We are trying to setup SAML on AEM 5.6.1 for one of our client. We are facing an issue while using the private key. We have generated the private key using OpenSSO using the below commands.
openssl genrsa -out SP-server.pem 2048
openssl rsa -in SP-server.pem -pubout > SP-public-server.pem
openssl req -new -key SP-server.pem -out SP-server.csr
openssl x509 -req -days 365 -in SP-server.csr -signkey SP-server.pem -out SP-server.crt
openssl pkcs8 -topk8 -inform PEM -outform DER -in SP-server.pem -nocrypt > SP-server.PKCS8.key
I have uploaded the key using CURL .But when I access the path set to the SAML auth I am getting the below error.
CURL:
C:\curl -u admin:admin -F priv
ate=\<sp.pem -F private@TypeHint=Binary http://localhost:4502
/etc/key/saml
testing/test1.html HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials 26.02.2015 14:14:35.455 *INFO* [74.202.85.210 [1424978075454] GET /content/test/en_US/saml-testing/test1.html HTTP/1.1] servletengine Servlet threw exception: java.lang.RuntimeException: Error reading private key at com.adobe.granite.auth.saml.impl.SlingKeyProvider.getDecryptionKey(SlingKeyProvider.java:123) at com.adobe.granite.auth.saml.configuration.SpConfiguration.getDecryptionKey(SpConfiguration.java:79) at com.adobe.granite.auth.saml.SamlAuthenticationHandler.requestCredentials(SamlAuthenticationHandler.java:367) at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doRequestCredentials(AuthenticationHandlerHolder.java:83) at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.requestCredentials(AbstractAuthenticationHandlerHolder.java:83) at org.apache.sling.auth.core.impl.SlingAuthenticator.login(SlingAuthenticator.java:527) at org.apache.sling.auth.core.impl.SlingAuthenticator.doLogin(SlingAuthenticator.java:1032) at org.apache.sling.auth.core.impl.SlingAuthenticator.getAnonymousResolver(SlingAuthenticator.java:872) at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:478) at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:438) at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:148) at org.apache.felix.http.base.internal.context.ServletContextImpl.handleSecurity(ServletContextImpl.java:272) at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:91) at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:79) at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:42) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:49) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:127) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:55) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.sling.security.impl.ReferrerFilter.doFilter(ReferrerFilter.java:263) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.wink.osgi.JaxRsFilter.doFilter(JaxRsFilter.java:80) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at com.adobe.granite.license.impl.LicenseCheckFilter.doFilter(LicenseCheckFilter.java:179) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:78) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.sling.engine.impl.log.RequestLoggerFilter.doFilter(RequestLoggerFilter.java:75) at org.apache.felix.http.base.internal.handler.FilterHandler.doHandle(FilterHandler.java:88) at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:76) at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:47) at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33) at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:48) at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:39) at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at com.day.j2ee.servletengine.ServletRuntimeEnvironment.service(ServletRuntimeEnvironment.java:250) at com.day.j2ee.servletengine.RequestDispatcherImpl.doFilter(RequestDispatcherImpl.java:321) at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:340) at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:383) at com.day.j2ee.servletengine.ServletHandlerImpl.process(ServletHandlerImpl.java:335) at com.day.j2ee.servletengine.HttpListener$Worker.run(HttpListener.java:644) at java.lang.Thread.run(Thread.java:745) Caused by: java.security.spec.InvalidKeySpecException: Invalid RSA private key encoding. at com.rsa.cryptoj.o.n.b(Unknown Source) at com.rsa.cryptoj.o.n.engineGeneratePrivate(Unknown Source) at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) at com.adobe.granite.auth.saml.impl.SlingKeyProvider.getDecryptionKey(SlingKeyProvider.java:115) ... 60 more
Please let me know if I am missing anything or this is a bug.
Solved! Go to Solution.
Views
Replies
Total Likes
Not seen issue with openjdk. Please note open jdk is not supported with AEM so you need to switch.
Views
Replies
Total Likes
There are couple of causes like
keyfactory RSA
)5.6.1 should not have such issue may be some fp like mutual ssl could have caused. This needs to be investigated imo before concluding as a bug. Can you file a daycare ticket with logs, jre version, & output of http://host:port/crx/packmgr/service.jsp?cmd=ls . If possible the certificate.
Views
Replies
Total Likes
Hi Sham,
The JDK used is OpenJDK Runtime Environment(build 1.7.0_75-mockbuild_2015_01_08_20_32-b00). I have also verified the certificate and it looks fine. Is this a issue with using OpenJDK
Views
Replies
Total Likes
Not seen issue with openjdk. Please note open jdk is not supported with AEM so you need to switch.
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies
Views
Likes
Replies
Views
Likes
Replies