Unable to validate ProxyTicketValidator

Chris Roffler croffler at earthlink.net
Fri Apr 13 16:03:55 EDT 2007 

You need to create the certificate with a real dns name, you can't use localhost !


----- Original Message ----- 
From: Uday Kari 
To: cas at tp.its.yale.edu
Sent: 4/13/2007 9:52:37 PM 
Subject: Unable to validate ProxyTicketValidator


Thanks, Andrew.  As recommended moved this thread from dev list to here.  
 
Basically, struggling to get the CAS demo going here using just plain old tomcat 5.5.20 and jdk1.5.0_06 getting the same error Unable to validate ProxyTicketValidator.  Please let me know if I can provide additional information.  
 
I did seem to make an incremental improvement though.  The Microsoft Internet Explorer (Version 7.0.5730.11) browser still complains as before but I no longer get the message “The security certificate presented by this website was issued for a different website's address.”  This seems to have eliminated by following Andrew ‘s note below (paraphrasing/translating) whereby he seems to be saying that I should be create the certificate with the name localhost (right?).  
 
Specifically, when executing the following command 
 
C:\jdk1.5.0_06\bin>keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  is
What is the name of your organization?
  [Unknown]:  pdc
What is the name of your City or Locality?
  [Unknown]:  kihei
What is the name of your State or Province?
  [Unknown]:  hi
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=localhost:8443, OU=is, O=pdc, L=kihei, ST=hi, C=US correct?
  [no]:  yes
 
Of course, I import this into the JVM cacerts file as recommended/required in various threads since CAS uses the JVM cacerts file which needs to have the same entry as the tomcat keystore.  For completeness, here is how I imported the about certificate into cacerts:
 
C:\jdk1.5.0_06\bin>keytool -delete -alias tomcat -keypass changeit -keystore ..\
jre\lib\security\cacerts
Enter keystore password:  changeit
 
C:\jdk1.5.0_06\bin>keytool -export -alias tomcat -keypass changeit -file server.
crt
Enter keystore password:  changeit
Certificate stored in file <server.crt>
 
C:\jdk1.5.0_06\bin>keytool -import -file server.crt -alias tomcat -keypass chang
eit -keystore ..\jre\lib\security\cacerts
Enter keystore password:  changeit
Owner: CN=localhost, OU=IS, O=PDC, L=Kihei, ST=HI, C=US
Issuer: CN=localhost, OU=IS, O=PDC, L=Kihei, ST=HI, C=US
Serial number: 461fd754
Valid from: Fri Apr 13 09:17:40 HST 2007 until: Thu Jul 12 09:17:40 HST 2007
Certificate fingerprints:
         MD5:  C4:F8:5F:7B:90:1B:32:2E:1B:96:10:01:49:3C:40:A3
         SHA1: F1:2B:1F:0F:4D:DE:61:EE:C8:36:37:D9:20:8C:A8:41:EE:03:F1:A9
Trust this certificate? [no]:  yes
Certificate was added to keystore
 
My server.xml file entry for SSL is as follows:
 
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="C:/Documents and Settings/ukari/.keystore" />
    
 
Again the workflow to get the error is identical to my message below except for the minor browser level improvement noted above by naming the certificate “localhost”



From: cas-dev-bounces at tp.its.yale.edu [mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Andrew Petro
Sent: Thursday, April 12, 2007 5:56 PM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] Unable to validate ProxyTicketValidator
 
> with the familiar warning about the SSL certificate being named differently than localhost

> casValidateUrl=[https://localhost:8443/cas/proxyValidate]


Here's my hypothesis:

The CAS server SSL cert does not authenticate "localhost", but the CASFilter is configured to validate the ticket against a CAS addressed as "localhost".  Since the cert doesn't match, the client JVM does not see an SSL cert it likes for authenticating the callback.  Since the client JVM didn't see a cert it liked on the callback, the callback fails.  Since the callback failed, the CASFilter (via the ProxyTicketValidator) is unable to validate the service ticket.  Yielding the error you're seeing.

This thread doesn't seem to be about developing CAS server or the CAS client libraries.  It should probably be moved to the cas@ email list.

Andrew
http://support.unicon.net/


Uday Kari wrote: 
Followed the instruction in the following thread and verified that the SSL certification is in JVM cacerts file as required: 
 
http://www.mail-archive.com/cas-dev@tp.its.yale.edu/msg00090.html
 

However, I am still getting the Unable to validate ProxyTicketValidator error when I finish logging in…
 
Specifically:
 
The request https://localhost:8443/ works fine with the familiar warning about the SSL certificate being named differently than localhost.  (so server is up). 
 
https://localhost:8443/app1 leads to the application after the above warning, but immediately redirects to CAS as expected.  
 
I login with the “equal” credentials such as yahoo/yahoo and google/google.  
 
Apparently the ticket generates just fine. 
 
Then on the way back to render the protected (but very simple jsp within the app1 context), I get an HTTP 500 error with the following stack trace on the screen: 
 
exception 
javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-6-cDriGKlSaCFOeNf3DWqLyILhIDaWlpW2JG7-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
          edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)
root cause 
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-6-cDriGKlSaCFOeNf3DWqLyILhIDaWlpW2JG7-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
          edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
          edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
          edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
 
 
 
Specifically, here are the excerpts from my Catalina.2007-04-12.log for the last two login attempts (user/password = yahoo, google)
 
Apr 12, 2007 3:56:13 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
Apr 12, 2007 3:56:13 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
Apr 12, 2007 3:57:53 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
Apr 12, 2007 3:57:53 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
 
 
And, the following from my stdout_20070412.log 
 
2007-04-12 15:56:13,099 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: yahoo>
2007-04-12 15:56:13,099 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] for service [https://localhost:8443/app1/] for user [yahoo]>
2007-04-12 15:57:53,404 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: google>
2007-04-12 15:57:53,404 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] for service [https://localhost:8443/app1/] for user [google]>
 





 
_______________________________________________
cas-dev mailing list
cas-dev at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas-dev
  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20070413/46851bec/attachment.html

More information about the cas mailing list