SAML integration AEM 6.2 | Community
inesj20324227
August 18, 2017

SAML integration AEM 6.2


Dear Team,

We are trying to integrate SAML in AEM 6.2 but are running into the problem that the private key can't be retrieved from the KeyStore.

This is the log output:

18.08.2017 12:10:07.935 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.JcrInstaller Registering resource with OSGi installer: [InstallableResource, priority=200, id=/apps/system/config/com.adobe.granite.auth.saml.SamlAuthenticationHandler-e6c48573-2b44-4e65-8e8b-21ea1490b701.config]
18.08.2017 12:10:19.486 *INFO* [qtp494497164-9824] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
18.08.2017 12:10:19.758 *ERROR* [qtp494497164-9825] org.apache.felix.http.jetty Exception while processing request to /content/brands/myBBraun/saml_login (java.lang.RuntimeException: Could not retrieve SP's private key from KeyStore.)
java.lang.RuntimeException: Could not retrieve SP's private key from KeyStore.
        at com.adobe.granite.auth.saml.configuration.SpConfiguration.getDecryptionKey(SpConfiguration.java:98)
        at com.adobe.granite.auth.saml.binding.PostBinding.receive(PostBinding.java:95)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:738)
        at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:441)
        at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
        at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
        at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
        at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
        at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
        at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
        at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
        at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.UnrecoverableKeyException: Could not decrypt key: Could not decrypt data.
        at com.rsa.cryptoj.o.gx.engineGetKey(Unknown Source)
        at java.security.KeyStore.getKey(KeyStore.java:1023)
        at com.adobe.granite.keystore.internal.GraniteKeyStoreSpi.engineGetKey(GraniteKeyStoreSpi.java:96)
        at java.security.KeyStore.getKey(KeyStore.java:1023)
        at com.adobe.granite.auth.saml.configuration.SpConfiguration.getDecryptionKey(SpConfiguration.java:92)
        ... 31 common frames omitted

We entered the correct password for the KeyStore in the SAML Authentication Handler config. What could be another reason that the SP private key can't be loaded?

Furthermore, we are not sure which format for key and certificate is the correct one.

In this documentation PKCS#8 is mentioned: SAML 2.0 Authentication Handler, but in the SAML GEMs session AEM GEMS Session SAML authentication in AEM there is a hint that key and certificate should be PKCS12 or JKS. Which one is correct?

Is there a documentation on how to correctly create a private key and certificate with openssl?

Thanks for your support.

Regards
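The post asks how to create the SP key and certificate with openssl and why the key cannot be decrypted. The script below is an added example (not from the original post or from Adobe's documentation): it generates an RSA key and self-signed certificate, exports the key as password-protected PKCS#8 DER (the format the cited docs mention), and then runs two checks worth doing before importing anything into the AEM keystore: that the PKCS#8 file really opens with the password you intend to configure (a wrong key password is what Java's `KeyStore.getKey` reports as `UnrecoverableKeyException`), and that the key and certificate belong together. The subject CN, the password and the output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: create SP key material with openssl and verify it before
# it goes into a keystore. All names and the password are placeholders.
set -eu

KEY_PASS="${KEY_PASS:-changeit}"      # constructed placeholder, not a real secret
if [ -z "${WORK:-}" ]; then
  WORK="$(mktemp -d)"                 # scratch dir holds private key material ...
  trap 'rm -rf "$WORK"' EXIT          # ... so remove it when the script ends
fi

# 1. RSA-2048 private key, a self-signed SP certificate (hypothetical CN),
#    and the key re-exported as encrypted PKCS#8 in DER encoding.
gen_sp_material() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/sp-key.pem" 2>/dev/null
  openssl req -new -x509 -key "$WORK/sp-key.pem" -days 365 \
      -subj "/CN=aem-sp.example.invalid" -out "$WORK/sp-cert.pem" 2>/dev/null
  openssl pkcs8 -topk8 -inform PEM -in "$WORK/sp-key.pem" -outform DER \
      -v2 aes-256-cbc -passout "pass:$KEY_PASS" -out "$WORK/sp-key.pkcs8.der"
}

# 2. Can the encrypted PKCS#8 file be opened with the password given as $1?
#    Prints "ok" or "wrong-password"; the latter is the condition behind
#    "UnrecoverableKeyException: Could not decrypt key" in the Java KeyStore.
check_pkcs8_password() {
  if openssl pkcs8 -inform DER -in "$WORK/sp-key.pkcs8.der" \
        -passin "pass:$1" >/dev/null 2>&1; then
    echo ok
  else
    echo wrong-password
  fi
}

# 3. SHA-256 over the DER SubjectPublicKeyInfo taken from the key ($1=key)
#    or from the certificate ($1=cert); equal digests mean they are a pair.
pubkey_digest() {
  case "$1" in
    key)  openssl pkey -in "$WORK/sp-key.pem" -pubout -outform DER 2>/dev/null ;;
    cert) openssl x509 -in "$WORK/sp-cert.pem" -pubkey -noout 2>/dev/null \
            | openssl pkey -pubin -outform DER 2>/dev/null ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

keypair_matches() {
  [ "$(pubkey_digest key)" = "$(pubkey_digest cert)" ] && echo match || echo mismatch
}

# Usage: generate, then run both checks with the password you plan to configure.
gen_sp_material
check_pkcs8_password "$KEY_PASS"
keypair_matches
```

Whether AEM 6.2 wants the PKCS#8 file or a PKCS12/JKS container is exactly the open question in the post; the checks above apply to the key material regardless of which container it is later imported into.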


1 reply

smacdonald2008
Level 10
August 21, 2017

File a bug for this use case. Looks like the docs are not correct. GEMs was explained by AEM eng team.