FW: cas cannot find the certificates for proxy
Faris Ahmed
Faris.Ahmed at infor.com
Wed Jul 9 06:20:28 EDT 2008
Hi Allan,
Thank you for your fast response. My problem is a little bit different from yours; in fact it is even easier!
I don’t have any CAS clients, I only have a CAS server e.g. https://MyCas:8446/cas/
On the same CAS server I use a proxyTicketReceptor like https://MyCas:8446/cas/proxyTicketReceptor/save.
Both applications work fine.
The problem is when I send a serviceValidate to MyCas and give the second URL as pgtUrl: the CAS server does not send any PGTIOU\PGT to the receptor! I think the reason is that the CAS server does not trust the receptor! But how can this be? The receptor is on the same CAS server!
I only know of two keystores: 1) the keystore located in the root of my apache-tomcat-5.5.26 folder, 2) cacerts in jre\lib\security.
Are there any other keystores?
Kind regards
Faris Ahmed | Development Project Manager | Infor | Tel: +49 (0) 6151 866 7814 | Fax: +49 (0) 6151 866 7088 | mailto:faris.ahmed at infor.com
Postal address: Infor Global Solutions Darmstadt GmbH | Landwehrstr. 50, 64293 Darmstadt | Registered office: Darmstadt | Commercial register: Amtsgericht Darmstadt, HRB 5556 | Managing directors: Jochen Kasper, Uwe Richter
________________________________
From: Allen Chen [mailto:chqh at scut.edu.cn]
Sent: Wednesday, July 09, 2008 4:17 AM
To: Faris Ahmed; cas
Subject: Re: FW: cas cannot find the certificates for proxy
Yes, I have already resolved the problem.
The web server where the CAS client is deployed must be configured to enable HTTPS. And you also have to add the client certificate to the CAS server's truststore, so that the CAS server trusts the proxy client and sends the PGT back to the proxy. The way I mentioned above can solve the "PKIX path building failed" exception.
<javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
For further information you can refer to the following URL; it tells you how to import the certs.
http://blogs.sun.com/andreas/entry/no_more_unable_to_find
If a problem other than "PKIX path building failed" or "bad credentials" turns up, there may be something wrong with CAS itself.
Hope that it can help. Good luck!
________________________________
Allen Chen
2008-07-09
________________________________
From: Faris Ahmed
Sent: 2008-07-09 00:10:33
To: chqh at scut.edu.cn
Cc:
Subject: FW: cas cannot find the certificates for proxy
Dear Allan,
I am wondering if you solved the SSL problem? I am working with CAS and have a similar problem. My CAS server does not the proxy callback URL, although the PGT URL is on the same CAS server!
Any ideas?
Kind regards
________________________________
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of Allen Chen
Sent: Tuesday, May 20, 2008 12:31 PM
To: cas
Subject: cas cannot find the certificates for proxy
I have two machines: rnd1.allen.com and rnd2.allen.com
rnd1.allen.com runs the CAS server, and all is OK!
rnd2.allen.com runs the CAS client, also OK when validating users, and SSL is enabled on port 8443.
But when I enable the proxy for CAS, the following error turns up in the CAS server:
2008-05-20 17:40:17,493 DEBUG [org.springframework.web.servlet.view.RedirectView] - <Rendering view with name 'null' with model {} and static attributes {}>
2008-05-20 17:40:18,212 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://rnd2.allen.com:7000/stest/>
2008-05-20 17:40:18,212 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Attempting to resolve credentials for https://rnd2.allen.com:8443/stest/proxyCallback>
2008-05-20 17:40:18,215 ERROR [org.jasig.cas.util.HttpClient] - <javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
....
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 44 more
2008-05-20 17:40:18,217 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://rnd2.allen.com:8443/stest/proxyCallback>
2008-05-20 17:40:18,217 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://rnd2.allen.com:8443/stest/proxyCallback>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
at cn.scut.edu.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:284)
....
at java.lang.Thread.run(Thread.java:595)
Caused by: error.authentication.credentials.bad
at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:113)
at cn.scut.edu.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:256)
... 26 more
I know the error "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" means that the CAS server cannot find the CA store, but I have already set -Djavax.net.ssl.trustStore in the Tomcat startup.sh:
JAVA_OPTS="-Djavax.net.ssl.trustStore=/export/home/ism/mycacerts $JAVA_OPTS"
export JAVA_OPTS
Why do I do that? Because if I don't set javax.net.ssl.trustStore in startup.sh, there is no way to get into the service management of the CAS server.
And I had also imported the certificate from server.crt of rnd2.allen.com into the CA certs "mycacerts" under another alias, "rnd2".
So I don't know why CAS cannot find the certificates.
Any tips? Thanks in advance.
________________________________
Allen Chen
2008-05-20
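Both failures in this thread come down to the same check: when the CAS server calls the pgtUrl over HTTPS, the JVM validates the certificate the callback presents against its truststore (the file named by -Djavax.net.ssl.trustStore, or jre/lib/security/cacerts when that property is unset). Tomcat's own keystore in the Tomcat root holds the server's private key for serving HTTPS and is not consulted for outbound trust, so a CAS server calling a receptor on its own host still needs that host's certificate (or its issuing CA) in the truststore. The following standalone diagnostic is an added example, not code from CAS or from anyone on the thread: it loads a named truststore, lists what it trusts, and replays the outbound TLS handshake to a pgtUrl so that "PKIX path building failed" can be reproduced outside CAS. The URL, truststore path and password are command-line arguments; the values in the usage comment (the proxyTicketReceptor URL and /export/home/ism/mycacerts from the thread, "changeit" as the JDK's default cacerts password) are illustrative assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Replays the outbound HTTPS call the CAS server makes to a proxy callback
 * (pgtUrl) against an explicitly named truststore, so that a
 * "PKIX path building failed" can be reproduced and explained outside CAS.
 *
 * Usage (hypothetical values taken from the thread; the password is assumed):
 *   java ProxyCallbackTrustCheck https://MyCas:8446/cas/proxyTicketReceptor/save \
 *        /export/home/ism/mycacerts changeit
 */
public class ProxyCallbackTrustCheck {

    /** Loads the truststore and prints every certificate entry it holds. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        System.out.println("Entries in " + path + ":");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                System.out.println("  " + alias
                        + (ks.isCertificateEntry(alias) ? " [trusted cert]" : " [key entry]")
                        + " subject=" + x.getSubjectX500Principal()
                        + " issuer=" + x.getIssuerX500Principal());
            }
        }
        return ks;
    }

    /** Returns true if the TLS handshake to pgtUrl succeeds using only this truststore. */
    static boolean handshakeTrusted(String pgtUrl, KeyStore trustStore) throws Exception {
        // Build an SSLContext that trusts exactly the entries in trustStore,
        // independent of whatever the JVM was started with.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(pgtUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            int status = conn.getResponseCode();   // forces the handshake
            Certificate[] chain = conn.getServerCertificates();
            System.out.println("Handshake OK (HTTP " + status + "); server leaf certificate: "
                    + ((X509Certificate) chain[0]).getSubjectX500Principal());
            return true;
        } catch (SSLHandshakeException ex) {
            // The failure CAS logs: no entry in the truststore anchors the presented chain.
            System.out.println("Handshake FAILED: " + ex.getMessage());
            return false;
        } catch (IOException ex) {
            // e.g. the hostname in the certificate does not match the host in pgtUrl
            System.out.println("Connection FAILED: " + ex.getMessage());
            return false;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ProxyCallbackTrustCheck <pgtUrl> <truststore> <password>");
            System.exit(2);
        }
        KeyStore ts = loadTrustStore(args[1], args[2].toCharArray());
        System.exit(handshakeTrusted(args[0], ts) ? 0 : 1);
    }
}
```

Run it once with the truststore you pass via -Djavax.net.ssl.trustStore and once with jre/lib/security/cacerts: if the listing shows the callback host's certificate (or its issuer) under an alias but the handshake still fails, the certificate being served on that port is not the one you imported; if the alias is missing, the import went into a different store than the one the CAS JVM reads. A hostname mismatch surfaces as the separate "Connection FAILED" branch rather than as a PKIX error.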