ACEGI, proxyValidate and PGTIOU

Scott Battaglia scott.battaglia at gmail.com
Tue Jun 19 09:56:03 EDT 2007


Bill,

That's not the JVM's list of certificates.  That's Tomcat's keystore.  The
JVM stores its certificates in JAVA_HOME\jre\lib\security\cacerts

You would need to insert your certificate using a command such as the
following:

%JAVA_HOME%\bin\keytool -import -alias casclient -file server.crt
-storepass changeit -keystore %JAVA_HOME%\jre\lib\security\cacerts
(assuming you've exported the container's certificate to server.crt).


-Scott

On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:
>
> Thanks, Scott.
>
> However, I guess I am still a little confused. I have Tomcat 6.0 and
> Tomcat 5.5 running on the same machine (my development machine). I ran
> into some issues earlier with Tomcat finding the right keystore with my
> certificates so I added keystoreFile=C:\keystore\.keystore to the
> server.xml in both versions of Tomcat. So I thought both JVMs would be
> using the same keystore file. This works fine for allowing me to connect via
> SSL to both Tomcat instances. Is there a problem with what I am doing from a
> CAS perspective? Is there another keystore beyond the ones configured in
> server.xml that I need to be populating?
>
> Bill
>
> ------------------------------
>
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
> Sent: Tuesday, June 19, 2007 9:40 AM
> To: Yale CAS mailing list
> Subject: Re: ACEGI, proxyValidate and PGTIOU
>
> CAS's JVM does not trust your client application's certificate.
>
> If you've added the certificate to CAS's JVM, that most likely means the
> hostname does not match the cn.
>
> If you haven't added the certificate, you need to do so :-)
>
> -Scott
>
> On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:
>
> Hi,
>
> I am using CAS with ACEGI security and I have the basics working. But when
> I try to add the proxyCallbackUrl to the CasProxyTicketValidator (see
> below), it only partly works. I am able to still authenticate through CAS,
> but the resulting authentication token does not have the PGTIOU set … it is
> an empty string.
>
> I have checked the log files on the Tomcat instance hosting the CAS server
> and I find the following exceptions which seem to relate to the proxy
> callback URL. Any idea what is wrong?
>
> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>     at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)
>     at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:280)
>     at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:223)
>     at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
>     at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
>     at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:75)
>     at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
>     at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>     at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>     at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
>     at java.lang.Thread.run(Unknown Source)
>
> 2007-06-19 09:25:58,812 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandlerfailed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>
>
> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>
> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:215)
>     at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>     at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>     at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: error.authentication.credentials.bad
>     at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
>     at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:105)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
>     ... 22 more
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
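As an added example (not code from this thread, from CAS or from Acegi), here is a small Java program that does what CAS does when it contacts the proxy callback URL: a TLS handshake trusted only by the JVM's own cacerts, not Tomcat's keystore. It reports the two causes named above separately, an untrusted chain (the keytool import is the fix) and a certificate whose name does not match the host. Assumptions: Java 7 or later, the cacerts path derived from java.home, the default store password changeit, and a placeholder callback URL.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Reproduces the TLS check CAS makes on the proxy callback URL using the JVM's own cacerts,
 *  and separates the two causes named in the thread: untrusted chain vs. hostname mismatch. */
public class ProxyCallbackTrustCheck {
    public static String check(String callbackUrl, String cacertsPath, char[] pass) throws Exception {
        URL url = new URL(callbackUrl);
        int port = url.getPort() == -1 ? 443 : url.getPort();
        // Trust only what the JVM-wide store contains, as CAS's HTTP client does (not Tomcat's keystore).
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacertsPath)) {
            trustStore.load(in, pass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        // Step 1: chain validation only, no hostname check.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(url.getHost(), port)) {
            s.startHandshake();
        } catch (SSLHandshakeException e) {
            return "NOT TRUSTED: import the callback host's certificate into " + cacertsPath;
        }
        // Step 2: same handshake with HTTPS endpoint identification (hostname against CN/SAN).
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(url.getHost(), port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            return "OK: trusted and name matches, peer=" + s.getSession().getPeerPrincipal();
        } catch (SSLHandshakeException e) {
            return "HOSTNAME MISMATCH: certificate does not name " + url.getHost();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL; pass the real proxyCallbackUrl as the first argument.
        String url = args.length > 0 ? args[0] : "https://localhost:8443/casProxy/receptor";
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        System.out.println(check(url, cacerts, "changeit".toCharArray()));
    }
}
```

Run it with the JVM that hosts the CAS server, since that is the cacerts file that matters; a "NOT TRUSTED" result before the import and "OK" after it confirms the fix without another round trip through the CAS logs.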