to /libs/granite/security/truststore.json on this server</p>
<hr>
<address>Apache Sling</address> </body>
Hi @KRenuka ,
That’s expected behavior. In AEM, the /libs/granite/security/content/truststore.json endpoint is designed for write operations, such as updating or adding certificates to the truststore.
On the other hand, the /libs/granite/security/truststore.json endpoint is typically used for read operations, like viewing the truststore.
So, if you’re trying to upload an Identity Provider (IdP) certificate to the global truststore in AEM to configure Single Sign-On (SSO), you should use the /libs/granite/security/content/truststore.json endpoint.
@Madhur-Madan
I am able to update cert alias under /libs/granite/security/content/truststore.json using curl cmd but the certificate is not getting uploaded in trust store.
Unable to find cert details below:
I am facing the same issue...
curl -k -s -u "admin:**********" -F "certificate=@/DevOps/Main/config-files/certs/sso/sso-certs/_.esso-uat.********.cer" -F "alias=admin" https://*******************/libs/granite/security/content/truststore.json
I get the response back...
<html>
<head>
<title>Content modified /libs/granite/security/content/truststore</title>
</head>
<body>
<h1>Content modified /libs/granite/security/content/truststore</h1>
<table>
<tbody>
<tr>
<td>Status</td>
<td><div id="Status">200</div></td>
</tr>
<tr>
<td>Message</td>
<td><div id="Message">OK</div></td>
</tr>
<tr>
<td>Location</td>
<td><a href="/libs/granite/security/content/truststore" id="Location">/libs/granite/security/content/truststore</a></td>
</tr>
<tr>
<td>Parent Location</td>
<td><a href="/libs/granite/security/content" id="ParentLocation">/libs/granite/security/content</a></td>
</tr>
<tr>
<td>Path</td>
<td><div id="Path">/libs/granite/security/content/truststore</div></td>
</tr>
<tr>
<td>Referer</td>
<td><div id="Referer"></div></td>
</tr>
<tr>
<td>ChangeLog</td>
<td><div id="ChangeLog"><pre>modified("/libs/granite/security/content/truststore/certificate/jcr:lastModified");<br/>modified("/libs/granite/security/content/truststore/certificate/jcr:mimeType");<br/>modified("/libs/granite/security/content/truststore/certificate/jcr:data");<br/>modified("/libs/granite/security/content/truststore/alias");<br/></pre></div></td>
</tr>
</tbody>
</table>
<p><a href="/libs/granite/security/content/truststore">Modified Resource</a></p>
<p><a href="/libs/granite/security/content">Parent of Modified Resource</a></p>
</body>
</html>
So it looks fine
But no cert when I go to the global trust store
Does it need a restart of the instance?
I do notice it doesn't seem to give the user to map to in the command - could that be the issue? I always have to map it to the admin user to make it work when I do it manually.
I tried to look at the payload when I do it manually and get this...
certificate: (binary)
userPath:
userPath@Delete:
:cq_csrf_token:
eyJleHAiOjE3MTYxMDE3MzcsImlhdCI6MTcxNjEwMTEzN30.7d6EENxcEF_bKETDrOh70DeZEIu7p5DutVtgPRvve50
I tried adding in as a real shot in the dark...
-F "userPath=" -F "userPath@Delete="
But nothing
When I go to the authentication service it has no keystore using the curl
when I do it manually it still does not have one where as in a current environment that works it shows one is there but no actual cert listed.
I have a command which does seem to create the global trust store but I was trying then to add a package with the certs and that was getting wiped out. Seems to be a dead end
Views
Replies
Total Likes
@KRenuka Did you find the suggestions helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.
Views
Replies
Total Likes
@KRenuka Did you find the suggestions helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.
Views
Replies
Total Likes
@Madhur-Madan Did you find the suggestions helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.
Views
Replies
Total Likes