I get errors from SSOClient's OAuthService with "certificate_expired"

This usually happens when an application running in SSO Old mode has a keystore certificate that has expired. You can check it by running:

keytool -keystore -alias -list -v

Where is replaced with whatever your domain is. The keystore password is in your sso-config file.

Scroll up to the top of the output and look for the section that looks like this:

Certificate chain length: 3                                                                                 
Owner:, OU=Information Technology Services, O=The University of Warwick, L=Coventry, ST=West Midlands, C=GB
Issuer: CN=Cybertrust Educational CA, OU=Educational CA, O=Cybertrust, C=BE                                                        
Serial number: 10000000001175a8035b1                                                                                               
Valid from: Tue Jan 08 17:43:47 GMT 2008 until: Sat Jan 08 17:43:47 GMT 2011

If the "until" date on the "Valid from" line is in the past, the certificate has expired. You'll need to generate a new keystore (and possibly a new certificate) - talk to Mat or Nick.
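The same check can be scripted so that an expiring certificate is noticed before OAuthService starts rejecting requests. The following is an added example, not part of SSOClient or the original page: it reads saved keytool -list -v output and reports the validity of every certificate in the chain, not only the first one. The sample listing and the names parse_keytool_date and check_chain are constructed for illustration; it assumes English-locale keytool output and treats unknown time zone abbreviations as UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Zone abbreviations keytool may print; unknown ones are treated as UTC (assumption).
TZ_HOURS = {"GMT": 0, "UTC": 0, "BST": 1}
VALID_RE = re.compile(r"Valid from: (?P<start>.+?) until: (?P<end>.+)$")

# Constructed sample in the shape of `keytool -list -v` output (not a real keystore).
SAMPLE = """\
Certificate chain length: 2
Certificate[1]:
Owner: CN=app.example.invalid, O=Example Org, C=GB
Valid from: Tue Jan 08 17:43:47 GMT 2008 until: Sat Jan 08 17:43:47 GMT 2011
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example CA, C=GB
Valid from: Mon Jan 01 00:00:00 GMT 2001 until: Wed Jan 01 00:00:00 GMT 2031
"""

def parse_keytool_date(text):
    """Parse e.g. 'Sat Jan 08 17:43:47 GMT 2011' into an aware UTC datetime."""
    _dow, mon, day, clock, zone, year = text.split()
    local = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return (local - timedelta(hours=TZ_HOURS.get(zone, 0))).replace(tzinfo=timezone.utc)

def check_chain(listing, now, warn_days=30):
    """Return one (owner, not_after, status) tuple per certificate in the listing."""
    results, owner = [], "(unknown owner)"
    for line in map(str.strip, listing.splitlines()):
        if line.startswith("Owner:"):
            owner = line[len("Owner:"):].strip()
        match = VALID_RE.search(line)
        if not match:
            continue
        not_before = parse_keytool_date(match["start"])
        not_after = parse_keytool_date(match["end"])
        if now > not_after:
            status = "EXPIRED"
        elif now < not_before:
            status = "NOT YET VALID"
        elif not_after - now <= timedelta(days=warn_days):
            status = "EXPIRING SOON"  # inside the warning window
        else:
            status = "OK"
        results.append((owner, not_after, status))
    return results

if __name__ == "__main__":
    for owner, not_after, status in check_chain(SAMPLE, datetime.now(timezone.utc)):
        print(f"{status:14} until {not_after:%Y-%m-%d}  {owner}")
```

To use it on a real keystore, save the keytool output to a file and pass the file's contents to check_chain in place of SAMPLE.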

I get signature_invalid errors

This is usually because your SSO config is passing the requested URL as a query parameter (usually requestedUrl=...). You need to pass it in a request header instead; otherwise it will try to sign this parameter as part of your OAuth message.

There is more information about this in JIRA issue SSO-770. An example Apache vhost configuration, to be placed above your rewrite rules, is:

## SBTWO-3262: Populate request header X-Requested-URI with requested URI (including query string)                        
# If query string is empty, don't add a question mark                                                                     
RewriteCond %{QUERY_STRING} ^$                                                                                            
RewriteRule .? - [E=REQ_URI:%{ENV:SCRIPT_URI}]                                                                            
RewriteCond %{QUERY_STRING} !^$                                                                                           
RewriteRule .? - [E=REQ_URI:%{ENV:SCRIPT_URI}?%{QUERY_STRING}]                                                            
RequestHeader set X-Requested-URI "%{REQ_URI}e" env=!no-requested-uri                                                     

You then need to remove the ?requestedUrl=ENV:SCRIPT_URI part from your rewrites.

I get "no user found" errors

The user needs to be logged in for authorising, so your authorisation servlet needs to be behind both SSOClientFilter and ForceLoginFilter.