> I successfully completed a uPortal installation but as many posts have
> found, "Unable to validate ProxyTicketValidator" is the SSL error that I
> received.

You need to ensure that the CAS server trusts the certificate presented by uPortal. From the commands you provided, it's not clear what certificate is meant by server.crt. Some important points that I hope will help you:

- You don't need to use the genkey command. That's for a keypair used for client authentication and SSL session key negotiation. In your case you need to set up a trusted certificate only.
- You only need to deal with truststores. Although Java keystores and truststores are fundamentally the same data structure, only truststores are used to determine trusted peers during SSL negotiation.
- You are doing unnecessary configuration (for this problem, at least) with the Tomcat keystore/truststore setup in server.xml. You need to configure the system keystore used by the JVM, which is $JAVA_HOME/jre/lib/security/cacerts by default. You can also specify an arbitrary keystore file as the system truststore with the system property javax.net.ssl.trustStore, e.g. -Djavax.net.ssl.trustStore=/home/cas/.keystore.
- All this configuration should be on the CAS server since it's issuing an outbound connection to the uPortal proxy callback URL and it's that connection that is failing due to SSL trust problems.

If you need background with Java SSL trust, I strongly suggest you review http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html.

M
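
Added example, not part of the original message: a small Java check of the trust decision described above. It asks the JVM's default trust manager, which reads javax.net.ssl.trustStore when set and the JVM's default truststore otherwise, whether it accepts the certificate (or leaf-first chain) in a PEM file. The class name TrustCheck, the file argument and the "RSA" authType are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class; the name and the argument are assumptions.
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TrustCheck <uportal-cert-or-chain.pem>");
            System.exit(2);
        }
        // Show which truststore setting this JVM was started with.
        String ts = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("javax.net.ssl.trustStore = "
                + (ts != null ? ts : "(unset, JVM default truststore is used)"));

        // Read the certificate, or leaf-first chain, that the uPortal host presents.
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[0])) {
            Collection<?> certs =
                    CertificateFactory.getInstance("X.509").generateCertificates(in);
            chain = certs.toArray(new X509Certificate[0]);
        }
        if (chain.length == 0) {
            throw new IllegalArgumentException("no certificates found in " + args[0]);
        }
        // init((KeyStore) null) makes JSSE load the same default truststore
        // that an outbound HTTPS connection from this JVM would consult.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                // authType is the key-exchange algorithm name; "RSA" is an assumption.
                ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                System.out.println("TRUSTED: " + chain[0].getSubjectX500Principal());
            } catch (CertificateException e) {
                System.out.println("NOT TRUSTED: " + e.getMessage());
                System.exit(1);
            }
            return;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
}
```

Run it with the CAS server's JVM and the same -Djavax.net.ssl.trustStore setting, since a different JVM or option set consults a different truststore.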
