Okay, making progress on this. I managed to get ClearPass and EhCache working
on one test box. However, now I am going back and trying to lock down
ClearPass. I added this:
<!-- Allowed proxy chains for the ClearPass validation filter. Each <value> is one
     chain; at validation time it is compared with the proxy callback URL(s) reported
     in the <cas:proxies> element of the ticket validation response. -->
<bean id="clearPassProxyList"
      class="org.jasig.cas.client.validation.ProxyList">
    <constructor-arg>
        <list>
            <value>https://server1.yc.edu</value>
            <value>https://server2.yc.edu</value>
            <value>https://server3.yc.edu</value>
        </list>
    </constructor-arg>
</bean>
I've tried placing it in deployerConfigContext.xml (as it says in the comment
in clearpass-configuration.xml) and in clearpass-configuration.xml (as it says
to do in the wiki). In either case, I get the following error message in the
log when a ClearPass application tries to access it:
2013-08-23 11:04:03,273 WARN
[org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] -
org.jasig.cas.client.validation.InvalidProxyChainTicketValidationException:
Invalid proxy chain: [https://server2.yc.edu/coa/auth?proxyResponse=true]
So, two questions:
1. Where is the clearPassProxyList bean actually supposed to be added?
deployerConfigContext.xml or clearpass-configuration.xml?
2. Is there some sort of wildcard or something that needs to be added to the
end of the list value in the bean that will allow it to accept all proxy
requests from that server? What am I missing here?
Thanks,
----------------------------------
Mark St. Laurent
Web Systems Administrator
Yavapai College
(928) 717-7654
http://www.yc.edu
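The check that produces the "Invalid proxy chain" warning quoted above, modelled in Python as an added example (this is not the Java CAS client's code and not part of the original post). The sample validation response is constructed, with the proxy callback URL taken from the log line; the client's real comparison happens inside Cas20ProxyReceivingTicketValidationFilter against the allowedProxyChains / ProxyList configuration. The "^"-prefixed regex convention is the one documented for allowedProxyChains in the Java CAS client; whether a given client version honours it is an assumption to verify before relying on it.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Sequence

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of a CAS 2.0 /proxyValidate response for a ticket that
# was proxied through server2.yc.edu. The <cas:proxy> value is the proxy
# callback (pgtUrl) that the proxying application registered, which is what
# appears in the "Invalid proxy chain: [...]" log line.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>someuser</cas:user>
    <cas:proxies>
      <cas:proxy>https://server2.yc.edu/coa/auth?proxyResponse=true</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def proxy_chain_from_response(xml_text: str) -> List[str]:
    """Return the <cas:proxy> values in document order (most recent proxy first,
    as the CAS protocol lists them). Empty list for a plain, unproxied ticket."""
    root = ET.fromstring(xml_text)
    return [p.text.strip() for p in root.findall(".//cas:proxies/cas:proxy", CAS_NS)]


def entry_matches(allowed: str, actual: str) -> bool:
    """One configured entry against one proxy URL from the response.
    An entry is compared literally unless it starts with '^', in which case it
    is treated as a regular expression that must match the whole URL
    (assumed convention; see lead-in)."""
    if allowed.startswith("^"):
        return re.fullmatch(allowed, actual) is not None
    return allowed == actual


def chain_allowed(allowed_chains: Sequence[Sequence[str]], actual: Sequence[str]) -> bool:
    """True if some configured chain has the same length as the actual chain and
    every position matches. A host-only entry such as https://server2.yc.edu is
    never equal to a full callback URL, so it can only ever fail this test."""
    return any(
        len(chain) == len(actual)
        and all(entry_matches(a, b) for a, b in zip(chain, actual))
        for chain in allowed_chains
    )


def validate(xml_text: str, allowed_chains: Sequence[Sequence[str]]) -> str:
    """Mimic the filter's decision: 'ok', or the warning text it would log."""
    chain = proxy_chain_from_response(xml_text)
    if not chain or chain_allowed(allowed_chains, chain):
        return "ok"
    return "Invalid proxy chain: " + str(chain)


# The three entries from the posted bean, host only: all rejected.
HOST_ONLY = [["https://server1.yc.edu"], ["https://server2.yc.edu"], ["https://server3.yc.edu"]]

# The full callback URL from the log line: accepted.
FULL_URL = [["https://server2.yc.edu/coa/auth?proxyResponse=true"]]

# A '^'-anchored pattern covering any callback under that host: accepted
# (assuming the client version supports regex entries).
PATTERN = [[r"^https://server2\.yc\.edu/.*"]]

if __name__ == "__main__":
    for name, chains in (("host-only", HOST_ONLY), ("full URL", FULL_URL), ("pattern", PATTERN)):
        print(f"{name:9s}: {validate(SAMPLE_RESPONSE, chains)}")
```

The matching is per-position and length-sensitive, so a chain that passes through two proxies needs a two-entry line (most recent proxy first), and a pattern should be anchored to the scheme and host rather than left open-ended, or the list stops being a restriction at all.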
-----Original Message-----
From: St Laurent, Mark
Sent: Tuesday, August 20, 2013 8:11 AM
To: [email protected]
Subject: RE: [cas-user] ClearPass on 3.5.2
I started with the ClearPass filter locked down, but in the course of
troubleshooting I have it set to accept any proxy. Same with the services,
started locked down, now running in open mode. No dice.
----------------------------------
Mark St. Laurent
Web Systems Administrator
Yavapai College
(928) 717-7654
http://www.yc.edu
-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: Tuesday, August 20, 2013 4:34 AM
To: [email protected]
Subject: Re: [cas-user] ClearPass on 3.5.2
> Which file(s)? I don't even know if it is in a file or not. From the full
> cas.log entry it looks like it doesn't like the XML response it's getting
> from ClearPass:
Ah, I see.
> I noticed this as well: When I try to authenticate from a ClearPass app, I
> get a 403 error in the web browser with this URL:
>
> [HttpException (0x80004005): Error getting response from clearPass at
> URL:
> https://cas3.yc.edu/clearPass?ticket=ST-2-9c0fY6oKlCddkLw0V9yH-cas3.yc
> .edu&service=https://cas3.yc.edu/clearPass. The remote server returned
> an error: (403) Forbidden.]
>
> ClearPass is calling ClearPass? That doesn't look right.
Indeed. My hunch is that you've got a servlet configuration problem where the
/clearPass URI is not wired up correctly. Perhaps it's protected by the CAS
client filter; that would explain the service parameter in the URL above and it
would also explain why you're not getting a valid XML payload. I bet if you dump
the XML message you get back it's an HTML error page for a 403 or similar.
Maybe someone with more ClearPass experience can jump in here with other ideas
or a more specific suggestion.
M
--
You are currently subscribed to [email protected] as:
[email protected] To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user