[cas-dev] Unable to validate ProxyTicketValidator
Scott Battaglia
scott_battaglia at rutgers.edu
Thu Jul 27 00:20:44 EDT 2006
Jennifer,
I believe in Tomcat you can specify what keystore to use (the default,
however, as you figured out, is in your home directory). When you
removed the certificate, Tomcat most likely threw an exception as it had
no certificate to return to process an HTTPS request.
The certificate needs to be in any JVM cacerts file that will be acting
as a client to the CAS server so that when the CAS client does an HTTPS
call and the SSL handshake occurs, the cacerts file will be checked to
make sure it trusts the certificate.
Note that two different things are using the keystores. Tomcat is using
a keystore to retrieve the certificate it will return. This keystore is
independent of the JVMs. The JVM has a keystore of certificates it
trusts for when it needs to perform an SSL handshake. The JVM has no
knowledge of Tomcat's keystore.
The reason the browser works is because Tomcat sends a certificate when
an SSL call is made. The browser doesn't inherently trust the
certificate as it was self-signed, but prompts you to tell it whether to
trust the certificate or not. This is analogous to placing a
certificate in the cacerts file as it's basically saying "I trust this
certificate".
I believe I answered your callback question in another email :-)
-Scott
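As an added check, not code from this thread or from the CAS project: the program below makes, offline, the same trust decision Scott describes the CAS client making during its HTTPS handshake, so it tells you before deploying whether the JVM's cacerts will accept Tomcat's certificate. It assumes the thread's defaults (alias tomcat in ~/.keystore, password changeit, cacerts under java.home); both paths can be passed as arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic, not CAS project code. Assumes the thread's defaults:
// Tomcat's self-signed cert under alias "tomcat" in ~/.keystore, password
// "changeit", and the CAS client running in the JVM whose cacerts is under java.home.
public class CasTrustCheck {
    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, password.toCharArray()); } finally { in.close(); }
        return ks;
    }

    // Makes the trust decision the CAS client's HTTPS call will make, but
    // offline: a CertificateException here is what the SSL handshake
    // surfaces behind "Unable to validate ProxyTicketValidator".
    static boolean trustedBy(KeyStore cacerts, X509Certificate serverCert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(cacerts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkServerTrusted(
                    new X509Certificate[] { serverCert }, "RSA");
                return true;
            } catch (CertificateException e) {
                return false;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String tomcatKs = args.length > 0 ? args[0]
            : System.getProperty("user.home") + "/.keystore";
        String cacerts = args.length > 1 ? args[1]
            : System.getProperty("java.home") + "/lib/security/cacerts";
        X509Certificate cert = (X509Certificate)
            load(tomcatKs, "changeit").getCertificate("tomcat");
        System.out.println(cert.getSubjectDN() + " trusted by " + cacerts
            + ": " + trustedBy(load(cacerts, "changeit"), cert));
    }
}
```

If it prints false, import the exported Tomcat certificate into that cacerts file with keytool and rerun; once it prints true, the CAS client in that JVM will complete the handshake against the same certificate.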
Jennifer Yang wrote:
> Hi Scott,
>
> Thanks for your reply. The problem was due to not storing in the
> JVM's keystore as you have pointed out. But what threw me off was
> that when Tomcat was starting up, it was looking into keystore in
> user's home directory (for windows this would be c:/Documents and
> Settings/<username>). As I was saying, when I remove Tomcat's
> certificate from this keystore, Tomcat would spit out exceptions during
> startup. I am still confused why Tomcat uses this keystore during
> startup, but JVM's key store when processing https request. Also, why
> issuing https from the browser worked... But I guess these are Tomcat
> issues.
>
> Thank you very much for all your replies. As you can tell, I am a
> newbie trying to set up CAS for our environment. :-)
>
> BTW, I had another question from the other post (CAS logout),
> regarding single sign off callbacks. Do you have any answers to those?
>
> Thank you so much.
> --Jennifer
>
>
>
> On 7/26/06, *Scott Battaglia* <scott_battaglia at rutgers.edu
> <mailto:scott_battaglia at rutgers.edu>> wrote:
>
> Jennifer,
>
> Did you add this certificate to the JVM's keystore?
>
> i.e. %JAVA_HOME%\jre\lib\security\cacerts ?
>
> This page should be able to help you:
> http://www.ja-sig.org/products/cas/server/ssl/index.html
>
> -Scott
>
> Jennifer Yang wrote:
> > Hello,
> >
> > I got my CAS server and webapps working under same Tomcat container
> > using localhost. When I tried using my domain name instead of
> > localhost, I am getting "Unable to validate ProxyTicketValidator"
> > error after authentication completes. I saw other posts indicating
> > that it has to do with digital certificates. Since I am running
> > everything under the same host and same container, I don't understand
> > how this would be an issue of CAS not trusting the certificate.
> >
> > Here is my key generation.
> > d:\java_tools\jdk150_04\bin\keytool -genkey -alias tomcat -keyalg RSA
> > Enter keystore password: changeit
> > What is your first and last name?
> > [Unknown]: jenyangt43
> > What is the name of your organizational unit?
> > [Unknown]: jenyangt43
> > What is the name of your organization?
> > [Unknown]: jenyangt43
> > What is the name of your City or Locality?
> > [Unknown]: la
> > What is the name of your State or Province?
> > [Unknown]: ca
> > What is the two-letter country code for this unit?
> > [Unknown]: us
> > Is CN=jenyangt43, OU=jenyangt43, O=jenyangt43, L=la, ST=ca, C=us correct?
> > [no]: y
> >
> > Enter key password for <tomcat>
> > (RETURN if same as keystore password): changeit
> >
> > d:\java_tools\jdk150_04\bin\keytool -list -alias tomcat
> > Enter keystore password: changeit
> > tomcat, Jul 26, 2006, keyEntry,
> > Certificate fingerprint (MD5):
> > 1D:46:D2:E3:2B:76:9D:E7:47:74:0A:44:92:13:60:6D
> >
> > I think Tomcat is using this keyout because when I deleted this key
> > and ran Tomcat, I was getting an error from Tomcat about missing key
> > to enable SSL.
> >
> > I am able to get Tomcat index page by entering https://jenyangt43:8443/
> >
> > Here is the error in stdout.
> > SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable
> > to validate ProxyTicketValidator [[ edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> > [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://jenyangt43:8443/cas/proxyValidate]
> > ticket=[ST-2-fkDbX0nmt14TIDaNubebidOybmHHL2nnmBi-20]
> > service=[http%3A%2F%2Fjenyangt43%3A8080%2Fjsp-examples%2Fjsp2%2Fel%2Fbasic-arithmetic.jsp]
> > renew=false]]]
> > Jul 26, 2006 5:43:07 PM edu.yale.its.tp.cas.client.filter.CASFilter
> > doFilter
> > SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException : Unable
> > to validate ProxyTicketValidator [[ edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> > [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://jenyangt43:8443/cas/proxyValidate]
> > ticket=[ST-2-fkDbX0nmt14TIDaNubebidOybmHHL2nnmBi-20]
> > service=[http%3A%2F%2Fjenyangt43%3A8080%2Fjsp-examples%2Fjsp2%2Fel%2Fbasic-arithmetic.jsp]
> > renew=false]]]
> >
> > Thanks so much for your help!
> > --Jennifer
> >
> >
> > _______________________________________________
> > cas-dev mailing list
> > cas-dev at tp.its.yale.edu <mailto:cas-dev at tp.its.yale.edu>
> > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >