Dear Team,
We are trying to integrate SAML in AEM 6.2 but are running into the problem that the private key can't be retrieved from the KeyStore.
This is the log output:
18.08.2017 12:10:07.935 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.JcrInstaller Registering resource with OSGi installer: [InstallableResource, priority=200, id=/apps/system/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler-e6c48573-2b44-4e65-8e8b-21ea1490b701.config]
18.08.2017 12:10:19.486 *INFO* [qtp494497164-9824] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
18.08.2017 12:10:19.758 *ERROR* [qtp494497164-9825] org.apache.felix.http.jetty Exception while processing request to /content/brands/myBBraun/saml_login (java.lang.RuntimeException: Could not retrieve SP's private key from KeyStore.)
java.lang.RuntimeException: Could not retrieve SP's private key from KeyStore.
at com.adobe.granite.auth.saml.configuration.SpConfiguration.getDecryptionKey(SpConfiguration.java:98)
at com.adobe.granite.auth.saml.binding.PostBinding.receive(PostBinding.java:95)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:738)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:441)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decrypt data.
at com.rsa.cryptoj.o.gx.engineGetKey(Unknown Source)
at java.security.KeyStore.getKey(KeyStore.java:1023)
at com.adobe.granite.keystore.internal.GraniteKeyStoreSpi.engineGetKey(GraniteKeyStoreSpi.java:96)
at java.security.KeyStore.getKey(KeyStore.java:1023)
at com.adobe.granite.auth.saml.configuration.SpConfiguration.getDecryptionKey(SpConfiguration.java:92)
... 31 common frames omitted
We entered the correct password for the KeyStore in the SAML Authentication Handler config. What could be another reason that the SP private key can't be loaded?
Furthermore, we are not sure which format for key and certificate is the correct one.
In this documentation, PKCS#8 is mentioned (SAML 2.0 Authentication Handler), but in the SAML GEMS session (AEM GEMS Session: SAML authentication in AEM) there is a hint that key and certificate should be PKCS12 or JKS. Which one is correct?
Is there any documentation on how to correctly create a private key and certificate with openssl?
Thanks for your support.
Regards
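As an added worked example for the questions above (this is not part of the original post and not Adobe's code): the following openssl script generates an SP key pair and a self-signed certificate and writes both of the formats the thread mentions, an unencrypted PKCS#8 DER key with a DER certificate, and a PKCS#12 container, then checks the material before it goes anywhere near a keystore import. The alias sp, the file names, the placeholder CN and the passphrase are assumptions. One caveat the thread does not settle, stated as general Java KeyStore behaviour and not as a diagnosis of this log: for JKS/JCEKS stores, KeyStore.getKey throws UnrecoverableKeyException when the key entry's password differs from the store password, so a key imported with its own password is worth ruling out alongside the format question. A PKCS#12 file has a single passphrase, so that particular mismatch cannot occur there.

```shell
#!/bin/sh
# Added example (not from the original thread or Adobe): build SP key material
# with openssl in both formats the thread mentions, then verify it before any
# keystore import. Assumed names: alias "sp", files sp-key.pem, sp-key.pk8.der,
# sp-cert.pem, sp-cert.der, sp.p12, placeholder CN and passphrase.

# make_sp_material OUT_DIR PASSPHRASE [CN]
#   sp-key.pem      RSA-2048 private key, PKCS#8 PEM (openssl genpkey default)
#   sp-key.pk8.der  same key, unencrypted PKCS#8 DER (for a "DER / PKCS#8" import)
#   sp-cert.pem     self-signed X.509 certificate for that key
#   sp-cert.der     same certificate, DER
#   sp.p12          PKCS#12 container with key + certificate under alias "sp"
make_sp_material() {
  out=$1; pass=$2; cn=${3:-saml-sp.example.com}   # CN is an assumed placeholder
  mkdir -p "$out"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$out/sp-key.pem" 2>/dev/null
  openssl pkcs8 -topk8 -nocrypt -in "$out/sp-key.pem" \
    -outform DER -out "$out/sp-key.pk8.der"
  openssl req -new -x509 -sha256 -days 730 -key "$out/sp-key.pem" \
    -subj "/CN=$cn" -out "$out/sp-cert.pem"
  openssl x509 -in "$out/sp-cert.pem" -outform DER -out "$out/sp-cert.der"
  # PKCS#12 uses one passphrase for key encryption and the MAC, so there is no
  # separate per-entry key password that can drift from the store password.
  # (On OpenSSL 3 add -legacy if an old JDK cannot read the default algorithms.)
  openssl pkcs12 -export -name sp -inkey "$out/sp-key.pem" -in "$out/sp-cert.pem" \
    -passout "pass:$pass" -out "$out/sp.p12"
}

# key_matches_cert KEY_PEM CERT_PEM -> 0 if the certificate carries this key's public key
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# der_is_pkcs8 KEY_DER -> 0 if the DER parses and carries the rsaEncryption
# AlgorithmIdentifier that PKCS#8 has and a traditional RSAPrivateKey lacks
der_is_pkcs8() {
  openssl asn1parse -inform DER -in "$1" 2>/dev/null | grep -q 'rsaEncryption'
}

# check_keystore_password P12 PASSPHRASE -> 0 if the MAC verifies and the private
# key decrypts with that passphrase. A wrong passphrase is the simplest
# reproduction of the "could not decrypt key" class of failure from the log:
# the container is found, the key inside it is not usable.
check_keystore_password() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out /dev/null 2>/dev/null
}

main() {
  dir=${1:-./sp-material}; pass=${2:-changeit}
  make_sp_material "$dir" "$pass"
  key_matches_cert "$dir/sp-key.pem" "$dir/sp-cert.pem" && echo "key and certificate match"
  der_is_pkcs8 "$dir/sp-key.pk8.der" && echo "sp-key.pk8.der is PKCS#8 DER"
  check_keystore_password "$dir/sp.p12" "$pass" && echo "sp.p12 opens with the given passphrase"
  check_keystore_password "$dir/sp.p12" "not-$pass" || echo "sp.p12 rejects a wrong passphrase (expected)"
  echo "Inspect entries with: openssl pkcs12 -in $dir/sp.p12 -info -nokeys -noout"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh make-sp-material.sh ./out changeit`; without arguments it only defines the functions. Import sp-key.pk8.der plus sp-cert.der where the UI asks for a DER/PKCS#8 key, or sp.p12 where a keystore file is expected, and make sure the passphrase you enter in the handler config is the one check_keystore_password accepts.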
File a bug for this use case. Looks like the docs are not correct. GEMs was explained by the AEM eng team.