Hi Steve,

Have you tried changing the pem file:

The latter 'GlobalSignCertificateChain.pem' file contains the following certificates, in this order:

GlobalSign Root CA
GlobalSign Primary Secure Server CA
GlobalSign Server Sign CA

To:

GlobalSign Server Sign CA
GlobalSign Primary Secure Server CA
GlobalSign Root CA

Regards
Patrick

Patrick Maginn
Technical Specialist, Salford Software Ltd,
Lancastrian Office Centre, Talbot Road, Old Trafford, Manchester, M32 0FP
Tel: +44 (0) 161 906 1002
Fax: +44 (0) 161 906 1003
www.salfordsoftware.co.uk
The leader in Identity Management Solutions

________________________________________
From: Discussion list for Shibboleth developments [[log in to unmask]] On Behalf Of Steve Holden [[log in to unmask]]
Sent: 29 October 2009 16:51
To: [log in to unmask]
Subject: Certificate sequence issues with JSTOR

Hi, folks

We've been trying to permit access to JSTOR via our Shib 1.3 IdPs for some time now (on and, mostly, off) but appear to be falling foul of their certificate checking, which seems to be stricter about the sequence of links in the certificate chain than that in other SPs.

As JSTOR have now suggested I ask other .ac.uk folk, I've taken the liberty of including a section of their latest email below which explains the issue in more detail, and which seems rather similar to this post by their lead developer to the Shib Users list:

http://groups.google.com/group/shibboleth-users/browse_thread/thread/dba8e03a3ce1670b?pli=1

Our idp.xml config contains the following stanza:

<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
  <FileResolver Id="ukfederationCredentials">
    <Key>
      <Path>file:/etc/pki/tls/private/idp.brighton.ac.uk.pem</Path>
    </Key>
    <Certificate>
      <Path>file:/etc/pki/tls/certs/idp.brighton.ac.uk.pem</Path>
      <CAPath>file:/etc/pki/tls/certs/GlobalSignServerSignCA.pem</CAPath>
      <CAPath>file:/etc/pki/tls/certs/GlobalSignPrimarySecureServerCA.pem</CAPath>
      <CAPath>file:/etc/pki/tls/certs/GlobalSignRootCA.pem</CAPath>
    </Certificate>
  </FileResolver>
</Credentials>

I've tried various permutations of the Path and CAPath lines, but to no avail. I'm assuming that idp.xml is the relevant file here, rather than the Apache config.
But here's our standard certificate stanza from the Apache config:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/pki/tls/certs/idp.brighton.ac.uk.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.brighton.ac.uk.pem
SSLCertificateChainFile /etc/pki/tls/certs/GlobalSignCertificateChain.pem
SSLVerifyClient none
SSLVerifyDepth 10

The latter 'GlobalSignCertificateChain.pem' file contains the following certificates, in this order:

GlobalSign Root CA
GlobalSign Primary Secure Server CA
GlobalSign Server Sign CA

Has anyone else experienced a similar problem? If so, could you post the appropriate lines from your JSTOR-compliant config?

I've double-checked the Federation and Shib guides and JSTOR's own Shib page:

http://www.ukfederation.org.uk/content/Documents/Setup1p3IdP
https://spaces.internet2.edu/display/SHIB/IdPPKIConfig
http://www.jstor.org/page/info/resources/librarians/tech.jsp#shibboleth

Apologies if I'm missing something obvious. This is the first SP with whom we've experienced this problem, and it's a little awkward to debug.

BTW, am posting here rather than UK Federation Discuss, as this list seems more widely used these days.

Kind regards,

Steve Holden
Principal Systems Officer
Network Services
University of Brighton

Date: 28 Oct 2009
Department: JSTOR Tech Support

We are still seeing a certificate chaining error in our SSL activity logs.
Here's the chain from our logs:

2009-10-21 05:55:27,618 *** Certificate chain
2009-10-21 05:55:27,619 chain [0] = [
2009-10-21 05:55:27,619 Subject: [log in to unmask], CN=idp.brighton.ac.uk, O=University of Brighton, C=GB
2009-10-21 05:55:27,619 Issuer: CN=GlobalSign ServerSign CA, OU=ServerSign CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,620 chain [1] = [
2009-10-21 05:55:27,620 Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,620 Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,621 chain [2] = [
2009-10-21 05:55:27,621 Subject: CN=GlobalSign Primary Secure Server CA, OU=Primary Secure Server CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,621 Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,622 chain [3] = [
2009-10-21 05:55:27,622 Subject: CN=GlobalSign ServerSign CA, OU=ServerSign CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,622 Issuer: CN=GlobalSign Primary Secure Server CA, OU=Primary Secure Server CA, O=GlobalSign nv-sa, C=BE

Thus, chain[0] is your cert. It should be signed by chain[1], and so on, so that the signing order is

chain[3] -> chain[2] -> chain[1] -> chain[0]

but instead, the signing order is

chain[1] -> chain[2] -> chain[3] -> chain[0]

In order for this to work, the certificates need to be in the following order:

Subject: [log in to unmask], CN=idp.brighton.ac.uk, O=University of Brighton, C=GB
Subject: CN=GlobalSign ServerSign CA, OU=ServerSign CA, O=GlobalSign nv-sa, C=BE
Subject: CN=GlobalSign Primary Secure Server CA, OU=Primary Secure Server CA, O=GlobalSign nv-sa, C=BE
Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

We do appreciate that other Shibboleth Service Providers do not consider an out-of-order chain to be an error. This "pickiness" is a result of our particular Java SSL implementation, which requires that the chain order is strictly adhered to.
I am afraid that there is nothing we can do about this in the short term, but we do recognize the problems caused for institutions such as yourselves, and so we are working with our platform developers, and consulting with the wider Shibboleth community, to find a workable solution to this issue.

I do know that other UK Federation IdPs have run into this same cert chaining issue with JSTOR and have been able to resolve it, so hopefully you should be able to get some help from the UK Federation or another UK university.
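The check JSTOR's verifier is applying above (chain[0] is the leaf, chain[i] must be issued by chain[i+1], root last) is mechanical, so it can be scripted. Below is an added example, written for this page and not taken from any message in the thread nor from JSTOR's or Shibboleth's code: it builds a throwaway four-level chain with the openssl CLI, assembles a bundle in the scrambled order JSTOR saw (leaf, root, primary, signing) and one in the order they asked for, then provides a chain_order_ok check and a reorder_chain repair. The CA names, the idp.example.ac.uk leaf and the $WORK temp paths are made up for the demo; it assumes openssl, awk and sed on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway four-level chain with
# openssl, then check and repair the order of a PEM bundle the way a strict
# verifier wants it: leaf first, every certificate followed by its issuer, root last.
# The CA names, the idp.example.ac.uk leaf and the $WORK paths are made up.
set -eu
WORK=$(mktemp -d)

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF

# mkcert NAME SUBJECT PARENT SERIAL EXTSECTION -> $WORK/NAME.key and $WORK/NAME.pem
# (PARENT "self" produces a self-signed root).
mkcert() {
  name=$1; subj=$2; parent=$3; serial=$4; ext=$5
  if [ "$parent" = self ]; then
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
      -extensions "$ext" -subj "$subj" -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "$subj" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$parent.pem" -CAkey "$WORK/$parent.key" \
      -set_serial "$serial" -days 1 -extfile "$WORK/req.cnf" -extensions "$ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}
mkcert root    "/CN=Example Root CA"       self    1 ca_ext
mkcert primary "/CN=Example Primary CA"    root    2 ca_ext
mkcert signing "/CN=Example ServerSign CA" primary 3 ca_ext
mkcert leaf    "/CN=idp.example.ac.uk"     signing 4 leaf_ext

# wrong.pem mirrors what JSTOR logged (leaf, then root, primary, signing);
# right.pem is the order they asked for.
cat "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/primary.pem" "$WORK/signing.pem" > "$WORK/wrong.pem"
cat "$WORK/leaf.pem" "$WORK/signing.pem" "$WORK/primary.pem" "$WORK/root.pem" > "$WORK/right.pem"

# split_bundle BUNDLE DIR: one file per certificate (c01.pem, c02.pem, ...) in bundle order.
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%02d.pem", d, n) }
                 f { print > f }
                 /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}
subject_of()  { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
issuer_of()   { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# chain_order_ok BUNDLE: true only if cert[i] is issued by cert[i+1] for every i,
# the test a strict TLS stack applies before it even checks a signature.
chain_order_ok() {
  d=$(mktemp -d); split_bundle "$1" "$d"; prev=""; ok=0
  for c in "$d"/c*.pem; do
    if [ -n "$prev" ] && [ "$(issuer_of "$prev")" != "$(subject_of "$c")" ]; then ok=1; fi
    prev=$c
  done
  rm -rf "$d"; return $ok
}

# reorder_chain BUNDLE: print the same certificates leaf first, each followed by its
# issuer, stopping at the self-signed root. The head of the chain is the one
# certificate that issued nothing else in the bundle, so a chain file without the
# leaf (Apache's SSLCertificateChainFile) is handled the same way.
reorder_chain() {
  d=$(mktemp -d); split_bundle "$1" "$d"; cur=""
  for c in "$d"/c*.pem; do
    s=$(subject_of "$c"); issued=0
    for o in "$d"/c*.pem; do
      if [ "$o" != "$c" ] && [ "$(issuer_of "$o")" = "$s" ]; then issued=1; fi
    done
    if [ "$issued" -eq 0 ]; then cur=$c; fi
  done
  while [ -n "$cur" ]; do
    cat "$cur"; iss=$(issuer_of "$cur"); next=""
    if [ "$iss" = "$(subject_of "$cur")" ]; then break; fi
    for o in "$d"/c*.pem; do
      if [ "$(subject_of "$o")" = "$iss" ]; then next=$o; fi
    done
    cur=$next
  done
  rm -rf "$d"
}

# openssl, like the lenient SPs in the thread, builds the chain by lookup, so the
# scrambled bundle still verifies; only the strict order check fails.
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/wrong.pem" "$WORK/leaf.pem"
chain_order_ok "$WORK/wrong.pem" || echo "wrong.pem: chain out of order, rewriting"
reorder_chain "$WORK/wrong.pem" > "$WORK/fixed.pem"
chain_order_ok "$WORK/fixed.pem" && echo "fixed.pem: $(count_certs "$WORK/fixed.pem") certificates, in order"
```

To apply this to the real files, run reorder_chain over GlobalSignCertificateChain.pem: Apache's SSLCertificateChainFile holds the intermediates only (the leaf comes from SSLCertificateFile), and the repaired file starts with the CA that issued the leaf and ends with the root, which is the order Patrick gives above. Separately, the SSLCipherSuite line in the Apache stanza enables eNULL, EXP, LOW and SSLv2; that has nothing to do with the chain problem, but it is worth removing at the same time.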