William,

Thanks for the idea. Yes, I am using a self-signed cert on my CAS server. CAS and Shibboleth are both running in the same Tomcat instance. The cert is in all (both) JVM cacerts files. For giggles, I also added it to idp.jks. Same result. :-(
Eric

-----Original Message-----
From: William G. Thompson, Jr. [mailto:[email protected]]
Sent: Tuesday, March 12, 2013 5:28 PM
To: [email protected]
Subject: Re: [cas-user] Shibboleth in front of CAS

CAS client will make a back-channel https call. It looks like the CAS server cert is not trusted by the IdP JVM (where the CAS client is running). Using a self-signed cert on the CAS server? Need to import that into the IdP JVM?

On Tue, Mar 12, 2013 at 4:51 PM, Stein, Eric <[email protected]> wrote:
> :-)
>
> Thanks! I went back through and realized that my handlers.xml file got
> clobbered by a rebuild. I fixed that and I got to the CAS login page as
> expected. When I authenticated, though, I got a PKIX exception. I don't see
> the exception when I log in through CAS without Shibboleth. It seems odd to
> me that the certificate can be found using just CAS, but not when going from
> Shibboleth IdP -> CAS. Is there some black magic I missed?
>
> Thanks,
> Eric
>
> Mar 12, 2013 1:42:11 PM org.jasig.cas.client.util.CommonUtils getResponseFromServer
> SEVERE: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>     at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:311)
>     at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:291)
>     at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:32)
>     at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:187)
>     at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:164)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:102)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>     at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:448)
>     at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:403)
>     at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1703)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>     at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>     at sun.security.validator.Validator.validate(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>     ... 32 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>     at java.security.cert.CertPathBuilder.build(Unknown Source)
>     ... 38 more
>
> -----Original Message-----
> From: Misagh Moayyed [mailto:[email protected]]
> Sent: Tuesday, March 12, 2013 2:05 PM
> To: [email protected]
> Subject: RE: [cas-user] Shibboleth in front of CAS
>
> Sorry, I meant turn up the logging level to DEBUG :)
>
> -Misagh
>
>
>> -----Original Message-----
>> From: Misagh Moayyed [mailto:[email protected]]
>> Sent: Tuesday, March 12, 2013 11:03 AM
>> To: [email protected]
>> Subject: RE: [cas-user] Shibboleth in front of CAS
>>
>> How many login handlers do you have enabled for shib? If you turn up
>> the IDP logging to SHIB, you can tell which handler is taking over the login
>> request. Chances are, it's not the CAS external handler because you have more
>> than one enabled in your shib config and SP isn't requesting an authN method
>> explicitly.
>>
>> -Misagh
>>
>>
>> > -----Original Message-----
>> > From: Stein, Eric [mailto:[email protected]]
>> > Sent: Tuesday, March 12, 2013 9:43 AM
>> > To: [email protected]
>> > Subject: [cas-user] Shibboleth in front of CAS
>> >
>> > I'm trying to run Shibboleth using CAS as the authentication provider.
>> > I followed these directions for setting things up:
>> > https://github.com/Unicon/shib-cas-authenticator#readme
>> > I tried running a test of Shibboleth against TestShib.org and I'm getting a
>> > FatalProfileException message. Here's an abbreviated idp-process.log
>> >
>> > 07:27:11.749 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:618] - No user identified by login handler.
>> > 07:27:11.764 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:563] - Authentication failed with the error: edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.
>> >     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.validateSuccessfulAuthentication(AuthenticationEngine.java:619) [shibboleth-identityprovider-2.3.8.jar:na]
>> >     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.completeAuthentication(AuthenticationEngine.java:537) [shibboleth-identityprovider-2.3.8.jar:na]
>> >     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.service(AuthenticationEngine.java:225) [shibboleth-identityprovider-2.3.8.jar:na]
>> >     [...]
>> >
>> >
>> > Does anybody know what might be causing this? I can provide any configuration
>> > files, but I didn't want to spam with everything and I don't know
>> > what's important.
>> >
>> > Thanks,
>> > Eric
>> >
>> > --
>> > You are currently subscribed to [email protected] as:
>> > [email protected] To unsubscribe, change settings or access
>> > archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
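Editor's note on the trace above, with an added diagnostic (this is example code written for this page, not code from the thread, from CAS or from Shibboleth). The stack trace shows the failure happening inside the CAS client's ticket validation, in HttpsURLConnection, which means the back-channel call uses the JSSE default trust manager of the JVM running the IdP webapp. Three things follow from that: a browser login "through CAS without Shibboleth" never touches the JVM trust store, so it proves nothing about it; idp.jks is the IdP's own SAML keystore and is not consulted for outbound HTTPS; and if Tomcat's startup options set -Djavax.net.ssl.trustStore, that file replaces cacerts entirely rather than being merged with it. A cert that is "in cacerts" can still fail if it was imported into a different JRE's cacerts than the one Tomcat launches, or if the cert Tomcat actually presents is not the one that was exported. The program below, run with the same java binary and the same -D options Tomcat uses, answers all of that: it records the chain the server presents, prints the trust store this JVM will really use and whether any presented cert is in it byte for byte, and finally repeats the handshake with the default trust manager. The host and port on the command line are assumptions; the password "changeit" is the JDK's shipped default for cacerts. It compiles on Java 6 and later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * TrustCheck: added diagnostic example (not from the mailing-list thread, CAS or Shibboleth).
 * Run it with the SAME java binary and the SAME -D options Tomcat starts with, e.g.
 *   java $JAVA_OPTS TrustCheck cas.example.edu 443      (host and port are assumptions)
 */
public class TrustCheck {

    /** Records the chain the server presents instead of validating it. Diagnostic only; never deploy. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] chain = new X509Certificate[0];
        public void checkClientTrusted(X509Certificate[] c, String authType) { }
        public void checkServerTrusted(X509Certificate[] c, String authType) { chain = c; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** SHA-256 fingerprint of the DER encoding, in the colon-separated form keytool and browsers print. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** The store JSSE will consult: javax.net.ssl.trustStore if set, else jssecacerts, else cacerts. */
    static String defaultTrustStorePath() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return prop;
        String dir = System.getProperty("java.home") + File.separator + "lib"
                + File.separator + "security" + File.separator;
        return new File(dir + "jssecacerts").exists() ? dir + "jssecacerts" : dir + "cacerts";
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // 1. What does the server really send? Tomcat's keystore may hold a different cert than the one exported.
        CapturingTrustManager capture = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        s.startHandshake();
        s.close();
        System.out.println("Server presented " + capture.chain.length + " certificate(s):");
        for (X509Certificate c : capture.chain) {
            System.out.println("  " + c.getSubjectX500Principal() + "  SHA-256 " + fingerprint(c));
        }

        // 2. Which trust store will THIS JVM use, and is any presented cert in it byte for byte?
        String path = defaultTrustStorePath();
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit"); // JDK default
        KeyStore ks = KeyStore.getInstance(
                System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()));
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pw.toCharArray()); } finally { in.close(); }
        System.out.println("Trust store in use: " + path + " (" + ks.size() + " entries)");
        boolean found = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            for (X509Certificate c : capture.chain) {
                if (ks.getCertificate(alias).equals(c)) { // Certificate.equals compares DER encodings
                    System.out.println("  match: alias '" + alias + "' = " + c.getSubjectX500Principal());
                    found = true;
                }
            }
        }
        if (!found) System.out.println("  no presented certificate is in this trust store");

        // 3. The authoritative answer: the default trust manager, which is what HttpsURLConnection in the CAS client uses.
        SSLSocket d = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket(host, port);
        try {
            d.startHandshake();
            System.out.println("Default trust manager: handshake OK");
        } catch (SSLHandshakeException ex) {
            System.out.println("Default trust manager: " + ex.getMessage());
        } finally {
            d.close();
        }
    }
}
```

If step 2 reports no match while step 1 shows the expected subject, the import went into a store this JVM does not read; compare the path it prints with the file that was edited, and check Tomcat's setenv.sh or service definition for a -Djavax.net.ssl.trustStore override. If the fingerprint in step 1 differs from the fingerprint of the file that was imported, re-export the cert from the keystore Tomcat's HTTPS connector actually references. A hostname mismatch produces a different exception than "PKIX path building failed", so a PKIX message points at trust, not at the CN or SAN.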
