> 2010-02-23 10:58:13,223 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - Certificates not found in request.

This is the key to your problem. You must configure your Web server to request a certificate from the client. http://www.ja-sig.org/wiki/display/CASUM/X.509+Certificates has an example of the Tomcat connector configuration if you are using Tomcat directly. You should set clientAuth="require" for testing to make sure that a connection to CAS is not allowed unless the client presents a certificate. We have a totally separate Web server port (9443) for X.509 authentication to satisfy this use case. If you have Apache in front of Tomcat, you'll want to use the mod_ssl directive SSLVerifyClient="require".

I would do some testing with a simple tool like wget to ensure the Web server is properly requiring the certificate.

Also, it sounds like the certificate may be coming from a hardware security device. I'd recommend taking the hardware out of the equation for testing and development and using a soft certificate instead. (I can sympathize with the complexity of what you're doing; we did the same thing a few years ago and it was a bear.)

M
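An added example, not part of the original message and not CAS or Tomcat code: a small Python audit of a Tomcat server.xml that reports, for each TLS connector, whether a client certificate is actually required. The sample XML is constructed, the name `audit_connectors` is hypothetical, and it assumes connectors marked `SSLEnabled="true"` and the `clientAuth` values documented for the Tomcat connector (`true`, `want`, `false`); any other value is flagged so it can be checked against the documentation for your Tomcat version.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from the original thread).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false"/>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="true"/>
    <Connector port="9444" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="require"/>
  </Service>
</Server>
"""

# Meaning of the documented clientAuth values on a Tomcat <Connector>.
MODES = {"true": "required", "want": "optional", "false": "not requested"}


def audit_connectors(server_xml):
    """Return {port: (mode, problems)} for every TLS-enabled connector."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: no client certificate is possible
        raw = conn.get("clientAuth", "false")  # documented default is false
        mode = MODES.get(raw.lower(), "unrecognized")
        problems = []
        if mode == "unrecognized":
            problems.append(f"clientAuth={raw!r} is not one of true/want/false")
        elif mode != "required":
            # CAS then sees no certificate and logs "Certificates not found".
            problems.append("handshake succeeds without a client certificate")
        report[int(conn.get("port"))] = (mode, problems)
    return report


if __name__ == "__main__":
    results = audit_connectors(SAMPLE_SERVER_XML)
    for port, (mode, problems) in sorted(results.items()):
        print(port, mode, "; ".join(problems) or "ok")
```
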
