Beiträge von zchris

zchris · 27. Februar 2014

Wenn ich das mit einem Server teste bekomme ich die sourceID aus dem SAML Artifact (wie von Ihnen beschrieben).

Sobald ich jedoch zwei Server hinter den Reverse Proxy haenge habe ich folgendes Verhalten:

node 1:

Code

[27/Feb/2014:15:59:11 +0100] "POST /moa-id-auth/VerifyIdentityLink?MOASessionID=-8633405189193979490 HTTP/1.1" 307 9460

node 2:

Code

[27/Feb/2014:15:59:20 +0100] "POST /moa-id-auth/VerifyAuthBlock?MOASessionID=-8633405189193979490 HTTP/1.1" 404 1011

Fehler im MOA Log bei Node 2:

Code

ERROR | 27 15:59:20,780 | http-apr-8080-exec-3 | MOASessionID ist unbekannt (MOASessionID=-8633405189193979490)

Der Reverse Proxy sollte den zweiten Request wohl zur gleichen Node weiterleiten - aber woran kann ich das erkennen? Ich finde hier keine sourceID.

zchris · 24. Februar 2014

OK, danke fuer die Information!

zchris · 20. Februar 2014

Danke fuer die rasche Antwort! Ich habe die Zertifikate nochmals installiert (im Trustprofile war es zumindest schon vorhanden), leider bleibt die Fehlermeldung aber gleich.

Wenn ich zum Testen

Code

<cfg:EnableChecking>false</cfg:EnableChecking>

setze funktioniert alles (aber eben ohne CRL check).

zchris · 20. Februar 2014

Da sich unser Server hinter einem Proxy befindet der kein CRL erlaubt haben wir RevocationChecking auf OCSP gesetzt:

Code

<cfg:RevocationChecking>
        <cfg:EnableChecking>true</cfg:EnableChecking>
        <cfg:MaxRevocationAge>0</cfg:MaxRevocationAge>
        <cfg:ServiceOrder>
          <cfg:Service>OCSP</cfg:Service>
        </cfg:ServiceOrder>
        [..]
      </cfg:RevocationChecking>

Lt. log sagt er auch "MSG=OCSP response successfully received", am Ende kommt dann aber "OCSP response not trusted thus setting revocation status to unknown".

Wo kann der Fehler liegen?

Auszug aus dem Log:

Code

INFO | 07 09:19:01,400 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Registering IAIK as security provider
 INFO | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Registering IAIK-ECC as security provider
 INFO | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Registering LDAP protocol handler
 INFO | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Registered protocol handlers: iaik.pki|org.apache.axis.transport|
 INFO | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Initializing IXSIL
DEBUG | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Configuring pki module
DEBUG | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Setting up the certstore(s)
DEBUG | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Setting up the cert info store(s)
DEBUG | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Setting up the archive
DEBUG | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Setting up the revocation source store
 INFO | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Archiving disabled
DEBUG | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Setting up certificate status checking module
DEBUG | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=Setting up certificate path validation module
 INFO | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=IaikConfigurator NID=<null> MSG=PKI module successfully configured
 INFO | 07 09:19:01,415 | http-bio-8080-exec-5 | TID=startup NID=<null> MSG=MOA SP/SS Konfiguration erfolgreich geladen
DEBUG | 07 09:19:01,462 | http-bio-8080-exec-5 | >>> parsing the following content:
<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:ecdsa="http://www.w3.org/2001/04/xmldsig-more#" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#" xmlns:si="http://www.w3.org/2001/XMLSchema-instance" AssertionID="szr.bmi.gv.at-AssertionID136577061891311670" IssueInstant="2013-04-12T14:43:38+01:00" Issuer="http://portal.bmi.gv.at/ref/szr/issuer" MajorVersion="1" MinorVersion="0">
---REMOVED---
</saml:Assertion>
DEBUG | 07 09:19:01,478 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=resolveEntity: p=null s=file:///resources/schemas/cs-sstc-schema-assertion-01.xsd
DEBUG | 07 09:19:01,494 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=resolveEntity: p=null s=file:///resources/schemas/PersonData_20_en_moaWID.xsd
DEBUG | 07 09:19:01,509 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=resolveEntity: p=null s=file:///resources/schemas/ECDSAKeyValue.xsd
DEBUG | 07 09:19:01,525 | http-bio-8080-exec-5 | <<< parsed
DEBUG | 07 09:19:01,572 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=File uris allowed: false
DEBUG | 07 09:19:01,634 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Signer certificate chain: [Version: 3
Serial number: 469474
Signature algorithm: sha1WithRSAEncryption (1.2.840.113549.1.1.5)
Issuer: CN=a-sign-corporate-light-02,OU=a-sign-corporate-light-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Valid not before: Wed Jul 28 13:36:43 CEST 2010
      not after: Tue Jul 28 13:36:43 CEST 2015
Subject: EMAIL=dsk@dsk.gv.at,serialNumber=325928323998,CN=Signaturservice Datenschutzkommission,OU=Stammzahlregisterbehoerde,O=Datenschutzkommission,C=AT
Sun RSA public key, 2048 bits
  modulus: 28228571472454126468124436806957295157143716699614265907698482773777886784505475495711862158944231845901906624933911404258318534994833542446817197473411192411047747204271732495750869476848340675208016893997271801472682257349381991688028673865438188916805075860989442611482704525599666844927174912231143382307513870695360001766469780246375412696390975229327072689875536044839614355223208155866700922610200157300797014481257879629645197861736050144013076837211976908527659475536442363319191732040528144541564375887902967232699897438502602140981325527460077864201849599283808430631757257147018427247677133868550774778163
  public exponent: 65537
Certificate Fingerprint (MD5)  : D3:85:F0:B5:B5:2D:77:E2:2F:CD:9D:BF:79:EA:35:30
Certificate Fingerprint (SHA-1): A2:F1:38:CD:16:AD:04:BC:3F:14:5E:37:80:BF:A1:69:BF:DA:26:3B


Extensions: 10
]
DEBUG | 07 09:19:01,650 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Could not resolve URI using supplements:
DEBUG | 07 09:19:02,150 | http-bio-8080-exec-5 | TID=<null> NID=<null> MSG=Calculated hash value.
DEBUG | 07 09:19:02,165 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Could not resolve URI using supplements: #manifest
DEBUG | 07 09:19:02,244 | http-bio-8080-exec-5 | TID=<null> NID=<null> MSG=Calculated hash value.
 INFO | 07 09:19:02,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=No signed properties included in signature.
DEBUG | 07 09:19:02,322 | http-bio-8080-exec-5 | TID=<null> NID=<null> MSG=Verified signature value.
DEBUG | 07 09:19:02,337 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Could not resolve URI using supplements: #manifest
DEBUG | 07 09:19:02,384 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Could not resolve URI using supplements:
DEBUG | 07 09:19:02,759 | http-bio-8080-exec-5 | TID=<null> NID=<null> MSG=Calculated hash value.
DEBUG | 07 09:19:02,775 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=EE cert key usage checked disabled
DEBUG | 07 09:19:02,775 | http-bio-8080-exec-5 | TID=<null> NID=<null> MSG=Setting internal DirectoryNameFormatter.CacheSize parameter: 10
DEBUG | 07 09:19:02,775 | http-bio-8080-exec-5 | TID=<null> NID=<null> MSG=Setting internal DirectoryNameFormatter.InMemoryCacheSize parameter: 0
DEBUG | 07 09:19:02,775 | http-bio-8080-exec-5 | TID=<null> NID=<null> MSG=storing cert "EMAIL=dsk@dsk.gv.at,serialNumber=325928323998,CN=Signaturservice Datenschutzkommission,OU=Stammzahlregisterbehoerde,O=Datenschutzkommission,C=AT" to: c:	omcatmoa-spsscertstore3C025917C3C938FEB856E5440D28E4A568C311DC
 INFO | 07 09:19:02,775 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=c:	omcatmoa-spsscertstore3C025917C3C938FEB856E5440D28E4A568C311DCA2F138CD16AD04BC3F145E3780BFA169BFDA263B
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Constructing chain, current size 1
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Searching certstores: false
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Constructing chain, current size 1
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Searching certstores: true
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG= Searching for certificate CN=a-sign-corporate-light-02,OU=a-sign-corporate-light-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT in CertStores
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=# of CertStores to search for: 1
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Type of CertSelector for CertStore # 0:iaik.pki.store.certstore.directory.DirectoryCertSelector -- CN=a-sign-corporate-light-02,OU=a-sign-corporate-light-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Checking for new certificates to be added
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Trying to get certificate from directory cert store
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Searching 1 certificates
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Found 1 certificates in the directory cert store
DEBUG | 07 09:19:02,806 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG= # of certificates found in CertStores: 1
DEBUG | 07 09:19:02,822 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Using authority info access
DEBUG | 07 09:19:02,822 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Retrieving certificate from AuthorityInfoAccess
DEBUG | 07 09:19:02,822 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Trying to retrieve:http://www.a-trust.at/certs/a-sign-corporate-light-02a.crt
DEBUG | 07 09:19:02,900 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Certificate already in cache
DEBUG | 07 09:19:02,900 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Constructing chain, current size 2
DEBUG | 07 09:19:02,900 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=found 1 chains
DEBUG | 07 09:19:02,900 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Validating chain number 1:
DEBUG | 07 09:19:02,900 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=cert 1: srlNr: 469474, subjectDN: EMAIL=dsk@dsk.gv.at,serialNumber=325928323998,CN=Signaturservice Datenschutzkommission,OU=Stammzahlregisterbehoerde,O=Datenschutzkommission,C=AT
DEBUG | 07 09:19:02,900 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=cert 2: srlNr: 58536, subjectDN: CN=a-sign-corporate-light-02,OU=a-sign-corporate-light-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
DEBUG | 07 09:19:02,900 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Validator configured successfully
DEBUG | 07 09:19:02,931 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Signature date: Fri Apr 12 15:43:38 CEST 2013
DEBUG | 07 09:19:02,931 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=chain.size(): 2
DEBUG | 07 09:19:02,931 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=trust anchor Version: 3
Serial number: 58536
Signature algorithm: sha1WithRSAEncryption (1.2.840.113549.1.1.5)
Issuer: CN=A-Trust-Qual-02,OU=A-Trust-Qual-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Valid not before: Wed Dec 15 00:00:00 CET 2004
      not after: Sun Dec 14 00:00:00 CET 2014
Subject: CN=a-sign-corporate-light-02,OU=a-sign-corporate-light-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Sun RSA public key, 2048 bits
  modulus: 18638627717728127183529693706031995220967849325514314636921450981432722904817956110351962497330315197923049194130348767011429342226566732087506538776148005240789185027722216416436240189734705801878388833437851767464291767268650328406941540076296589563459561977592599385272006722196019746361310731109090005024507734307168900021049757894782371249015445620420850576639803739283420102941050383695089275173461831581916410023141108588620488987902612574363233139314281709363034995389514581416105769022522871023180289417004532832144183116302094834742275304344347287015239370658612351116139285143797201785159776114260102873399
  public exponent: 65537
Certificate Fingerprint (MD5)  : 3A:E7:F3:26:6C:D7:EA:E8:2E:2B:E5:FA:D1:19:8D:39
Certificate Fingerprint (SHA-1): 4D:52:37:30:50:1A:DB:80:A7:6B:0B:47:3A:4D:21:C7:D8:6F:83:74


Extensions: 5


DEBUG | 07 09:19:02,931 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Using chaining mode: pkix
DEBUG | 07 09:19:02,947 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=current certificate: Version: 3
Serial number: 469474
Signature algorithm: sha1WithRSAEncryption (1.2.840.113549.1.1.5)
Issuer: CN=a-sign-corporate-light-02,OU=a-sign-corporate-light-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Valid not before: Wed Jul 28 13:36:43 CEST 2010
      not after: Tue Jul 28 13:36:43 CEST 2015
Subject: EMAIL=dsk@dsk.gv.at,serialNumber=325928323998,CN=Signaturservice Datenschutzkommission,OU=Stammzahlregisterbehoerde,O=Datenschutzkommission,C=AT
Sun RSA public key, 2048 bits
  modulus: 28228571472454126468124436806957295157143716699614265907698482773777886784505475495711862158944231845901906624933911404258318534994833542446817197473411192411047747204271732495750869476848340675208016893997271801472682257349381991688028673865438188916805075860989442611482704525599666844927174912231143382307513870695360001766469780246375412696390975229327072689875536044839614355223208155866700922610200157300797014481257879629645197861736050144013076837211976908527659475536442363319191732040528144541564375887902967232699897438502602140981325527460077864201849599283808430631757257147018427247677133868550774778163
  public exponent: 65537
Certificate Fingerprint (MD5)  : D3:85:F0:B5:B5:2D:77:E2:2F:CD:9D:BF:79:EA:35:30
Certificate Fingerprint (SHA-1): A2:F1:38:CD:16:AD:04:BC:3F:14:5E:37:80:BF:A1:69:BF:DA:26:3B


Extensions: 10


DEBUG | 07 09:19:02,947 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=selfIssued: false
DEBUG | 07 09:19:02,947 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Checking certificate validity at Fri Apr 12 15:43:38 CEST 2013
DEBUG | 07 09:19:02,947 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Verifying the signature with the issuer: Version: 3
Serial number: 58536
Signature algorithm: sha1WithRSAEncryption (1.2.840.113549.1.1.5)
Issuer: CN=A-Trust-Qual-02,OU=A-Trust-Qual-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Valid not before: Wed Dec 15 00:00:00 CET 2004
      not after: Sun Dec 14 00:00:00 CET 2014
Subject: CN=a-sign-corporate-light-02,OU=a-sign-corporate-light-02,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Sun RSA public key, 2048 bits
  modulus: 18638627717728127183529693706031995220967849325514314636921450981432722904817956110351962497330315197923049194130348767011429342226566732087506538776148005240789185027722216416436240189734705801878388833437851767464291767268650328406941540076296589563459561977592599385272006722196019746361310731109090005024507734307168900021049757894782371249015445620420850576639803739283420102941050383695089275173461831581916410023141108588620488987902612574363233139314281709363034995389514581416105769022522871023180289417004532832144183116302094834742275304344347287015239370658612351116139285143797201785159776114260102873399
  public exponent: 65537
Certificate Fingerprint (MD5)  : 3A:E7:F3:26:6C:D7:EA:E8:2E:2B:E5:FA:D1:19:8D:39
Certificate Fingerprint (SHA-1): 4D:52:37:30:50:1A:DB:80:A7:6B:0B:47:3A:4D:21:C7:D8:6F:83:74


Extensions: 5


DEBUG | 07 09:19:02,947 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Checking key id
DEBUG | 07 09:19:02,962 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Signature successfully verified
DEBUG | 07 09:19:02,962 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=new working key: Sun RSA public key, 2048 bits
  modulus: 28228571472454126468124436806957295157143716699614265907698482773777886784505475495711862158944231845901906624933911404258318534994833542446817197473411192411047747204271732495750869476848340675208016893997271801472682257349381991688028673865438188916805075860989442611482704525599666844927174912231143382307513870695360001766469780246375412696390975229327072689875536044839614355223208155866700922610200157300797014481257879629645197861736050144013076837211976908527659475536442363319191732040528144541564375887902967232699897438502602140981325527460077864201849599283808430631757257147018427247677133868550774778163
  public exponent: 65537
DEBUG | 07 09:19:02,962 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Found OCSP URL:http://ocsp.a-trust.at/ocsp
DEBUG | 07 09:19:02,994 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Caching for ocsp disabled
 INFO | 07 09:19:02,994 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Sending ocsp request to: http://ocsp.a-trust.at/ocsp
DEBUG | 07 09:19:02,994 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=(ocsp request: Version: 1
request 0: {
  reqCert: {
    certID:{
      hashAlgorithm: SHA (1.3.14.3.2.26)
      issuerNameHash: AC:1B:67:D7:D5:A3:00:76:7C:09:44:AC:E8:45:8D:D4:99:60:F1:BD
      issuerKeyHash: 00:19:67:CB:5F:1E:A0:51:4E:77:A8:A5:09:1C:58:3A:4F:E8:0D:03
      serialNumber: 469474
    }
  }
}
Extension 1:     not critical    Nonce
04:10:5D:33:08:A7:C9:1D:C5:EF:56:31:3B:64:25:28:B3:D1
)
 INFO | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=OCSP response successfully received
DEBUG | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Archive Cutoff date included in OCSP response: Sat Jan 01 01:00:00 CET 2000.
 INFO | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Archiving disabled.
DEBUG | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Checking if OCSP responder is trusted
DEBUG | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Nonce check OK
DEBUG | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Chaining mode is "pkix", using OCSP download time (Fri Feb 07 09:19:03 CET 2014) for checking OCSP issuer trust.
DEBUG | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=3 ocsp issuer candidate(s) included in response
DEBUG | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=OCSP signing extended key usage included in OCSP signer certificate.
DEBUG | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=EE cert key usage checked disabled
DEBUG | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=<null> NID=<null> MSG=storing cert "serialNumber=896929130327,givenName=OCSP,SN=Responder 03-1,CN=OCSP Responder 03-1,C=AT" to: c:	omcatmoa-spsscertstoreE47BA33321A8A919414A123C91F5D253766AB078
 INFO | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=c:	omcatmoa-spsscertstoreE47BA33321A8A919414A123C91F5D253766AB078698563ECEE29232C5304487D972310F86650C3A6
DEBUG | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Constructing chain, current size 1
DEBUG | 07 09:19:03,197 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Searching certstores: false
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Constructing chain, current size 1
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Searching certstores: true
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG= Searching for certificate CN=a-sign-SSL-03,OU=a-sign-SSL-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT in CertStores
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=# of CertStores to search for: 1
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Type of CertSelector for CertStore # 0:iaik.pki.store.certstore.directory.DirectoryCertSelector -- CN=a-sign-SSL-03,OU=a-sign-SSL-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Checking for new certificates to be added
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Trying to get certificate from directory cert store
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Searching 1 certificates
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Found 1 certificates in the directory cert store
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG= # of certificates found in CertStores: 1
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Using authority info access
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Retrieving certificate from AuthorityInfoAccess
DEBUG | 07 09:19:03,212 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Trying to retrieve:http://www.a-trust.at/certs/a-sign-ssl-03.crt
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Certificate already in cache
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Constructing chain, current size 2
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Searching certstores: true
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG= Searching for certificate CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT in CertStores
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=# of CertStores to search for: 1
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Type of CertSelector for CertStore # 0:iaik.pki.store.certstore.directory.DirectoryCertSelector -- CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Checking for new certificates to be added
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Trying to get certificate from directory cert store
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Searching 1 certificates
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Found 1 certificates in the directory cert store
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG= # of certificates found in CertStores: 1
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Using authority info access
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Constructing chain, current size 3
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=found 1 chains
DEBUG | 07 09:19:03,259 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Validating chain number 1:
DEBUG | 07 09:19:03,275 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=cert 1: srlNr: 1026306, subjectDN: serialNumber=896929130327,givenName=OCSP,SN=Responder 03-1,CN=OCSP Responder 03-1,C=AT
DEBUG | 07 09:19:03,275 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=cert 2: srlNr: 156984, subjectDN: CN=a-sign-SSL-03,OU=a-sign-SSL-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
DEBUG | 07 09:19:03,275 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=cert 3: srlNr: 93214, subjectDN: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
DEBUG | 07 09:19:03,275 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Validator configured successfully
DEBUG | 07 09:19:03,275 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Signature date: Fri Feb 07 09:19:03 CET 2014
DEBUG | 07 09:19:03,275 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=chain.size(): 3
DEBUG | 07 09:19:03,275 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=trust anchor Version: 3
Serial number: 93214
Signature algorithm: sha1WithRSAEncryption (1.2.840.113549.1.1.5)
Issuer: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Valid not before: Thu Aug 18 00:00:00 CEST 2005
      not after: Tue Aug 18 00:00:00 CEST 2015
Subject: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Sun RSA public key, 2048 bits
  modulus: 21869494653668008918844416385089536007956225270862081298487263355890560226700562804915764272717665176511808263470151370737245936376007321228910776135206539382049322015441321107832811170624147336576247878439205936313185834711100345804543985910563482404766787381448703074157514940925242577844532069792114520939247642141653120918631594775695648736927917049560150588183939350534202927535627888832431971627873035096068204585072738119223276433034861222809063050004964113769382281608944412757800218655912063926459139096991397100458852994391712594476052252831557719562192501721507019517112894869843669179964120175312781185203
  public exponent: 65537
Certificate Fingerprint (MD5)  : 49:63:AE:27:F4:D5:95:3D:D8:DB:24:86:B8:9C:07:53
Certificate Fingerprint (SHA-1): D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2


Extensions: 3


DEBUG | 07 09:19:03,275 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Using chaining mode: pkix
DEBUG | 07 09:19:03,275 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=current certificate: Version: 3
Serial number: 156984
Signature algorithm: sha1WithRSAEncryption (1.2.840.113549.1.1.5)
Issuer: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Valid not before: Thu Aug 17 00:00:00 CEST 2006
      not after: Wed Aug 17 00:00:00 CEST 2016
Subject: CN=a-sign-SSL-03,OU=a-sign-SSL-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Sun RSA public key, 2048 bits
  modulus: 25822119301571569388552575661185325199001052732593736766820966724796615738017137271162510156834027510806219653882732570870991983095330332807143005476393668312821422185853800527818394191697879670137001245318817050519495679704226451727669480268214164912233873796281136094619435468481940184326998110104036669153301940395401839965660002848419682833799600610675211997542687171285593046298039737462232288054642678636030613229660674098467339213936756525601761322919440652764652330042665384336256014152191116797972591298079180232707529530708503732213892540511146699969215180502298424460895756960961732868801272689438776527023
  public exponent: 65537
Certificate Fingerprint (MD5)  : C3:67:02:7F:E4:8F:0D:F3:28:02:4B:17:06:D9:05:55
Certificate Fingerprint (SHA-1): FE:4F:09:F5:D1:A4:AA:DE:92:32:D9:E2:D6:B9:A2:55:2B:C4:8A:22


Extensions: 5


DEBUG | 07 09:19:03,275 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=selfIssued: false
DEBUG | 07 09:19:03,275 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Checking certificate validity at Fri Feb 07 09:19:03 CET 2014
DEBUG | 07 09:19:03,290 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Verifying the signature with the issuer: Version: 3
Serial number: 93214
Signature algorithm: sha1WithRSAEncryption (1.2.840.113549.1.1.5)
Issuer: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Valid not before: Thu Aug 18 00:00:00 CEST 2005
      not after: Tue Aug 18 00:00:00 CEST 2015
Subject: CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Sun RSA public key, 2048 bits
  modulus: 21869494653668008918844416385089536007956225270862081298487263355890560226700562804915764272717665176511808263470151370737245936376007321228910776135206539382049322015441321107832811170624147336576247878439205936313185834711100345804543985910563482404766787381448703074157514940925242577844532069792114520939247642141653120918631594775695648736927917049560150588183939350534202927535627888832431971627873035096068204585072738119223276433034861222809063050004964113769382281608944412757800218655912063926459139096991397100458852994391712594476052252831557719562192501721507019517112894869843669179964120175312781185203
  public exponent: 65537
Certificate Fingerprint (MD5)  : 49:63:AE:27:F4:D5:95:3D:D8:DB:24:86:B8:9C:07:53
Certificate Fingerprint (SHA-1): D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2


Extensions: 3


DEBUG | 07 09:19:03,290 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Checking key id
DEBUG | 07 09:19:03,290 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Signature successfully verified
DEBUG | 07 09:19:03,290 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=new working key: Sun RSA public key, 2048 bits
  modulus: 25822119301571569388552575661185325199001052732593736766820966724796615738017137271162510156834027510806219653882732570870991983095330332807143005476393668312821422185853800527818394191697879670137001245318817050519495679704226451727669480268214164912233873796281136094619435468481940184326998110104036669153301940395401839965660002848419682833799600610675211997542687171285593046298039737462232288054642678636030613229660674098467339213936756525601761322919440652764652330042665384336256014152191116797972591298079180232707529530708503732213892540511146699969215180502298424460895756960961732868801272689438776527023
  public exponent: 65537
DEBUG | 07 09:19:03,290 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Certificate status: Unknown at Fri Feb 07 09:19:03 CET 2014
 INFO | 07 09:19:03,290 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Certificate revocation check failed Unknown
DEBUG | 07 09:19:03,290 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Checking key id
DEBUG | 07 09:19:03,306 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Signature successfully verified
DEBUG | 07 09:19:03,306 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Chain validation failed: REVOCATION error
 INFO | 07 09:19:03,306 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Certificate validation failed
 WARN | 07 09:19:03,306 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=OCSP response not trusted thus setting revocation status to unknown
DEBUG | 07 09:19:03,306 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Certificate status: Unknown at Fri Apr 12 15:43:38 CEST 2013
 INFO | 07 09:19:03,306 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Certificate revocation check failed Unknown
DEBUG | 07 09:19:03,306 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Chain validation failed: REVOCATION error
 INFO | 07 09:19:03,306 | http-bio-8080-exec-5 | TID=http-bio-8080-exec-5 NID=<null> MSG=Certificate validation failed
ERROR | 07 09:19:03,337 | http-bio-8080-exec-5 | Das Zertifikat der Personenbindung ist ungültig.<br>Eine formal korrekte Zertifikatskette vom Signatorzertifikat zu einem vertrauenswürdigen Wurzelzertifikat konnte konstruiert werden. Für alle Zertifikate dieser Kette fällt der Prüfzeitpunkt in das jeweilige Gültigkeitsintervall. Für zumindest ein Zertifikat konnte der Zertifikatstatus nicht festgestellt werden.
at.gv.egovernment.moa.id.auth.validator.ValidateException: Das Zertifikat der Personenbindung ist ungültig.<br>Eine formal korrekte Zertifikatskette vom Signatorzertifikat zu einem vertrauenswürdigen Wurzelzertifikat konnte konstruiert werden. Für alle Zertifikate dieser Kette fällt der Prüfzeitpunkt in das jeweilige Gültigkeitsintervall. Für zumindest ein Zertifikat konnte der Zertifikatstatus nicht festgestellt werden.
  at at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator.validate(VerifyXMLSignatureResponseValidator.java:105)
  at at.gv.egovernment.moa.id.auth.AuthenticationServer.verifyIdentityLink(AuthenticationServer.java:565)
  at at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet.doPost(VerifyIdentityLinkServlet.java:138)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
  at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:409)
  at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1044)
  at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
  at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
  at java.lang.Thread.run(Thread.java:744)

Alles anzeigen

zchris · 10. Februar 2014

In der MOA-ID history steht:

Zitat

- MOA-ID erlaubt ab sofort Load-Balancing. Dies wird durch die Konfigurations-
möglichkeit der Source-ID für das SAML-Artifact gewährleistet. Das Border-
Gateway kann dann anhand dieser Kennung an den zuständigen Server zur Abholung
der SAML-Assertion weiterleiten. Über den Konfigurationsparameter
<GenericConfiguration name="AuthenticationServer.SourceID" value="Cluster-A"/>
kann die authURL bei der Kodierung des SAML-Artifakts durch eine fix
definierte URI (z.B. "Cluster-A") ersetzt werden.

Alles anzeigen

Gibt es evt. eine kurze Beschreibung zur Verwendung dieser Funktionalitaet in Verbindung mit der Handy-Signatur?

Ich habe den Parameter gesetzt. Beim Redirect zurueck zur OA haette ich die sourceID erwartet - dort bekomme ich aber weiterhin nur den SAMLArtifact.

zchris · 20. Januar 2014

Danke, funktioniert!

zchris · 17. Januar 2014

Danke, funktioniert jetzt. (Editor hat Whitespace entfernt)

zchris · 16. Januar 2014

Das File habe ich angepasst, den Redirect macht aber bereits https://www.handy-signatur.at/…equest/response.aspx?sid=... bevor er noch zum PDF-AS kommt.

Bei MOA-ID konnte man diesen Redirect per template_handyBKU.html abschalten.

zchris · 16. Januar 2014

Zitat

Um die Assertion zu prüfen, muss diese aus der MOA-ID Antwort entnommen werden und als eigene Datei via pruefung.signatur.rtr.at geprüft werden.

OK, aber welcher Teil?

Ich bekomme von MOA-ID (gekuerzt):

XML

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope ...>
  <soapenv:Body>
    <samlp:Response ...>
      <samlp:Status>
        ...
      </samlp:Status>
      <saml:Assertion AssertionID="-5980938025559818919" ...>
        <saml:AttributeStatement>
          <saml:Subject>
            <saml:NameIdentifier ...>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>http://reference.e-government.gv.at/namespace/moa/20020822#cm</saml:ConfirmationMethod>
              <saml:SubjectConfirmationData>
                <saml:Assertion AssertionID="any" IssueInstant="2014-01-15T15:29:55" ...>

Alles anzeigen

Ich habe schon versucht verschiedene Teile (wie saml:Assertion) in ein eigenes XML zu geben (ohne die Formatierung zu aendern), der Test ist aber immer negativ.

Gibt es evt. ein Sample XML?

zchris · 16. Januar 2014

Ich versuche die von MOA-ID erzeugte saml:Assertion auf https://pruefung.signatur.rtr.at/ zu prüfen.

Das Service erkennt die Zertifikate, gibt mir aber immer folgenden Fehler:

Zitat

Bei der Überprüfung des Hash-Werts zumindest einer Referenz der Signatur ist ein Fehler aufgetreten. Der Wert der Signatur wurde nicht überprüft.

Das XML wird 1:1 von MOA-ID uebernommen. Was kann die Ursache sein?

zchris · 16. Januar 2014

Wir wollen das Signieren von PDFs via Handy-Signatur in unserer Webapp ermöglichen.

Der Prozess funktioniert, nur wird am Ende von

Code

https://www.handy-signatur.at/mobile/https-security-layer-request/response.aspx?sid=...

ein Redirect auf _top durchgefuehrt (die iframe wird dadurch verlassen).

Beim Login kann man das mit dem redirecttarget Parameter in template_handyBKU.html umgehen (damit die Single Page Application im Browser nicht verlassen wird).

Wie kann man diesen Parameter in PDF-AS definieren?

zchris · 4. Januar 2014

OK, danke fuer die Information!

Ist es korrekt dass ich fuer den Test auch ein SSL Certificate benoetige?

Ich habe es inzwischen (ueber http auf einer Cloud VM) installiert, bekomme aber wieder den gleichen Fehler.

zchris · 2. Januar 2014

Ist es moeglich moa-id auf http://localhost:8080 zu testen?

Da wir derzeit keinen tomcat im web rennen haben wollte ich die Konfiguration lokal testen.

Lt. log startet es:

Code

INFO | 02 14:54:14,267 |          moa.id.auth |       main | MOA ID Authentisierung wurde erfolgreich gestartet

Wenn ich aber mit "HANDY" das Login starte (http://localhost:8080/moa-id-auth/index.html) bekomme ich nach Tel/Pwd folgenden Fehler:

XML

<?xml version=&#39;1.0&#39; encoding=&#39;UTF-8&#39;?> <sl:ErrorResponse xmlns:sl=&#39;http://www.buergerkarte.at/namespaces/securitylayer/1.2#&#39;> 
<sl:ErrorCode>4126</sl:ErrorCode><sl:Info>Response of this command to user browser not allowed.</sl:Info></sl:ErrorResponse>

Der Fehler 4126 ist leider nicht dokumentiert: http://www.buergerkarte.at/kon…rrorcodes/errorcodes.html

Beiträge von zchris

MOA-ID im Cluster

MOASPSS: Certificate status: Unknown

MOASPSS: Certificate status: Unknown

MOASPSS: Certificate status: Unknown

MOA-ID im Cluster

PDF-AS mit Handy-Signatur - Redirect _top

MOA-ID Signatur prüfen

PDF-AS mit Handy-Signatur - Redirect _top

MOA-ID Signatur prüfen

MOA-ID Signatur prüfen

PDF-AS mit Handy-Signatur - Redirect _top

MOA-Template auf localhost testen?

MOA-Template auf localhost testen?