Andy,

Actually I have figured out the certificate issue.

Thanks. I have noticed each CAS session creates two tickets. One is on Tomcat on the CAS server; that one gets destroyed. There is another in /tmp/cas on the Apache server, which is a different box with mod_auth_cas. That Apache session file / ticket does not go away unless you manually delete it. However, reading the docs, it appears the ticket service is working as advertised.

Our client is asking for a way to delete the ticket in /tmp/cas as well. That is my issue ultimately. I thought it was because of the certificate error that it could not redirect the logout back to the web server. However, fixing my cert error did not completely fix my problem. There must be another function to delete that session in /tmp/cas, but I cannot figure out what it is in the docs. Maybe it is SLO,

-----Original Message-----
From: Andrew Morgan [mailto:[email protected]]
Sent: Saturday, October 03, 2015 12:31 PM
To: [email protected]
Subject: RE: [cas-user] cas 3.5.2 catalina logs

This error message:

  Error is [sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

means that your Java keystore does not contain the root CA certificate for the host dcis.hhs.gov. The Java keystore is typically in ${JAVA_HOME}/jre/lib/security/cacerts. You can use keytool to list the certificates in it:

  ${JAVA_HOME}/bin/keytool -list -keystore ${JAVA_HOME}/jre/lib/security/cacerts -storepass changeit

Look for your root CA certificate in there. My Oracle Java7 keystore has your root CA:

  digicerthighassuranceevrootca, Apr 16, 2008, trustedCertEntry,
  Certificate fingerprint (SHA1): 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25

Does yours?

If the CAS server cannot contact the CAS clients, then SLO will not be performed.
Andy

On Fri, 2 Oct 2015, Chris Cheltenham wrote:

> I thank you for your help Misagh,
>
> However, what we have is that the SLO is not able to reach the web server
> Apache session in /tmp/cas using mod_auth_cas.
> I don't understand why it is saying the certificate for Apache is not valid.
> I have imported the CAS cert, same as the one in the Tomcat server.xml, into the
> cacerts file.
>
> The effect is that the user session is still active until the Apache /tmp/cas
> session is removed.
> Unless the user completely closes the browser, the session is still open.
>
> We have a requirement that the user has to authenticate whenever they log out,
> and it is not working unless you close the browser.
>
> Does anyone know a way to fix that?
>
> If the answer is turning SLO off, I do not see where you do that in this file:
>
> /cas/cas-server-3.5.2.1/cas-server-core/src/main/java/org/jasig/cas/ticket/registry/support/DefaultTicketRegistryCleaner.java
>
> From: Misagh Moayyed [mailto:[email protected]]
> Sent: Wednesday, September 30, 2015 1:53 AM
> To: [email protected]
> Subject: RE: [cas-user] cas 3.5.2 catalina logs
>
> You have an app at https://dcis.hhs.gov/main.php whose certificate is
> considered invalid, and your CAS has SLO turned on, and CAS is trying to send
> SLO notifications to the app, and it fails.
>
> Reference:
> http://jasig.github.io/cas/4.1.x/installation/Troubleshooting-Guide.html#pkix-path-building-failed
>
> From: Chris Cheltenham [mailto:[email protected]]
> Sent: Tuesday, September 29, 2015 4:56 PM
> To: [email protected]
> Subject: [cas-user] cas 3.5.2 catalina logs
>
> Hello,
>
> I see this in my tomcat6 logs.
>
> Does anyone know why something is trying to write back to main.php, which does
> not live on this server?
>
> 2015-09-29 19:53:21,363 WARN [org.jasig.cas.util.HttpClient] - <Error Sending
> message to url endpoint [https://dcis.hhs.gov/main.php]. Error is
> [sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target]>
>
> root@acquisitions-reports1:/var/log/tomcat6
>
> Thank You;
>
> Chris Cheltenham
> [email protected]
> SwainTechs
> 10 Walnut Grove Rd
> Suite 110
> Horsham, PA
> 19044
>
> 888-905-5767 / X407
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
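The diagnosis in Andrew's reply above is that the CAS server's HttpClient cannot build a path from the SLO endpoint's certificate to a root in the server JVM's trust store, so the logout request to the mod_auth_cas host is never delivered. The Go program below is an added example, not code from this thread or from the CAS or mod_auth_cas projects: it generates a throwaway root CA and a server certificate for the host name taken from the log line (the certificates and CA name are constructed test data), then verifies that leaf against an empty trust store, where it fails with Go's equivalent of "unable to find valid certification path", and against a store that contains the root, which is the in-process analogue of importing the CA into cacerts with keytool. It also prints the root's SHA1 fingerprint in the colon-separated form keytool -list shows, so the value served by the application host can be compared with the keystore listing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TestChain is a constructed root CA plus a server certificate it issued.
// It stands in for the CA chain behind the mod_auth_cas host's TLS certificate;
// nothing here is a real certificate.
type TestChain struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// BuildChain generates a throwaway root CA and a server certificate for host.
func BuildChain(host string) (*TestChain, error) {
	now := time.Now()
	issue := func(tmpl, parent *x509.Certificate, pub, signer any) (*x509.Certificate, error) {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, root, &leafKey.PublicKey, rootKey) // signed by the root
	if err != nil {
		return nil, err
	}
	return &TestChain{Root: root, Leaf: leaf}, nil
}

// NewStore builds a trust store from the given roots. NewStore() with no
// arguments plays the part of a cacerts keystore that lacks the needed CA.
func NewStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// VerifyAgainstStore does what the CAS server's HTTP client must do before it
// can deliver an SLO request: build a path from the endpoint's certificate to
// a trusted root and check the host name. It returns nil on success.
func VerifyAgainstStore(leaf *x509.Certificate, store *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     store,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is Go's counterpart of Java's
// "unable to find valid certification path to requested target".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// SHA1Fingerprint formats a certificate fingerprint the way keytool -list
// prints it (colon-separated upper-case hex).
func SHA1Fingerprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

func main() {
	const host = "dcis.hhs.gov" // name reused from the log line; the certificate is constructed
	chain, err := BuildChain(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("root CA fingerprint (SHA1):", SHA1Fingerprint(chain.Root))
	err = VerifyAgainstStore(chain.Leaf, NewStore(), host)
	fmt.Printf("without root in store: %v (unknown authority: %v)\n", err, IsUnknownAuthority(err))
	fmt.Printf("with root in store: %v\n", VerifyAgainstStore(chain.Leaf, NewStore(chain.Root), host))
}
```

The check runs on the CAS server side, so the certificate that has to be trusted is the CA behind the application host's TLS certificate, in the CAS server JVM's keystore; trusting the root is also not enough on its own, since a host name that does not match the certificate still fails verification.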
