[cas-dev] Unable to validate ProxyTicketValidator

Scott Battaglia scott.battaglia at gmail.com
Thu Aug 24 19:37:18 EDT 2006


Jennifer,

When specifying the certificate for the CAS server, the CN (First Name/Last
Name) should be the same as your hostname.  So if you are accessing it as
"localhost" it should be "localhost".  If you access your machine as "jenspc"
it should be "jenspc".  IP Addresses will not work.

This needs to be done because CAS (and Java) will take the name and compare
it to the hostname you attempted to access and only work if they match.

-Scott
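The comparison described in the reply above, written out as an added example in Python (it is not CAS or JDK code). Certificates are modelled as plain dicts holding the subject CN and, optionally, subjectAltName entries; all of them are constructed sample data, and the function names are this example's own. The rule implemented is the one the JDK's default hostname verifier and RFC 6125 follow: subjectAltName dNSName entries are consulted first, the CN is used only when no dNSName is present, wildcards are honoured only as the whole leftmost label, and an IP literal in the URL is matched solely against subjectAltName iPAddress entries, which is why a CN-only certificate "will not work" for an IP address. Run against the casValidateUrl in the log quoted further down, host jenyangt43 does match CN=jenyangt43, consistent with the later finding in this thread that that failure was the JVM trust store rather than the name.

```python
"""Hostname verification as the CAS client's JVM applies it when it opens the
HTTPS connection to casValidateUrl.  Added example, not CAS or JDK code.
Certificates are modelled as plain dicts (constructed sample data), e.g.
{"cn": "jenspc", "san": [("DNS", "jenspc"), ("IP", "10.0.0.5")]}."""
import ipaddress
from urllib.parse import urlsplit


def cert_dns_identities(cert):
    """DNS identities of a certificate.  subjectAltName dNSName entries win;
    the subject CN is consulted only when the certificate has no dNSName at
    all (the rule the JDK's default HostnameVerifier and RFC 6125 follow)."""
    dns = [value for kind, value in cert.get("san", []) if kind == "DNS"]
    if dns:
        return dns
    return [cert["cn"]] if cert.get("cn") else []


def dns_name_matches(pattern, host):
    """Case-insensitive comparison of one certificate name with the host the
    client dialled.  A wildcard is honoured only as the whole leftmost label
    and only with at least two labels after it, so *.example.edu matches
    cas.example.edu but neither example.edu nor a.b.example.edu."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def hostname_matches(cert, host):
    """True if `host` (the name in the URL) is an identity of `cert`."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched only against subjectAltName iPAddress
        # entries.  A CN that merely looks like an IP is ignored, which is
        # why a CN-only self-signed cert "will not work" for an IP URL.
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in cert.get("san", []))
    return any(dns_name_matches(name, host) for name in cert_dns_identities(cert))


def check_validate_url(cert, cas_validate_url):
    """Apply the check to the casValidateUrl a CAS client is about to call.
    Returns (ok, explanation) so a mismatch can be reported with the fix."""
    parts = urlsplit(cas_validate_url)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False, "casValidateUrl must be an https URL with a host"
    identities = cert_dns_identities(cert) + [
        value for kind, value in cert.get("san", []) if kind == "IP"]
    if hostname_matches(cert, host):
        return True, "host %r matches certificate identities %r" % (host, identities)
    return False, ("host %r is not among certificate identities %r; "
                   "reissue the server certificate with CN (or SAN dNSName) %r"
                   % (host, identities, host))


if __name__ == "__main__":
    # The certificate from the keytool session quoted in this thread, checked
    # against the casValidateUrl in the log: the names agree, so that failure
    # was trust, not identity.
    jen_cert = {"cn": "jenyangt43"}
    print(check_validate_url(jen_cert, "https://jenyangt43:8443/cas/proxyValidate"))
    # The same certificate used from a client that dials localhost or an IP.
    print(check_validate_url(jen_cert, "https://localhost:8443/cas/proxyValidate"))
    print(check_validate_url({"cn": "10.0.0.5"}, "https://10.0.0.5:8443/cas/proxyValidate"))
```

Two practical notes on the keytool session quoted further down. Neither command passes -keystore, so keytool read and wrote the default ~/.keystore in the user's home directory, which is also the default keystoreFile of Tomcat's HTTPS connector; that is why removing the key from the home-directory keystore broke Tomcat startup while the JVM's cacerts trust store was a separate file the CAS client checked. Later keytool versions (Java 7 and up) accept -ext SAN=dns:jenspc, so the hostname can be placed in a dNSName entry instead of relying on the CN fallback.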

On 8/24/06, Jennifer Yang <jyoonyang at gmail.com> wrote:
>
> Hi Scott,
>
> I was going through setting up CAS again to document.  I ran into
> trouble again with SSL.  Same old ProxyTicketValidator error.
>
> This time it seems that when generating the key, I should specify my
> CAS server's hostname as first and last name of the owner.
>
> Does this sound right?  Is there significance to alias, first/last
> name when CAS validates certificate?
>
> Thanks,
> Jennifer
>
>
>
> On 7/26/06, Scott Battaglia <scott_battaglia at rutgers.edu> wrote:
> > Jennifer,
> >
> > I believe in Tomcat you can specify what keystore to use (the default,
> > however, as you figured out, is in your home directory).  When you
> > removed the certificate, Tomcat most likely threw an exception as it had
> > no certificate to return to process an HTTPS request.
> >
> > The certificate needs to be in any JVM cacerts file that will be acting
> > as a client to the CAS server so that when the CAS client does an HTTPS
> > call and the SSL handshake occurs, the cacerts file will be checked to
> > make sure it trusts the certificate.
> >
> > Note that two different things are using the keystores.  Tomcat is using
> > a keystore to retrieve the certificate it will return.  This keystore is
> > independent of the JVM's.  The JVM has a keystore of certificates it
> > trusts for when it needs to perform an SSL handshake.  The JVM has no
> > knowledge of Tomcat's keystore.
> >
> > The reason the browser works is because Tomcat sends a certificate when
> > an SSL call is made.  The browser doesn't inherently trust the
> > certificate as it was self-signed, but prompts you to tell it whether to
> > trust the certificate or not.  This is analogous to placing a
> > certificate in the cacerts file as it's basically saying "I trust this
> > certificate".
> >
> > I believe I answered your callback question in another email :-)
> >
> > -Scott
> >
> >
> >
> > Jennifer Yang wrote:
> > > Hi Scott,
> > >
> > > Thanks for your reply.  The problem was due to not storing in the
> > > JVM's keystore as you have pointed out.  But what threw me off was
> > > that when Tomcat was starting up, it was looking into the keystore in
> > > the user's home directory (for Windows this would be c:/Documents and
> > > Settings/<username>).  As I was saying, when I removed Tomcat's
> > > certificate from this keystore, Tomcat would spit out exceptions during
> > > startup.  I am still confused why Tomcat uses this keystore during
> > > startup, but the JVM's key store when processing https requests.  Also,
> > > why issuing https from the browser worked...  But I guess these are
> > > Tomcat issues.
> > >
> > > Thank you very much for all your replies.  As you can tell, I am a
> > > newbie trying to set up CAS for our environment.  :-)
> > >
> > > BTW, I had another question from the other post (CAS logout),
> > > regarding single sign off callbacks.  Do you have any answers to
> > > those?
> > >
> > > Thank you so much.
> > > --Jennifer
> > >
> > >
> > >
> > > On 7/26/06, Scott Battaglia <scott_battaglia at rutgers.edu> wrote:
> > >
> > >     Jennifer,
> > >
> > >     Did you add this certificate to the JVM's keystore?
> > >
> > >     i.e. %JAVA_HOME%\jre\lib\security\cacerts ?
> > >
> > >     This page should be able to help you:
> > >     http://www.ja-sig.org/products/cas/server/ssl/index.html
> > >
> > >     -Scott
> > >
> > >     Jennifer Yang wrote:
> > >     > Hello,
> > >     >
> > >     > I got my CAS server and webapps working under the same Tomcat
> > >     > container using localhost.  When I tried using my domain name
> > >     > instead of localhost, I am getting an "Unable to validate
> > >     > ProxyTicketValidator" error after authentication completes.  I saw
> > >     > other posts indicating that it has to do with digital certificates.
> > >     > Since I am running everything under the same host and same
> > >     > container, I don't understand how this would be an issue of CAS not
> > >     > trusting the certificate.
> > >     >
> > >     > Here is my key generation.
> > >     > d:\java_tools\jdk150_04\bin\keytool -genkey -alias tomcat -keyalg RSA
> > >     > Enter keystore password:  changeit
> > >     > What is your first and last name?
> > >     >   [Unknown]:  jenyangt43
> > >     > What is the name of your organizational unit?
> > >     >   [Unknown]:  jenyangt43
> > >     > What is the name of your organization?
> > >     >   [Unknown]:  jenyangt43
> > >     > What is the name of your City or Locality?
> > >     >   [Unknown]:  la
> > >     > What is the name of your State or Province?
> > >     >   [Unknown]:  ca
> > >     > What is the two-letter country code for this unit?
> > >     >   [Unknown]:  us
> > >     > Is CN=jenyangt43, OU=jenyangt43, O=jenyangt43, L=la, ST=ca, C=us correct?
> > >     >   [no]:  y
> > >     >
> > >     > Enter key password for <tomcat>
> > >     >         (RETURN if same as keystore password):  changeit
> > >     >
> > >     > d:\java_tools\jdk150_04\bin\keytool -list -alias tomcat
> > >     > Enter keystore password:  changeit
> > >     > tomcat, Jul 26, 2006, keyEntry,
> > >     > Certificate fingerprint (MD5):
> > >     > 1D:46:D2:E3:2B:76:9D:E7:47:74:0A:44:92:13:60:6D
> > >     >
> > >     > I think Tomcat is using this keystore because when I deleted this
> > >     > key and ran Tomcat, I was getting an error from Tomcat about a
> > >     > missing key to enable SSL.
> > >     >
> > >     > I am able to get the Tomcat index page by entering
> > >     > https://jenyangt43:8443/
> > >     >
> > >     > Here is the error in stdout.
> > >     > SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable
> > >     > to validate ProxyTicketValidator [[
> > >     > edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> > >     > [edu.yale.its.tp.cas.client.ServiceTicketValidator
> > >     > casValidateUrl=[https://jenyangt43:8443/cas/proxyValidate]
> > >     > ticket=[ST-2-fkDbX0nmt14TIDaNubebidOybmHHL2nnmBi-20]
> > >     > service=[http%3A%2F%2Fjenyangt43%3A8080%2Fjsp-examples%2Fjsp2%2Fel%2Fbasic-arithmetic.jsp]
> > >     > renew=false]]]
> > >     > Jul 26, 2006 5:43:07 PM edu.yale.its.tp.cas.client.filter.CASFilter
> > >     > doFilter
> > >     > SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable
> > >     > to validate ProxyTicketValidator [[
> > >     > edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> > >     > [edu.yale.its.tp.cas.client.ServiceTicketValidator
> > >     > casValidateUrl=[https://jenyangt43:8443/cas/proxyValidate]
> > >     > ticket=[ST-2-fkDbX0nmt14TIDaNubebidOybmHHL2nnmBi-20]
> > >     > service=[http%3A%2F%2Fjenyangt43%3A8080%2Fjsp-examples%2Fjsp2%2Fel%2Fbasic-arithmetic.jsp]
> > >     > renew=false]]]
> > >     >
> > >     > Thanks so much for your help!
> > >     > --Jennifer
> > >     >
> > >
> > >     >
> > >     > _______________________________________________
> > >     > cas-dev mailing list
> > >     > cas-dev at tp.its.yale.edu
> > >     > http://tp.its.yale.edu/mailman/listinfo/cas-dev
>