Hello, I am relatively new to SSO, especially CAS.

So, I am testing some basic functions, but at the moment I'm stuck with some SSL issue (I think). I followed the instructions in the wiki for the DEMO -> https://wiki.jasig.org/display/CASUM/Demo . That worked fine.

So, the next step would be to "integrate" both Tomcats into one Apache by using ProxyPass. So I set up a machine called compc (computer c) with openSUSE, installed Apache 2.2 and created the SSL stuff with "/usr/bin/gensslcert -C compc" (as it is stated in the Demo: "In the above dialog, it is critical that you enter the CAS server name as the answer (compA) to the following question: What is your first and last name?").

Then I added the following ProxyPass directives to both the SSL vhost and the default server:

    ProxyPass /cas http://compa:8080/cas
    ProxyPassReverse /cas http://comp:8080/cas
    ProxyPass /servlets-examples http://compb:8080/servlets-examples
    ProxyPassReverse /servlets-examples http://compb:8080/servlets-examples

And changed the web.xml in the Tomcat on compb (servlet-examples):

    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://compc/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://compc:443/cas/serviceValidate</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>compc</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
      <param-value>true</param-value>
    </init-param>

After that I added the server.crt from compc that is used by the Apache to the keystore cacerts on compb (first with that "Java tool" quoted in the Demo, afterwards "by hand" with keytool.exe).

So, if I call http://compc/servlet-examples/servlet/HelloWorldExample I get redirected to https://compc/cas/login?... and after that back to the example, BUT: it seems as if the SSL handshake between compb and compc is not working when compb tries to validate the ticket at https://compc/cas/serviceValidate... (see the exception report at the end). But the certificate from compc is (!) loaded into the keystore, so I don't understand why this is not working. I hope some of the more experienced users can give me a hint why this is not running.

PS: If I use https://compb:8443/cas/serviceValidate as the validateUrl and compb:8080 as serverName, everything is working fine with ProxyPass, except that the server name compb:8080 appears in the parameters (so external users can see internal server names). And it is possible to validate the ticket with the browser, meaning if I go to https://compc/cas/serviceValidate and enter the parameters by hand, I get the username that I used before to log in to CAS.

##################

description The server encountered an internal error () that prevented it from fulfilling this request.
exception

    javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://compc:443/cas/serviceValidate] ticket=[ST-33-oeZFpmcZ0SdWddQjJfuv-cas] service=[http%3A%2F%2Fcompc%3A80%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
        edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)
        filters.ExampleFilter.doFilter(ExampleFilter.java:102)

root cause

    edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://compc:443/cas/serviceValidate] ticket=[ST-33-oeZFpmcZ0SdWddQjJfuv-cas] service=[http%3A%2F%2Fcompc%3A80%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
        edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
        edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
        edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        filters.ExampleFilter.doFilter(ExampleFilter.java:102)

root cause

    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching compc found
        com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
        com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
        com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
        com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
        com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
        com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
        com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
        sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
        sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
        sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
        edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
        edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
        edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
        edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        filters.ExampleFilter.doFilter(ExampleFilter.java:102)

root cause

    java.security.cert.CertificateException: No name matching compc found
        sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:210)
        sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
        com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
        com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
        com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
        com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
        com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
        com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
        sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
        sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
        sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
        edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
        edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
        edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
        edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        filters.ExampleFilter.doFilter(ExampleFilter.java:102)

note The full stack trace of the root cause is available in the Apache Tomcat/5.5.29 logs.

######################
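The innermost root cause in the trace above, "No name matching compc found", is raised by JSSE's HostnameChecker, and that is a different step from trust: importing server.crt into cacerts on compb makes the certificate trusted, but the name the certificate carries (the answer given for "first and last name", or a subjectAltName) still has to match the host part of validateUrl, and the :443 port plays no part in it. The Python below models that identity check with the rules JSSE applies (RFC 2818 / RFC 6125: dNSName SANs take precedence over the subject CN, matching is case-insensitive, a wildcard may only be the whole left-most label, an IP literal matches only iPAddress SANs). It is an added example, not code from the post, from Jasig CAS or from the JDK; the CertIdentity values are constructed stand-ins for what a certificate would assert, and only the host names compA and compc are taken from the post.

```python
"""Model of the JSSE server-identity check behind "No name matching <host> found".

Added example (not code from the post, from Jasig CAS or from the JDK). Trust and
identity are separate steps: importing server.crt into cacerts satisfies trust,
while this check compares the host in validateUrl against the names the
certificate asserts. Rules follow RFC 2818 / RFC 6125 as JSSE applies them.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class CertIdentity:
    """Identities a server certificate asserts (constructed stand-in, not a parsed X.509)."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName comparison with the restricted wildcard form."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # A wildcard must be the entire left-most label, must be followed by at least
    # two labels ("*.com" is rejected), and may not appear anywhere else.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matches_hostname(cert: CertIdentity, hostname: str) -> bool:
    """Return True when `hostname` is one of the identities the certificate asserts."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress SAN entries, never the CN.
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    if cert.san_dns:
        # Once dNSName SANs are present the subject CN is not consulted at all.
        return any(_dns_name_matches(p, hostname) for p in cert.san_dns)
    return cert.subject_cn is not None and _dns_name_matches(cert.subject_cn, hostname)


def check_validate_url(cert: CertIdentity, validate_url: str) -> str:
    """Report, in JSSE's wording, whether the host in a CAS validateUrl passes the check.

    Only the host is compared; the port (e.g. :443) has no part in the decision.
    """
    host = urlsplit(validate_url).hostname or ""
    return "OK" if matches_hostname(cert, host) else f"No name matching {host} found"


# Constructed certificate identities for the hosts named in the post.
DEMO_CERT = CertIdentity(subject_cn="compA")                     # CN the wiki demo prescribes for the CAS server
PROXY_CERT = CertIdentity(subject_cn="compc", san_dns=["compc"])  # certificate issued for the Apache front end

if __name__ == "__main__":
    url = "https://compc:443/cas/serviceValidate"
    for label, cert in (("cert for compA", DEMO_CERT), ("cert for compc", PROXY_CERT)):
        print(f"{label}: {check_validate_url(cert, url)}")
```

Running it shows the two outcomes side by side: a certificate naming only compA produces exactly the message in the trace for a validateUrl on compc, while one naming compc passes, regardless of the port. The remedy this points to is a certificate on the Apache front end whose SAN (or CN) is the name clients use in validateUrl, rather than loosening the client's check.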
