You need to get the certificate into whatever keystore Tomcat is using, and
it MUST have the alias "tomcat" associated with it. The link I included
before:

https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuration


should contain instructions for doing that. Keytool does understand .p12
certificates, so that should be fine.

Also, if your certificate requires an intermediate certificate between it
and the root certificate (I don't remember if Let's Encrypt certs do or
not, if that's what you're using), you'll need to combine the certificates,
in the correct order, before you import them into the keystore. I provided
instructions for combining certificates in my documentation here:

https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_configure-tlsssl-settings.html#importtokeystore


But that assumes PEM certificates and a Linux environment with OpenSSL; I
don't know the equivalent Windows commands (although if you've got OpenSSL
on your Windows server they should be similar; Google should be able to
help).

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

[image: The New School]
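The "PKIX path building failed ... unable to find valid certification path to requested target" error quoted further down in this thread is what a Java client reports when it cannot chain the server certificate to a trusted root, which is exactly what happens when an intermediate certificate was never combined into what was imported. The following Go program is an added example, not code from the thread or from Dave's documentation: it generates a root CA, an intermediate CA and a server certificate in memory (all key material is throwaway; only the host name scna-cas.cna.org.br is taken from the thread) and shows that path building succeeds only when the intermediate is supplied alongside the leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a three-level PKI generated in memory for this example (root CA,
// intermediate CA, server certificate); no real CA or host key is involved.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue creates a certificate for cn signed by parent/parentKey; a nil
// parent makes it self-signed (the root).
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // server cert: hostname checks use the SAN, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewChain builds root -> intermediate -> leaf for the given server host name.
func NewChain(host string) (*Chain, error) {
	root, rootKey, err := issue("Example Root CA", true, 1, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue("Example Intermediate CA", true, 2, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(host, false, 3, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// BuildPath does what a TLS client does with its trust store: chain the server
// certificate through whatever intermediates it was handed (what got imported
// into the keystore) up to a trusted root. nil means a path was found.
func BuildPath(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// MissingIntermediate reports whether err is the "no path to a trusted root"
// failure, the Go counterpart of Java's SunCertPathBuilderException.
func MissingIntermediate(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	ch, err := NewChain("scna-cas.cna.org.br") // host name from the thread
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf + intermediate:", BuildPath(ch.Leaf, []*x509.Certificate{ch.Intermediate}, ch.Root, "scna-cas.cna.org.br"))
	fmt.Println("leaf only:", BuildPath(ch.Leaf, nil, ch.Root, "scna-cas.cna.org.br"))
}
```

The "leaf only" call is the keystore-without-intermediate situation; the same check against the real chain (openssl verify with the combined PEM) is the quickest way to confirm the ordering before importing.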

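The service-registry fixes Dave proposes further down (adding :8443 to the serviceId patterns) and the cas.adminPagesSecurity.ip setting in Carlos's cas.properties both come down to regular-expression matching against the exact URL or address the client presents. The following Go program is an added example, not code from the thread or from CAS itself: it loads two constructed registry entries mirroring the cas-management entry with and without the port (ids and names are made up for the example), shows which URLs each accepts, picks the entry CAS would use by evaluationOrder, and checks client addresses against the admin-pages IP regex. CAS does this in Java, but the ^ and \z anchors mean the same thing in Go's RE2 syntax.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// RegisteredService holds the fields of a CAS JSON service registry entry that
// matter for URL matching; "@class" and "description" are ignored.
type RegisteredService struct {
	ServiceID       string `json:"serviceId"`
	Name            string `json:"name"`
	ID              int64  `json:"id"`
	EvaluationOrder int    `json:"evaluationOrder"`
	pattern         *regexp.Regexp
}

// Registry files constructed for this example, mirroring the two versions of
// the cas-management entry in the thread (without and with :8443). In JSON,
// "\\z" decodes to the regex token \z (absolute end of input), which Go's RE2
// syntax supports with the same meaning as Java's.
const noPortJSON = `{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://scna-cas.cna.org.br/cas-management(\\z|/.*)",
  "name" : "CAS Services Management (no port)",
  "id" : 1517578442,
  "evaluationOrder" : 5500
}`

const withPortJSON = `{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://scna-cas.cna.org.br:8443/cas-management(\\z|/.*)",
  "name" : "CAS Services Management",
  "id" : 1517578443,
  "evaluationOrder" : 5000
}`

// LoadService parses one registry file and compiles its serviceId pattern.
func LoadService(raw string) (*RegisteredService, error) {
	var svc RegisteredService
	if err := json.Unmarshal([]byte(raw), &svc); err != nil {
		return nil, fmt.Errorf("parse registry entry: %w", err)
	}
	re, err := regexp.Compile(svc.ServiceID)
	if err != nil {
		return nil, fmt.Errorf("serviceId %q: %w", svc.ServiceID, err)
	}
	svc.pattern = re
	return &svc, nil
}

// Matches reports whether the service URL a client presents is accepted by this
// entry: scheme, host, port and path must all agree with the pattern.
func (s *RegisteredService) Matches(serviceURL string) bool {
	return s.pattern.MatchString(serviceURL)
}

// FindService evaluates entries in ascending evaluationOrder and returns the
// first match, or nil when the URL is not registered (CAS then rejects it).
func FindService(services []*RegisteredService, serviceURL string) *RegisteredService {
	sorted := append([]*RegisteredService(nil), services...)
	sort.SliceStable(sorted, func(i, j int) bool {
		return sorted[i].EvaluationOrder < sorted[j].EvaluationOrder
	})
	for _, s := range sorted {
		if s.Matches(serviceURL) {
			return s
		}
	}
	return nil
}

// adminPagesIP is the cas.adminPagesSecurity.ip value from the thread; the
// doubled backslashes of the .properties file collapse to single ones here.
var adminPagesIP = regexp.MustCompile(`^10\.1\.(3\.[0-9]{1,3}|0\.[12]0)$`)

// AdminPagesAllowed reports whether a client address may reach /cas/status
// without logging in, per that regex.
func AdminPagesAllowed(clientIP string) bool {
	return adminPagesIP.MatchString(clientIP)
}

func main() {
	for _, raw := range []string{noPortJSON, withPortJSON} {
		svc, err := LoadService(raw)
		if err != nil {
			panic(err)
		}
		u := "https://scna-cas.cna.org.br:8443/cas-management"
		fmt.Printf("%-38s matches %s: %v\n", svc.Name, u, svc.Matches(u))
	}
}
```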
On Tue, Feb 6, 2018 at 6:39 AM, Carlos Eduardo Santos <carlos.santo...@gmail.com> wrote:

> Sirs, I was able to create a certificate on the Windows server with a
> "real" certificate, served as "scna-cas.pfx"; I saw that I can only
> change the format to p12.
> Now, can I give it the nickname "tomcat" and add it to the keystore, so
> that Tomcat/CAS can use it?
> Is this problem not linked to the "thekeystore" configured in
> application.properties?
>
> Attached the cas.log with the complete error.
>
> On Monday, February 5, 2018 at 18:16:44 UTC-2, David Curry wrote:
>>
>>
>> > Can you identify with this passage what the problem with the
>> certificate really is ?
>>
>> I'm GUESSING here, but "unable to find valid certification path to
>> requested target" suggests to me that the server cannot find one or more of
>> the certificates in the chain between the certificate authority and your
>> certificate.
>>
>> If you're using a self-signed certificate, that probably means it can't
>> find the certificate itself. (If you were using a "real" certificate from a
>> certificate authority, it would probably mean that you haven't loaded one
>> or more of the CA's intermediate certificates.)
>>
>> Did you give the certificate the "tomcat" alias when you installed it in
>> your keystore?
>>
>> You might want to check the directions here:
>>
>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuration
>>
>>
>> (Skip over the first blue box that shows an openssl command, and start
>> reading at the paragraph beginning "To create a new JKS keystore from
>> scratch...")
>>
>> --Dave
>>
>> On Mon, Feb 5, 2018 at 2:28 PM, Carlos Eduardo Santos <carlos....@gmail.com> wrote:
>>
>>> I did the procedure that was indicated, but I still receive the "500:
>>> Internal Server Error". I will try now with the Let's Encrypt certificate
>>> to see if it works.
>>>
>>> 2018-02-05 17:02:15,397 ERROR [org.jasig.cas.client.util.CommonUtils] - <sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>
>>> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_161]
>>>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) ~[?:1.8.0_161]
>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) ~[?:1.8.0_161]
>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:1.8.0_161]
>>> ...
>>>
>>> Can you identify from this passage what the problem with the certificate
>>> really is?
>>>
>>> Thanks again!! :(
>>>
>>>
>>> On Friday, February 2, 2018 at 17:55:14 UTC-2, David Curry wrote:
>>>
>>>>
>>>> That's not a CAS-specific problem; it looks like something is wrong
>>>> with your TLS/SSL certificate or your keystore.
>>>>
>>>> Does your server certificate have "scna-cas.cna.org.br" as its host
>>>> name (CN)?
>>>>
>>>> Did you include any/all intermediate/root certificates in the
>>>> certificate you imported into the keystore?
>>>>
>>>> Did you name the certificate "tomcat" in the keystore?
>>>>
>>>> Did you configure Tomcat's HTTPS connector to use the keystore that
>>>> contains your certificate?
>>>>
>>>>
>>>> This is all covered here: https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_configure-tlsssl-settings.html
>>>>
>>>> Note that those instructions assume you're going to use a "real"
>>>> certificate signed by a certificate authority, not a self-signed
>>>> certificate. You can use self-signed certificates if you really want to,
>>>> but if you do, you can skip all the steps in the first two sections of the
>>>> link above ("Generate a private key..." and "Import the certificate...")
>>>> and just do something like this instead:
>>>>
>>>> # *cd /opt/tomcat*
>>>> # *keytool -genkey -alias tomcat -keyalg RSA -validity 365 -keystore keystore.jks*
>>>> Enter keystore password: *changeit*
>>>> Re-enter new password: *changeit*
>>>> What is your first and last name?
>>>>    [Unknown]:  *scna-cas.cna.org.br*
>>>>              *(enter the fully qualified domain name of your server here)*
>>>> What is the name of your organizational unit?
>>>>    [Unknown]:  *Test*
>>>> What is the name of your organization?
>>>>    [Unknown]:  *Test*
>>>> What is the name of your City or Locality?
>>>>    [Unknown]:  *Test*
>>>> What is the name of your State or Province?
>>>>    [Unknown]:  *Test*
>>>> What is the two-letter country code for this unit?
>>>>    [Unknown]:  *Test*
>>>> Is CN=scna-cas.cna.org.br, OU=Test, O=Test, L=Test, ST=Test, C=Test correct?
>>>>    [no]:  *yes*
>>>>
>>>> Enter key password for <tomcat>
>>>>          (RETURN if same as keystore password):  *(press RETURN)*
>>>> #
>>>>
>>>>
>>>> Then continue with the "Configure Tomcat server settings" section of
>>>> the page linked above.
>>>>
>>>> If you can't or don't want to purchase a "real" certificate from a
>>>> certificate authority, you might also consider using a certificate from
>>>> Let's Encrypt, which is free (but must be renewed every 90 days). This will
>>>> behave more like a "real" certificate and avoid many of the annoyances that
>>>> you'll experience with self-signed certificates. Google "lets encrypt
>>>> tomcat 8" for guidance on how to do that.
>>>>
>>>>
>>>> --Dave
>>>>
>>>> On Fri, Feb 2, 2018 at 2:20 PM, Carlos Eduardo Santos <carlos....@gmail.com> wrote:
>>>>
>>>>> I followed the document, leaving out only the load balancer stage, but it
>>>>> seems to leave some more things behind.
>>>>> Now I can access the page, but look at the error that is shown on both
>>>>> pages.
>>>>>
>>>>>
>>>>> <https://lh3.googleusercontent.com/-nvLZpItYYVE/WnS4cia0GrI/AAAAAAAAYeI/zJvDCms5zQkcmD8H1CEbaf23QJTPWUm7QCLcBGAs/s1600/error%2Bdashboard.jpg>
>>>>>
>>>>>
>>>>> <https://lh3.googleusercontent.com/-saw5lPlffik/WnS4xMasJ5I/AAAAAAAAYeM/F1_fjv23bQkaSTnVOujPOyaZ8Ft00IClwCLcBGAs/s1600/error%2Bcas-management.jpg>
>>>>>
>>>>>
>>>>> On Friday, February 2, 2018 at 16:38:35 UTC-2, David Curry wrote:
>>>>>
>>>>>> Hi Carlos,
>>>>>>
>>>>>> The document was written to take a "baby steps" approach of getting
>>>>>> one feature/function working at a time to make it easier to understand
>>>>>> what's going on and to diagnose problems. You've jumped ahead several
>>>>>> steps, which you can of course do, but you might want to go back and
>>>>>> review earlier sections to make sure you have performed all the
>>>>>> configuration steps that the later sections assume have been done.
>>>>>>
>>>>>> BUT... to try and get what you already have working, I think these
>>>>>> steps should get you most of the way there:
>>>>>>
>>>>>> 1. Open the server firewall to allow TCP connections on Port 443.
>>>>>>
>>>>>> 2. If you haven't already done so, create/obtain a TLS/SSL
>>>>>> certificate and install it in Tomcat's keystore.
>>>>>>
>>>>>> 3. Adjust cas.properties to contain:
>>>>>>
>>>>>> cas.server.name = https://scna-cas.cna.org.br:8443
>>>>>> cas.server.prefix = ${cas.server.name}/cas
>>>>>>
>>>>>>
>>>>>> 4. Change the service registry file for the dashboard to contain
>>>>>>
>>>>>> "serviceId" : "^https://scna-cas.cna.org.br:8443/cas/status/dashboard(\\z|/.*)",
>>>>>>
>>>>>>
>>>>>> 5. Change the service registry file for the management webapp to
>>>>>> contain
>>>>>>
>>>>>> "serviceId" : "^https://scna-cas.cna.org.br:8443/cas-management(\\z|/.*)",
>>>>>>
>>>>>>
>>>>>> 6. Direct your web browser (or curl) to
>>>>>>
>>>>>> https://scna-cas.cna.org.br:8443/cas/status
>>>>>> https://scna-cas.cna.org.br:8443/cas/status/dashboard
>>>>>> https://scna-cas.cna.org.br:8443/cas-management
>>>>>>
>>>>>>
>>>>>>
>>>>>> If that still doesn't work, it honestly might be easier to go back
>>>>>> and work step-by-step from the beginning. Instructions (as well as
>>>>>> examples you can copy-and-paste to edit) for creating service registry
>>>>>> files without the webapp, etc. are all provided.
>>>>>>
>>>>>> You don't have to set up a load balancer or proxy (although that's
>>>>>> the environment the document assumes); you can configure the firewall to
>>>>>> forward 443 to 8443 instead with something like
>>>>>>
>>>>>> firewall-cmd --permanent --add-forward-port=port=443:proto=tcp:toport=8443
>>>>>>
>>>>>>
>>>>>> or you can configure Tomcat to do it.
>>>>>>
>>>>>> --Dave
>>>>>>
>>>>>> On Fri, Feb 2, 2018 at 12:05 PM, Carlos Eduardo Santos <carlos....@gmail.com> wrote:
>>>>>>
>>>>>>> Yes David, I'm following the steps of your documentation, and yes, I
>>>>>>> did not do the load balancer part.
>>>>>>>
>>>>>>> I could not create other services; these two mentioned would be the
>>>>>>> basis for me to try to create others through the web interface.
>>>>>>> David, without the load balancer, are you saying that the services
>>>>>>> would have to look like this?
>>>>>>>
>>>>>>> {
>>>>>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>>>>>   "serviceId" : "^https://scna-cas.cna.org.br:8443/cas-management(\\z|/.*)",
>>>>>>>   "name" : "CAS Services Management",
>>>>>>>   "id" : 1517578442,
>>>>>>>   "description" : "CAS services management webapp",
>>>>>>>   "evaluationOrder" : 5500
>>>>>>> }
>>>>>>>
>>>>>>> And would I have to change the server in cas.properties to
>>>>>>> cas.server.name = scna-cas.cna.org.br:8443
>>>>>>>
>>>>>>> I tried with the service changed as above and it did not work either.
>>>>>>>
>>>>>>> Below is the output of the netstat command.
>>>>>>>
>>>>>>> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>>>>>>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1193/sshd
>>>>>>> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1902/master
>>>>>>> tcp6       0      0 :::22                   :::*                    LISTEN      1193/sshd
>>>>>>> tcp6       0      0 ::1:25                  :::*                    LISTEN      1902/master
>>>>>>> tcp6       0      0 :::8443                 :::*                    LISTEN      19813/jsvc.exec
>>>>>>>
>>>>>>> On Friday, February 2, 2018 at 13:22:23 UTC-2, David Curry wrote:
>>>>>>>>
>>>>>>>> Carlos,
>>>>>>>>
>>>>>>>> Can you confirm that your CAS server is otherwise working -- you
>>>>>>>> can use it to authenticate other services besides the dashboard and
>>>>>>>> services management webapp? Or is nothing working?
>>>>>>>>
>>>>>>>> If you are getting ERR_CONN_REFUSED, then your client (browser or
>>>>>>>> whatever) is trying to connect to a host/port where nothing is
>>>>>>>> listening. What do you see if you run
>>>>>>>>
>>>>>>>> sudo netstat -plnt
>>>>>>>>
>>>>>>>>
>>>>>>>> on the CAS server?
>>>>>>>>
>>>>>>>> Based on some of your settings, it looks like perhaps you're
>>>>>>>> following the steps in my "Deploying Apereo CAS" documentation. Is
>>>>>>>> that the case? And if it is, did you follow the document from the
>>>>>>>> beginning, including setting up a load balancer in front of the server?
>>>>>>>>
>>>>>>>> Because by default, Tomcat/CAS listens on port 8443 (not 443). My
>>>>>>>> document installs a load balancer in front of multiple CAS servers; the
>>>>>>>> load balancer listens on port 443 and connects to a CAS server on port
>>>>>>>> 8443. If you skipped over the part about installing a load balancer
>>>>>>>> (or a proxy) to do the 443->8443 translation, then your CAS server URLs
>>>>>>>> should start with
>>>>>>>>
>>>>>>>> https://scna-cas.cna.org.br*:8443*/cas/....
>>>>>>>>
>>>>>>>>
>>>>>>>> (Or you could change the Tomcat configuration to listen on port 443
>>>>>>>> instead of 8443.)
>>>>>>>>
>>>>>>>> --Dave
>>>>>>>>
>>>>>>>> On Fri, Feb 2, 2018 at 9:56 AM, Carlos Eduardo Santos <carlos....@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> I'm using https in all files, as can be seen below.
>>>>>>>>> Do you have any records I can check to see if the service registry is
>>>>>>>>> working properly?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> CASServiceManagement-1517578442.json
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>>>>>>>   "serviceId" : "^https://scna-cas.cna.org.br/cas-management(\\z|/.*)",
>>>>>>>>>   "name" : "CAS Services Management",
>>>>>>>>>   "id" : 1517578442,
>>>>>>>>>   "description" : "CAS services management webapp",
>>>>>>>>>   "evaluationOrder" : 5500
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> CASAdminDashboard-1517507674.json
>>>>>>>>> {
>>>>>>>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>>>>>>>   "serviceId" : "^https://scna-cas.cna.org.br/cas/status/dashboard(\\z|/.*)",
>>>>>>>>>   "name" : "CAS Admin Dashboard",
>>>>>>>>>   "id" : 1517507674,
>>>>>>>>>   "description" : "CAS dashboard and administrative endpoints",
>>>>>>>>>   "evaluationOrder" : 5000
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> On Friday, February 2, 2018 at 12:37:10 UTC-2, David Curry wrote:
>>>>>>>>>>
>>>>>>>>>> The dashboard and cas-management are two completely different
>>>>>>>>>> things; I suggest focusing on one at a time.
>>>>>>>>>>
>>>>>>>>>> If you're getting ERR_CONNECTION_REFUSED, that means there is
>>>>>>>>>> nothing listening on the server/port you're trying to connect to.
>>>>>>>>>>
>>>>>>>>>> Are you using HTTPS or HTTP?
>>>>>>>>>>
>>>>>>>>>> The config file you posted before had "http", but your service
>>>>>>>>>> registry has "https". You need to be using the same thing
>>>>>>>>>> everywhere, and then connecting to the right port.
>>>>>>>>>>
>>>>>>>>>> --Dave
>>>>>>>>>>
>>>>>>>>>> On Fri, Feb 2, 2018 at 9:32 AM, Carlos Eduardo Santos <carlos....@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi David,
>>>>>>>>>>> I can only get /status/.
>>>>>>>>>>> Now the dashboard and cas-management are giving the error
>>>>>>>>>>> "ERR_CONNECTION_REFUSED". I have firewalld disabled and SELinux too,
>>>>>>>>>>> so I have no problem with that.
>>>>>>>>>>> I cannot identify where the mistake is.
>>>>>>>>>>> - cas-management.log is not registering anything.
>>>>>>>>>>> - The admusers.properties file has the 2 users below.
>>>>>>>>>>> gnarls=passwordnotused,ROLE_ADMIN
>>>>>>>>>>> carlos.alves=passwordnotused,ROLE_ADMIN
>>>>>>>>>>> - The CASAdminDashboard-1517507674.json service is as described
>>>>>>>>>>> below.
>>>>>>>>>>> {
>>>>>>>>>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>>>>>>>>>   "serviceId" : "^https://scna-cas.cna.org.br/cas/status/dashboard(\\z|/.*)",
>>>>>>>>>>>   "name" : "CAS Admin Dashboard",
>>>>>>>>>>>   "id" : 1517507674,
>>>>>>>>>>>   "description" : "CAS dashboard and administrative endpoints",
>>>>>>>>>>>   "evaluationOrder" : 5000
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Friday, February 2, 2018 at 11:30:27 UTC-2, David Curry wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Carlos,
>>>>>>>>>>>>
>>>>>>>>>>>> The only mistake I see here is that on the second line,
>>>>>>>>>>>> cas.server.prefix should be getting set to ${cas.server.name}/cas,
>>>>>>>>>>>> not ${server.name}/cas.
>>>>>>>>>>>>
>>>>>>>>>>>> As for the adminPages configuration, based on what you've
>>>>>>>>>>>> provided, you should be able to access
>>>>>>>>>>>>
>>>>>>>>>>>> http[s]://your.cas.server/cas/status
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> from any IP address in 10.1.3.0/24 or from 10.1.0.10, or from
>>>>>>>>>>>> 10.1.0.20. You should be able to do this using either a web
>>>>>>>>>>>> browser or even just curl, without any further authentication
>>>>>>>>>>>> required, and get a small plain-text page back that contains the
>>>>>>>>>>>> server status, version, etc. The result should look something like this:
>>>>>>>>>>>>
>>>>>>>>>>>> % curl https://casdev.newschool.edu/cas/status
>>>>>>>>>>>>
>>>>>>>>>>>> Health: OK
>>>>>>>>>>>>
>>>>>>>>>>>> 1.SessionMonitor: OK - 1 sessions. 0 service tickets.
>>>>>>>>>>>>
>>>>>>>>>>>> 2.MemoryMonitor: OK - 1452.29MB free (79.77%), 368.32MB used,
>>>>>>>>>>>> 1820.61MB total.
>>>>>>>>>>>>
>>>>>>>>>>>> Host: casdev-srv01
>>>>>>>>>>>> Server: https://casdev.newschool.edu
>>>>>>>>>>>> Version: 5.2.2
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Does that part work? If so, move on to the next part. If not,
>>>>>>>>>>>> set <Property name="cas.log.level" >*debug*</Property> near
>>>>>>>>>>>> the top of log4j2.xml, restart the server, and check cas.log.
>>>>>>>>>>>>
>>>>>>>>>>>> If the above is working, then you should also be able to access
>>>>>>>>>>>>
>>>>>>>>>>>> http[s]://your.cas.server/cas/status/dashboard
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> and have the CAS login page appear. Don't forget that in order
>>>>>>>>>>>> for this to work, you need to create an entry in the service
>>>>>>>>>>>> registry for the dashboard URL:
>>>>>>>>>>>>
>>>>>>>>>>>> "serviceId" : "^https://your.cas.server/cas/status/dashboard(\\z|/.*)",
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Does that part work? If so, move on to the next part. If not,
>>>>>>>>>>>> it's probably a service registry problem.
>>>>>>>>>>>>
>>>>>>>>>>>> If the above is working, then you should authenticate to the
>>>>>>>>>>>> CAS server as a user you've listed in admusers.properties.
>>>>>>>>>>>> This file should have lines like
>>>>>>>>>>>>
>>>>>>>>>>>> username=passwordnotused,ROLE_ADMIN
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Where username is the user's LDAP user name (sAMAccountName in
>>>>>>>>>>>> your setup). The user should use his/her LDAP password.
>>>>>>>>>>>>
>>>>>>>>>>>> Does that part work? If not, check the debug logs, or report
>>>>>>>>>>>> back here with the error message(s) you're seeing.
>>>>>>>>>>>>
>>>>>>>>>>>> Good luck,
>>>>>>>>>>>> --Dave
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Feb 2, 2018 at 7:54 AM, Carlos Eduardo Santos <carlos....@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> /status/dashboard - Page not found.
>>>>>>>>>>>>> Hello everyone, I have been trying to configure the CAS server
>>>>>>>>>>>>> for a few days (following all the information from "the new
>>>>>>>>>>>>> school"). The information is very clear, but I could not access
>>>>>>>>>>>>> anything beyond /status/.
>>>>>>>>>>>>> The status page I can view; the dashboard, for example, shows
>>>>>>>>>>>>> nothing.
>>>>>>>>>>>>> Below is the configuration of cas.properties
>>>>>>>>>>>>>
>>>>>>>>>>>>> cas.server.name = http://xxxxxxxxxxxxxx
>>>>>>>>>>>>> cas.server.prefix = ${server.name}/cas
>>>>>>>>>>>>> cas.tgc.secure = true
>>>>>>>>>>>>> cas.tgc.encryptionKey = DCETkZ33-A7TETvjgZ24J_o2xQkyQxc0FCFa725ubnY
>>>>>>>>>>>>> cas.tgc.signingKey = 8y-RtN0Ny3VF9DAkNQPvIeXXkHtTetFu9bEcG5G7F95ckmSdvE9ZdMSbVCRvBEmwJv_Bbr7wBIfsCrXdo-IytQ
>>>>>>>>>>>>> cas.webflow.crypto.signing.key = J4qjH74TlZY5Ic6GTnblZbwKN4Ye1mBuMEr-a3_DNpakNbmkX0LUmXGQ30oetbf8N_dNXsG_rdjWyXUOen1mEA
>>>>>>>>>>>>> cas.webflow.crypto.encryption.key = dE1URfP5K6nvFtnUgBppQw==
>>>>>>>>>>>>> cas.authn.accept.users =
>>>>>>>>>>>>> logging.config = file:/etc/cas/config/log4j2.xml
>>>>>>>>>>>>> cas.serviceRegistry.config.location = file:/etc/cas/services
>>>>>>>>>>>>> cas.authn.accept.users =
>>>>>>>>>>>>> cas.authn.ldap[0].order = 0
>>>>>>>>>>>>> cas.authn.ldap[0].name = Active Directory
>>>>>>>>>>>>> cas.authn.ldap[0].type = AUTHENTICATED
>>>>>>>>>>>>> cas.authn.ldap[0].ldapUrl = ldap://10.1.0.48:389
>>>>>>>>>>>>> cas.authn.ldap[0].userFilter = sAMAccountName={user}
>>>>>>>>>>>>> cas.authn.ldap[0].useSsl = false
>>>>>>>>>>>>> cas.authn.ldap[0].baseDn = OU=CNANET,DC=cna,DC=org,DC=br
>>>>>>>>>>>>> cas.authn.ldap[0].dnFormat = uid=%s,ou=people,dc=example,dc=org
>>>>>>>>>>>>> cas.authn.ldap[0].subtreeSearch = true
>>>>>>>>>>>>> cas.authn.ldap[0].bindDn = cn=xxxxx,cn=Users,dc=xxx,dc=org,dc=br
>>>>>>>>>>>>> cas.authn.ldap[0].bindCredential = xxxxxxx
>>>>>>>>>>>>> cas.adminPagesSecurity.actuatorEndpointsEnabled = true
>>>>>>>>>>>>> cas.monitor.endpoints.enabled = true
>>>>>>>>>>>>> endpoints.enabled = true
>>>>>>>>>>>>> cas.adminPagesSecurity.ip = ^10\\.1\\.(3\\.[0-9]{1,3}|0\\.[12]0)$
>>>>>>>>>>>>> cas.monitor.endpoints.sensitive = false
>>>>>>>>>>>>> endpoints.sensitive = false
>>>>>>>>>>>>> cas.adminPagesSecurity.loginUrl = ${cas.server.prefix}/login
>>>>>>>>>>>>> cas.adminPagesSecurity.service = ${cas.server.prefix}/status/dashboard
>>>>>>>>>>>>> cas.adminPagesSecurity.users = file:/etc/cas/config/admusers.properties
>>>>>>>>>>>>> cas.adminPagesSecurity.adminRoles[0] = ROLE_ADMIN
>>>>>>>>>>>>> ##############
>>>>>>>>>>>>> ##############
>>>>>>>>>>>>> I'm trying to open cas.adminPagesSecurity.ip for the
>>>>>>>>>>>>> 10.1.3.0/24 network, but I do not know if that's the right way.
>>>>>>>>>>>>> I've tried to follow another topic that talks about it, but
>>>>>>>>>>>>> without success.
>>>>>>>>>>>>> Please, can someone help me!!!
>>>>>>>>>>>>> Thank you.
>>>>>>>>>>>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPJ9Zn-jQzWNd-EPisTmviDy05g6_B434ispNTDRK%2ByaA%40mail.gmail.com.