Hi again,

I'm pretty sure the problem is caused by 'webserver1' not being in the
keystore, because it works fine if the web application is on the same server
as the authentication server.  In my keystore on the authentication server I
have a key entry for the authentication server with alias 'tomcat'.  I was
going to try adding another key for webserver1, but can I just call it
'webserver1' and add it into my store?

Thanks,

Mike

On 2/28/07, Mike Crawford <[EMAIL PROTECTED]> wrote:

Hi Scott,

I think this is the problem (from the tomcat log):

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Here is the full paste with the servers and webapp name changed:

SEVERE: Servlet.service() for servlet default threw exception
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://authenticationserver.com/cas/serviceValidate] ticket=[ST-2-RN7yyvC4XXMKUEED6VOlfsnT40SOzMu7o42-20] service=[http%3A%2F%2Fwebserver1.com%3A8080%2Fmywebapp%2F] renew=false]]]
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1056)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1040)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:981)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
    ... 16 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
    ... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 36 more



Thanks,

Mike
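
A triage of the trace in the message above, as an added example that is not part of the thread or of the CAS client: it rejoins mail-wrapped trace lines, walks the "Caused by" chain, and reports which JVM role rejected which host's certificate chain. The names unwrap and triage are hypothetical, and SAMPLE is constructed from a few records of that trace, wrapped the way a mail client wraps them.

```python
import re
from urllib.parse import urlparse

JDK = ("java.", "javax.", "sun.", "com.sun.")
NEW_RECORD = re.compile(r"\s+at\b|Caused by:|SEVERE:|\s+\.\.\. ")

# Constructed sample: a few records from the thread's trace, mail line wraps kept.
SAMPLE = """\
edu.yale.its.tp.cas.client.CASAuthenticationException : Unable to validate
casValidateUrl=[https://authenticationserver.com/cas/serviceValidate]
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(
ClientHandshaker.java:975)
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(
ServiceTicketValidator.java:212)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(
SunCertPathBuilder.java :174)
"""

def unwrap(text):
    """Rejoin records that the mail client wrapped across lines."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if NEW_RECORD.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    # wrapped frames pick up stray spaces ("Foo.java :174"): drop them
    return ["at " + re.sub(r"\s+", "", r[2:]) if re.match(r"at(\s|$)", r) else r
            for r in records]

def triage(text):
    """Report which TLS role failed and whose certificate chain was rejected."""
    records = unwrap(text)
    causes = [i for i, r in enumerate(records) if r.startswith("Caused by:")]
    root = records[causes[-1]] if causes else records[0]
    # first non-JDK frame under the first cause: the code that opened the connection
    caller = next((r[3:].split("(")[0] for r in records[(causes[0] if causes else 0):]
                   if r.startswith("at ") and not r[3:].startswith(JDK)), None)
    url = re.search(r"casValidateUrl=\[(https?://[^\]]+)\]", " ".join(records))
    return {
        "root_exception": root.replace("Caused by: ", "", 1).split(":")[0],
        "untrusted_chain": "unable to find valid certification path" in root,
        "this_jvm_is_tls_client": any(".ClientHandshaker." in r for r in records),
        "peer_host": urlparse(url.group(1)).hostname if url else None,
        "outbound_caller": caller,
    }
```

On the sample, the result says the JVM that logged the trace was acting as the TLS client when ServiceTicketValidator.validate called the validate URL, and that it could not build a trusted path for the chain presented by authenticationserver.com.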

On 2/28/07, Scott Battaglia <[EMAIL PROTECTED]> wrote:
>
> Mike,
>
> Are there any other messages in the log file?  Exceptions, etc.?
>
> Thanks
> -Scott
>
> On 2/26/07, Mike Crawford < [EMAIL PROTECTED]> wrote:
>
> > Hi,
> >
> > I am trying to run a web server on one machine which redirects to a
> > CAS server running on another machine.  When I try to
> > change the client.filter.serverName to redirect back to the web server
> > I get an 'Unable to validate ProxyTicketValidator' message.  Does this have
> > something to do with proxyList?
> >
> > I've pasted an excerpt from client.filter.CASFilter with what I'm
> > trying to achieve.  Ultimately there will be many web servers pointing to
> > the same authentication server.
> >
> > Thanks for your help,
> >
> > Mike Crawford
> >
> > <init-param>
> >     <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
> >     <param-value>https://authenticationserver.com/cas/login</param-value>
> > </init-param>
> > <init-param>
> >     <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
> >     <param-value>https://authenticationserver.com/cas/serviceValidate</param-value>
> > </init-param>
> > <init-param>
> >     <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
> >     <param-value>webserver1.com:8080</param-value>
> > </init-param>
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas