[cas-dev] Unable to validate ProxyTicketValidator
Jennifer Yang
jyoonyang at gmail.com
Thu Jul 27 00:07:54 EDT 2006
Hi Scott,
Thanks for your reply. The problem was due to not storing it in the JVM's
keystore as you have pointed out. But what threw me off was that when
Tomcat was starting up, it was looking into the keystore in the user's home
directory (for Windows this would be c:/Documents and Settings/<username>).
As I was saying, when I remove Tomcat's certificate from this keystore, Tomcat
would spit out exceptions during startup. I am still confused why Tomcat
uses this keystore during startup, but the JVM's keystore when processing https
requests. Also, why issuing https from the browser worked... But I guess
these are Tomcat issues.
Thank you very much for all your replies. As you can tell, I am a newbie
trying to set up CAS for our environment. :-)
BTW, I had another question from the other post (CAS logout), regarding
single sign off callbacks. Do you have any answers to those?
Thank you so much.
--Jennifer
On 7/26/06, Scott Battaglia <scott_battaglia at rutgers.edu> wrote:
>
> Jennifer,
>
> Did you add this certificate to the JVM's keystore?
>
> i.e. %JAVA_HOME%\jre\lib\security\cacerts ?
>
> This page should be able to help you:
> http://www.ja-sig.org/products/cas/server/ssl/index.html
>
> -Scott
>
> Jennifer Yang wrote:
> > Hello,
> >
> > I got my CAS server and webapps working under same Tomcat container
> > using localhost. When I tried using my domain name instead of
> > localhost, I am getting "Unable to validate ProxyTicketValidator"
> > error after authentication completes. I saw other posts indicating
> > that it has to do with digital certificates. Since I am running
> > everything under the same host and same container, I don't understand
> > how this would be an issue of CAS not trusting the certificate.
> >
> > Here is my key generation.
> > d:\java_tools\jdk150_04\bin\keytool -genkey -alias tomcat -keyalg RSA
> > Enter keystore password: changeit
> > What is your first and last name?
> > [Unknown]: jenyangt43
> > What is the name of your organizational unit?
> > [Unknown]: jenyangt43
> > What is the name of your organization?
> > [Unknown]: jenyangt43
> > What is the name of your City or Locality?
> > [Unknown]: la
> > What is the name of your State or Province?
> > [Unknown]: ca
> > What is the two-letter country code for this unit?
> > [Unknown]: us
> > Is CN=jenyangt43, OU=jenyangt43, O=jenyangt43, L=la, ST=ca, C=us correct?
> > [no]: y
> >
> > Enter key password for <tomcat>
> > (RETURN if same as keystore password): changeit
> >
> > d:\java_tools\jdk150_04\bin\keytool -list -alias tomcat
> > Enter keystore password: changeit
> > tomcat, Jul 26, 2006, keyEntry,
> > Certificate fingerprint (MD5):
> > 1D:46:D2:E3:2B:76:9D:E7:47:74:0A:44:92:13:60:6D
> >
> > I think Tomcat is using this keyout because when I deleted this key
> > and ran Tomcat, I was getting an error from Tomcat about missing key
> > to enable SSL.
> >
> > I am able to get Tomcat index page by entering https://jenyangt43:8443/
> >
> > Here is the error in stdout.
> > SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable
> > to validate ProxyTicketValidator
> > [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> > [edu.yale.its.tp.cas.client.ServiceTicketValidator
> > casValidateUrl=[https://jenyangt43:8443/cas/proxyValidate]
> > ticket=[ST-2-fkDbX0nmt14TIDaNubebidOybmHHL2nnmBi-20]
> > service=[http%3A%2F%2Fjenyangt43%3A8080%2Fjsp-examples%2Fjsp2%2Fel%2Fbasic-arithmetic.jsp]
> > renew=false]]]
> > Jul 26, 2006 5:43:07 PM edu.yale.its.tp.cas.client.filter.CASFilter
> > doFilter
> > SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException : Unable
> > to validate ProxyTicketValidator
> > [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> > [edu.yale.its.tp.cas.client.ServiceTicketValidator
> > casValidateUrl=[https://jenyangt43:8443/cas/proxyValidate]
> > ticket=[ST-2-fkDbX0nmt14TIDaNubebidOybmHHL2nnmBi-20]
> > service=[http%3A%2F%2Fjenyangt43%3A8080%2Fjsp-examples%2Fjsp2%2Fel%2Fbasic-arithmetic.jsp]
> > renew=false]]]
> >
> > Thanks so much for your help!
> > --Jennifer
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > cas-dev mailing list
> > cas-dev at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >
>
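The thread turns on two different stores: the keystore Tomcat reads its own SSL certificate from, and the trust store the JVM consults when the CAS client calls proxyValidate over HTTPS. The diagnostic below is an added example, not code from the thread, CAS or Tomcat; it checks whether the server certificate is present in the JVM's default trust store. It assumes the alias `tomcat` and password `changeit` from the keytool session above, that the key was created in the default `.keystore` in the user's home directory, and Java 7 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;

// Added diagnostic (not CAS or Tomcat code). Alias, password and keystore
// location are assumptions taken from the keytool session in the thread.
public class CasTrustCheck {

    static KeyStore load(File file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    // JSSE's default lookup order: -Djavax.net.ssl.trustStore, then
    // lib/security/jssecacerts, then lib/security/cacerts.
    static File defaultTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return new File(override);
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();
        String alias = "tomcat";

        // keytool writes to ~/.keystore when no -keystore option is given.
        File serverStore = new File(System.getProperty("user.home"), ".keystore");
        Certificate serverCert = load(serverStore, password).getCertificate(alias);
        if (serverCert == null) {
            System.out.println("No '" + alias + "' entry in " + serverStore);
            return;
        }

        File trustFile = defaultTrustStore();
        String trustedAs = load(trustFile, password).getCertificateAlias(serverCert);
        if (trustedAs == null) {
            System.out.println("NOT in " + trustFile + ": the CAS client's HTTPS call will not trust this server");
        } else {
            System.out.println("Trusted by " + trustFile + " under alias '" + trustedAs + "'");
        }
    }
}
```

Run it with the same JVM that runs Tomcat, since each JDK or JRE installation has its own cacerts file.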