How to set message validity

I am using Shibboleth for single user authentication; it needs an SSL configuration to facilitate the user authentication process. Everything was working fine before, but now I am facing an SSL handshake failure error and the secure connection is being ignored.

Error log:

Here is the Shibboleth error log:

2012-09-20 15:14:59 DEBUG Shibboleth.Listener [17]: dispatching message (default/SAML/POST)
2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1POST [17]: validating input
2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1POST [17]: decoded SAML response:
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2012-09-20T13:10:43.494Z" MajorVersion="1" MinorVersion="1" Recipient="https://inami-riziv.dokeosnet.com/Shibboleth.sso/SAML/POST" ResponseID="_faf482981786daacf938e158e87d75f8"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#_faf482981786daacf938e158e87d75f8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>qgvrV2yDB88HKXStzqT3sFrpLlo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ifKK73UUbsOxqpsnfGcloErG5Vsrklckv/xpbsMAWDzrTm8ZvWjaLru0d7smEYmKFXdkJ/JayAXW
cM5aAKAwazWM7tj5YYvY3bTFlq4k/qI3GR46Kr5apGKkTEtDR9DkZDJ6N2+/vqOvdIxwefdFvaPs
FzsrZeGkt+IAcKmgCFZ78/2tbfckYd4sFGko0Lw3nIl9/dac03OJUsUVuScsiEVd6f/DjzedHgkk
3DD0xR2HFIY5MQzDdztz1f4PyuGFdXiyauUtm2bF+7XULQ8XwfGd+K0qIMOKBykTQuq0ijL+PpgZ
jRr3G2ylqSsJ1/NIwT6pRG79gJlcw55RB25XzA==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>[X.509 certificate omitted]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_56927407beba7fd1762d43bb15f71303" IssueInstant="2012-09-20T13:10:43.494Z" Issuer="http://idp.smals-mvm.be/shibboleth" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2012-09-20T13:10:43.494Z" NotOnOrAfter="2012-09-20T13:15:43.494Z"><AudienceRestrictionCondition><Audience>https://inami-riziv.dokeosnet.com/shibboleth</Audience><Audience>urn:be:fgov:ehealth:trust:partners</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant="2012-09-20T13:10:43.494Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="http://idp.smals-mvm.be/shibboleth">_99e6f544a77e9b878ff54a1091c2c603</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality IPAddress="193.191.246.82"></SubjectLocality></AuthenticationStatement></Assertion></Response>

2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1 [17]: extracting issuer from SAML 1.x Response
2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1 [17]: response from (http://idp.smals-mvm.be/shibboleth)
2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1 [17]: searching metadata for response issuer...
2012-09-20 15:14:59 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [17]: evaluating message flow policy (replay checking on, expiration 60)
2012-09-20 15:14:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [17]: rejected expired message, timestamp (1348146643), oldest allowed (1348146659)
2012-09-20 15:19:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
2012-09-20 15:34:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
2012-09-20 15:42:06 DEBUG Shibboleth.Listener [18]: dispatching message (default::getHeaders::Application)
2012-09-20 15:42:06 DEBUG Shibboleth.Listener [18]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 15:42:06 DEBUG XMLTooling.StorageService [18]: inserted record (9699add17fc90926f21c8fa06efec1e1) in context (RelayState) with expiration (1348149126)
2012-09-20 16:04:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
2012-09-20 16:19:53 INFO XMLTooling.StorageService : purged 2 expired record(s) from storage
2012-09-20 16:20:21 DEBUG Shibboleth.Listener [21]: dispatching message (default::getHeaders::Application)
2012-09-20 16:20:21 DEBUG Shibboleth.Listener [21]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 16:20:21 DEBUG XMLTooling.StorageService [21]: inserted record (5bfae2fab27dfd8026a14e253696bc3a) in context (RelayState) with expiration (1348151421)
2012-09-20 16:34:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
2012-09-20 16:39:19 DEBUG Shibboleth.Listener [22]: dispatching message (default::getHeaders::Application)
2012-09-20 16:39:19 DEBUG Shibboleth.Listener [22]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 16:39:19 DEBUG XMLTooling.StorageService [22]: inserted record (fbf6b65fc660ed134500345faef56f0a) in context (RelayState) with expiration (1348152559)
2012-09-20 16:43:29 INFO Shibboleth.Listener [15]: detected socket closure, shutting down worker thread
2012-09-20 16:49:53 INFO XMLTooling.StorageService : purged 1 expired record(s) from storage
2012-09-20 17:20:55 INFO Shibboleth.Listener [19]: detected socket closure, shutting down worker thread
2012-09-20 17:31:10 INFO Shibboleth.Listener [21]: detected socket closure, shutting down worker thread
2012-09-20 18:21:09 INFO Shibboleth.Listener [18]: detected socket closure, shutting down worker thread
2012-09-20 18:28:29 INFO Shibboleth.Listener [17]: detected socket closure, shutting down worker thread
2012-09-20 18:28:31 INFO Shibboleth.Listener [20]: detected socket closure, shutting down worker thread
2012-09-20 18:48:23 DEBUG Shibboleth.Listener [23]: dispatching message (default::getHeaders::Application)
2012-09-20 18:48:23 DEBUG Shibboleth.Listener [23]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 18:48:23 DEBUG XMLTooling.StorageService [23]: inserted record (0b316ef6e5acf1da562899feb0b84ec1) in context (RelayState) with expiration (1348160303)
2012-09-20 18:52:26 DEBUG Shibboleth.Listener [24]: dispatching message (default::getHeaders::Application)
2012-09-20 18:52:26 DEBUG Shibboleth.Listener [24]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 18:52:26 DEBUG XMLTooling.StorageService [24]: inserted record (b89fbe4deecae876148bd470e7aa6f85) in context (RelayState) with expiration (1348160546)
2012-09-20 18:52:38 DEBUG Shibboleth.Listener [25]: dispatching message (default::getHeaders::Application)
2012-09-20 18:52:38 DEBUG Shibboleth.Listener [25]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 18:52:38 DEBUG XMLTooling.StorageService [25]: inserted record (b76b99286d06dd0ce84da39c9947e344) in context (RelayState) with expiration (1348160558)
2012-09-20 18:53:03 INFO Shibboleth.Listener [16]: detected socket closure, shutting down worker thread
2012-09-20 18:53:27 DEBUG Shibboleth.Listener [26]: dispatching message (default::getHeaders::Application)
2012-09-20 18:53:27 DEBUG Shibboleth.Listener [26]: dispatching message (default/Login::run::Shib1SI)
2012-09-20 18:53:27 DEBUG XMLTooling.StorageService [26]: inserted record (59fc5fa8d1589ffc94077f4e0e079f38) in context (RelayState) with expiration (1348160607)
2012-09-20 19:00:41 DEBUG Shibboleth.Listener [27]: dispatching message (default::getHeaders::Application)
2012-09-20 19:00:41 DEBUG Shibboleth.Listener [27]: dispatching message (default/Login::run::Shib1SI)

What I understood from the error log:

The message is about to expire when it reaches its destination, because the message validity is 5 minutes and I am in time zone +2.

My question: how do I set the message validity so that the message stays valid and does not expire?

Answer 1

Make sure the clocks on both hosts are synchronized. I recommend using NTP. The time zone should not be the problem; you just need to make sure the clocks are synchronized.
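To check the answer against the numbers in the log, here is an added example (not part of the original question or answer) that parses the IssueInstant of the decoded Response and the MessageFlow rejection line, and compares the message age the SP saw with the allowance it applied. It assumes the +2 hour local offset stated in the question; the 240 s allowance is derived from the log itself, while reading the 180 s beyond the 60 s expiration as the SP's clock-skew tolerance is my assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the relevant lines copied from the question's log.
SAMPLE_LOG = """\
2012-09-20 15:14:59 DEBUG OpenSAML.MessageDecoder.SAML1POST [17]: decoded SAML response:
<Response IssueInstant="2012-09-20T13:10:43.494Z" MajorVersion="1" MinorVersion="1">
2012-09-20 15:14:59 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [17]: evaluating message flow policy (replay checking on, expiration 60)
2012-09-20 15:14:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [17]: rejected expired message, timestamp (1348146643), oldest allowed (1348146659)
"""

# The question says the SP runs in time zone +2 (assumption taken from the post).
LOCAL_UTC_OFFSET = timezone(timedelta(hours=2))

ISSUE_RE = re.compile(r'IssueInstant="([^"]+)"')
EXPIRATION_RE = re.compile(r"expiration (\d+)\)")
REJECT_RE = re.compile(
    r"^(\S+ \S+) ERROR .*rejected expired message, "
    r"timestamp \((\d+)\), oldest allowed \((\d+)\)", re.M)


def saml_instant_to_epoch(instant: str) -> int:
    """SAML IssueInstant values end in 'Z': they are UTC, no local offset applies."""
    dt = datetime.strptime(instant, "%Y-%m-%dT%H:%M:%S.%fZ")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def log_time_to_epoch(stamp: str) -> int:
    """Shibboleth log timestamps are local wall-clock time; attach the stated offset."""
    dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return int(dt.replace(tzinfo=LOCAL_UTC_OFFSET).timestamp())


def analyse(log: str) -> dict:
    """Return the figures that explain the MessageFlow rejection."""
    issue = saml_instant_to_epoch(ISSUE_RE.search(log).group(1))
    expiration = int(EXPIRATION_RE.search(log).group(1))
    stamp, ts, oldest = REJECT_RE.search(log).groups()
    sp_now = log_time_to_epoch(stamp)        # the SP's own clock, in UTC epoch seconds
    age = sp_now - issue                     # how old the message looked to the SP
    allowance = sp_now - int(oldest)         # expiration plus whatever skew the SP tolerates
    return {
        "timestamp_is_issue_instant": int(ts) == issue,  # the SP checked IssueInstant
        "message_age_s": age,
        "allowance_s": allowance,
        "expiration_s": expiration,
        "extra_tolerance_s": allowance - expiration,     # assumed: clock-skew allowance
        "over_by_s": age - allowance,
        "rejected": int(ts) < int(oldest),
    }
```

Everything is compared as UTC epoch seconds, so the +2 offset never enters the check; the message simply looked 256 s old against a 240 s allowance, which is why the answer points at clock synchronization rather than at widening the expiration (which would also widen the replay window).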
