Unable to validate ProxyTicketValidator
Uday Kari
ukari at pdc.org
Fri Apr 13 23:15:50 EDT 2007
RESOLVED.
This may be useful for other folks since I see this ProxyTicketValidator
error a lot on CAS message boards.
Basically, started fresh with on a Windows XP professional computer with
no JDK/JRE or Tomcat.
Using Microsoft Internet Explorer Version 7.0.5730.11. Possible sources
of error are highlighted in RED.
Step 1: Install JDK Version 1.5.0_11
a. Downloaded jdk-1_5_0_11-windows-i586-p.exe
b. Conducted a typical installation, doing next, next, next
c. set JAVA_HOME system environment variable to C:\Program
Files\Java\jdk1.5.0_11
Step 2: Used keytool to self-author certificate for DEMO
Reference: http://www.ja-sig.org/wiki/display/CAS/Solving+SSL+issues
Entire Command Prompt Dialog is below...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\ukari>cd program*
The filename, directory name, or volume label syntax is incorrect.
C:\Documents and Settings\ukari>cd\
C:\>cd program*
C:\Program Files>cd java
C:\Program Files\Java>cd jdk*
C:\Program Files\Java\jdk1.5.0_11>cd bin
C:\Program Files\Java\jdk1.5.0_11\bin>keytool -genkey -alias tomcat
-keypass changeit -keyalg RSA
Enter keystore password: changeit
What is your first and last name?
[Unknown]: localhost (this is critical...must be accurate server
name)
What is the name of your organizational unit?
[Unknown]: Information Systems
What is the name of your organization?
[Unknown]: Pacific Disaster Center
What is the name of your City or Locality?
[Unknown]: Kihei
What is the name of your State or Province?
[Unknown]: HI
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=localhost, OU=Information Systems, O=Pacific Disaster Center,
L=Kihei, ST=HI, C=US correct?
[no]: yes
C:\Program Files\Java\jdk1.5.0_11\bin>keytool -export -alias tomcat
-keypass changeit -file server.crt
Enter keystore password: changeit
Certificate stored in file <server.crt>
C:\Program Files\Java\jdk1.5.0_11\bin>keytool -import -file server.crt
-keypass changeit -keystore ..\jre\lib\security\cacerts
Enter keystore password: changeit
Owner: CN=localhost, OU=Information Systems, O=Pacific Disaster Center,
L=Kihei,
ST=HI, C=US
Issuer: CN=localhost, OU=Information Systems, O=Pacific Disaster Center,
L=Kihei
, ST=HI, C=US
Serial number: 462030d8
Valid from: Fri Apr 13 15:39:36 HST 2007 until: Thu Jul 12 15:39:36 HST
2007
Certificate fingerprints:
MD5: CC:3B:FB:FB:AE:12:AD:FB:3E:D5:98:CB:2E:3B:0A:AD
SHA1:
A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CE
Trust this certificate? [no]: yes
Certificate was added to keystore
C:\Program Files\Java\jdk1.5.0_11\bin>
At this stage we have a .keystore file created in C:\Documents and
Settings\<user> and the %JAVA_HOME%\jre\lib\security\cacerts file with
the corresponding certificate.
Step 3: Install Tomcat
a. Selected the Windows Installer version at
http://tomcat.apache.org/download-55.cgi#5.5.23
b. When prompted for directory, changed default it to C:\tomcat5.5.23
c. When prompted for applications, I added all examples, webapps etc.
the next step was probably very critical (god only knows what my
previous tomcat was pointing to)
d. When prompted for JRE, changed default to %JAVA_HOME%/jre (home of
new cacerts)
e. Clicked finish and verified tomcat running as a service, also by
doing http://localhost:8080
and finally the logs look very clean as well.
Step 4: Configure Tomcat server.xml
a. Uncommented connector element for port 8443
b. added the parameters for keystoreFile, keystorePass, truststoreFile
c. bounced tomcat
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:/Documents and Settings/ukari/.keystore"
keystorePass="changeit"
truststoreFile="C:/Program
Files/Java/jdk1.5.0_11/jre/lib/security/cacerts" />
Step 5: CASify HelloWorld Servlet within the standard examples
a. verified that
http://localhost:8080/servlets-examples/servlet/HelloWorldExample works.
b. added the following to web.xml of the servlets-examples context.
Reference: http://www.ja-sig.org/wiki/display/CASC/Using+CASFilter
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://localhost:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://localhost:8443/cas/serviceValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>localhost:8080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Filter</filter-name>
<url-pattern>/servlet/HelloWorldExample</url-pattern>
</filter-mapping>
Step 6: Drop CAS Client jar into the servlets-examples context
URL: http://www.ibiblio.org/maven/cas/jars/
a. created the lib directory under servlets-examples/WEB-INF
b. Download that casclient-2.1.1.zip
from the URL http://www.ibiblio.org/maven/cas/jars/
into C:\Tomcat5.5.23\webapps\servlets-examples\WEB-INF\lib
c. RENAME the zip file to jar file.
Step 7: Download and Deploy CAS
URL: http://www.ja-sig.org/products/cas/downloads/index.html
a. Download the cas-server-3.0.7.zip file.
b. Extract it all to c:\cas-server-3.0.7 directory.
c. copy cas.war
from C:\cas-server-3.0.7\cas-server-3.0.7\target
to C:\Tomcat5.5.23\webapps
(this deploys cas if tomcat is running...but just to be sure...step
8)
Step 8. Clean start
a. Stop tomcat, clear all logs, start tomcat
b. Examine logs
stdout_20070413.log (looks "normal"):
2007-04-13 16:32:02,082 INFO
[org.jasig.cas.authentication.handler.support.SimpleTestUsernamePassword
AuthenticationHandler] - <No PasswordEncoder set. Using default:
org.jasig.cas.authentication.handler.PlainTextPasswordEncoder>
2007-04-13 16:32:02,082 INFO
[org.jasig.cas.authentication.handler.support.SimpleTestUsernamePassword
AuthenticationHandler] - <No Class to Support set. Using default:
org.jasig.cas.authentication.principal.UsernamePasswordCredentials>
2007-04-13 16:32:02,082 WARN
[org.jasig.cas.authentication.handler.support.SimpleTestUsernamePassword
AuthenticationHandler] -
<org.jasig.cas.authentication.handler.support.SimpleTestUsernamePassword
AuthenticationHandler is only to be used in a testing environment.
NEVER enable this in a production environment.>
2007-04-13 16:32:02,129 INFO
[org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - <No
UniqueTicketIdGenerator specified for
org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler. Using
org.jasig.cas.util.DefaultUniqueTicketIdGenerator>
2007-04-13 16:32:04,316 INFO
[org.jasig.cas.web.ServiceValidateController] - <No successView
specified. Using default of casServiceSuccessView>
2007-04-13 16:32:04,316 INFO
[org.jasig.cas.web.ServiceValidateController] - <No failureView
specified. Using default of casServiceFailureView>
2007-04-13 16:32:04,363 INFO
[org.jasig.cas.web.ServiceValidateController] - <No authentication
specification class set. Defaulting to
org.jasig.cas.validation.Cas20ProtocolValidationSpecification>
2007-04-13 16:32:04,363 INFO
[org.jasig.cas.web.ServiceValidateController] - <No successView
specified. Using default of casServiceSuccessView>
2007-04-13 16:32:04,363 INFO
[org.jasig.cas.web.ServiceValidateController] - <No failureView
specified. Using default of casServiceFailureView>
2007-04-13 16:32:04,473 INFO
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - <FormObjectClass
not set. Using default class of
org.jasig.cas.authentication.principal.UsernamePasswordCredentials with
formObjectName credentials and validator
org.jasig.cas.validation.UsernamePasswordCredentialsValidator.>
2007-04-13 16:32:22,223 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
<Starting cleaning of expired tickets from ticket registry at [Fri Apr
13 16:32:22 HST 2007]>
2007-04-13 16:32:22,223 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
<0 found to be removed. Removing now.>
2007-04-13 16:32:22,223 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
<Finished cleaning of expired tickets from ticket registry at [Fri Apr
13 16:32:22 HST 2007]>
catalina.2007-04-13.log (looks "normal"):
Apr 13, 2007 4:31:56 PM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance
in production environments was not found on the java.library.path:
C:\Tomcat5.5.23\bin;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32
;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI
Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL
Apr 13, 2007 4:31:57 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Apr 13, 2007 4:31:58 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Apr 13, 2007 4:31:58 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2859 ms
Apr 13, 2007 4:31:58 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Apr 13, 2007 4:31:58 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
Apr 13, 2007 4:31:58 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Apr 13, 2007 4:32:00 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive cas.war
Apr 13, 2007 4:32:06 PM org.apache.coyote.http11.Http11BaseProtocol
start
INFO: Starting Coyote HTTP/1.1 on http-8080
Apr 13, 2007 4:32:07 PM org.apache.coyote.http11.Http11BaseProtocol
start
INFO: Starting Coyote HTTP/1.1 on http-8443
Apr 13, 2007 4:32:07 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Apr 13, 2007 4:32:07 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/47 config=null
Apr 13, 2007 4:32:07 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Apr 13, 2007 4:32:07 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 8891 ms
localhost.2007-04-13.log (looks "normal"):
Apr 13, 2007 4:32:04 PM org.apache.catalina.core.ApplicationContext log
INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain:
[org.apache.webapp.balancer.RuleChain:
[org.apache.webapp.balancer.rules.URLStringMatchRule: Target string:
News / Redirect URL: http://www.cnn.com],
[org.apache.webapp.balancer.rules.RequestParameterRule: Target param
name: paramName / Target param value: paramValue / Redirect URL:
http://www.yahoo.com],
[org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL:
http://jakarta.apache.org]]
Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
All other log files stderr, admin, host-manager, jakarta_service,
manager are of size 0K.
Checked stderr to make sure!!
step 9. TRY IT
a. Use fresh browser session to access
http://localhost:8080/servlets-examples/servlet/HelloWorldExample
b. Get past all browser alerts/warnings to CAS login page
c. Logged in as uday/uday
d. Again all sorts of alerts/warnings
e. See Hello World...success.
Logs
stdout_20070413.log (three new records):
2007-04-13 16:39:01,238 INFO
[org.jasig.cas.web.flow.AutomaticCookiePathSetterAction] - <Setting
ContextPath for cookies to: /cas>
2007-04-13 16:39:18,271 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordA
uthenticationHandler successfully authenticated the user which provided
the following credentials: uday>
2007-04-13 16:39:18,286 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
ticket [ST-2-V03EdNba1e3cMxeoEbEHwXfoefftIeeRxuO-20] for service
[http://localhost:8080/servlets-examples/servlet/HelloWorldExample] for
user [uday]>
localhost.2007-04-13.log (new records):
Apr 13, 2007 4:38:51 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener:
sessionCreated('6ED4CFE9A5D7BA592372A3E67DF7D6E8')
Apr 13, 2007 4:38:51 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener:
attributeAdded('6ED4CFE9A5D7BA592372A3E67DF7D6E8',
'edu.yale.its.tp.cas.client.filter.didGateway', 'true')
Apr 13, 2007 4:38:51 PM org.apache.catalina.core.ApplicationContext log
INFO: InvokerFilter(ApplicationFilterConfig[name=Path Mapped Filter,
filterClass=filters.ExampleFilter]): 31 milliseconds
Apr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener:
attributeAdded('6ED4CFE9A5D7BA592372A3E67DF7D6E8',
'edu.yale.its.tp.cas.client.filter.user', 'uday')
Apr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener:
attributeAdded('6ED4CFE9A5D7BA592372A3E67DF7D6E8',
'edu.yale.its.tp.cas.client.filter.receipt',
'[edu.yale.its.tp.cas.client.CASReceipt userName=[uday]
casValidateUrl=[https://localhost:8443/cas/serviceValidate]
proxyCallbackUrl=[null] pgtIou=[null]
casValidateUrl=[https://localhost:8443/cas/serviceValidate]
proxyList=[[]]]')
Apr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener:
attributeRemoved('6ED4CFE9A5D7BA592372A3E67DF7D6E8',
'edu.yale.its.tp.cas.client.filter.didGateway', 'true')
Apr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext log
INFO: InvokerFilter(ApplicationFilterConfig[name=Path Mapped Filter,
filterClass=filters.ExampleFilter]): 860 milliseconds
All other logs unchanged.
Done (Success). Well sorta. At least no ProxyTicketValidator
exceptions this time!
Still need to CAS-ify some other application and see if it works between
two applications on separate machines.
TGIF
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20070413/fc9bac6b/attachment.html
More information about the cas
mailing list