ACEGI, proxyValidate and PGTIOU

Bill Bailey Bill.Bailey at northlandchurch.net
Tue Jun 19 10:52:51 EDT 2007


Hi Scott,

Thanks again. I am getting a clearer picture, but I still can't get it
to work. I've seen a lot of other people discussing SSL/Certificate
issues on this list so I guess it is my turn to feel the pain.

Here are the steps I did ... I deleted the old keystore I was using for
Tomcat and started from scratch.

keytool -genkey -alias tomcat -keypass changeit -keystore C:\keystore\.keystore

I then set keystoreFile=C:\keystore\.keystore in both the Tomcat 6.0 and
Tomcat 5.5 server.xml files.

Basic SSL works fine after doing the above two steps ...

keytool -export -alias tomcat -file tomcat.crt -keystore C:\keystore\.keystore

Certificate file tomcat.crt exports without any errors or warnings ...

keytool -import -file tomcat.crt -alias tomcat -keystore "C:\Program Files\Java\jdk1.6.0_01\jre\lib\security\cacerts"

Certificate imports without any errors or warnings ...

keytool -list -keystore "C:\Program Files\Java\jdk1.6.0_01\jre\lib\security\cacerts"

Lists 44 entries including the certificate just added under the tomcat
alias.

Still get the same error as before ...

I did notice that doing keytool -list without a -keystore parameter
returned an empty list so I wondered if there was another keystore at
play here. So I tried adding the certificate to the 'default' keystore
using the following command.

keytool -import -file tomcat.crt -alias tomcat

Certificate imports without any errors or warnings ...

keytool -list

Lists 1 entry ... the new certificate with the tomcat alias I just added.

Still get the same error.

I am losing my mind here. What am I still not doing?

Thanks in advance for any suggestions.

Bill
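Added diagnostic (not from the thread or the CAS project): this Java program checks the two causes Scott points at below, which truststore the JVM actually consults, whether the callback host's certificate is trusted by it, and whether the certificate CN equals the host in the proxyCallbackUrl. The class name, the placeholder callback URL and the CN-only comparison are assumptions.

```java
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Diagnoses the two failure modes in the thread: the callback host's certificate is
// not in the truststore this JVM actually reads, or it is trusted but its CN does
// not equal the host named in proxyCallbackUrl. Hypothetical helper, not CAS code.
public class ProxyCallbackTrustCheck {
    public static void main(String[] args) throws Exception {
        // Placeholder URL; pass your own proxyCallbackUrl as the first argument.
        URL url = new URL(args.length > 0 ? args[0]
                : "https://cas-client.example.org:8443/casProxy/receptor");
        String host = url.getHost();
        int port = url.getPort() == -1 ? 443 : url.getPort();
        // What the default trust manager reads: javax.net.ssl.trustStore if set, else
        // <java.home>/lib/security/cacerts (java.home is the JRE, so under a JDK this
        // is JAVA_HOME\jre\lib\security\cacerts). Tomcat's keystoreFile plays no part.
        String trustStore = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        System.out.println("Truststore in use: " + trustStore);
        // Handshake with the default trust manager, as CAS's HttpClient does.
        SSLSocket sock = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        X509Certificate peer = null;
        try {
            sock.startHandshake();
            peer = (X509Certificate) sock.getSession().getPeerCertificates()[0];
        } catch (SSLException e) {
            System.out.println("NOT TRUSTED (" + e.getMessage() + "): import the server cert into " + trustStore);
            return;
        } finally {
            sock.close();
        }
        System.out.println("Trusted; subject = " + peer.getSubjectX500Principal().getName());
        // Trusted but misnamed still fails at the hostname verification step.
        System.out.println("CN matches " + host + ": " + cnMatches(peer, host));
    }

    // Compares the certificate CN with the URL host, the comparison the CN-based
    // verifyHostname in the trace makes. The DN split is naive (escaped commas are
    // not handled), which is fine for self-signed development certificates.
    static boolean cnMatches(X509Certificate cert, String host) {
        for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {
            String r = rdn.trim();
            if (r.toUpperCase().startsWith("CN=") && r.substring(3).equalsIgnoreCase(host)) return true;
        }
        return false;
    }
}
```

Run it on the CAS server's JVM (the one that makes the callback), not on the client's, since that is the truststore that matters here.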

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Scott Battaglia
Sent: Tuesday, June 19, 2007 9:56 AM
To: Yale CAS mailing list
Subject: Re: ACEGI, proxyValidate and PGTIOU

Bill,

That's not the JVM's list of certificates. That's Tomcat's keystore.
The JVM stores its certificates in JAVA_HOME\jre\lib\security\cacerts

You would need to insert your certificate using a command such as the
following:

%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts

(assuming you've exported the container's certificate to server.crt).


-Scott

On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:

Thanks, Scott.

However, I guess I am still a little confused. I have Tomcat 6.0 and
Tomcat 5.5 running on the same machine (my development machine). I ran
into some issues earlier with Tomcat finding the right keystore with my
certificates so I added keystoreFile=C:\keystore\.keystore to the
server.xml in both versions of Tomcat. So I thought both JVM's would be
using the same keystore file. This works fine for allowing me to connect
via SSL to both Tomcat instances. Is there a problem with what I am
doing from a CAS perspective? Is there another keystore beyond the ones
configured in server.xml that I need to be populating?

Bill

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Scott Battaglia
Sent: Tuesday, June 19, 2007 9:40 AM
To: Yale CAS mailing list
Subject: Re: ACEGI, proxyValidate and PGTIOU

CAS's JVM does not trust your client application's certificate.

If you've added the certificate to CAS's JVM, that most likely means the
hostname does not match the cn.

If you haven't added the certificate, you need to do so :-) 

-Scott

On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:

Hi,

I am using CAS with ACEGI security and I have the basics working. But
when I try to add the proxyCallbackUrl to the CasProxyTicketValidator
(see below), it only partly works. I am able to still authenticate
through CAS, but the resulting authentication token does not have the
PGTIOU set ... it is an empty string.

I have checked the log files on the Tomcat instance hosting the CAS
server and I find the following exceptions which seem to relate to the
proxy callback URL. Any idea what is wrong?

2007-06-19 09:25:58,812 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)
    at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:280)
    at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:223)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:75)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
    at java.lang.Thread.run(Unknown Source)

2007-06-19 09:25:58,812 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor >

2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor >
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:215)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
    at java.lang.Thread.run(Unknown Source)
Caused by: error.authentication.credentials.bad
    at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:105)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
    ... 22 more


_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas




-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia 