We're a new member of the UK federation, with three registered SPs, two
operational, all using the same GlobalSign cert for attribute requests. The
cert is valid through June of 2009; the Subject CN matches the KeyName for
all three SPs in the federation metadata; and the CN is also the domain name
for one of the two operational SPs. 

For both operational SPs, attribute requests fail with "unsupported
certificate" errors, with at least three different IdPs. No successful
attribute requests for any IdPs. 

(Both operational SPs work successfully with IdPs from other federations.
The test SP also works successfully with the ProtectNetwork IdP when we
include only the UK federation MetadataProvider in shibboleth.xml - however,
no attribute request is made in the case of ProtectNetwork.)

Relevant section from shibd.log for one of the failed attribute requests
follows.

Any idea as to what might be the problem, with our cert or otherwise?

Thanks,
Norman Kenney

------------------------------------------------------

2008-07-31 08:09:34 INFO shibtarget.SessionCache : deleting 0 old items.
2008-07-31 08:10:34 INFO shibtarget.SessionCache : deleting 0 old items.
2008-07-31 08:11:07 INFO Shibboleth.ReloadableXMLFileImpl [505] sessionNew:
Loaded and parsed XML file
(E:/opt/shibboleth-sp/etc/shibboleth/InCommon-metadata.xml)
2008-07-31 08:11:08 INFO Shibboleth.ReloadableXMLFileImpl [505] sessionNew:
Loaded and parsed XML file
(E:/opt/shibboleth-sp/etc/shibboleth/ukfederation-metadata.xml)
2008-07-31 08:11:08 INFO Shibboleth.Trust.Shibboleth [505] sessionNew:
signature verified with key inside signature, attempting certificate
validation...
2008-07-31 08:11:08 INFO Shibboleth.Trust.Shibboleth [505] sessionNew:
certificate subject: CN=shibbolethidp.bham.ac.uk,OU=IT Services,O=The
University of Birmingham,L=Birmingham,ST=West Midlands,C=GB
2008-07-31 08:11:08 INFO Shibboleth.Trust.Shibboleth [505] sessionNew:
matched DNS/URI subjectAltName to a key name (shibbolethidp.bham.ac.uk)
2008-07-31 08:11:08 INFO Shibboleth.Trust.Shibboleth [505] sessionNew:
successfully validated certificate chain
2008-07-31 08:11:08 INFO shibtarget.Listener [505] sessionNew: creating new
session
2008-07-31 08:11:08 INFO shibtarget.SessionCache [505] sessionNew: new
session created with session ID (_95af9df7811b8454d65d0e7b137024d3)
2008-07-31 08:11:08 INFO shibtarget.SessionCache [506] sessionGet: trying to
get new attributes for session (ID=_95af9df7811b8454d65d0e7b137024d3)
2008-07-31 08:11:08 INFO SAML.SAMLSOAPHTTPBinding [506] sessionGet: sending
SOAP message to https://shibbolethidp.bham.ac.uk:8443/shibboleth-idp/AA
2008-07-31 08:11:09 INFO Shibboleth.Trust.Shibboleth [506] sessionGet:
successfully validated certificate chain
2008-07-31 08:11:09 ERROR SAML.SAMLSOAPHTTPBinding [506] sessionGet: failed
while contacting SAML responder: error:14094413:SSL
routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
2008-07-31 08:11:09 ERROR shibtarget.SessionCache [506] sessionGet: caught
SAML exception during SAML attribute query: SOAPHTTPBindingProvider::send()
failed while contacting SAML responder: error:14094413:SSL
routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
2008-07-31 08:11:09 ERROR shibtarget.SessionCache [506] sessionGet: no
response obtained
2008-07-31 08:11:34 INFO shibtarget.SessionCache : deleting 0 old items.
2008-07-31 08:12:34 INFO shibtarget.SessionCache : deleting 1 old items.
2008-07-31 08:13:34 INFO shibtarget.SessionCache : deleting 0 old items.
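As an added triage example (not code from the original post or from the Shibboleth project): a small Python script that rebuilds the shibd.log entries above after the mail client wrapped them, groups them by shibd thread id, and reports, for each attribute query, the AA endpoint contacted and the decoded OpenSSL error. The function names (`unwrap`, `decode_openssl_error`, `triage`) are my own, the line regex is fitted to the excerpt's format and is assumed to hold for other shibd 1.x logs, and the sample log is copied from the excerpt in the post. The packed error-code layout (8-bit library, 12-bit function, 12-bit reason) and the "reason = 1000 + alert number" convention for received alerts are OpenSSL 1.x facts; the alert names are from RFC 5246.

```python
"""Triage helper for shibd.log attribute-query failures (added example).

Rebuilds log entries that a mail client wrapped onto several lines, groups
them by shibd thread id, and reports per attribute query the AA endpoint
contacted and the decoded OpenSSL error, if any. SAMPLE_LOG is copied from
the excerpt in the post above.
"""
import re

# shibd 1.x log line: "<timestamp> <LEVEL> <category> [<thread>] <function>: <msg>"
# or, for housekeeping lines, "<timestamp> <LEVEL> <category> : <msg>".
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) (?P<cat>\S+)"
    r"(?: \[(?P<thread>\d+)\] (?P<func>\w+))? ?: ?(?P<msg>.*)$"
)
# OpenSSL error string: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)"
)
ENDPOINT_RE = re.compile(r"sending SOAP message to (?P<url>\S+)")

# TLS alert descriptions (RFC 5246, section 7.2) a peer may send when it
# rejects the certificate it was shown during the handshake.
TLS_ALERT_NAMES = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
}


def unwrap(text):
    """Join continuation lines (those not starting with a timestamp) onto the
    entry that precedes them, undoing the e-mail line wrapping."""
    entries = []
    for line in text.splitlines():
        if ENTRY_RE.match(line):
            entries.append(line)
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    return entries


def decode_openssl_error(code_hex):
    """Split an OpenSSL 1.x packed error code into library, function and
    reason fields (8, 12 and 12 bits). Reason codes 1000-1255 are the
    SSL_R_*_ALERT_* values raised when OpenSSL *receives* a TLS alert from
    the peer; they carry the alert number as reason - 1000."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - 1000 if 1000 <= reason < 1256 else None
    return {
        "lib": lib,
        "func": func,
        "reason": reason,
        "alert": alert,
        "alert_name": TLS_ALERT_NAMES.get(alert, "unknown") if alert is not None else None,
    }


def triage(text):
    """One record per thread that sent an attribute query: the AA endpoint
    and the first OpenSSL error seen on that thread afterwards."""
    queries = {}
    for entry in unwrap(text):
        m = ENTRY_RE.match(entry)
        thread, msg = m.group("thread"), m.group("msg").strip()
        if thread is None:  # housekeeping line, carries no thread context
            continue
        ep = ENDPOINT_RE.search(msg)
        if ep:
            queries[thread] = {"thread": thread, "endpoint": ep.group("url"), "error": None}
            continue
        err = OPENSSL_RE.search(msg)
        if err and thread in queries and queries[thread]["error"] is None:
            info = decode_openssl_error(err.group("code"))
            info["text"] = err.group(0)
            queries[thread]["error"] = info
    return list(queries.values())


# Sample copied from the post's shibd.log excerpt, wrapping included.
SAMPLE_LOG = """\
2008-07-31 08:11:08 INFO shibtarget.SessionCache [505] sessionNew: new
session created with session ID (_95af9df7811b8454d65d0e7b137024d3)
2008-07-31 08:11:08 INFO shibtarget.SessionCache [506] sessionGet: trying to
get new attributes for session (ID=_95af9df7811b8454d65d0e7b137024d3)
2008-07-31 08:11:08 INFO SAML.SAMLSOAPHTTPBinding [506] sessionGet: sending
SOAP message to https://shibbolethidp.bham.ac.uk:8443/shibboleth-idp/AA
2008-07-31 08:11:09 INFO Shibboleth.Trust.Shibboleth [506] sessionGet:
successfully validated certificate chain
2008-07-31 08:11:09 ERROR SAML.SAMLSOAPHTTPBinding [506] sessionGet: failed
while contacting SAML responder: error:14094413:SSL
routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
2008-07-31 08:11:09 ERROR shibtarget.SessionCache [506] sessionGet: caught
SAML exception during SAML attribute query: SOAPHTTPBindingProvider::send()
failed while contacting SAML responder: error:14094413:SSL
routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
2008-07-31 08:11:09 ERROR shibtarget.SessionCache [506] sessionGet: no
response obtained
2008-07-31 08:11:34 INFO shibtarget.SessionCache : deleting 0 old items.
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        err = rec["error"]
        status = "ok" if err is None else (
            f"TLS alert {err['alert']} ({err['alert_name']}) received from peer")
        print(f"thread {rec['thread']}: {rec['endpoint']} -> {status}")
```

The decoded alert is the useful part for triage: OpenSSL reports an SSL_R_SSLV3_ALERT_* reason from SSL3_READ_BYTES only when the alert arrives from the other end of the connection. On the attribute query the SP is the TLS client of the IdP's AA endpoint, so alert 43 was sent by the IdP side, and the "successfully validated certificate chain" line just before it shows the SP's own check of the IdP passing. That puts the investigation on what the IdP's TLS server makes of the certificate and chain the SP presents, and on the IdP's trust configuration, rather than on the SP's metadata validation.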