ACEGI, proxyValidate and PGTIOU

Bill Bailey Bill.Bailey at northlandchurch.net
Tue Jun 19 13:05:58 EDT 2007


Scott,

 

I thought that might be the case. I did unprotect it now ... but it
didn't fix the problem unfortunately. I can now go directly to the
/casProxy/receptor URL without being redirected, but the CAS server is
still unable to verify my certificate for some reason. Same error as
before.

 

Bill

 

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Scott Battaglia
Sent: Tuesday, June 19, 2007 12:55 PM
To: Yale CAS mailing list
Subject: Re: ACEGI, proxyValidate and PGTIOU

 

Bill,

You're going to want to unprotect that page.  Acegi should not be
forcing it to redirect.

-Scott

On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:

I have now exported both certificates from the two keystores ...
tomcat.crt from C:\keystore\.keystore ... and jvm.crt from C:\Program
Files\Java\jdk1.6.0_01\jre\lib\security\cacerts ... and I've compared
them and they are identical. And I have tried connecting to
https://nacdnws002l.northlandcc.net:8443/casProxy/receptor using a
browser and although it redirects me to CAS to log in first, once I log
in it forwards me to the URL with no complaint from the browser ... and
when I view the certificate the browser received from Tomcat, it looks
like I would expect (i.e. CN=nacdnws002l.northlandcc.net, same org, org
unit, dates of expiration, etc.). Unless I'm completely not
understanding how SSL works (which looks more and more like a
possibility to me), I can't see any reason I should be getting an error.

 

I have no idea what to try next. I'm hoping someone else has some other
ideas to troubleshoot this further. Even if you don't see anything I'm
doing wrong, I would be interested in hearing that. Because I am
starting to doubt my own sanity. :-) 

 

Bill Bailey

 

 

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Bill Bailey
Sent: Tuesday, June 19, 2007 11:20 AM


To: Yale CAS mailing list
Subject: RE: ACEGI, proxyValidate and PGTIOU

 

A few more tidbits in case it helps any.

 

The 'default' keystore appears to be in C:\Documents and
Settings\bbailey\.keystore so I don't see how that keystore could be
relevant ... neither Tomcat nor the JVM should be using this by default
I think.

 

I have double checked the certificate and the hostname in it is
nacdnws002l.northlandcc.net ... just like the fully qualified host and
domain used in the proxyCallbackUrl.

 

Is there any way to get the JVM to tell you what exactly it is that it
doesn't like about the certificate? For example, hostname mismatch? Not
found in keystore? In keystore but not trusted? Or whatever?

 

I feel like I'm just taking stabs in the dark right now.


Bill

 

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Bill Bailey
Sent: Tuesday, June 19, 2007 10:59 AM
To: Yale CAS mailing list
Subject: RE: ACEGI, proxyValidate and PGTIOU

 

Scott,

 

I should add a couple things just in case they come up as questions.

 

1)       I did select to trust the certificate when I imported it into
cacerts ... the default was no, but I entered yes ... and the tomcat
certificate is listed as trusted when I do a keytool -list.

2)       I have verified that both Tomcats are using the 1.6.0_01 JVM
... there are other Java versions installed on this machine, but it does
not appear Tomcat is using any of them.

 

Bill

 

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Bill Bailey
Sent: Tuesday, June 19, 2007 10:53 AM
To: Yale CAS mailing list
Subject: RE: ACEGI, proxyValidate and PGTIOU

 

Hi Scott,

 

Thanks again. I am getting a clearer picture, but I still can't get it
to work. I've seen a lot of other people discussing SSL/Certificate
issues on this list so I guess it is my turn to feel the pain.

 

Here are the steps I did ... I deleted the old keystore I was using for
Tomcat and started from scratch.

 

keytool -genkey -alias tomcat -keypass changeit -keystore
C:\keystore\.keystore

 

I then set keystoreFile=C:\keystore\.keystore in both the Tomcat 6.0 and
Tomcat 5.5 server.xml files.

 

Basic SSL works fine after doing the above two steps ...

 

keytool -export -alias tomcat -file tomcat.crt -keystore
C:\keystore\.keystore

 

Certificate file tomcat.crt exports without any errors or warnings ...

 

keytool -import -file tomcat.crt -alias tomcat -keystore "C:\Program
Files\Java\jdk1.6.0_01\jre\lib\security\cacerts"

 

Certificate imports without any errors or warnings ...

 

keytool -list -keystore "C:\Program
Files\Java\jdk1.6.0_01\jre\lib\security\cacerts"

 

Lists 44 entries including the certificate just added under the tomcat
alias

 

Still gets the same error as before ...

 

I did notice that doing keytool -list without a -keystore parameter
returned an empty list so I wondered if there was another keystore at
play here. So I tried adding the certificate to the 'default' keystore
using the following command.

 

keytool -import -file tomcat.crt -alias tomcat

 

Certificate imports without any errors or warnings ...

 

keytool -list

 

Lists 1 entry ... the new certificate with the tomcat alias I just added

 

Still get the same error.

 

I am losing my mind here. What am I still not doing?


Thanks in advance for any suggestions.


Bill

 

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Scott Battaglia
Sent: Tuesday, June 19, 2007 9:56 AM
To: Yale CAS mailing list
Subject: Re: ACEGI, proxyValidate and PGTIOU

 

Bill,

That's not the JVM's list of certificates.  That's Tomcat's keystore.
The JVM stores its certificates in JAVA_HOME\jre\lib\security\cacerts

You would need to insert your certificate using a command such as the
following: 

%JAVA_HOME%\bin\keytool -import -file server.crt -storepass changeit
-keystore %JAVA_HOME%\jre\lib\security\cacerts

(assuming you've exported the container's certificate to server.crt).


-Scott

On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:

Thanks, Scott.

 

However, I guess I am still a little confused. I have Tomcat 6.0 and
Tomcat 5.5 running on the same machine (my development machine). I ran
into some issues earlier with Tomcat finding the right keystore with my
certificates so I added keystoreFile=C:\keystore\.keystore to the
server.xml in both versions of Tomcat. So I thought both JVM's would be
using the same keystore file. This works fine for allowing me to connect
via SSL to both Tomcat instances. Is there a problem with what I am
doing from a CAS perspective? Is there another keystore beyond the ones
configured in server.xml that I need to be populating?

 

Bill

 

 

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Scott Battaglia
Sent: Tuesday, June 19, 2007 9:40 AM
To: Yale CAS mailing list
Subject: Re: ACEGI, proxyValidate and PGTIOU

 

CAS's JVM does not trust your client application's certificate.

If you've added the certificate to CAS's JVM, that most likely means the
hostname does not match the cn.

If you haven't added the certificate, you need to do so :-) 

-Scott

On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:

Hi,

 

I am using CAS with ACEGI security and I have the basics working. But
when I try to add the proxyCallbackUrl to the CasProxyTicketValidator
(see below), it only partly works. I am able to still authenticate
through CAS, but the resulting authentication token does not have the
PGTIOU set ... it is an empty string.

 

I have checked the log files on the Tomcat instance hosting the CAS
server and I find the following exceptions which seem to relate to the
proxy callback URL. Any idea what is wrong?

 

2007-06-19 09:25:58,812 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)
    at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:280)
    at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:223)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:75)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
    at java.lang.Thread.run(Unknown Source)

2007-06-19 09:25:58,812 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor >

2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor >
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:215)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
    at java.lang.Thread.run(Unknown Source)
Caused by: error.authentication.credentials.bad
    at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:105)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
    ... 22 more


_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas




-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia 




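The thread leaves one question open: how to make the JVM say which of the three possible things it dislikes about the callback certificate. The following is an added example, not code from the thread, from CAS or from Acegi: a small Java program that performs offline the checks the CAS server effectively needs when HttpBasedServiceCredentialsAuthenticationHandler calls back to the proxyCallbackUrl over HTTPS: the server certificate must be present as a trusted entry in the truststore the CAS JVM actually loads, its subject CN (or a subjectAltName dNSName) must equal the host in proxyCallbackUrl, and it must be inside its validity period. It assumes the Tomcat keystore and the cacerts file both use the default password changeit, that the server certificate sits under the alias tomcat, and that the cacerts path you pass is the one the CAS JVM really reads (a -Djavax.net.ssl.trustStore setting on that JVM would replace it). The class name, paths and alias are illustrative.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Offline check of what the CAS server's outbound HTTPS call to proxyCallbackUrl
 * needs from the callback host's certificate:
 *   (1) the certificate is a trusted entry in the truststore the CAS JVM uses,
 *   (2) its CN (or a SAN dNSName) equals the hostname in proxyCallbackUrl,
 *   (3) it is within its validity period.
 * Example code written for this page; not part of CAS, Acegi or Tomcat.
 *
 * Usage (paths and alias are assumptions, adjust to your install):
 *   java ProxyCallbackTrustCheck C:\keystore\.keystore tomcat ^
 *        "C:\Program Files\Java\jdk1.6.0_01\jre\lib\security\cacerts" nacdnws002l.northlandcc.net
 */
public class ProxyCallbackTrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: ProxyCallbackTrustCheck <tomcat-keystore> <alias> <cacerts> <callback-host>");
            System.exit(2);
        }
        // Both stores are assumed to use the JDK/Tomcat default password "changeit".
        KeyStore tomcat = load(args[0], "changeit");
        KeyStore cacerts = load(args[2], "changeit");
        String host = args[3];

        X509Certificate server = (X509Certificate) tomcat.getCertificate(args[1]);
        if (server == null) {
            System.out.println("FAIL: no certificate under alias '" + args[1] + "' in " + args[0]);
            System.exit(1);
        }
        System.out.println("Subject: " + server.getSubjectX500Principal().getName());

        // (1) trust: the exact DER bytes must be present in the truststore
        List<String> trustedAliases = aliasesHolding(cacerts, server);
        report("trusted by " + args[2] + " (same DER bytes)", !trustedAliases.isEmpty(),
               trustedAliases.isEmpty() ? "not present; import it into this exact file"
                                        : "found under aliases " + trustedAliases);

        // (2) hostname: what a hostname verifier compares against the URL host
        List<String> names = dnsNames(server);
        report("hostname " + host + " matches certificate", names.contains(host.toLowerCase()),
               "names in certificate: " + names);

        // (3) validity period
        boolean valid;
        try { server.checkValidity(); valid = true; } catch (Exception e) { valid = false; }
        report("within validity period", valid, server.getNotBefore() + " .. " + server.getNotAfter());
    }

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");   // both files in the thread are JKS keystores
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password.toCharArray()); } finally { in.close(); }
        return ks;
    }

    /** Aliases in {@code store} whose certificate is byte-for-byte the given one. */
    static List<String> aliasesHolding(KeyStore store, X509Certificate cert) throws Exception {
        List<String> hits = new ArrayList<String>();
        byte[] wanted = cert.getEncoded();
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = store.getCertificate(alias);
            if (c != null && Arrays.equals(wanted, c.getEncoded())) {
                hits.add(alias);
            }
        }
        return hits;
    }

    /** Lower-cased subject CN plus any SAN dNSName entries. */
    static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<String>();
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                names.add(rdn.getValue().toString().toLowerCase());
            }
        }
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // GeneralName tag 2 is dNSName (RFC 5280)
                if (Integer.valueOf(2).equals(san.get(0))) {
                    names.add(san.get(1).toString().toLowerCase());
                }
            }
        }
        return names;
    }

    static void report(String check, boolean ok, String detail) {
        System.out.println((ok ? "OK  : " : "FAIL: ") + check + " (" + detail + ")");
    }
}
```

Run it with the JDK that starts the CAS Tomcat, since that is the JVM whose cacerts matters. Two further points worth noting against the trace in the thread: the failure is raised by getPeerCertificateChain inside verifyHostname with "peer not authenticated", which means the handshake ended without a verified peer chain; that is the symptom of a certificate the JVM does not trust, whereas a CN mismatch is only detected after the chain has been obtained. And for a live view of the same decision, start the CAS Tomcat with -Djavax.net.debug=ssl,handshake (for example via CATALINA_OPTS): JSSE then logs which truststore file it loaded and the exact reason the server certificate was rejected, which is the direct answer to the "hostname mismatch? not found in keystore? in keystore but not trusted?" question.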

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20070619/4bcdb571/attachment.html 

