I have upgraded my Java installation from Java 7u17 to Java 7u25. After that, when I try to log in to the web client, it's giving the error "Signature validation failed". After uninstalling the update, it's working fine. What can be the reason behind it?
Can you provide more details?
- version of the Web Client
- what is your setup
- what do you see in vsphere_client_virgo.log regarding this error (or attach the whole log).
"Cannot resolve element with ID [some id goes here] at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolve(Unknown Source)"
Thanks for the info. We have an SSO issue with Java 7u25, so for now stick with 7u17. I don't know when the issue will be resolved.
Is there any update on this topic? One thing is that it is not possible to update to a newer Java (where new versions fix security issues), and the second thing is that it will not be possible to use Java 8 while such an issue exists, and Java 8, according to the latest info, will be released in March as final.
It should work with the latest JDK 1.7, like 7u45. But you still need to compile with option -target 1.6.
Hi,
I will quote one source: https://stackoverflow.com/questions/17168184/java-7-language-backwards-compatibility
"
You can't compile source with Java 7 features into Java 6 .class because this
javac -source 1.7 -target 1.6 Test.java
produces source release 1.7 requires target release 1.7 error. This is because some of the 1.7 features can work only with Java 7 classes. E.g. try-with-resources uses the Throwable.addSuppressed method, available only since 1.7.
"
I have checked this with our Maven and Gradle based project and that's true, we can't compile with target 1.6 using source 1.7.
The fact that we can't use the latest JDK with this SDK is a major issue!
You need to use both -source 1.6 -target 1.6. This is fine since your source is not using 1.7 specific features.
My source is using Java 7 specific features.
So as I understand it, there are two options:
1. Use jdk 7, max update 21
2. Use jdk 7, with update > 21 or jdk 8, but only with java 6 features (source and target 1.6).
So I have to choose to use a JDK without security fixes (u21) or downgrade to Java 6 features??
In this release you have no choice but to compile with -source 1.6 -target 1.6 for your Java plugin because some of our libraries are still using Java 1.6.
You should remove the Java 1.7 specific features from your plugin source but still use the latest JDK 1.7.
Remember that the java plugin running on the Web Client server should be very lightweight, it is just a pass-through to connect to vCenter or your back-end server (see docs/FAQ.html). All the business logic must run on your own server where you can use any Java version you want.
Oh, sorry. It seems that when looking for help I have landed on the wrong forum with exactly the same symptoms. I get "Signature validation failed" when using the VCO SDK with new JDKs.
"
Caused by: com.vmware.vim.sso.client.exception.InvalidTokenException: Signature validation failed
at com.vmware.vim.sso.client.impl.SamlTokenImpl.validateSignature(SamlTokenImpl.java:528)
at com.vmware.vim.sso.client.impl.SamlTokenImpl.validateAndPopulate(SamlTokenImpl.java:450)
at com.vmware.vim.sso.client.impl.SamlTokenImpl.<init>(SamlTokenImpl.java:213)
at com.vmware.vim.sso.client.impl.SamlTokenImpl.<init>(SamlTokenImpl.java:264)
at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:37)
at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:62)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireToken(SecurityTokenServiceImpl.java:122)
at com.vmware.o11n.sdk.rest.client.impl.SsoTokenServiceAdaptor.acquireHokToken(SsoTokenServiceAdaptor.java:54)
... 53 more"
I also need some help regarding this issue. I've followed the suggestion from the other comments in this thread of using JDK 1.6, and even started the serenity client from the command line and confirmed that 1.6 is being used:
/backup/software/vmware/serenity-client/server/bin/dmk.sh start
/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
When I go to the browser and try to login I am receiving a:
"Signature validation failed"
I have the client.properties file with:
ls.url=https://192.168.1.142:7444/lookupservice/sdk
ls.thumbprint=CD:FA:A2:B3:FF:D5:75:3F:76:EF:AE:F1:AD:D0:B5:68:89:CF:7F:B3
Log Exception:
[2014-01-24 10:12:43.072] INFO [INFO ] http-bio-9443-exec-2 FA1103EB7D4D8DCCE7113D21BDB4A3AE com.vmware.vise.util.i18n.I18nFilter The preferred locale for session FA1103EB7D4D8DCCE7113D21BDB4A3AE is set to: en_US
[2014-01-24 10:12:43.076] INFO [INFO ] http-bio-9443-exec-2 FA1103EB7D4D8DCCE7113D21BDB4A3AE com.vmware.vise.security.DefaultAuthenticationProvider Authenticating user: root using authentication handler: com.sun.proxy.$Proxy359
[2014-01-24 10:12:43.079] INFO [INFO ] http-bio-9443-exec-2 FA1103EB7D4D8DCCE7113D21BDB4A3AE com.vmware.vise.vim.security.sso.impl.SsoUtilInternal Acquiring a SAML token for user root from https://192.168.1.142:7444/ims/STSService
[2014-01-24 10:12:43.369] INFO [INFO ] http-bio-9443-exec-2 FA1103EB7D4D8DCCE7113D21BDB4A3AE com.vmware.vim.sso.client.impl.SoapBindingImpl Overriding host name verifier as the STS is contacted by IP address
[2014-01-24 10:12:43.746] ERROR [ERROR] http-bio-9443-exec-2 FA1103EB7D4D8DCCE7113D21BDB4A3AE com.vmware.vim.sso.client.impl.SamlTokenImpl Signature validation failed javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _65855186-28aa-4cd3-b343-03c3a255b141
at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:412)
at org.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:371)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:265)
at com.vmware.vim.sso.client.impl.SamlTokenImpl.validateSignature(SamlTokenImpl.java:522)
at com.vmware.vim.sso.client.impl.SamlTokenImpl.validateAndPopulate(SamlTokenImpl.java:450)
at com.vmware.vim.sso.client.impl.SamlTokenImpl.<init>(SamlTokenImpl.java:213)
at com.vmware.vim.sso.client.impl.SamlTokenImpl.<init>(SamlTokenImpl.java:264)
at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:37)
at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:62)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireToken(SecurityTokenServiceImpl.java:122)
at com.vmware.vise.vim.security.sso.impl.SsoUtilInternal.acquireToken(SsoUtilInternal.java:403)
at com.vmware.vise.vim.security.sso.impl.SsoServiceImpl.acquireToken(SsoServiceImpl.java:182)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:58)
at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:62)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.osgi.service.importer.support.LocalBundleContextAdvice.invoke(LocalBundleContextAdvice.java:59)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy221.acquireToken(Unknown Source)
at com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler.authenticate(SsoAuthenticationHandler.java:98)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:58)
at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:62)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.osgi.service.importer.support.LocalBundleContextAdvice.invoke(LocalBundleContextAdvice.java:59)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy359.authenticate(Unknown Source)
at com.vmware.vise.security.DefaultAuthenticationProvider.authenticate(DefaultAuthenticationProvider.java:145)
at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:97)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.vmware.vise.security.FlexLoginFilter.doFilterInternal(FlexLoginFilter.java:45)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.vmware.vise.util.i18n.I18nFilter.doFilterInternal(I18nFilter.java:43)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.vmware.vise.security.SessionManagementFilter.doFilterInternal(SessionManagementFilter.java:30)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.vmware.vsphere.client.logging.MDCLogFilter.doFilterInternal(MDCLogFilter.java:43)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.eclipse.virgo.web.tomcat.support.ApplicationNameTrackingValve.invoke(ApplicationNameTrackingValve.java:33)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:695)
Caused by: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _65855186-28aa-4cd3-b343-03c3a255b141
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:124)
at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:404)
... 98 common frames omitted
Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _65855186-28aa-4cd3-b343-03c3a255b141
at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolve(ResolverFragment.java:90)
at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:283)
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:117)
... 99 common frames omitted
When using Java 1.6 you also need to install these jce_policy files in your SDK for SSO to work:
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6
Really appreciate the response.
In my local serenity client box (mac) I've replaced the original two files:
local_policy.jar Unlimited strength local policy file
US_export_policy.jar Unlimited strength US export policy file
with the downloaded ones. After restarting the serenity client server via the IDE and CMD line, I still receive the same exception.
I still have the client.properties file with the two entries under server/config because the UI barks if it doesn't find it. Can you think of anything that can still be causing this?
Thanks in advance for all the help, really appreciate it.
Details shown below:
New java security files:
ls -ltr /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security
total 72
lrwxr-xr-x 1 root wheel 87 Jan 23 21:16 trusted.libraries -> /System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/trusted.libraries
-rw-r--r-- 1 root wheel 347 Jan 23 21:16 sunpkcs11-macosx.cfg
-rw-r--r-- 1 root wheel 13458 Jan 23 21:16 java.security
-rw-r--r-- 1 root wheel 3443 Jan 23 21:16 java.policy
lrwxr-xr-x 1 root wheel 81 Jan 23 21:16 cacerts -> /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts
lrwxr-xr-x 1 root wheel 79 Jan 23 21:16 blacklist -> /System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/blacklist
-rw-r--r-- 1 root wheel 2469 Jan 24 12:04 US_export_policy.jar.orig
-rw-r--r-- 1 root wheel 2486 Jan 24 12:04 local_policy.jar.orig
-rw-r--r--@ 1 root wheel 2465 Jan 24 12:05 US_export_policy.jar
-rw-r--r--@ 1 root wheel 2481 Jan 24 12:05 local_policy.jar
Exception:
Caused by: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _cc2b77fc-5d81-4390-8c7b-27b460dac151
at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:124)
at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:404)
... 98 common frames omitted
Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _cc2b77fc-5d81-4390-8c7b-27b460dac151
I was finally able to resolve this issue. Below are the steps I took for Mac:
1. Go to https://developer.apple.com/downloads
2. I searched in the filter box for all possible finds for "Java for OS X"
3. I took a guess after a friend mentioned he had the same dev environment working for _45 and downloaded:
javadeveloper_for_os_x_2012006__11m3909.dmg
4. Installed it.
5. export JAVA_HOME="/Library/Java/JavaVirtualMachines/1.6.0_37-b06-434.jdk/Contents/Home/"
6. sh /backup/software/vmware/serenity-client/server/bin/dmk.sh start clean
7. If running from the IDE, just make sure you configure in your preferences and under the Virgo Settings to point to that version or similar.
Laurent, thanks for all the help and responding, really appreciate you pointing me in the right direction.
Regards.
Alfredo
No problem, thanks for posting your solution!
Hi,
I've just re-installed the vSphere WebClient, which solved the problem for me.
Best regards, Viktor
Does anyone know the same for the Windows version? I am using J7u21. Please advise.