I have generated a keystore file in JKS format from the input pfx file. While using the keystore file in the Tomcat web application, I am facing an exception; kindly help if anyone has faced the same problem.
The exception:

```
org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351) ~[spring-beans-4.1.7.RELEASE.jar:4.1.7.RELEASE]
... 124 common frames omitted
Caused by: org.opensaml.common.SAMLRuntimeException: Can't obtain SP signing key
at org.springframework.security.saml.key.JKSKeyManager.getCredential(JKSKeyManager.java:193) ~[spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
at org.springframework.security.saml.key.JKSKeyManager.getDefaultCredential(JKSKeyManager.java:205) ~[spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.initializeDelegate(TLSProtocolSocketFactory.java:113) ~[spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.<init>(TLSProtocolSocketFactory.java:77) ~[spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
at org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer.afterPropertiesSet(TLSProtocolConfigurer.java:50) ~[spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1633) ~[spring-beans-4.1.7.RELEASE.jar:4.1.7.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1570) ~[spring-beans-4.1.7.RELEASE.jar:4.1.7.RELEASE]
... 131 common frames omitted
Caused by: org.opensaml.xml.security.SecurityException: Could not retrieve entry from keystore
at org.opensaml.xml.security.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:136) ~[xmltooling-1.4.4.jar:na]
```
The exception states that OpenSAML cannot find your (SP) private key to sign the SAML message.
The following SAML configuration should exist (e.g. in spring-security.xml):

```xml
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg type="org.springframework.core.io.Resource" value="file:/path/to/keystore/jks"/>
    <constructor-arg type="java.lang.String" value="<keystorePassword>"/>
    <constructor-arg>
        <map>
            <entry key="<keyAlias>" value="<privateKeyPassphrase>"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="<defaultKeyAlias>"/>
</bean>
```
If you already have the above configuration, then check whether your JKS contains the private/public key pair with that alias name.
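To make that check concrete, here is an added diagnostic (written for this page, not code from the asker, the answerer or Spring Security SAML) that opens the keystore exactly as JKSKeyManager would, using the same four values from the bean above, and reports which of the conditions the resolver depends on is failing: alias absent, alias present but only as a trusted certificate (no private key), key passphrase wrong, or entry not a private key. The class name `JksEntryCheck`, the `Status` enum and the path/password/alias strings are placeholders of this example, to be replaced with your own values.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Diagnostic for "Could not retrieve entry from keystore": loads the JKS with
 * the keystore password, then checks one alias the way the SAML key manager
 * needs it (a key entry whose private key opens with the per-alias passphrase).
 * Hypothetical helper written for this answer; values in main() are placeholders.
 */
public class JksEntryCheck {

    /** Distinct outcomes so the caller can tell apart the usual misconfigurations. */
    public enum Status { OK, ALIAS_MISSING, NOT_A_KEY_ENTRY, WRONG_KEY_PASSWORD, NOT_A_PRIVATE_KEY }

    public static Status check(String keystorePath, char[] keystorePassword,
                               String alias, char[] keyPassphrase)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            // A wrong keystore password fails here with an IOException
            // ("Keystore was tampered with, or password was incorrect").
            ks.load(in, keystorePassword);
        }

        // JKS treats aliases case-insensitively, so a missing alias means it
        // really is not in the file; print what is there to compare.
        if (!ks.containsAlias(alias)) {
            System.out.println("alias not found; present: " + Collections.list(ks.aliases()));
            return Status.ALIAS_MISSING;
        }

        // Importing only a certificate (keytool -importcert) produces a
        // trustedCertEntry: a public certificate with no private key to sign with.
        if (!ks.isKeyEntry(alias)) {
            return Status.NOT_A_KEY_ENTRY;
        }

        Key key;
        try {
            // This is the per-alias passphrase from the <map> constructor-arg. It may
            // differ from the keystore password (keytool's -keypass vs -storepass).
            key = ks.getKey(alias, keyPassphrase);
        } catch (UnrecoverableKeyException e) {
            return Status.WRONG_KEY_PASSWORD;
        }
        if (!(key instanceof PrivateKey)) {
            // e.g. a SecretKeyEntry; not usable for XML signatures.
            return Status.NOT_A_PRIVATE_KEY;
        }

        // For a key entry, getCertificate returns the leaf of the stored chain.
        Certificate cert = ks.getCertificate(alias);
        if (cert instanceof X509Certificate) {
            X509Certificate x509 = (X509Certificate) cert;
            System.out.println("SP signing cert: " + x509.getSubjectX500Principal()
                    + ", valid until " + x509.getNotAfter());
        }
        return Status.OK;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: use the same values as the keyManager bean.
        Status s = check("/path/to/keystore.jks", "<keystorePassword>".toCharArray(),
                         "<keyAlias>", "<privateKeyPassphrase>".toCharArray());
        System.out.println("result: " + s);
    }
}
```

Run it once with the bean's values; a `NOT_A_KEY_ENTRY` result after a pfx conversion usually means only the certificate was imported, and `WRONG_KEY_PASSWORD` means the `<map>` entry for the alias does not match the key's own passphrase even though the keystore opened. The same information can be read off `keytool -list -v -keystore /path/to/keystore.jks`, which prints the entry type (PrivateKeyEntry vs trustedCertEntry) per alias.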