Thank you Petro for your reply and for clarifying my doubts. And yes, I think this information must be on the page http://www.ja-sig.org/wiki/display/CAS/Solving+SSL+issues

Thanks again

>From: "Andrew Petro" <[EMAIL PROTECTED]>
>Reply-To: Yale CAS mailing list <[email protected]>
>To: "'Yale CAS mailing list'" <[email protected]>
>Subject: RE: SSL :Certificates to JVM keystore?
>Date: Sat, 23 Sep 2006 19:39:24 -0700
>
>Hello,
>
>CAS is an authentication mechanism wherein the Central Authentication Service server serves as the "trusted intermediary" brokering authentication between participants. Participants need not trust one another so long as they all trust the CAS server.
>
>End users and their web browsers must trust the CAS server (otherwise the user shouldn't feel comfortable typing in her password!) They must also trust the channel of communication between one another. The standard way for securing the channel between browser and website is SSL. So it is obligatory that your CAS server be accessed by the end user over SSL.
>
>The "client application", the non-CAS web application that the user's really trying to authenticate to, must also trust the CAS server (otherwise it shouldn't care who the CAS server says the user is). And it must trust the channel whereby it communicates with the CAS server. The standard way for securing the channel over which web requests are fulfilled (and CAS services are really lightweight XML over HTTP "web services") is SSL. So it is obligatory that your CAS server offer the ticket validation services over SSL.
>
>SSL is a public key encryption technology. If you pay a good chunk of money for a "real" commercial SSL certificate, then it will be signed by a certifying authority that "everyone" trusts implicitly and it just works. For your real production CAS server it makes a lot of sense to throw money at this problem and buy such an SSL certificate, with the resulting improved user factors both for end users and applications using CAS.
>
>For smaller CAS deployments and certainly in development it makes a lot of sense to use a "self-signed" certificate. Since self-signed SSL certificates are essentially just made up on the fly, it is necessary to distribute the corresponding public key. Your self-signed SSL cert is only meaningful to me inasmuch as I have by a secure mechanism already received the corresponding public key.
>
>For Java web applications, installing that public key into the JVM keystore of the client application will result in the Java CAS client in the client application being able to verify the security of the channel (SSL) between it and the CAS server and so it will be able to validate service tickets.
>
>That was a long way of saying "Yes, it is necessary to import the public key portion of the SSL certificate into the JVM keystore of any client Java web applications using your CAS server, unless your SSL certificate is implicitly trusted by virtue of its being expensive."
>
>And of course, whether you have a self-signed certificate or a commercial certificate, you will need to install it into your Tomcat keystore for your CAS server so that it can offer the CAS web application over SSL, if Tomcat is going to be your SSL endpoint. (Apache, or some expensive hardware box in front of your CAS server, might instead be your SSL endpoint for your CAS server.)
>
>Does this help any?
>
>Would it help if something very much like the above were pasted atop the CAS documentation page on SSL considerations?
>
>http://www.ja-sig.org/wiki/display/CAS/Solving+SSL+issues
>
>Andrew
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of kike velez
>> Sent: Saturday, September 23, 2006 3:50 PM
>> To: [email protected]
>> Subject: SSL :Certificates to JVM keystore?
>>
>> Hello
>>
>> I looked for this question in the archive but I don't have this issue cleared up.
>>
>> Is it obligatory to import the SSL certificates into the JVM keystore? If the answer is yes, why?
>>
>> I looked in the Tomcat documentation and I don't see anything about it.
>>
>> Thanks in advance
>>
>_______________________________________________
>Yale CAS mailing list
>[email protected]
>http://tp.its.yale.edu/mailman/listinfo/cas
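The procedure Andrew describes (a self-signed certificate in the Tomcat keystore on the CAS server, and only its public certificate imported into the client JVM's truststore) as an added example, not code from the thread, from the CAS project or from the wiki page. It assumes the JDK's keytool is on PATH; the hostname cas.example.test, the aliases tomcat and cas-dev, the file names and the password changeit are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the CAS project).
# Walks through the keystore handling described above with the JDK's keytool:
# a self-signed server key pair for Tomcat, the exported public certificate,
# and a separate client JVM truststore that trusts it.
# Assumptions (constructed for this example): CN cas.example.test, aliases
# "tomcat" and "cas-dev", password "changeit", all files under the directory
# passed as $1.
set -u

STOREPASS=changeit

# 1. Tomcat side: generate the self-signed key pair the SSL connector will use.
#    The SAN extension is what modern Java clients match the hostname against.
make_server_keystore() {
    dir=$1
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=cas.example.test, OU=Dev, O=Example, C=US" \
        -ext "SAN=dns:cas.example.test" \
        -storetype PKCS12 -keystore "$dir/server.p12" -storepass "$STOREPASS" \
        >/dev/null 2>&1
}

# 2. Export only the public certificate (PEM). The private key stays in
#    server.p12; it is never handed to client applications.
export_server_cert() {
    dir=$1
    keytool -exportcert -alias tomcat -rfc -file "$dir/cas-dev.crt" \
        -storetype PKCS12 -keystore "$dir/server.p12" -storepass "$STOREPASS" \
        >/dev/null 2>&1
}

# 3. Client side: import that certificate into the truststore the client JVM
#    will use. To use the JVM's default truststore instead, point -keystore at
#    $JAVA_HOME/lib/security/cacerts (Java 9+) or
#    $JAVA_HOME/jre/lib/security/cacerts (Java 8); its default password is changeit.
import_into_client_truststore() {
    dir=$1
    keytool -importcert -noprompt -alias cas-dev -file "$dir/cas-dev.crt" \
        -storetype PKCS12 -keystore "$dir/client-truststore.p12" \
        -storepass "$STOREPASS" >/dev/null 2>&1
}

# 4. Check: the alias must be a trustedCertEntry (a trust anchor), not a
#    PrivateKeyEntry, which would mean the server's private key was copied.
client_trusts_cas() {
    dir=$1
    keytool -list -alias cas-dev -storetype PKCS12 \
        -keystore "$dir/client-truststore.p12" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q trustedCertEntry
}

# Runs the four steps in one directory; returns 0 only if the client truststore
# ends up holding the CAS server certificate as a trust anchor.
run_demo() {
    dir=$1
    make_server_keystore "$dir" && export_server_cert "$dir" \
        && import_into_client_truststore "$dir" && client_trusts_cas "$dir"
}

# Usage: run_demo "$(mktemp -d)"
# Then start the client web application's JVM with:
#   -Djavax.net.ssl.trustStore=/path/to/client-truststore.p12 \
#   -Djavax.net.ssl.trustStorePassword=changeit \
#   -Djavax.net.ssl.trustStoreType=PKCS12
```

Two points the commands make concrete: the client only ever receives cas-dev.crt, so distributing it by hand to each client application is the "secure mechanism" Andrew refers to, and the entry type in step 4 is the quick way to confirm nothing more than the public certificate crossed over. With a commercially signed certificate the same import would be of the issuing CA's certificate, which is normally already present in cacerts, which is why that case "just works".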
