After I login CAS, it cannot redirect me to the application -- please help

Scott Battaglia scott.battaglia at gmail.com
Mon Feb 11 16:48:42 EST 2008


You need to add the certificate to your keystore (which is where it failed).
Find the JVM that you use to start up Tomcat and follow the keystore
instructions. The path should be something like
%JAVA_HOME%\jre\lib\security\cacerts

-Scott

On Feb 11, 2008 4:34 PM, Edward Chen <edwardc at wolfram.com> wrote:

> Hi,
>
> I am using XP and tomcat 5.5 to do the CAS
>
> Please help me trouble shoot/fix this. It's urgent.
>
> I follow the demo to install CAS demo from the following website
>
> http://www.ja-sig.org/wiki/display/CASUM/Demo
>
>
>     Step 1: Install JDK Version
>
> I am Ok with step 1
>
>
>     Step 2: Used keytool to self-author a server certificate for DEMO
>
>
> I have the following error
>
> .......
> .......
> C:\Program Files\Java\jre1.5.0_06\bin>keytool -export -alias tomcat -keypass changeit -file server.crt
> Enter keystore password:  changeit
> Certificate stored in file <server.crt>
>
> C:\Program Files\Java\jre1.5.0_06\bin>keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
> Enter keystore password:  changeit
> Owner: CN=edwardscwin.wri.wolfram.com, OU=R&D, O=WRI, L=Champaign, ST=IL, C=US
> Issuer: CN=edwardscwin.wri.wolfram.com, OU=R&D, O=WRI, L=Champaign, ST=IL, C=US
> Serial number: 47b0b802
> Valid from: Mon Feb 11 15:02:58 CST 2008 until: Sun May 11 16:02:58 CDT 2008
> Certificate fingerprints:
>        MD5:  45:25:94:AB:52:2B:F2:92:68:8F:F0:39:19:80:59:82
>        SHA1: 08:88:37:A1:1C:52:A5:33:0F:51:68:34:81:F9:DF:83:05:41:65:B6
> Trust this certificate? [no]:  yes
> Certificate was added to keystore
> keytool error: java.io.FileNotFoundException: ..\jre\lib\security\cacerts (The system cannot find the path specified)
>
> C:\Program Files\Java\jre1.5.0_06\bin>
>
>
>     Step 3: Install Tomcat
>
> I am ok with step 3
>
>
>     Step 4: Configure Tomcat server.xml
>
> I modify it with the following
>
> <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
> <Connector port="8443" maxHttpHeaderSize="8192"
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> acceptCount="100" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="C:/Documents and Settings/edwardc.WRI/.keystore"
> keystorePass="changeit"
> truststoreFile="C:/Program Files/Java/jre1.6.0_03/lib/security/cacerts" />
>
>
>     Step 5: CASify HelloWorld Servlet
>
> I modify as the following
>
> <filter>
> <filter-name>CAS Filter</filter-name>
> <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
> <init-param>
> <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
> <param-value>https://edwardscwin.wri.wolfram.com:8443/cas/login
> </param-value>
>
> </init-param>
> <init-param>
> <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
> <param-value>https://edwardscwin.wri.wolfram.com:8443/cas/serviceValidate
> </param-value>
>
> </init-param>
> <init-param>
> <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
> <param-value>edwardscwin.wri.wolfram.com:8080</param-value>
> </init-param>
> </filter>
>
> <filter-mapping>
> <filter-name>CAS Filter</filter-name>
> <url-pattern>/servlet/HelloWorldExample</url-pattern>
> </filter-mapping>
>
> Do I need to change/modify anything about edu.yale.its.tp.cas.client.filter?
>
>
>     Step 6: Drop CAS Client jar into the servlets-examples context
>
> I am ok with it
>
>
>     Step 7: Download and Deploy CAS
>
> I am ok. I can see the CAS login page and use uday to login with no
> problem.
>
>
>     Step 8. Clean start
>
> OK
>
>
>     step 9. TRY IT
>
>   * Use fresh browser session to access
>
>
> http://edwardscwin.wri.wolfram.com:8080/servlets-examples/servlet/HelloWorldExample
> ^
>
>     <http://compA:8080/servlets-examples/servlet/HelloWorldExample>
>   * Get past all browser alerts/warnings to CAS login page      OK to
>     see this login page
>   * Log in as uday/uday (or any username=password string)  OK
>   * Again see all sorts of alerts/warnings
>   * See Hello World...success. No, I don't see "Hello World". With the
>     following error
>
>
>  HTTP Status 500 -
>
> ------------------------------------------------------------------------
>
> *type* Exception report
>
> *message*
>
> *description* _The server encountered an internal error () that
> prevented it from fulfilling this request._
>
> *exception*
>
> javax.servlet.ServletException: Unable to validate ProxyTicketValidator
> [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> [edu.yale.its.tp.cas.client.ServiceTicketValidator
> casValidateUrl=[
> https://edwardscwin.wri.wolfram.com:8443/cas/serviceValidate]
> ticket=[ST-6-KccdFv1sOQLyAXZzobchx6hFodfADs6AVe6-20]
>
> service=[http%3A%2F%2Fedwardscwin.wri.wolfram.com%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample]
> renew=false]]]
>    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java
> :381)
>
>
> *root cause*
>
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
> validate ProxyTicketValidator
> [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> [edu.yale.its.tp.cas.client.ServiceTicketValidator
> casValidateUrl=[
> https://edwardscwin.wri.wolfram.com:8443/cas/serviceValidate]
> ticket=[ST-6-KccdFv1sOQLyAXZzobchx6hFodfADs6AVe6-20]
>
> service=[http%3A%2F%2Fedwardscwin.wri.wolfram.com%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample]
> renew=false]]]
>    edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
>    edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(
> CASFilter.java:455)
>
>    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java
> :378)
>
>
> *root cause*
>
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>    com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>    com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>    com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>    com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>    com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake
> (Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
>    sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect
> (Unknown
> Source)
>    sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown
> Source)
>    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream
> (Unknown
> Source)
>    edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>    edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(
> ServiceTicketValidator.java:212)
>
>    edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>    edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(
> CASFilter.java:455)
>
>    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java
> :378)
>
>
> *root cause*
>
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>    sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>    sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>    sun.security.validator.Validator.validate(Unknown Source)
>    com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted
> (Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted
> (Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>    com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake
> (Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
>    sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect
> (Unknown
> Source)
>    sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown
> Source)
>    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream
> (Unknown
> Source)
>    edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>    edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(
> ServiceTicketValidator.java:212)
>
>    edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>    edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(
> CASFilter.java:455)
>
>    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java
> :378)
>
>
> *root cause*
>
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>    sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
> Source)
>    java.security.cert.CertPathBuilder.build(Unknown Source)
>    sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>    sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>    sun.security.validator.Validator.validate(Unknown Source)
>    com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted
> (Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted
> (Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>    com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake
> (Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
>    com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
>    sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect
> (Unknown
> Source)
>    sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown
> Source)
>    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream
> (Unknown
> Source)
>    edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>    edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(
> ServiceTicketValidator.java:212)
>
>    edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>    edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(
> CASFilter.java:455)
>
>    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java
> :378)
>
>
> *note* _The full stack trace of the root cause is available in the
> Apache Tomcat/5.5.25 logs._
>
> ------------------------------------------------------------------------
>
>
>     Apache Tomcat/5.5.25



-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia