Arti, When using self signed certificates, both ends need to know about the other certificate. You can create one certificate and add it to both apache and cas or you can install both certificates in the client and in the server. If both applications are running on the same computer, the one certificate approach will be sufficient (create the one for apache first and import it into keytool).
Also, check your logs to see why 'Unauthorized' is displayed. Ray P.S. the -alias property should be a name for your application that you would use to search in keytool. On Mon, 2021-03-29 at 23:54 -0700, arti wavale wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hello, Created ssl certificate in CAS 5.2 server system 1] keytool -genkey -keyalg RSA -alias thekeystore -keystore thekeystore -storepass changeit -validity 360 -keysize 2048 -ext san=ip:192.168.07.111 2] keytool -export -alias thekeystore -keypass changeit -file cas.crt -keystore thekeystore -storepass changeit 3] keytool -import -file cas.crt -alias thekeystore -keypass changeit -keystore /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts -storepass changeit created ssl certificate in Apache client system 1] openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout client.key -out client.crt How can I connect cas server 5.2 to Apache client Apache client side, I can redirected to cas server login page but after entered username and password then it is show "Unauthorized " error page which certificate i need to pass from server to client /etc/ssl/certs path how can i connect server and client to each other Thanks and Regards Arti On Thursday, March 25, 2021 at 10:20:22 PM UTC+5:30 Ray Bon wrote: Arti, 'subject alternative name' is part of your SSL certificate. See, https://apereo.github.io/cas/6.3.x/installation/Troubleshooting-Guide.html#no-subject-alternative-names, for some trouble shooting. Ray On Thu, 2021-03-25 at 04:23 -0700, arti wavale wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hello, I am facing same issue so can you tell me how you created certificate and share your admusers.properties file once ISSUE: CAS is unable to process this request: "500:Internal Server Error" org.pac4j.core.exception.TechnicalException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: No subject alternative names present at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:170) at org.pac4j.springframework.web.SecurityInterceptor.preHandle(SecurityInterceptor.java:65) at org.pac4j.springframework.web.SecurityInterceptor$$FastClassBySpringCGLIB$$efdcf9fe.invoke(<generated>) at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133) at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:673) at org.pac4j.springframework.web.SecurityInterceptor$$EnhancerBySpringCGLIB$$577bc7b.preHandle(<generated>) at org.apereo.cas.config.CasSecurityContextConfiguration$CasAdminStatusInterceptor.preHandle(CasSecurityContextConfiguration.java:155) at org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:133) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:962) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861) at javax.servlet.http.HttpServlet.service(HttpServlet.java:634) at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apereo.cas.web.support.AuthenticationCredentialsLocalBinderClearingFilter.doFilter(AuthenticationCredentialsLocalBinderClearingFilter.java:28) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:245) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:111) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:93) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:117) at org.springframework.boot.web.support.ErrorPageFilter.access$000(ErrorPageFilter.java:61) at org.springframework.boot.web.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:92) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:110) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:324) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:69) at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: No subject alternative names present at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:458) at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41) at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193) at org.pac4j.cas.credentials.authenticator.CasAuthenticator.validate(CasAuthenticator.java:62) at org.pac4j.cas.client.direct.DirectCasClient.retrieveCredentials(DirectCasClient.java:68) at org.pac4j.cas.client.direct.DirectCasClient.retrieveCredentials(DirectCasClient.java:37) at org.pac4j.core.client.DirectClient.getCredentials(DirectClient.java:44) at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:115) ... 90 more Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present at sun.security.ssl.Alert.createSSLException(Alert.java:131) at sun.security.ssl.TransportContext.fatal(TransportContext.java:324) at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) at sun.security.ssl.TransportContext.fatal(TransportContext.java:262) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268) at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:444) ... 97 more Caused by: java.security.cert.CertificateException: No subject alternative names present at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:156) at sun.security.util.HostnameChecker.match(HostnameChecker.java:100) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:230) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ... 113 more On Tuesday, February 6, 2018 at 11:42:35 PM UTC+5:30 Carlos Eduardo Santos wrote: Thank you gentlemen for all the help. Thank you David ! I was able to solve the certificate problem, I had problem with admusers.properties but I was able to resolve and access the dashboard. As a solution, I had to create a new certificate with the domain certificates we have, following the steps of the excellent documentation provided by David. Now I'm accessing the dashboard and other options and also cas-management. Thank you one more time !! Em sexta-feira, 2 de fevereiro de 2018 10:54:00 UTC-2, Carlos Eduardo Santos escreveu: / status / dashborad - Page not found. Hello everyone, I have been trying to configure the CAS server for a few days (following all the information from "the new school"). The information is very clear, but I could not access anything ahead of / status /. To the status page I can visualize the dashboard, for example, nothing. Below the configuration of cas.properties cas.server.name<http://cas.server.name> = http: // xxxxxxxxxxxxxx cas.server.prefix = $ {server.name<http://server.name>} / cas cas.tgc.secure = true cas.tgc.encryptionKey = DCETkZ33-A7TETvjgZ24J_o2xQkyQxc0FCFa725ubnY cas.tgc.signingKey = 8y-RtN0Ny3VF9DAkNQPvIeXXkHtTetFu9bEcG5G7F95ckmSdvE9ZdMSbVCRvBEmwJv_Bbr7wBIfsCrXdo-IytQ cas.webflow.crypto.signing.key = J4qjH74TlZY5Ic6GTnblZbwKN4Ye1mBuMEr-a3_DNpakNbmkX0LUmXGQ30oetbf8N_dNXsG_rdjWyXUOen1mEA cas.webflow.crypto.encryption.key = dE1URfP5K6nvFtnUgBppQw == cas.authn.accept.users = logging.config = file: /etc/cas/config/log4j2.xml cas.serviceRegistry.config.location = file: / etc / cas / services cas.authn.accept.users = cas.authn.ldap [0] .order = 0 cas.authn.ldap [0] .name = Active Directory cas.authn.ldap [0] .type = AUTHENTICATED cas.authn.ldap [0] .ldapUrl = ldap: //10.1.0.48:389<http://10.1.0.48:389> cas.authn.ldap [0] .userFilter = sAMAccountName = {user} cas.authn.ldap [0] .useSsl = false cas.authn.ldap [0] .baseDn = OU = CNANET, DC = cna, DC = org, DC = br cas.authn.ldap [0] .dnFormat = uid =% s, ou = people, dc = example, dc = org cas.authn.ldap [0] .subtreeSearch = true cas.authn.ldap [0] .bindDn = cn = xxxxx, cn = Users, dc = xxx, dc = org, dc = br cas.authn.ldap [0] .bindCredential = xxxxxxx cas.adminPagesSecurity.actuatorEndpointsEnabled = true cas.monitor.endpoints.enabled = true endpoints.enabled = true cas.adminPagesSecurity.ip = ^ 10 \\. 1 \\. (3 \\. [0-9] {1,3} | 0 \\. [12] 0) $ cas.monitor.endpoints.sensitive = false endpoints.sensitive = false cas.adminPagesSecurity.loginUrl = $ {cas.server.prefix} / login cas.adminPagesSecurity.service = $ {cas.server.prefix} / status / dashboard cas.adminPagesSecurity.users = file: /etc/cas/config/admusers.properties cas.adminPagesSecurity.adminRoles [0] = ROLE_ADMIN ############## I'm trying to free cas.adminPagesSecurity.ip for the 10.1.3.0/24<http://10.1.3.0/24> network. but I do not know if that's the right way. I've tried to follow another topic that talks about it but without success. Please, can someone help me !!! Thank you. -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831<tel:(250)%20721-8831> | CLE 019 | [email protected] I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected]<mailto:[email protected]> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2c746cc806b50879d516b2ae0073b835497ff68e.camel%40uvic.ca.
