Hi Steve,

Have you tried changing the pem file:


The latter 'GlobalSignCertificateChain.pem' file contains the following
certificates, in this order:
GlobalSign Root CA
GlobalSign Primary Secure Server CA
GlobalSign Server Sign CA

To:
GlobalSign Server Sign CA
GlobalSign Primary Secure Server CA
GlobalSign Root CA


Regards

Patrick

Patrick Maginn
Technical Specialist,

Salford Software Ltd,
Lancastrian Office Centre
Talbot Road, Old Trafford
Manchester, M32 0FP
Tel: +44 (0) 161 906 1002
Fax: +44 (0) 161 906 1003

www.salfordsoftware.co.uk
The leader in Identity Management Solutions
--------------------------------------------------------------------------------------------------------------
Important Information

This email is confidential and may contain privileged material. If you are not the intended recipient then you must not copy it, forward it, use it for any purpose, or disclose it to another person. Instead please return it to the sender immediately. Please then delete your copy from your system.

Please also note that the author of this email cannot conclude any contract on behalf of Salford Software Ltd by email.

Company Registered in England No. 2252625. VAT Reg. No. 519613442
Academic Enterprises. University of Salford, Salford. M5 4WT
________________________________________
From: Discussion list for Shibboleth developments [[log in to unmask]] On Behalf Of Steve Holden [[log in to unmask]]
Sent: 29 October 2009 16:51
To: [log in to unmask]
Subject: Certificate sequence issues with JSTOR

Hi, folks

We've been trying to permit access to JSTOR via our Shib 1.3 IdPs
for some time now (on and, mostly, off) but appear to be falling
foul of their certificate checking - which seems to be stricter about
the sequence of links in the certificate chain than that in other SPs.

As JSTOR have now suggested I ask other .ac.uk folk, I've taken
the liberty of including a section of their latest email below
which explains the issue in more detail, and which seems rather
similar to this post by their lead developer to the Shib Users list:
http://groups.google.com/group/shibboleth-users/browse_thread/thread/dba8e03a3ce1670b?pli=1


Our idp.xml config contains the following stanza:

<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
  <FileResolver Id="ukfederationCredentials">
    <Key>
      <Path>file:/etc/pki/tls/private/idp.brighton.ac.uk.pem</Path>
    </Key>
    <Certificate>
      <Path>file:/etc/pki/tls/certs/idp.brighton.ac.uk.pem</Path>
      <CAPath>file:/etc/pki/tls/certs/GlobalSignServerSignCA.pem</CAPath>
      <CAPath>file:/etc/pki/tls/certs/GlobalSignPrimarySecureServerCA.pem</CAPath>
      <CAPath>file:/etc/pki/tls/certs/GlobalSignRootCA.pem</CAPath>
    </Certificate>
  </FileResolver>
</Credentials>

I've tried various permutations of the Path and CAPath lines, but to no
avail.


I'm assuming that idp.xml is the relevant file here - rather than the
Apache config.
But here's our standard certificate stanza from the Apache config:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/pki/tls/certs/idp.brighton.ac.uk.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.brighton.ac.uk.pem
SSLCertificateChainFile /etc/pki/tls/certs/GlobalSignCertificateChain.pem
SSLVerifyClient none
SSLVerifyDepth 10

The latter 'GlobalSignCertificateChain.pem' file contains the following
certificates, in this order:

GlobalSign Root CA
GlobalSign Primary Secure Server CA
GlobalSign Server Sign CA


Has anyone else experienced a similar problem?
If so, could you post the appropriate lines from your JSTOR-compliant
config?


I've double-checked the Federation and Shib guides and JSTOR's own Shib
page:
http://www.ukfederation.org.uk/content/Documents/Setup1p3IdP
https://spaces.internet2.edu/display/SHIB/IdPPKIConfig
http://www.jstor.org/page/info/resources/librarians/tech.jsp#shibboleth

Apologies if I'm missing something obvious.
This is the first SP with whom we've experienced this problem, and it's
a little awkward to debug.

BTW, am posting here rather than UK Federation Discuss, as this list
seems more widely used these days.

Kind regards,
Steve Holden
Principal Systems Officer
Network Services
University of Brighton


Date: 28 Oct 2009
Department: JSTOR Tech Support

We are still seeing a certificate chaining error in our SSL activity
logs.  Here's the chain from our logs:

2009-10-21 05:55:27,618 *** Certificate chain
2009-10-21 05:55:27,619 chain [0] = [
2009-10-21 05:55:27,619 Subject:
[log in to unmask], CN=idp.brighton.ac.uk,
O=University of Brighton, C=GB
2009-10-21 05:55:27,619 Issuer: CN=GlobalSign ServerSign CA,
OU=ServerSign CA, O=GlobalSign nv-sa, C=BE

2009-10-21 05:55:27,620 chain [1] = [
2009-10-21 05:55:27,620 Subject: CN=GlobalSign Root CA, OU=Root CA,
O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,620 Issuer: CN=GlobalSign Root CA, OU=Root CA,
O=GlobalSign nv-sa, C=BE

2009-10-21 05:55:27,621 chain [2] = [
2009-10-21 05:55:27,621 Subject: CN=GlobalSign Primary Secure Server CA,
OU=Primary Secure Server CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,621 Issuer: CN=GlobalSign Root CA, OU=Root CA,
O=GlobalSign nv-sa, C=BE

2009-10-21 05:55:27,622 chain [3] = [
2009-10-21 05:55:27,622 Subject: CN=GlobalSign ServerSign CA,
OU=ServerSign CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,622 Issuer: CN=GlobalSign Primary Secure Server CA,
OU=Primary Secure Server CA, O=GlobalSign nv-sa, C=BE

Thus, chain[0] is your cert. It should be signed by chain[1], and so on,
so that the signing order is

chain[3] -> chain[2] -> chain[1] -> chain[0]

but instead, the signing order is

chain[1] -> chain[2] -> chain[3] -> chain[0]

In order for this to work, the certificates need to be in the following
order.

Subject: [log in to unmask], CN=idp.brighton.ac.uk, O=University of Brighton, C=GB
Subject: CN=GlobalSign ServerSign CA, OU=ServerSign CA, O=GlobalSign nv-sa, C=BE
Subject: CN=GlobalSign Primary Secure Server CA, OU=Primary Secure Server CA, O=GlobalSign nv-sa, C=BE
Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE


We do appreciate that other Shibboleth Service Providers do not consider
an out of order chain to be an error. This "pickiness" is a result of
our particular Java SSL implementation which requires that the chain
order is strictly adhered to. I am afraid that there is nothing we can
do about this in the short term, but we do recognize the problems caused
for institutions such as yourselves, and so we are working with our
platform developers, and consulting with the wider Shibboleth community
to find a workable solution to this issue.

I do know that other UK Federation IdPs have run into this same cert
chaining issue with JSTOR and have been able to resolve the issue, so
hopefully you should be able to get some help from the UK Federation or
other UK universities.
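The ordering rule JSTOR describes above (leaf first, each certificate followed by its issuer, ending at the self-signed root) as an added example that is not part of this thread: a small Python checker that parses Subject/Issuer lines in the format of the quoted SSL log, derives the strict leaf-to-root order and reports whether the presented chain already matches it. The sample log is constructed here from the quoted excerpt, with the masked e-mail attribute of the IdP subject left out.

```python
import re

# Constructed sample in the format of the JSTOR SSL log quoted in the thread
# (the IdP subject's e-mail attribute is omitted; it is masked on the list).
SAMPLE_LOG = """\
2009-10-21 05:55:27,619 chain [0] = [
2009-10-21 05:55:27,619 Subject: CN=idp.brighton.ac.uk, O=University of Brighton, C=GB
2009-10-21 05:55:27,619 Issuer: CN=GlobalSign ServerSign CA, OU=ServerSign CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,620 chain [1] = [
2009-10-21 05:55:27,620 Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,620 Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,621 chain [2] = [
2009-10-21 05:55:27,621 Subject: CN=GlobalSign Primary Secure Server CA, OU=Primary Secure Server CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,621 Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,622 chain [3] = [
2009-10-21 05:55:27,622 Subject: CN=GlobalSign ServerSign CA, OU=ServerSign CA, O=GlobalSign nv-sa, C=BE
2009-10-21 05:55:27,622 Issuer: CN=GlobalSign Primary Secure Server CA, OU=Primary Secure Server CA, O=GlobalSign nv-sa, C=BE
"""

# "<date> <time> Subject: <DN>" or "<date> <time> Issuer: <DN>"
DN_LINE = re.compile(r"^\S+ \S+ (Subject|Issuer): (.+)$")


def parse_chain(log: str) -> list[tuple[str, str]]:
    """Return (subject DN, issuer DN) pairs in the order the peer presented them."""
    subjects, issuers = [], []
    for line in log.splitlines():
        m = DN_LINE.match(line.strip())
        if m:
            (subjects if m.group(1) == "Subject" else issuers).append(m.group(2).strip())
    if len(subjects) != len(issuers):
        raise ValueError("unbalanced Subject/Issuer lines in log")
    return list(zip(subjects, issuers))


def required_order(chain: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Leaf first, then each cert's issuer, stopping at the self-signed root."""
    by_subject = {subj: (subj, iss) for subj, iss in chain}
    issuer_names = {iss for subj, iss in chain if subj != iss}
    leaves = [c for c in chain if c[0] not in issuer_names]  # nothing is signed by the leaf
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate")
    ordered = [leaves[0]]
    while ordered[-1][0] != ordered[-1][1]:  # self-signed root ends the walk
        nxt = by_subject.get(ordered[-1][1])
        if nxt is None or nxt in ordered:
            raise ValueError("chain does not reach a self-signed root")
        ordered.append(nxt)
    return ordered


def chain_is_ordered(chain: list[tuple[str, str]]) -> bool:
    """True only when the presented order is the strict leaf-to-root order."""
    return chain == required_order(chain)
```

Run against the sample, `required_order` returns chain[0], chain[3], chain[2], chain[1], which is the file order Patrick suggests (ServerSign, then Primary Secure Server, then Root after the IdP certificate).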