For some reason, now I'm getting more debug info in the logs; when I
attempt to log in I see in the log:

http-8443-2, READ: TLSv1 Application Data, length = 1024
2010-08-17 12:41:20,984 DEBUG
[org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] -
<Performing LDAP bind with credential:
uid=joel,ou=People,dc=mydomain,dc=org>
keyStore is : /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts
keyStore type is : BKS
keyStore provider is : 
init keystore
default context init failed: java.security.KeyStoreException: BKS not
found
2010-08-17 12:41:20,984 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to
authenticate the user which provided the following credentials:
[username: joel]>
2010-08-17 12:41:20,988 DEBUG
[org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not
generate service.>
2010-08-17 12:41:20,988 DEBUG
[org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not
generate service.>
http-8443-2, WRITE: TLSv1 Application Data, length = 288
http-8443-2, WRITE: TLSv1 Application Data, length = 5200

And above this, I found this too:

http-8443-2, setSoTimeout(60000) called
http-8443-2, READ: TLSv1 Handshake, length = 206
*** ClientHello, TLSv1
RandomCookie:  GMT: 1282041516 bytes = { 88, 187, 242, 214, 202, 149,
98, 82, 254, 122, 148, 127, 39, 21, 215, 73, 81, 84, 30, 153, 48, 68,
205, 160, 112, 1, 156, 239 }
Session ID:  {76, 106, 102, 242, 196, 105, 183, 221, 101, 48, 43, 229,
158, 134, 68, 18, 40, 101, 219, 93, 18, 205, 9, 181, 201, 97, 132, 3,
163, 222, 235, 166}
Cipher Suites: [Unknown 0x0:0xff, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x88, Unknown 0x0:0x87,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
Unknown 0x0:0x84, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Unknown 0x0:0x45, Unknown 0x0:0x44, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, Unknown 0x0:0x96, Unknown 0x0:0x41,
SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Unsupported extension server_name, [host_name: anarchy.mydomain.org]
Extension elliptic_curves, curve names: {secp256r1, secp384r1,
secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data: 
***
%% Resuming [Session-2, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1282041516 bytes = { 185, 71, 136, 233, 59, 128,
207, 234, 227, 255, 178, 217, 178, 70, 245, 127, 227, 5, 59, 35, 54, 20,
60, 63, 134, 47, 108, 132 }
Session ID:  {76, 106, 102, 242, 196, 105, 183, 221, 101, 48, 43, 229,
158, 134, 68, 18, 40, 101, 219, 93, 18, 205, 9, 181, 201, 97, 132, 3,
163, 222, 235, 166}
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
Cipher suite:  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
CONNECTION KEYGEN:
Client Nonce:
0000: 4C 6A 67 AC 58 BB F2 D6   CA 95 62 52 FE 7A 94 7F  Ljg.X.....bR.z..
0010: 27 15 D7 49 51 54 1E 99   30 44 CD A0 70 01 9C EF  '..IQT..0D..p...
Server Nonce:
0000: 4C 6A 67 AC B9 47 88 E9   3B 80 CF EA E3 FF B2 D9  Ljg..G..;.......
0010: B2 46 F5 7F E3 05 3B 23   36 14 3C 3F 86 2F 6C 84  .F....;#6.<?./l.
Master Secret:
0000: 26 90 CA 44 29 77 5E 69   19 8B AA 3A 1C 6D A4 03  &..D)w^i...:.m..
0010: F6 BB 1C 93 C3 CC DD CD   AB 69 1F 25 66 D8 87 8B  .........i.%f...
0020: F9 59 DC 82 8D 86 B1 81   21 49 CF D7 BF 4F 35 EF  .Y......!I...O5.
Client MAC write Secret:
0000: 19 3D 3F 2A BF 49 73 A1   9D 17 D4 62 7B 5E 36 B3  .=?*.Is....b.^6.
0010: 6F F1 D1 75                                        o..u
Server MAC write Secret:
0000: E0 5B 6B 40 F9 D4 AC 42   24 54 19 08 74 F1 F7 99  .[k@...B$T..t...
0010: BC 13 98 A4                                        ....
Client write key:
0000: 56 2D 84 4B C1 DB 3E C4   5A 79 C7 96 9D ED 78 3A  V-.K..>.Zy....x:
Server write key:
0000: A6 7A 86 EC 7F 9A A3 3E   E9 0D 37 7E CC 2A 4E 05  .z.....>..7..*N.
Client write IV:
0000: E3 CB A3 14 F6 94 C8 65   84 E6 28 1E C0 96 87 1B  .......e..(.....
Server write IV:
0000: FA 2A E5 E2 82 0A D3 DA   BD 8B EB ED 6B 6B F6 DF  .*..........kk..
http-8443-2, WRITE: TLSv1 Handshake, length = 74
http-8443-2, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 192, 47, 168, 3, 99, 105, 45, 145, 129, 214, 37, 205 }
***
http-8443-2, WRITE: TLSv1 Handshake, length = 48
http-8443-2, READ: TLSv1 Change Cipher Spec, length = 1
http-8443-2, READ: TLSv1 Handshake, length = 48
*** Finished
verify_data:  { 158, 138, 250, 73, 41, 226, 18, 175, 124, 48, 178, 230 }
***


Any ideas?



On Tue, 2010-08-17 at 00:12 +0200, [email protected] wrote:
> > After enabling SSL debugging, did you try authenticating again? Anything
> > useful in the logs?
> >
> 
> Yes, I tried again and the only thing I see in the logs is:
> 
> 2010-08-16 17:10:13,544 DEBUG
> [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] -
> <Performing LDAP bind with credential:
> uid=joel,ou=People,dc=mydomain,dc=org>
> 2010-08-16 17:10:13,548 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <AuthenticationHandler:
> org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed
> to authenticate the user which provided the following credentials:
> [username: joel]>
> 
> 
> > Also, I don't know if it's an issue but your username joell is different
> > from the ldap uid joel
> > 
> 
> It was an error (I changed the real username by hand when I copied it
> here).
> 
> 
> Marvin: the output that the SSL debug options of setenv.sh generated is
> the one that I put in my last email, giving all the certificates that
> are in the keystore.
> 
> 
> > 
> > 
> > On Mon, Aug 16, 2010 at 2:17 PM, <[email protected]> wrote:
> > 
> >> Hi,
> >>
> >> Yes, actually I changed the value 'ldap' to 'ldaps' in the
> >> deployerContextConfig.xml and added the certificates to the keystore.
> >>
> >> I already added the org.jasig.cas.adaptors.ldap category to debug in my
> >> log4j.xml file but it doesn't give much more information than before;
> >> after a failed login attempt here is what it says:
> >>
> >>
> >> 2010-08-16 17:10:13,544 DEBUG
> >> [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] -
> >> <Performing LDAP bind with credential:
> >> uid=joel,ou=People,dc=mydomain,dc=org>
> >> 2010-08-16 17:10:13,548 INFO
> >> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> >> <AuthenticationHandler:
> >> org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to
> >> authenticate the user which provided the following credentials:
> >> [username: joell]>
> >>
> >> Scott: I read the link that you gave me
> >> (https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide)
> >> and the only thing was that I was importing my certificates in PEM
> >> format instead of DER, so I deleted my LDAP server cert and my cacert
> >> from the keystore, converted them to DER and then added them again to
> >> the keystore, but it is still not working.
> >>
> >> I added these lines to the setenv.sh file:
> >>
> >> # Uncomment the next 4 lines for custom SSL keystore
> >> # used by all deployed applications
> >> KEYSTORE="/usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts"
> >> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStore=$KEYSTORE"
> >> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStoreType=BKS"
> >> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStorePassword=changeit"
> >>
> >> # Uncomment the next 4 lines to allow custom SSL trust store
> >> # used by all deployed applications
> >> TRUSTSTORE="/usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts"
> >> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStore=$TRUSTSTORE"
> >> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStoreType=BKS"
> >> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStorePassword=changeit"
> >>
> >> # Uncomment the next line to print SSL debug trace in catalina.out
> >> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.debug=ssl"
> >>
> >> export CATALINA_OPTS
> >>
> >> and when starting tomcat, it gives me:
> >>
> >> ***
> >> found key for : tomcat
> >> chain [0] = [
> >> [
> >> Version: V3
> >> Subject: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
> >> Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
> >>
> >> Key: Sun RSA public key, 1024 bits
> >> modulus: 12429917734398243518800808265619280814716750420968419601771757790510823806987670798732881378060652289286981824141461030753004205618458414459411736262213365948359424037369540538035098119857266639254595546481328107025155708999410195469263713472820440725503744411023
> >> public exponent: 65537
> >> Validity: [From: Mon Aug 16 13:48:05 CEST 2010,
> >> To: Sun Nov 14 12:48:05 CET 2010]
> >> Issuer: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
> >> SerialNumber: [ 4c692575]
> >>
> >> ]
> >> Algorithm: [SHA1withRSA]
> >> Signature:
> >> 0000: 2C 33 09 DE 3D 8E 98 92 5F 43 5D A4 FF 55 B6 D1  ,3..=..._C]..U..
> >> 0010: CB 8A 1F 85 AC E2 75 09 73 BA BC B7 22 95 E5 14  ......u.s..."...
> >> 0020: 96 C8 80 F4 30 28 AD C9 FD FD BD 72 CC C7 AD 31  ....0(.....r...1
> >> 0030: 2C 5B 88 8B AD FF 1A D1 AA 6C 7E 5E C0 44 6B 6D  ,[.......l.^.Dkm
> >> 0040: DC 61 D1 E5 8D A2 1A FB EE AD 73 5E D8 70 A7 92  .a........s^.p..
> >> 0050: 97 FA 50 2E 9F 11 A1 2D 6E 18 21 94 D4 E1 B8 82  ..P....-n.!.....
> >> 0060: 18 14 B6 F9 F3 BE 32 CC 83 15 0D 88 7E 7E 6A 6E  ......2.......jn
> >> 0070: 84 EE A4 DA 6C 7E F4 FB 35 C9 B0 3F 98 B4 37 7C  ....l...5..?..7.
> >>
> >> ]
> >> ***
> >>
> >> [...]
> >>
> >> adding as trusted cert:
> >> Subject: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
> >> Issuer: CN=anarchy.mydomain.org, OU=Engineering, O=My Company, L=Madrid, ST=Madrid, C=ES
> >> Algorithm: RSA; Serial number: 0x4c692575
> >> Valid from Mon Aug 16 13:48:05 CEST 2010 until Sun Nov 14 12:48:05 CET 2010
> >>
> >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >> this one is the server certificate for tomcat
> >>
> >> [...]
> >>
> >> adding as trusted cert:
> >> Subject: CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
> >> Issuer: CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
> >> Algorithm: RSA; Serial number: 0xa63c9b1583f12ee5
> >> Valid from Thu Oct 01 10:06:14 CEST 2009 until Sun Sep 29 10:06:14 CEST 2019
> >>
> >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >> this is my cacert certificate
> >>
> >> [...]
> >>
> >> adding as trusted cert:
> >> Subject: CN=ldap.mydomain.org, OU=Engineering, O=My Company, C=ES, ST=Madrid, L=Madrid
> >> Issuer: CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
> >> Algorithm: RSA; Serial number: 0x1c
> >> Valid from Wed Dec 02 16:52:41 CET 2009 until Fri Dec 02 16:52:41 CET 2011
> >>
> >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >> and this is my ldap server certificate
> >>
> >>
> >> Any ideas?
> >>
> >>
> >>
> >>
> >>
> >> > Just to confirm (for my sanity). You took the configuration you used
> >> > for connecting to LDAP over a non-secure port, and merely changed it to
> >> > connect over a secure-port (and then added the certs you needed) and it
> >> > stopped working?
> >> >
> >> > On this page, there are some tips for adding additional DEBUG logging
> >> > for SSL issues:
> >> >
> >> > https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide
> >> >
> >> > It may help to determine what's going on if it is an SSL issue.
> >> >
> >> >
> >> > On Mon, Aug 16, 2010 at 9:00 AM, Joel Rosental R.
> >> > <[email protected]>wrote:
> >> >
> >> >> Hi,
> >> >>
> >> >> I'm new to CAS and want to set it up (latest version 3.4.2.1 with
> >> >> tomcat 6) under a Debian GNU/Linux Lenny environment. Until now, I've
> >> >> been able to configure the CAS Server using a LDAP backend; however, I
> >> >> would want to use ldaps rather than plain ldap, and I've done everything
> >> >> that is in the "official documentation" but it is still not working.
> >> >> This is what I've done so far:
> >> >>
> >> >> I have my own PKI environment in another machine which I use for
> >> >> several services, so I copied the ldap server certificates along with
> >> >> cacert.pem.
> >> >>
> >> >> Imported them into the keystore ($JAVA_HOME/jre/lib/security/cacerts)
> >> >> like this:
> >> >>
> >> >> keytool -import -alias rootca -file cacert.pem -keystore /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts -trustcacerts
> >> >>
> >> >> Then, I imported ldapcert.pem (LDAP's server cert):
> >> >>
> >> >> keytool -import -alias ldapcert -file ldapcert.pem -keystore /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts
> >> >>
> >> >> Once this is done, I verify they're included in the keystore by
> >> >> examining the output of: keytool -l -keystore
> >> >> $JAVA_HOME/jre/lib/security/cacerts and both of them appear as
> >> >> "trustedCertEntry".
> >> >>
> >> >> After this, I modify my deployerConfigContext.xml and it looks like
> >> >> this:
> >> >> <property name="authenticationHandlers">
> >> >>   <list>
> >> >>     <!--
> >> >>       | This is the authentication handler that authenticates services by means of callback via SSL,
> >> >>       | thereby validating a server side SSL certificate.
> >> >>       +-->
> >> >>     <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> >> >>           p:httpClient-ref="httpClient" />
> >> >>     <!--
> >> >>       | This is the authentication handler declaration that every CAS deployer will need to change
> >> >>       | before deploying CAS into production. The default SimpleTestUsernamePasswordAuthenticationHandler
> >> >>       | authenticates UsernamePasswordCredentials where the username equals the password. You will need
> >> >>       | to replace this with an AuthenticationHandler that implements your local authentication strategy.
> >> >>       | You might accomplish this by coding a new such handler and declaring
> >> >>       | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in
> >> >>       | the adaptors modules.
> >> >>       +-->
> >> >>     <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
> >> >>       <property name="filter" value="uid=%u,ou=People,dc=mydomain,dc=org" />
> >> >>       <property name="contextSource" ref="contextSource" />
> >> >>     </bean>
> >> >>   </list>
> >> >> </property>
> >> >>
> >> >> <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
> >> >>   <property name="urls">
> >> >>     <list>
> >> >>       <value>ldaps://ldap.mydomain.org</value>
> >> >>     </list>
> >> >>   </property>
> >> >>   <property name="userDn" value="uid=myuser,ou=People,dc=mydomain,dc=org"/>
> >> >>   <property name="password" value="xxx"/>
> >> >>   <property name="baseEnvironmentProperties">
> >> >>     <map>
> >> >>       <entry>
> >> >>         <key>
> >> >>           <value>java.naming.security.authentication</value>
> >> >>         </key>
> >> >>         <value>simple</value>
> >> >>       </entry>
> >> >>     </map>
> >> >>   </property>
> >> >> </bean>
> >> >>
> >> >> Then I restart tomcat, and when I try to log in, the log file says:
> >> >>
> >> >> 2010-08-16 14:49:26,629 INFO
> >> >> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> >> >> <AuthenticationHandler:
> >> >> org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler failed to
> >> >> authenticate the user which provided the following credentials:
> >> >> [username: myuser]>
> >> >>
> >> >> And nothing else.
> >> >>
> >> >> I've followed https://wiki.jasig.org/display/CASUM/LDAP to set up the
> >> >> ldap backend, and there it says: "Please note that the JVM needs to
> >> >> trust the certificate of your SSL enabled LDAP server, else CAS will
> >> >> refuse to connect to your LDAP server. You can add the LDAP server's
> >> >> certificate to the JVM trust store ($JAVA_HOME/jre/lib/security/cacerts)
> >> >> to solve that issue." and I already did that, so I don't know why it is
> >> >> still failing.
> >> >>
> >> >> Thanks in advance for your help.
> >> >>
> >> >
> >> > --
> >>
> >> > You are currently subscribed to [email protected] as:
> >> > [email protected]
> >>
> >> > To unsubscribe, change settings or access archives, see
> >> > http://www.ja-sig.org/wiki/display/JSG/cas-user
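An added example, not code from this thread or from CAS/Tomcat, that parses the kind of JSSE -Djavax.net.debug=ssl trace quoted above (the "adding as trusted cert" entries plus the "keyStore type is" and "default context init failed" lines) and reports what the trace already says: BKS is a Bouncy Castle store type, so with no such provider registered the default SSLContext never initialises, and the ldaps connection cannot be attempted at all, whatever is in cacerts. It also checks that the LDAP server certificate and its issuer are present as trusted entries and that the server certificate is inside its validity period at the time of the failed login. The sample trace below is constructed from lines in the thread; the function names and finding texts are this example's own.

```python
"""Triage a JSSE -Djavax.net.debug=ssl trace for trust-store problems.

Added example; not code from the cas-user thread, CAS or Tomcat. It parses
the text Tomcat writes to catalina.out under that flag and reports whether
the default SSLContext initialised, whether the configured store type is one
the plain JDK can open, and whether the LDAP server's certificate and its
issuer are trusted and inside their validity period.
"""
import re
from datetime import datetime

# Store types the Sun/Oracle JDK opens without an extra provider. BKS is the
# Bouncy Castle format: requesting it with no such provider registered yields
# "KeyStoreException: BKS not found" and leaves the SSLContext unusable.
JDK_BUILTIN_STORE_TYPES = {"JKS", "JCEKS", "PKCS12"}

# Constructed sample, abbreviated from the trace quoted in the thread.
SAMPLE_TRACE = """\
adding as trusted cert:
Subject: CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
Issuer: CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
Algorithm: RSA; Serial number: 0xa63c9b1583f12ee5
Valid from Thu Oct 01 10:06:14 CEST 2009 until Sun Sep 29 10:06:14 CEST 2019

adding as trusted cert:
Subject: CN=ldap.mydomain.org, OU=Engineering, O=My Company, C=ES, ST=Madrid, L=Madrid
Issuer: CN=Root CA, C=ES, ST=Madrid, L=Madrid, OU=Engineering, O=My Company
Algorithm: RSA; Serial number: 0x1c
Valid from Wed Dec 02 16:52:41 CET 2009 until Fri Dec 02 16:52:41 CET 2011

keyStore is : /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/security/cacerts
keyStore type is : BKS
keyStore provider is :
init keystore
default context init failed: java.security.KeyStoreException: BKS not found
"""

# Constructed variant: store type corrected to JKS, so the init failure line
# no longer appears.
FIXED_TRACE = re.sub(r"^default context init failed: .*\n", "",
                     SAMPLE_TRACE, flags=re.M).replace("BKS", "JKS")

_CERT_BLOCK = re.compile(
    r"adding as trusted cert:\n"
    r"Subject: (?P<subject>.+)\n"
    r"Issuer: (?P<issuer>.+)\n"
    r"Algorithm: \w+; Serial number: (?P<serial>0x[0-9a-fA-F]+)\n"
    r"Valid from (?P<nb>.+?) until (?P<na>.+)\n")
_STORE_TYPE = re.compile(r"^(keyStore|trustStore) type is : (\S+)\s*$", re.M)
_INIT_FAIL = re.compile(r"^default context init failed: (.+)$", re.M)


def _java_date(text):
    """'Wed Dec 02 16:52:41 CET 2009' -> datetime (zone name dropped)."""
    p = text.split()
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")


def _cn(dn):
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1).strip() if m else None


def parse_trace(text):
    """Extract trusted-cert entries, store types and any init failure."""
    certs = [{"subject": m["subject"].strip(), "issuer": m["issuer"].strip(),
              "serial": m["serial"], "not_before": _java_date(m["nb"]),
              "not_after": _java_date(m["na"])}
             for m in _CERT_BLOCK.finditer(text)]
    fail = _INIT_FAIL.search(text)
    return {"certs": certs,
            "store_types": dict(_STORE_TYPE.findall(text)),
            "init_error": fail.group(1).strip() if fail else None}


def diagnose(trace, ldap_host, now):
    """Return a list of findings (empty when the trace looks healthy)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    if trace["init_error"]:
        findings.append("default SSLContext init failed: " + trace["init_error"])
    for kind, typ in sorted(trace["store_types"].items()):
        if typ.upper() not in JDK_BUILTIN_STORE_TYPES:
            findings.append(
                f"{kind} type {typ!r} needs an extra security provider; the JDK "
                f"cacerts file is JKS, so set -Djavax.net.ssl.{kind}Type=JKS or "
                f"leave the property unset")
    # Exact-string DN comparison is enough for this sample; real code should
    # compare parsed DNs, since attribute order varies between issuers.
    subjects = {c["subject"] for c in trace["certs"]}
    leaf = next((c for c in trace["certs"] if _cn(c["subject"]) == ldap_host), None)
    if leaf is None:
        findings.append(f"no trusted certificate with CN={ldap_host}")
        return findings
    if leaf["issuer"] not in subjects:
        findings.append(f"issuer of the {ldap_host} certificate "
                        f"({_cn(leaf['issuer'])}) is not in the trust store")
    if not leaf["not_before"] <= now <= leaf["not_after"]:
        findings.append(
            f"certificate for {ldap_host} is outside its validity period "
            f"({leaf['not_before']:%Y-%m-%d} to {leaf['not_after']:%Y-%m-%d})")
    return findings


if __name__ == "__main__":
    when = "2010-08-17T12:41:20"  # timestamp of the failing login in the thread
    for label, text in (("as posted", SAMPLE_TRACE), ("store type fixed", FIXED_TRACE)):
        findings = diagnose(parse_trace(text), "ldap.mydomain.org", when)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against the trace as posted it reports two findings (the failed context init and the BKS store type); against the JKS variant it reports none for August 2010 and, once the clock passes 2 December 2011, only that the ldap.mydomain.org certificate has expired. The point of the example is that the certificate checks only become meaningful after the store itself opens, which is why the init failure is reported first.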
