Web server on different machine to CAS server

Scott Battaglia scott.battaglia at gmail.com
Wed Feb 28 11:17:13 EST 2007


Are you adding it to your JVM's cacerts file?  If you have multiple JVMs, make
sure it's in the correct one (I've seen it placed in the wrong one
accidentally a lot).

-Scott

On 2/28/07, Mike Crawford <mike.crawford at gmail.com> wrote:
>
> Adding the key didn't work.
>
> Cheers,
>
> Mike
>
> On 2/28/07, Mike Crawford <mike.crawford at gmail.com > wrote:
> >
> > Hi again,
> >
> > I'm pretty sure the problem is caused by 'webserver1' not being in the
> > keystore, because it works fine if the web application is on the same server
> > as the authentication server.  In my keystore on the authentication server I
> > have a key entry for the authentication server with alias 'tomcat'.  I was
> > going to try adding another key for webserver1, but can I just call it
> > 'webserver1' and add it into my store?
> >
> > Thanks,
> >
> > Mike
> >
> > On 2/28/07, Mike Crawford < mike.crawford at gmail.com> wrote:
> > >
> > > Hi Scott,
> > >
> > > I think this is the problem (from the tomcat log): Caused by:
> > > javax.net.ssl.SSLHandshakeException:
> > > sun.security.validator.ValidatorException: PKIX path building failed:
> > > sun.security.provider.certpath.SunCertPathBuilderException : unable to
> > > find valid certification path to requested target
> > >
> > > Here is the full paste with the servers and webapp name changed:
> > >
> > > SEVERE: Servlet.service() for servlet default threw exception
> > > edu.yale.its.tp.cas.client.CASAuthenticationException : Unable to
> > > validate ProxyTicketValidator [[
> > > edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [
> > > edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://authenticationserver.com/cas/serviceValidate]
> > > ticket=[ST-2-RN7yyvC4XXMKUEED6VOlfsnT40SOzMu7o42-20]
> > > service=[http%3A%2F%2Fwebserver1.com%3A8080%2Fmywebapp%2F] renew=false]]]
> > >     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt (
> > > CASReceipt.java:52)
> > >     at
> > > edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(
> > > CASFilter.java:455)
> > >     at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(
> > > CASFilter.java:378)
> > >     at
> > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter (
> > > ApplicationFilterChain.java:202)
> > >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(
> > > ApplicationFilterChain.java:173)
> > >     at org.apache.catalina.core.StandardWrapperValve.invoke(
> > > StandardWrapperValve.java :213)
> > >     at org.apache.catalina.core.StandardContextValve.invoke(
> > > StandardContextValve.java:178)
> > >     at org.apache.catalina.core.StandardHostValve.invoke(
> > > StandardHostValve.java:126)
> > >     at org.apache.catalina.valves.ErrorReportValve.invoke (
> > > ErrorReportValve.java:105)
> > >     at org.apache.catalina.core.StandardEngineValve.invoke(
> > > StandardEngineValve.java:107)
> > >     at org.apache.catalina.connector.CoyoteAdapter.service(
> > > CoyoteAdapter.java:148)
> > >     at org.apache.coyote.http11.Http11Processor.process (
> > > Http11Processor.java:869)
> > >     at
> > > org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection
> > > (Http11BaseProtocol.java:664)
> > >     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(
> > > PoolTcpEndpoint.java :527)
> > >     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(
> > > LeaderFollowerWorkerThread.java:80)
> > >     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(
> > > ThreadPool.java:684)
> > >     at java.lang.Thread.run (Thread.java:619)
> > > Caused by: javax.net.ssl.SSLHandshakeException:
> > > sun.security.validator.ValidatorException: PKIX path building failed:
> > > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> > > find valid certification path to requested target
> > >     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java
> > > :174)
> > >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(
> > > SSLSocketImpl.java:1520)
> > >     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE (
> > > Handshaker.java:182)
> > >     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java
> > > :176)
> > >     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate
> > > (ClientHandshaker.java:975)
> > >     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage (
> > > ClientHandshaker.java:123)
> > >     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(
> > > Handshaker.java:511)
> > >     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(
> > > Handshaker.java:449)
> > >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord (
> > > SSLSocketImpl.java:817)
> > >     at
> > > com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(
> > > SSLSocketImpl.java:1029)
> > >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(
> > > SSLSocketImpl.java:1056)
> > >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(
> > > SSLSocketImpl.java:1040)
> > >     at sun.net.www.protocol.https.HttpsClient.afterConnect(
> > > HttpsClient.java:405)
> > >     at
> > > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(
> > > AbstractDelegateHttpsURLConnection.java:170)
> > >     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
> > > HttpURLConnection.java:981)
> > >     at
> > > sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(
> > > HttpsURLConnectionImpl.java :234)
> > >     at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
> > >     at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(
> > > ServiceTicketValidator.java:212)
> > >     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt (
> > > CASReceipt.java:50)
> > >     ... 16 more
> > > Caused by: sun.security.validator.ValidatorException: PKIX path
> > > building failed:
> > > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> > > find valid certification path to requested target
> > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java
> > > :285)
> > >     at sun.security.validator.PKIXValidator.engineValidate(
> > > PKIXValidator.java:191)
> > >     at sun.security.validator.Validator.validate(Validator.java :218)
> > >     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(
> > > X509TrustManagerImpl.java:126)
> > >     at
> > > com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(
> > > X509TrustManagerImpl.java:209)
> > >     at
> > > com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(
> > > X509TrustManagerImpl.java:249)
> > >     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate
> > > (ClientHandshaker.java:954)
> > >     ... 30 more
> > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> > > unable to find valid certification path to requested target
> > >     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(
> > > SunCertPathBuilder.java :174)
> > >     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java
> > > :238)
> > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java
> > > :280)
> > >     ... 36 more
> > >
> > >
> > >
> > > Thanks,
> > >
> > > Mike
> > >
> > > On 2/28/07, Scott Battaglia <scott.battaglia at gmail.com > wrote:
> > > >
> > > > Mike,
> > > >
> > > > > Are there any other messages in the log file?  Exceptions, etc.?
> > > >
> > > > Thanks
> > > > -Scott
> > > >
> > > > On 2/26/07, Mike Crawford < mike.crawford at gmail.com> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I am trying to run a web server on one machine which redirects to
> > > > > a CAS server running on another machine.  When I try to
> > > > > change the client.filter.serverName to redirect back to the web
> > > > > > server I get an 'Unable to validate ProxyTicketValidator' message.  Does this
> > > > > have something to do with proxyList?
> > > > >
> > > > > I've pasted an excerpt from client.filter.CASFilter with what I'm
> > > > > trying to achieve.  Ultimately there will be many web servers pointing to
> > > > > the same authentication server.
> > > > >
> > > > > Thanks for your help,
> > > > >
> > > > > Mike Crawford
> > > > >
> > > > > >                    <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
> > > > > >                    <param-value>https://authenticationserver.com/cas/login</param-value>
> > > > > >             </init-param>
> > > > > >             <init-param>
> > > > > >                    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
> > > > > >                    <param-value>https://authenticationserver.com/cas/serviceValidate</param-value>
> > > > > >             </init-param>
> > > > > >             <init-param>
> > > > > >                    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
> > > > > >                    <param-value>webserver1.com:8080</param-value>
> > > > > >             </init-param>
> > > > > _______________________________________________
> > > > > Yale CAS mailing list
> > > > > cas at tp.its.yale.edu
> > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> >
>
>
>
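
The check suggested at the top of this message (is the certificate in the cacerts of the JVM that actually runs the web application?), as an added example that is not part of the original thread. The file name cas-server.crt, the JAVA_HOME paths and the function names are assumptions; "changeit" is the stock cacerts password.

```shell
#!/bin/sh
# Added example (not from the thread): report which JVM trust stores contain
# the CAS server's certificate. cas-server.crt and the JAVA_HOME paths are
# assumptions; "changeit" is the stock cacerts password.

# Print the default trust store of the JVM rooted at $1.
# A JDK up to Java 8 keeps it under jre/; a JRE or newer JDK under lib/.
cacerts_path() {
    for rel in jre/lib/security/cacerts lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

# Succeed if certificate file $2 is in the default trust store of JVM $1.
# Matching is by SHA1 fingerprint as printed by that JVM's own keytool.
cert_in_truststore() {
    store=$(cacerts_path "$1") || return 2
    want=$("$1/bin/keytool" -printcert -file "$2" |
        sed -n 's/^[[:space:]]*SHA1: *//p' | head -n 1)
    [ -n "$want" ] || return 2
    "$1/bin/keytool" -list -v -keystore "$store" \
        -storepass "${STOREPASS:-changeit}" |
        grep -qF "SHA1: $want"
}

# Usage: report_jvms CERT JAVA_HOME...
# Prints one TRUSTED/MISSING line per JVM so a wrong-JVM import stands out.
report_jvms() {
    cert=$1
    shift
    for home in "$@"; do
        if cert_in_truststore "$home" "$cert"; then
            echo "TRUSTED $home"
        else
            echo "MISSING $home"
        fi
    done
}

# Example: sh check-cacerts.sh cas-server.crt /usr/lib/jvm/* "$JAVA_HOME"
if [ "$#" -ge 2 ]; then
    report_jvms "$@"
fi
```

Run it on the web application's host (webserver1 in this thread) against every installed JVM, then compare with the JAVA_HOME that Tomcat is started with. If Tomcat is launched with -Djavax.net.ssl.trustStore, that file is consulted instead of cacerts and is the one to check.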