Jen,
You will need to install custom certs on both sides (CAS and cas-management).
The JVM is responsible for certificate processing; Tomcat only needs to know
where the certificate is so it can send it to the browser.
sudo keytool -import -file ${certName} -alias ${aliasName} -keystore $JAVA_HOME/jre/lib/security/cacerts
https://apereo.github.io/cas/developer/Build-Process-5X.html#configure-ssl
Ray
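A script that automates the keytool step above, added here as an example and not part of the thread or the CAS project: it locates the JVM truststore (Java 8 keeps cacerts under jre/lib/security, Java 9 and later under lib/security), skips an alias that is already present, imports the certificate and then checks that the entry really exists as a trusted certificate. It assumes keytool on PATH, JAVA_HOME set, and the default cacerts password "changeit".

```shell
#!/bin/sh
# Added example (not from the thread or the CAS project): automate the keytool
# import of a CAS server certificate into the JVM truststore and verify it.
# Assumes keytool on PATH, JAVA_HOME set, and the default cacerts password.
set -eu

# Java 8 keeps cacerts under jre/lib/security; Java 9+ moved it to lib/security.
find_cacerts() {
  for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
    if [ -f "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  echo "no cacerts found under $1" >&2
  return 1
}

# Import certificate file $2 under alias $3 into truststore $1 (password $4,
# default "changeit"), skipping if the alias exists, then verify the entry.
import_ca_cert() {
  store=$1; cert=$2; alias=$3; storepass=${4:-changeit}
  if keytool -list -keystore "$store" -storepass "$storepass" \
       -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already present in $store, skipping"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -file "$cert" -alias "$alias" \
    -keystore "$store" -storepass "$storepass"
  # Confirm the entry landed as a trusted certificate, not just that keytool exited 0.
  keytool -list -keystore "$store" -storepass "$storepass" -alias "$alias" \
    | grep -q trustedCertEntry
}

# Usage: sh import-cas-cert.sh /path/to/cas-server.crt cas-server
# Run it against the cas-management JVM as well as the CAS JVM.
if [ $# -ge 2 ]; then
  import_ca_cert "$(find_cacerts "${JAVA_HOME:?JAVA_HOME must be set}")" "$1" "$2"
fi
```

The JVM must be restarted after the import, since the truststore is read once at startup.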
On Fri, 2018-05-18 at 08:20 -0700, Jennifer LaVoie wrote:
Yes. I understand the distinction... I was typing quickly :)
I do get an error in my cas-management log about SSL, but my regular
/cas/login link loads just fine (self-signed cert on this particular server):
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[?:1.8.0_171]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:1.8.0_171]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_171]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_171]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:1.8.0_171]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:1.8.0_171]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ~[?:1.8.0_171]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_171]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:1.8.0_171]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) ~[?:1.8.0_171]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:1.8.0_171]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:1.8.0_171]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:1.8.0_171]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:1.8.0_171]
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:1.8.0_171]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.8.0_171]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564) ~[?:1.8.0_171]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) ~[?:1.8.0_171]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263) ~[?:1.8.0_171]
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:431) ~[cas-client-core-3.4.1.jar:3.4.1]
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41) ~[cas-client-core-3.4.1.jar:3.4.1]
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193) ~[cas-client-core-3.4.1.jar:3.4.1]
    at org.pac4j.cas.credentials.authenticator.CasAuthenticator.validate(CasAuthenticator.java:61) ~[pac4j-cas-2.2.0.jar:?]
    at org.pac4j.cas.client.direct.DirectCasClient.retrieveCredentials(DirectCasClient.java:68) ~[pac4j-cas-2.2.0.jar:?]
    at org.pac4j.cas.client.direct.DirectCasClient.retrieveCredentials(DirectCasClient.java:37) ~[pac4j-cas-2.2.0.jar:?]
    at org.pac4j.core.client.DirectClient.getCredentials(DirectClient.java:44) ~[pac4j-core-2.2.0.jar:?]
    at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:113) ~[pac4j-core-2.2.0.jar:?]
    ... 72 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:1.8.0_171]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:1.8.0_171]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_171]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[?:1.8.0_171]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:1.8.0_171]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_171]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_171]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:1.8.0_171]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:1.8.0_171]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ~[?:1.8.0_171]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_171]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:1.8.0_171]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) ~[?:1.8.0_171]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:1.8.0_171]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:1.8.0_171]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:1.8.0_171]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:1.8.0_171]
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:1.8.0_171]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.8.0_171]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564) ~[?:1.8.0_171]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) ~[?:1.8.0_171]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263) ~[?:1.8.0_171]
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:431) ~[cas-client-core-3.4.1.jar:3.4.1]
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41) ~[cas-client-core-3.4.1.jar:3.4.1]
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193) ~[cas-client-core-3.4.1.jar:3.4.1]
    at org.pac4j.cas.credentials.authenticator.CasAuthenticator.validate(CasAuthenticator.java:61) ~[pac4j-cas-2.2.0.jar:?]
    at org.pac4j.cas.client.direct.DirectCasClient.retrieveCredentials(DirectCasClient.java:68) ~[pac4j-cas-2.2.0.jar:?]
    at org.pac4j.cas.client.direct.DirectCasClient.retrieveCredentials(DirectCasClient.java:37) ~[pac4j-cas-2.2.0.jar:?]
    at org.pac4j.core.client.DirectClient.getCredentials(DirectClient.java:44) ~[pac4j-core-2.2.0.jar:?]
    at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:113) ~[pac4j-core-2.2.0.jar:?]
On Thursday, May 17, 2018 at 4:16:06 PM UTC-4, rbon wrote:
Jen,
I think you mean a cas-management error and not 'CAS error'.
Are CAS and cas-management running on the same tomcat?
Logging config for cas-management is in log4j2-management.xml which also
introduces cas-management.log.
Ray
On Thu, 2018-05-17 at 12:55 -0700, Jennifer LaVoie wrote:
Nothing helpful in cas.log or catalina.out that I can see.
It seems to be a CAS error, because the leaf is on the tab, and above the error
that I posted it says:
Cas Service Management
Jen
On Thursday, May 17, 2018 at 3:44:27 PM UTC-4, David Curry wrote:
Haven't seen that one, that I can recall.
Is that a CAS error (shows in a CAS-branded web page) or a Tomcat error?
Do the logs (cas.log and/or catalina.out) say anything helpful?
--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]
[The New School]
On Thu, May 17, 2018 at 3:40 PM, Jennifer LaVoie <[email protected]> wrote:
I updated the management.properties file with some ports specifically defined.
And that is now working as expected...
However, I get this
The CAS management webapp is unavailable.
There was an error trying to complete your request. Please notify your support
desk or try again.
On Thursday, May 17, 2018 at 3:18:42 PM UTC-4, Jennifer LaVoie wrote:
So I have followed all the steps here
https://dacurry-tns.github.io/deploying-apereo-cas/building_svcmgmt_configure-webapp-properties.html
(awesome site)
And when I try to go to
https://cashost:8443/cas-management
I am redirected to here
https://casserver.herokuapp.com/cas/login?service=https%3A%2F%2Fcashost%3A8443%2Fcas-management%2Fmanage.html
I have already logged into my cas.
What config file have I forgotten to change?
Jen
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/53c3f120-14ec-41af-8447-1db0e370795e%40apereo.org.
--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]