I set up on localhost:
- a Tomcat for CAS
- a Tomcat with two simple services (successfully registered in a
persistent store using the hibernate config I found on the CAS site.)
Both Tomcats use the same JRE and both use the APR runtime library.
For the CAS Tomcat SSL is configured as follows:
    <Connector port="11143" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="200" scheme="https" secure="true"
               clientAuth="false" sslProtocol="all"
               SSLCertificateFile="${catalina.home}/tomcatcert.pem"
               SSLCertificateKeyFile="${catalina.home}/tomcatkey.pem"
               SSLPassword="******" SSLVerifyClient="none"
    />
A similar config exists for the services Tomcat.
I also created a self-signed certificate in DER-format and imported it in the
JRE cacerts file.
- Accessing a service and being rerouted to the CAS login: no problem
- Logging in with the correct credentials: successfully rerouted to
the service
- On the service index page I inserted a link to the CAS logout action
- When logging out, I end up on the CAS logout page.
- However:
o After logging out, I can still access the service (without being rerouted
to the CAS login page)
o In the logs I find the following error:
"Error Sending message to url endpoint
[https://localhost:11043/additionservice/]. Error is
[sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target"
This seems to be pointing at a certificate not being stored in the JRE's
keystore (although it is).
My question is whether CAS can be set up with the APR runtime library. Is the above
error caused by using APR?
Another question: when I want to move away from localhost and start using a
"real" URL (for example, "www.vlaamsbrabant.be/cas") where in the CAS config do
I have to replace localhost with the "real" URL?
These are the places I'm thinking of:
- In the services db
- In cas.properties: server.name=https://localhost:11143
- In classes/protocol_views.properties:
casSamlServiceSuccessView.issuer=localhost
- In spring-configuration/uniqueIdGenerators.xml: <constructor-arg
index="0" value="localhost:11143" />
Guy Thomas
Analyst-Programmer
Projects and Development Department
Provinciehuis
Provincieplein 1
3010 Leuven
Tel: 016267945
--------------------------------------------------------------------------------
No rights can be derived from this message. All messages sent to this
professional e-mail address may be read by the employer. In fulfilling our task
in the public interest, we record your relevant personal data in our files. You
may inspect and correct these in accordance with the Wet Verwerking
Persoonsgegevens (Personal Data Processing Act) of 8 December 1992.
The company number of the provincial administration is 0253.973.219
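As an added illustration (not from the original post and not part of CAS), this Java program replays the trust decision behind the logged PKIX error: it loads the truststore the running JRE would actually consult and asks its X509TrustManager whether the service's certificate is accepted, which shows at once whether the certificate was imported into the cacerts of the JRE that CAS runs on. It assumes the service certificate is available as a DER or PEM file and that the truststore uses the stock cacerts password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustCheck {
    /** Truststore the running JRE consults: javax.net.ssl.trustStore if set, else its own cacerts. */
    public static String defaultTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        return override != null ? override : System.getProperty("java.home") + "/lib/security/cacerts";
    }

    /** True if the trust manager built from the truststore accepts the server certificate (DER or PEM). */
    public static boolean serverCertTrusted(String trustStorePath, char[] storePass, String certFile) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, storePass);
        }
        X509Certificate server;
        try (InputStream in = new FileInputStream(certFile)) {
            server = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    // The same check an HTTPS client runs; a failure here carries the "PKIX path building failed" text.
                    ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] { server }, "RSA");
                    return true;
                } catch (CertificateException e) {
                    System.err.println("Rejected: " + e.getMessage());
                    return false;
                }
            }
        }
        return false;
    }

    /** Usage: java TrustCheck <server-cert-file> [truststore]; "changeit" is the stock cacerts password. */
    public static void main(String[] args) throws Exception {
        String store = args.length > 1 ? args[1] : defaultTrustStore();
        System.out.println("JRE " + System.getProperty("java.home") + ", truststore " + store);
        System.out.println("trusted = " + serverCertTrusted(store, "changeit".toCharArray(), args[0]));
    }
}
```

Run it with the JRE that starts the CAS Tomcat; if it prints a different java.home than the one whose cacerts received the import, the certificate was added to the wrong truststore.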