Phil,

Don't worry about the hostname if you're using the IP address for now. 
Eventually you will want to set it up, and make sure that the server 
resolves it to the same address as the user agents.

The access_log won't give you diagnostic information, you'll need to find it 
in error_log. If you don't see anything in there, you'll need to increase 
the logging level, or preferably tell phpCAS to write its own debug log: per 
the wiki [1]:

phpCAS::setDebug($filename);

If you currently have just the self-signed certificate for Tomcat, you'll 
only need to export it:

keytool -export -alias tomcat -file selfsigned.crt -keystore keystore.jks

And then place it in the trusted certificates store in your app server; most 
likely you just need to copy it to /etc/pki/tls/certs/ on your phpCAS client 
server. As for your wildcard, you can create a new keystore from your PKCS12 
file for use with Tomcat:

keytool -importkeystore -srcstoretype PKCS12 -srckeystore wildcard.p12 \
    -srcstorepass verysecret -srckeypass verysecret \
    -deststoretype JKS -destkeystore wildcard.jks \
    -deststorepass verysecret -destkeypass verysecret -destalias tomcat

Best regards,
-- 
Carlos.

[1] https://wiki.jasig.org/display/CASC/phpCAS+troubleshooting
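
Added example (not part of the original message and not phpCAS code): a small Python check, run from the phpCAS client host, that tells apart the failure points discussed in this thread: name resolution, TCP connectivity, certificate trust, and a certificate that does not cover the host name or IP address used. It also converts the exported certificate to PEM, since keytool -export writes binary DER unless -rfc is given; the function names and result labels are this example's own.

```python
import socket
import ssl
import sys

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"
# OpenSSL X509_V_ERR_HOSTNAME_MISMATCH (62) and X509_V_ERR_IP_ADDRESS_MISMATCH (64)
NAME_MISMATCH_CODES = {62, 64}


def to_pem(cert_bytes):
    """Return the certificate as PEM text, converting from DER if needed."""
    if PEM_MARKER in cert_bytes:
        return cert_bytes.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(cert_bytes)


def classify(exc):
    """Map a connection error to the check that failed."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        if getattr(exc, "verify_code", None) in NAME_MISMATCH_CODES:
            return "name-mismatch"  # cert does not cover the host/IP used
        return "untrusted"          # cert is not in the supplied trust store
    if isinstance(exc, ssl.SSLError):
        return "tls-error"          # handshake failed for another reason
    if isinstance(exc, socket.gaierror):
        return "resolve"            # client cannot resolve the CAS host name
    if isinstance(exc, OSError):
        return "connect"            # refused, filtered or timed out
    raise exc


def check_cas_trust(host, port, ca_pem, timeout=5):
    """Attempt the TLS handshake a CAS client needs for ticket validation."""
    # Passing cadata means only ca_pem is trusted, not the system store.
    ctx = ssl.create_default_context(cadata=ca_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    # e.g. python3 cas_trust_check.py selfsigned.crt 10.30.3.105 8443
    # (script name is hypothetical; file and address are those in the thread)
    cert_file, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(cert_file, "rb") as fh:
        print(check_cas_trust(host, port, to_pem(fh.read())))
```

A "name-mismatch" result when connecting by IP address means the certificate only names the host, which is the reason to set up the hostname eventually.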

-----Original Message-----
From: Romov, Phil [mailto:[email protected]]
Sent: Thursday, 07 May, 2015 17:12
To: [email protected]
Subject: Re: [cas-user] authentication failed using phpCAS and CI even 
though CAS is creating service tickets

Carlos,

I'm going to have to find out the hostname, all this time I've been using 
the IP directly.  Is the hostname absolutely necessary?

Also I checked apache error_logs on the CI side, no errors there… (access 
logs look like this, dunno if this tells me anything (except that the pause 
is 60 seconds and not 30 lol)
10.6.1.22 - - [07/May/2015:20:58:04 +0000] "GET / HTTP/1.1" 302 277 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"
10.6.1.22 - - [07/May/2015:20:58:04 +0000] "GET /?ticket=ST-7-9mPn49KGjOJKKTJ2wZiP-cas.bigdev HTTP/1.1" 200 1710 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"
10.6.1.22 - - [07/May/2015:20:59:07 +0000] "GET /js/jquery.datatables.min.js HTTP/1.1" 200 26653 "https://10.24.71.107/?ticket=ST-7-9mPn49KGjOJKKTJ2wZiP-cas.bigdev" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"
10.6.1.22 - - [07/May/2015:20:59:07 +0000] "GET /js/ciapp.js HTTP/1.1" 200 402 "https://10.24.71.107/?ticket=ST-7-9mPn49KGjOJKKTJ2wZiP-cas.bigdev" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"
10.6.1.22 - - [07/May/2015:20:59:07 +0000] "GET /css/ciapp.css HTTP/1.1" 304 - "https://10.24.71.107/?ticket=ST-7-9mPn49KGjOJKKTJ2wZiP-cas.bigdev" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"
)




I do still have a self-signed certificate (tried to get our wildcard cert 
working, but had difficulty getting tomcat playing nice with the p12 file, 
so put that on hold for now) - I'm going to look into adding that to the 
trusted store on 10.24. (is it on apache side, or os side? Any hints are 
appreciated, I'll be googling this stuff in the meanwhile)


Thanks,

Phil Romov
Senior Developer, Information Technology HFA
40 Wall St, 6th Floor
New York, NY 10005-1344
Ph: 212-922-3288
[email protected]


On 5/7/15, 4:48 PM, "Carlos M. Fernández" <[email protected]> wrote:

>Hi, Phil,
>
>Check that the CI app can resolve the CAS server's hostname, that it
>can connect to the CAS server, and that it trusts the CAS server's
>certificate. If you still have a self-signed certificate, you will need
>to add that to the trusted certificate store in the CI app's host. The
>error logs from the web server running the CI app should contain a hint
>of the actual cause.
>
>Best regards,
>--
>Carlos.
>
>-----Original Message-----
>From: Romov, Phil [mailto:[email protected]]
>Sent: Thursday, 07 May, 2015 16:41
>To: [email protected]
>Subject: [cas-user] authentication failed using phpCAS and CI even
>though CAS is creating service tickets
>
>Hi all,
>I'm working with CAS for the first time, I've got cas itself working
>and authenticating against our user store, so I can go through the
>web app and login there and it succeeds
>
>Now I'm trying to get my code igniter web app to use CAS.  I've started
>with this example:
>https://github.com/eliasdorneles/code-igniter-cas-library
>
>When I run it, on the cas side in cas.log I'm seeing stuff like
>(10.24.71.107 is my CI app, and 10.30.3.105 is the working cas web app)
>
>2015-05-07 20:32:11,390 INFO
>[org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service
>ticket [ST-5-15WSI4vQZVjP62A2hqFO-cas.bigdev] for service
>[https://10.24.71.107/auth] for user [[email protected]]
>
>2015-05-07 20:32:11,390 INFO
>[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
>Audit trail record BEGIN
>
>=============================================================
>
>WHO: [email protected]
>
>WHAT: ST-5-15WSI4vQZVjP62A2hqFO-cas.bigdev for
>https://10.24.71.107/auth
>
>ACTION: SERVICE_TICKET_CREATED
>
>APPLICATION: CAS
>
>WHEN: Thu May 07 20:32:11 UTC 2015
>
>CLIENT IP ADDRESS: 10.6.1.22
>
>SERVER IP ADDRESS: 10.30.3.105
>
>=============================================================
>
>However, on my CI app (after waiting 30 seconds or so) I get back:
>CAS Authentication failed!
>
>You were not authenticated.
>
>You may submit your request again by clicking
>here<https://10.24.71.107/auth>.
>
>If the problem persists, you may contact the administrator of this
>site<mailto:[no%20address%20given]>.
>
>________________________________
>phpCAS 1.3.3 using server
>https://10.30.3.105:8443/cas-server-webapp-4.0.0/ (CAS 2.0)
>
>Please let me know if there is something obvious I am missing, or where
>I can start looking for clues if not cas.log
>
>Thanks,
>Phil
>
>--
>You are currently subscribed to [email protected] as:
>[email protected] To unsubscribe, change settings or access archives,
>see http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>