After I log in to CAS, it cannot redirect me to the application -- please help
Ole Ersoy
ole.ersoy at gmail.com
Mon Feb 11 20:56:04 EST 2008
Edward,
It looks like you are importing the certificate into the certificate store used by your 1.5.0_06 JVM installation, but you are running Tomcat with your 1.6.0_03 installation (which is what JAVA_HOME points to, and Tomcat uses this on startup).
You probably pointed Tomcat to the right .keystore file in the configuration; however, it talks to the JVM, so HTTPS is working. But when Tomcat goes and looks in the JVM's certificate store during the application-to-server handshake, it can't find it, so you are getting errors.
You did this:
C:\Program Files\Java\jre1.5.0_06\bin>keytool -import -file server.crt
I think you should be doing this:
C:\Program Files\Java\jre1.6.0_03\bin>keytool -import -file server.crt
And that should fix it.
Cheers,
- Ole
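Added example illustrating the check behind the advice above; this is not code from the thread, from CAS or from keytool. The outbound ticket-validation call in the trace (an HttpsURLConnection opened by edu.yale.its.tp.cas.util.SecureURL) validates the CAS server certificate against the JVM's default trust store: javax.net.ssl.trustStore if that system property is set, otherwise the cacerts file under %JAVA_HOME%\lib\security (a JDK nests that under jre\). The Connector's truststoreFile attribute only governs client-certificate authentication on the inbound 8443 connector, so what matters is the cacerts of the JVM Tomcat actually starts with. The Python 3 below resolves that path for a given JAVA_HOME and parses a Java keystore (JKS) file the way keytool -list -v does, including the password-based integrity digest, so you can confirm by SHA1 fingerprint that the CAS certificate is present in the store Tomcat's JVM reads. The two keystores, the certificate bytes and the aliases are constructed for the demo; on a real box, read the file returned by cacerts_path() instead.

```python
"""Which cacerts does the JVM read, and is the CAS server cert in it?

Added example, not code from the thread or from CAS.  It builds two
constructed JKS truststores in memory (one per JRE named in the thread)
and parses them as keytool -list would, so it runs offline.
"""
import hashlib
import io
import os
import struct

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
PRIVATE_KEY, TRUSTED_CERT = 1, 2
WHITENER = b"Mighty Aphrodite"   # fixed string the JKS integrity digest mixes in


def cacerts_path(java_home, isdir=os.path.isdir):
    """Default truststore for JAVA_HOME: a JDK nests its runtime under jre/,
    a stand-alone JRE does not.  The thread's first keytool run used the JDK
    layout on a JRE and got FileNotFoundException."""
    home = java_home.replace("\\", "/").rstrip("/")
    base = home + "/jre" if isdir(home + "/jre") else home
    return base + "/lib/security/cacerts"


def _utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf(f):
    (n,) = struct.unpack(">H", f.read(2))
    return f.read(n).decode("utf-8")


def _read_blob(f):
    (n,) = struct.unpack(">I", f.read(4))
    return f.read(n)


def _digest(password, body):
    """SHA-1 over (password as UTF-16BE || whitener || keystore bytes)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(WHITENER)
    h.update(body)
    return h.digest()


def build_truststore(certs, password):
    """Serialise {alias: DER bytes} as a JKS made of trusted-cert entries."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(certs))
    for alias, der in certs.items():
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias)
        body += struct.pack(">Q", 0)                 # creation time (ms)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _digest(password, body)


def sha1_fingerprint(der):
    """Same value keytool prints on its 'SHA1:' line for a certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def list_trusted(jks, password):
    """{alias: SHA1 fingerprint} for every trusted-cert entry, after the same
    integrity check keytool performs with the store password."""
    body, stored = jks[:-20], jks[-20:]
    if _digest(password, body) != stored:
        raise ValueError("keystore was tampered with, or password incorrect")
    f = io.BytesIO(body)
    magic, version, count = struct.unpack(">III", f.read(12))
    if (magic, version) != (JKS_MAGIC, JKS_VERSION):
        raise ValueError("not a JKS version 2 keystore")
    out = {}
    for _ in range(count):
        (tag,) = struct.unpack(">I", f.read(4))
        alias = _read_utf(f)
        f.read(8)                                    # creation time
        if tag == PRIVATE_KEY:                       # skip key and its chain
            _read_blob(f)
            (chain,) = struct.unpack(">I", f.read(4))
            for _ in range(chain):
                _read_utf(f)
                _read_blob(f)
            continue
        _read_utf(f)                                 # cert type, "X.509"
        out[alias] = sha1_fingerprint(_read_blob(f))
    return out


def trusts(jks, password, fingerprint):
    """True if a trusted-cert entry with that SHA1 fingerprint is present."""
    return fingerprint in list_trusted(jks, password).values()


# Constructed stand-ins for DER certificates (opaque bytes as far as JKS cares).
SERVER_DER = b"constructed DER: CN=edwardscwin.wri.wolfram.com, self-signed"
ROOT_DER = b"constructed DER: some bundled root CA"
SERVER_FP = sha1_fingerprint(SERVER_DER)
# cacerts of the JRE the cert was imported into vs. the JRE Tomcat runs on.
JRE15_CACERTS = build_truststore({"root": ROOT_DER, "mykey": SERVER_DER}, "changeit")
JRE16_CACERTS = build_truststore({"root": ROOT_DER}, "changeit")

if __name__ == "__main__":
    for label, store in (("jre1.5.0_06", JRE15_CACERTS), ("jre1.6.0_03", JRE16_CACERTS)):
        print(label, "trusts CAS server cert:", trusts(store, "changeit", SERVER_FP))
```

To compare against a real store, `keytool -list -v -keystore <path> -storepass changeit` prints the same SHA1 fingerprint per entry; the import is only effective when that path equals cacerts_path() of the JAVA_HOME Tomcat starts with.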
Edward Chen wrote:
> Here is
>
>
> C:\>echo %Java_home%
> C:\Program Files\Java\jre1.6.0_03
>
> C:\>echo %CATALINA_HOME%
> C:\Program Files\Apache Software Foundation\Tomcat 5.5
>
> C:\>
>
>
> Scott Battaglia wrote:
>> Is that your JAVA_HOME?
>>
>> If you type "set" at a command prompt, what does it say your JAVA_HOME is?
>>
>> On Feb 11, 2008 5:16 PM, Edward Chen <edwardc at wolfram.com> wrote:
>>
>> Hi, I got it with the following
>>
>> C:\Program Files\Java\jre1.5.0_06\bin>keytool -import -file server.crt -keypass changeit -keystore ..\lib\security\cacerts
>> Enter keystore password: changeit
>> Owner: CN=edwardscwin.wri.wolfram.com, OU=R&D, O=WRI, L=Champaign, ST=IL, C=US
>> Issuer: CN=edwardscwin.wri.wolfram.com, OU=R&D, O=WRI, L=Champaign, ST=IL, C=US
>> Serial number: 47b0b802
>> Valid from: Mon Feb 11 15:02:58 CST 2008 until: Sun May 11 16:02:58 CDT 2008
>> Certificate fingerprints:
>> MD5: 45:25:94:AB:52:2B:F2:92:68:8F:F0:39:19:80:59:82
>> SHA1: 08:88:37:A1:1C:52:A5:33:0F:51:68:34:81:F9:DF:83:05:41:65:B6
>> Trust this certificate? [no]: yes
>> Certificate was added to keystore
>>
>> C:\Program Files\Java\jre1.5.0_06\bin>
>>
>> But I still have the same error message when I input "uday" / "uday" and
>> it cannot redirect to "Hello World".
>>
>> Please continue to help
>>
>>
>> Scott Battaglia wrote:
>> > You need add the certificate to your keystore (which is where it
>> > failed). Find the JVM that you use to start up Tomcat and
>> follow the
>> > keystore instructions. The path should be something like
>> > %JAVA_HOME%\jre\lib\security\cacerts
>> >
>> > -Scott
>> >
>> > On Feb 11, 2008 4:34 PM, Edward Chen <edwardc at wolfram.com> wrote:
>> >
>> > Hi,
>> >
>> > I am using XP and tomcat 5.5 to do the CAS
>> >
>> > Please help me troubleshoot/fix this. It's urgent.
>> >
>> > I follow the demo to install CAS demo from the following website
>> >
>> > http://www.ja-sig.org/wiki/display/CASUM/Demo
>> >
>> >
>> > Step 1: Install JDK Version
>> >
>> > I am Ok with step 1
>> >
>> >
>> > Step 2: Used keytool to self-author a server certificate for DEMO
>> >
>> >
>> > I have the following error
>> >
>> > .......
>> > .......
>> > C:\Program Files\Java\jre1.5.0_06\bin>keytool -export -alias tomcat -keypass changeit -file server.crt
>> > Enter keystore password: changeit
>> > Certificate stored in file <server.crt>
>> >
>> > C:\Program Files\Java\jre1.5.0_06\bin>keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
>> > Enter keystore password: changeit
>> > Owner: CN=edwardscwin.wri.wolfram.com, OU=R&D, O=WRI, L=Champaign, ST=IL, C=US
>> > Issuer: CN=edwardscwin.wri.wolfram.com, OU=R&D, O=WRI, L=Champaign, ST=IL, C=US
>> > Serial number: 47b0b802
>> > Valid from: Mon Feb 11 15:02:58 CST 2008 until: Sun May 11 16:02:58 CDT 2008
>> > Certificate fingerprints:
>> > MD5: 45:25:94:AB:52:2B:F2:92:68:8F:F0:39:19:80:59:82
>> > SHA1: 08:88:37:A1:1C:52:A5:33:0F:51:68:34:81:F9:DF:83:05:41:65:B6
>> > Trust this certificate? [no]: yes
>> > Certificate was added to keystore
>> > keytool error: java.io.FileNotFoundException: ..\jre\lib\security\cacerts (The system cannot find the path specified)
>> >
>> > C:\Program Files\Java\jre1.5.0_06\bin>
>> >
>> >
>> > Step 3: Install Tomcat
>> >
>> > I am ok with step 3
>> >
>> >
>> > Step 4: Configure Tomcat server.xml
>> >
>> > I modify it with the following
>> >
>> > <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
>> > <Connector port="8443" maxHttpHeaderSize="8192"
>> >            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>> >            enableLookups="false" disableUploadTimeout="true"
>> >            acceptCount="100" scheme="https" secure="true"
>> >            clientAuth="false" sslProtocol="TLS"
>> >            keystoreFile="C:/Documents and Settings/edwardc.WRI/.keystore"
>> >            keystorePass="changeit"
>> >            truststoreFile="C:/Program Files/Java/jre1.6.0_03/lib/security/cacerts" />
>> >
>> >
>> > Step 5: CASify HelloWorld Servlet
>> >
>> > I modify as the following
>> >
>> > <filter>
>> >   <filter-name>CAS Filter</filter-name>
>> >   <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
>> >   <init-param>
>> >     <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
>> >     <param-value>https://edwardscwin.wri.wolfram.com:8443/cas/login</param-value>
>> >   </init-param>
>> >   <init-param>
>> >     <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
>> >     <param-value>https://edwardscwin.wri.wolfram.com:8443/cas/serviceValidate</param-value>
>> >   </init-param>
>> >   <init-param>
>> >     <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
>> >     <param-value>edwardscwin.wri.wolfram.com:8080</param-value>
>> >   </init-param>
>> > </filter>
>> >
>> > <filter-mapping>
>> >   <filter-name>CAS Filter</filter-name>
>> >   <url-pattern>/servlet/HelloWorldExample</url-pattern>
>> > </filter-mapping>
>> >
>> > Do I need to change/modify anything about edu.yale.its.tp.cas.client.filter?
>> >
>> >
>> > Step 6: Drop CAS Client jar into the servlets-examples context
>> >
>> > I am ok with it
>> >
>> >
>> > Step 7: Download and Deploy CAS
>> >
>> > I am ok. I can see the CAS login page and use uday to login with no problem.
>> >
>> >
>> > Step 8. Clean start
>> >
>> > OK
>> >
>> >
>> > step 9. TRY IT
>> >
>> > * Use fresh browser session to access
>> >   http://edwardscwin.wri.wolfram.com:8080/servlets-examples/servlet/HelloWorldExample
>> >   <http://compA:8080/servlets-examples/servlet/HelloWorldExample>
>> > * Get past all browser alerts/warnings to CAS login page: OK to see this login page
>> > * Log in as uday/uday (or any username=password string): OK
>> > * Again see all sorts of alerts/warnings
>> > * See Hello World...success. No, I don't see "Hello World". I get the following error
>> >
>> >
>> > HTTP Status 500 -
>> >
>> > ------------------------------------------------------------------------
>> >
>> > *type* Exception report
>> >
>> > *message*
>> >
>> > *description* _The server encountered an internal error () that prevented it from fulfilling this request._
>> >
>> > *exception*
>> >
>> > javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://edwardscwin.wri.wolfram.com:8443/cas/serviceValidate] ticket=[ST-6-KccdFv1sOQLyAXZzobchx6hFodfADs6AVe6-20] service=[http%3A%2F%2Fedwardscwin.wri.wolfram.com%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
>> >     edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)
>> >
>> > *root cause*
>> >
>> > edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://edwardscwin.wri.wolfram.com:8443/cas/serviceValidate] ticket=[ST-6-KccdFv1sOQLyAXZzobchx6hFodfADs6AVe6-20] service=[http%3A%2F%2Fedwardscwin.wri.wolfram.com%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
>> >     edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
>> >     edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>> >     edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>> >
>> > *root cause*
>> >
>> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> >     com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>> >     sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>> >     sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>> >     sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>> >     sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>> >     edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>> >     edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>> >     edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>> >     edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>> >     edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>> >
>> > *root cause*
>> >
>> > sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> >     sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>> >     sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>> >     sun.security.validator.Validator.validate(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>> >     sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>> >     sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>> >     sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>> >     sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>> >     edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>> >     edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>> >     edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>> >     edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>> >     edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>> >
>> > *root cause*
>> >
>> > sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> >     sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>> >     java.security.cert.CertPathBuilder.build(Unknown Source)
>> >     sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>> >     sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>> >     sun.security.validator.Validator.validate(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>> >     sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>> >     sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>> >     sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>> >     sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>> >     edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>> >     edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>> >     edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>> >     edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>> >     edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>> >
>> > *note* _The full stack trace of the root cause is available in the Apache Tomcat/5.5.25 logs._
>> >
>> > ------------------------------------------------------------------------
>> >
>> > Apache Tomcat/5.5.25
>> >
>> > _______________________________________________
>> > Yale CAS mailing list
>> > cas at tp.its.yale.edu
>> > http://tp.its.yale.edu/mailman/listinfo/cas
>> >
>> >
>> >
>> >
>> > --
>> > -Scott Battaglia
>> > PGP Public Key Id: 0x383733AA
>> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
>> >
>>
>