Better documenting "Unable to validate ProxyTicketValidator" in CASwiki
Uday Kari
ukari at pdc.org
Sat Apr 14 17:33:03 EDT 2007
Hi Andrew,
Thanks for compliments. I figured I owed you guys at least that much after wasting your time on what was probably a wild goose chase. I actually started that write-up to report that that error in the cleanest way possible but in doing so, I got CAS working.
Now (for eyes of DEV group), the best way to explain the ProxyTicketValidator exception is to actually catch it (!) and redirect the user to a detailed help page which explains everything in detail in the context of which this exception is thrown (which can be due to quite a few permutations of a screwed-up environment). For starters, I would sniff out the JAVA_HOME/cacerts being used, the contents of the certificate (especially the common name), all the stuff that can be gleaned from the request header and make some easy diagnostics to provide the user with some context sensitive help. I know this is a lot of work (and probably not as challenging as adding new features), but I liken this to my hobby of windsurfing...if we make gear that only experts can use, then our market will be quite small...however if/when you start making gear for beginners (especially kids) and breakdown the barriers of entry, we have a healthy business and industry.
That said, a generic help page may indeed belong in a proposed wiki. But when I do not believe wiki should be explaining exceptions (that is the programmers job, sorry). An exception like "Unable to validate ProxyTicketValidator" is basically unnerving and essentially meaningless to someone who knows little about SSL certifications (and almost nothing about how CAS uses them via tomcat). What really belongs in the wiki is the data flow of how CAS works with certifications, the best exposition of which (that I know of anyway) is still in the DEV list:
http://www.mail-archive.com/cas-dev@tp.its.yale.edu/msg00090.html
If someone can point me to how I may add to thsi wiki, I would be glad to...
Regards,
Uday Kari
________________________________
From: cas-bounces at tp.its.yale.edu on behalf of Andrew Petro
Sent: Fri 4/13/2007 7:15 PM
To: Yale CAS mailing list
Subject: Better documenting "Unable to validate ProxyTicketValidator" in CASwiki
Uday,
Thanks for your quality writeups of the problems you've been experiencing and of this step by step resolution.
As you note, this question of proxy ticket validation failing ultimately stemming from SSL certificate issues is one that repeatedly inconveniences new (and old) CAS deployers.
I wonder if there's a way you could incorporate your findings and writeup into the wiki content documenting this matter to lay a better foundation for the next round of this problem? Crystallizing the documentation there is probably even better than thorough list posts...
Andrew
RESOLVED.
This may be useful for other folks since I see this ProxyTicketValidator error a lot on CAS message boards.
Basically, started fresh with on a Windows XP professional computer with no JDK/JRE or Tomcat.
Using Microsoft Internet Explorer Version 7.0.5730.11. Possible sources of error are highlighted in RED.
Step 1: Install JDK Version 1.5.0_11
a. Downloaded jdk-1_5_0_11-windows-i586-p.exe
b. Conducted a typical installation, doing next, next, next
c. set JAVA_HOME system environment variable to C:\Program Files\Java\jdk1.5.0_11
Step 2: Used keytool to self-author certificate for DEMO
Reference: http://www.ja-sig.org/wiki/display/CAS/Solving+SSL+issues
Entire Command Prompt Dialog is below...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\ukari>cd program*
The filename, directory name, or volume label syntax is incorrect.
C:\Documents and Settings\ukari>cd\
C:\>cd program*
C:\Program Files>cd java
C:\Program Files\Java>cd jdk*
C:\Program Files\Java\jdk1.5.0_11>cd bin
C:\Program Files\Java\jdk1.5.0_11\bin>keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Enter keystore password: changeit
What is your first and last name?
[Unknown]: localhost (this is critical...must be accurate server name)
What is the name of your organizational unit?
[Unknown]: Information Systems
What is the name of your organization?
[Unknown]: Pacific Disaster Center
What is the name of your City or Locality?
[Unknown]: Kihei
What is the name of your State or Province?
[Unknown]: HI
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei, ST=HI, C=US correct?
[no]: yes
C:\Program Files\Java\jdk1.5.0_11\bin>keytool -export -alias tomcat -keypass changeit -file server.crt
Enter keystore password: changeit
Certificate stored in file <server.crt>
C:\Program Files\Java\jdk1.5.0_11\bin>keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
Enter keystore password: changeit
Owner: CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei,
ST=HI, C=US
Issuer: CN=localhost, OU=Information Systems, O=Pacific Disaster Center, L=Kihei
, ST=HI, C=US
Serial number: 462030d8
Valid from: Fri Apr 13 15:39:36 HST 2007 until: Thu Jul 12 15:39:36 HST 2007
Certificate fingerprints:
MD5: CC:3B:FB:FB:AE:12:AD:FB:3E:D5:98:CB:2E:3B:0A:AD
SHA1: A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CE
Trust this certificate? [no]: yes
Certificate was added to keystore
C:\Program Files\Java\jdk1.5.0_11\bin>
At this stage we have a .keystore file created in C:\Documents and Settings\<user> and the %JAVA_HOME%\jre\lib\security\cacerts file with the corresponding certificate.
Step 3: Install Tomcat
a. Selected the Windows Installer version at http://tomcat.apache.org/download-55.cgi#5.5.23
b. When prompted for directory, changed default it to C:\tomcat5.5.23
c. When prompted for applications, I added all examples, webapps etc.
the next step was probably very critical (god only knows what my previous tomcat was pointing to)
d. When prompted for JRE, changed default to %JAVA_HOME%/jre (home of new cacerts)
e. Clicked finish and verified tomcat running as a service, also by doing http://localhost:8080 <http://localhost:8080/>
and finally the logs look very clean as well.
Step 4: Configure Tomcat server.xml
a. Uncommented connector element for port 8443
b. added the parameters for keystoreFile, keystorePass, truststoreFile
c. bounced tomcat
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:/Documents and Settings/ukari/.keystore"
keystorePass="changeit"
truststoreFile="C:/Program Files/Java/jdk1.5.0_11/jre/lib/security/cacerts" />
Step 5: CASify HelloWorld Servlet within the standard examples
a. verified that http://localhost:8080/servlets-examples/servlet/HelloWorldExample works.
b. added the following to web.xml of the servlets-examples context.
Reference: http://www.ja-sig.org/wiki/display/CASC/Using+CASFilter
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://localhost:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://localhost:8443/cas/serviceValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>localhost:8080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Filter</filter-name>
<url-pattern>/servlet/HelloWorldExample</url-pattern>
</filter-mapping>
Step 6: Drop CAS Client jar into the servlets-examples context
URL: http://www.ibiblio.org/maven/cas/jars/
a. created the lib directory under servlets-examples/WEB-INF
b. Download that casclient-2.1.1.zip
from the URL http://www.ibiblio.org/maven/cas/jars/
into C:\Tomcat5.5.23\webapps\servlets-examples\WEB-INF\lib
c. RENAME the zip file to jar file.
Step 7: Download and Deploy CAS
URL: http://www.ja-sig.org/products/cas/downloads/index.html
a. Download the cas-server-3.0.7.zip file.
b. Extract it all to c:\cas-server-3.0.7 directory.
c. copy cas.war
from C:\cas-server-3.0.7\cas-server-3.0.7\target
to C:\Tomcat5.5.23\webapps
(this deploys cas if tomcat is running...but just to be sure...step 8)
Step 8. Clean start
a. Stop tomcat, clear all logs, start tomcat
b. Examine logs
stdout_20070413.log (looks "normal"):
2007-04-13 16:32:02,082 INFO [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - <No PasswordEncoder set. Using default: org.jasig.cas.authentication.handler.PlainTextPasswordEncoder>
2007-04-13 16:32:02,082 INFO [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - <No Class to Support set. Using default: org.jasig.cas.authentication.principal.UsernamePasswordCredentials>
2007-04-13 16:32:02,082 WARN [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - <org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler is only to be used in a testing environment. NEVER enable this in a production environment.>
2007-04-13 16:32:02,129 INFO [org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - <No UniqueTicketIdGenerator specified for org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler. Using org.jasig.cas.util.DefaultUniqueTicketIdGenerator>
2007-04-13 16:32:04,316 INFO [org.jasig.cas.web.ServiceValidateController] - <No successView specified. Using default of casServiceSuccessView>
2007-04-13 16:32:04,316 INFO [org.jasig.cas.web.ServiceValidateController] - <No failureView specified. Using default of casServiceFailureView>
2007-04-13 16:32:04,363 INFO [org.jasig.cas.web.ServiceValidateController] - <No authentication specification class set. Defaulting to org.jasig.cas.validation.Cas20ProtocolValidationSpecification>
2007-04-13 16:32:04,363 INFO [org.jasig.cas.web.ServiceValidateController] - <No successView specified. Using default of casServiceSuccessView>
2007-04-13 16:32:04,363 INFO [org.jasig.cas.web.ServiceValidateController] - <No failureView specified. Using default of casServiceFailureView>
2007-04-13 16:32:04,473 INFO [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <FormObjectClass not set. Using default class of org.jasig.cas.authentication.principal.UsernamePasswordCredentials with formObjectName credentials and validator org.jasig.cas.validation.UsernamePasswordCredentialsValidator.>
2007-04-13 16:32:22,223 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Starting cleaning of expired tickets from ticket registry at [Fri Apr 13 16:32:22 HST 2007]>
2007-04-13 16:32:22,223 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 found to be removed. Removing now.>
2007-04-13 16:32:22,223 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished cleaning of expired tickets from ticket registry at [Fri Apr 13 16:32:22 HST 2007]>
catalina.2007-04-13.log (looks "normal"):
Apr 13, 2007 4:31:56 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Tomcat5.5.23\bin;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL
Apr 13, 2007 4:31:57 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Apr 13, 2007 4:31:58 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Apr 13, 2007 4:31:58 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2859 ms
Apr 13, 2007 4:31:58 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Apr 13, 2007 4:31:58 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
Apr 13, 2007 4:31:58 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Apr 13, 2007 4:32:00 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive cas.war
Apr 13, 2007 4:32:06 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Apr 13, 2007 4:32:07 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Apr 13, 2007 4:32:07 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Apr 13, 2007 4:32:07 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/47 config=null
Apr 13, 2007 4:32:07 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Apr 13, 2007 4:32:07 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 8891 ms
localhost.2007-04-13.log (looks "normal"):
Apr 13, 2007 4:32:04 PM org.apache.catalina.core.ApplicationContext log
INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain: [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cnn.com <http://www.cnn.com/> ], [org.apache.webapp.balancer.rules.RequestParameterRule: Target param name: paramName / Target param value: paramValue / Redirect URL: http://www.yahoo.com <http://www.yahoo.com/> ], [org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL: http://jakarta.apache.org <http://jakarta.apache.org/> ]]
Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
All other log files stderr, admin, host-manager, jakarta_service, manager are of size 0K.
Checked stderr to make sure!!
step 9. TRY IT
a. Use fresh browser session to access
http://localhost:8080/servlets-examples/servlet/HelloWorldExample
b. Get past all browser alerts/warnings to CAS login page
c. Logged in as uday/uday
d. Again all sorts of alerts/warnings
e. See Hello World...success.
Logs
stdout_20070413.log (three new records):
2007-04-13 16:39:01,238 INFO [org.jasig.cas.web.flow.AutomaticCookiePathSetterAction] - <Setting ContextPath for cookies to: /cas>
2007-04-13 16:39:18,271 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: uday>
2007-04-13 16:39:18,286 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-V03EdNba1e3cMxeoEbEHwXfoefftIeeRxuO-20] for service [http://localhost:8080/servlets-examples/servlet/HelloWorldExample] for user [uday]>
localhost.2007-04-13.log (new records):
Apr 13, 2007 4:38:51 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: sessionCreated('6ED4CFE9A5D7BA592372A3E67DF7D6E8')
Apr 13, 2007 4:38:51 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: attributeAdded('6ED4CFE9A5D7BA592372A3E67DF7D6E8', 'edu.yale.its.tp.cas.client.filter.didGateway', 'true')
Apr 13, 2007 4:38:51 PM org.apache.catalina.core.ApplicationContext log
INFO: InvokerFilter(ApplicationFilterConfig[name=Path Mapped Filter, filterClass=filters.ExampleFilter]): 31 milliseconds
Apr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: attributeAdded('6ED4CFE9A5D7BA592372A3E67DF7D6E8', 'edu.yale.its.tp.cas.client.filter.user', 'uday')
Apr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: attributeAdded('6ED4CFE9A5D7BA592372A3E67DF7D6E8', 'edu.yale.its.tp.cas.client.filter.receipt', '[edu.yale.its.tp.cas.client.CASReceipt userName=[uday] casValidateUrl=[https://localhost:8443/cas/serviceValidate] proxyCallbackUrl=[null] pgtIou=[null] casValidateUrl=[https://localhost:8443/cas/serviceValidate] proxyList=[[]]]')
Apr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: attributeRemoved('6ED4CFE9A5D7BA592372A3E67DF7D6E8', 'edu.yale.its.tp.cas.client.filter.didGateway', 'true')
Apr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext log
INFO: InvokerFilter(ApplicationFilterConfig[name=Path Mapped Filter, filterClass=filters.ExampleFilter]): 860 milliseconds
All other logs unchanged.
Done (Success). Well sorta. At least no ProxyTicketValidator exceptions this time!
Still need to CAS-ify some other application and see if it works between two applications on separate machines.
TGIF
________________________________
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 35992 bytes
Desc: not available
Url : http://tp.its.yale.edu/pipermail/cas/attachments/20070414/d1287753/attachment.bin
More information about the cas
mailing list