We use shibboleth 1.3 with CAS as Single Sign On Server.
Our CAS server certificate was self-signed and all worked well.
Yesterday we changed the CAS certificate and now the CAS server is configured
with a GlobalSign certificate with multiple CNs:
Subject: C=IT, O=GARR, OU=UNIPR,
CN=my.unipr.it/[email protected]
X509v3 Subject Alternative Name:
DNS:my.unipr.it, DNS:cas.unipr.it, DNS:shibidp.unipr.it,
DNS:yin.unipr.it, DNS:yang.unipr.it, DNS:posta.unipr.it, email:[email protected]
We found that there is a problem for the Shibboleth IdP, which uses casclient.jar:
https://shibsp.ntu.ac.uk/confluence/display/Shibboleth/CAS+Client+installation
Is there a way to make Shibboleth and CASFilter validate the Proxy Ticket?
I loaded the CAS certificate and the Certification Authority certificate in
the JVM.
But I still get this error:
2009-03-27 13:48:10,883 [TP-Processor3] ERROR
edu.yale.its.tp.cas.client.CASReceipt -
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate
ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://cas.unipr.it/serviceValidate]
ticket=[ST-2533-9eE9olmVOLg32vWoWJQ0]
service=[https%3A%2F%2Fshibidp.unipr.it%2FCASSSO%3Fshire%3Dhttps%253A%252F%252Fdspace-unipr.cilea.it%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1238158089%26target%3Dcookie%26providerId%3Dhttp%253A%252F%252Fdspace-unipr.cilea.it]
renew=false]]]
2009-03-27 13:48:10,884 [TP-Processor3] ERROR
edu.yale.its.tp.cas.client.filter.CASFilter -
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate
ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://cas.unipr.it/serviceValidate]
ticket=[ST-2533-9eE9olmVOLg32vWoWJQ0]
service=[https%3A%2F%2Fshibidp.unipr.it%2FCASSSO%3Fshire%3Dhttps%253A%252F%252Fdspace-unipr.cilea.it%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1238158089%26target%3Dcookie%26providerId%3Dhttp%253A%252F%252Fdspace-unipr.cilea.it]
renew=false]]]
type Exception report
message
description The server encountered an internal error () that prevented it from
fulfilling this request.
exception
javax.servlet.ServletException: Unable to validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://cas.unipr.it/serviceValidate]
ticket=[ST-2273-FQulesgK8FznuwrRiF30]
service=[https%3A%2F%2Fshibidp.unipr.it%2FCASSSO%3Fshire%3Dhttps%253A%252F%252Fdspace-unipr.cilea.it%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1238154774%26target%3Dcookie%26providerId%3Dhttp%253A%252F%252Fdspace-unipr.cilea.it]
renew=false]]]
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java(Compiled
Code))
root cause
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate
ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://cas.unipr.it/serviceValidate]
ticket=[ST-2273-FQulesgK8FznuwrRiF30]
service=[https%3A%2F%2Fshibidp.unipr.it%2FCASSSO%3Fshire%3Dhttps%253A%252F%252Fdspace-unipr.cilea.it%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1238154774%26target%3Dcookie%26providerId%3Dhttp%253A%252F%252Fdspace-unipr.cilea.it]
renew=false]]]
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java(Compiled
Code))
note The full stack trace of the root cause is available in the Apache
Tomcat/5.0 logs.
Do I have to get a new certificate with subject CN=cas.unipr.it?
best regards
Marco Panella
--
Universita' degli Studi di Parma (http://www.unipr.it)
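
Added example (not part of the original message or of casclient.jar): a hostname check over the Subject CN and Subject Alternative Names quoted above, comparing an RFC 2818 / RFC 6125 style verifier with one that reads only the CN. Which of the two behaviours the JVM in use applies is an assumption; the function names are hypothetical.

```python
# Certificate fields copied from the message above.
SUBJECT_CN = "my.unipr.it"
SAN_DNS = ["my.unipr.it", "cas.unipr.it", "shibidp.unipr.it",
           "yin.unipr.it", "yang.unipr.it", "posta.unipr.it"]


def name_matches(presented, host):
    """Compare one certificate name with the host being contacted.

    Case-insensitive, label by label; '*' is accepted only as the whole
    left-most label and never spans more than one label (RFC 6125 6.4.3).
    """
    p = presented.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.it' cannot match.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def verify_san_aware(host, cn, san_dns):
    """RFC 2818 rule: when dNSName entries exist, the CN is ignored."""
    names = san_dns if san_dns else [cn]
    return any(name_matches(n, host) for n in names)


def verify_cn_only(host, cn, san_dns):
    """Behaviour of a verifier that looks only at the Subject CN."""
    return name_matches(cn, host)


def report(host, cn=SUBJECT_CN, san_dns=SAN_DNS):
    """Return the verdict of both verifier styles for one host."""
    return {"san_aware": verify_san_aware(host, cn, san_dns),
            "cn_only": verify_cn_only(host, cn, san_dns)}


if __name__ == "__main__":
    # Host taken from casValidateUrl in the log, plus the IdP's own name.
    for host in ("cas.unipr.it", "shibidp.unipr.it", "my.unipr.it"):
        print(host, report(host))
```

If the SAN-aware verdict for the casValidateUrl host is positive and validation still fails, the name is not what such a verifier rejects, and the trust chain in the keystore the servlet container actually loads is the next thing to check.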