Mike, Its definitely a keystore issue. This may be able to help you: http://www.ja-sig.org/products/cas/server/ssl/index.html
-Scott On 2/28/07, Mike Crawford <[EMAIL PROTECTED]> wrote:
Hi again, I'm pretty sure the problem is caused by 'webserver1' not being in the keystore, because it works fine if the web application is on the same server as the authentication server. In my keystore on the authentication server I have a key entry for the authentication server with alias 'tomcat'. I was going to try adding another key for webserver1, but can I just call it 'webserver1' and add it into my store? Thanks, Mike On 2/28/07, Mike Crawford <[EMAIL PROTECTED]> wrote: > > Hi Scott, > > I think this is the problem (from the tomcat log): Caused by: > javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException : unable to > find valid certification path to requested target > > Here is the full paste with the servers and webapp name changed: > > SEVERE: Servlet.service() for servlet default threw exception > edu.yale.its.tp.cas.client.CASAuthenticationException : Unable to > validate ProxyTicketValidator [[ > edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [ > edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://authenticationserver.com/cas/serviceValidate] > ticket=[ST-2-RN7yyvC4XXMKUEED6VOlfsnT40SOzMu7o42-20] > service=[http%3A%2F%2Fwebserver1.com%3A8080%2Fmywebapp%2F] renew=false]]] > at edu.yale.its.tp.cas.client.CASReceipt.getReceipt (CASReceipt.java > :52) > at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser( > CASFilter.java:455) > at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter( > CASFilter.java:378) > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( > ApplicationFilterChain.java:202) > at org.apache.catalina.core.ApplicationFilterChain.doFilter( > ApplicationFilterChain.java:173) > at org.apache.catalina.core.StandardWrapperValve.invoke( > StandardWrapperValve.java :213) > at org.apache.catalina.core.StandardContextValve.invoke( > StandardContextValve.java:178) > at org.apache.catalina.core.StandardHostValve.invoke( > StandardHostValve.java:126) > at org.apache.catalina.valves.ErrorReportValve.invoke ( > ErrorReportValve.java:105) > at org.apache.catalina.core.StandardEngineValve.invoke( > StandardEngineValve.java:107) > at org.apache.catalina.connector.CoyoteAdapter.service( > CoyoteAdapter.java:148) > at org.apache.coyote.http11.Http11Processor.process ( > Http11Processor.java:869) > at > org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection > (Http11BaseProtocol.java:664) > at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket( > PoolTcpEndpoint.java :527) > at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt( > LeaderFollowerWorkerThread.java:80) > at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run( > ThreadPool.java:684) > at java.lang.Thread.run (Thread.java:619) > Caused by: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to > find valid certification path to requested target > at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java > :174) > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal( > SSLSocketImpl.java:1520) > at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE (Handshaker.java > :182) > at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java > :176) > at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate( > ClientHandshaker.java:975) > at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage ( > ClientHandshaker.java:123) > at com.sun.net.ssl.internal.ssl.Handshaker.processLoop( > Handshaker.java:511) > at com.sun.net.ssl.internal.ssl.Handshaker.process_record( > Handshaker.java:449) > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord ( > SSLSocketImpl.java:817) > at > com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake( > SSLSocketImpl.java:1029) > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake( > SSLSocketImpl.java:1056) > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake( > SSLSocketImpl.java:1040) > at sun.net.www.protocol.https.HttpsClient.afterConnect( > HttpsClient.java:405) > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect ( > AbstractDelegateHttpsURLConnection.java:170) > at sun.net.www.protocol.http.HttpURLConnection.getInputStream( > HttpURLConnection.java:981) > at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream( > HttpsURLConnectionImpl.java :234) > at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84) > at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate( > ServiceTicketValidator.java:212) > at edu.yale.its.tp.cas.client.CASReceipt.getReceipt (CASReceipt.java > :50) > ... 16 more > Caused by: sun.security.validator.ValidatorException: PKIX path building > failed: sun.security.provider.certpath.SunCertPathBuilderException: > unable to find valid certification path to requested target > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java > :285) > at sun.security.validator.PKIXValidator.engineValidate( > PKIXValidator.java:191) > at sun.security.validator.Validator.validate(Validator.java :218) > at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate( > X509TrustManagerImpl.java:126) > at > com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted( > X509TrustManagerImpl.java:209) > at > com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted( > X509TrustManagerImpl.java:249) > at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate( > ClientHandshaker.java:954) > ... 30 more > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: > unable to find valid certification path to requested target > at sun.security.provider.certpath.SunCertPathBuilder.engineBuild( > SunCertPathBuilder.java :174) > at java.security.cert.CertPathBuilder.build(CertPathBuilder.java > :238) > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java > :280) > ... 36 more > > > > Thanks, > > Mike > > On 2/28/07, Scott Battaglia <[EMAIL PROTECTED] > wrote: > > > > Mike, > > > > Is there any other messages in the log file? Exceptions, etc.? > > > > Thanks > > -Scott > > > > On 2/26/07, Mike Crawford < [EMAIL PROTECTED]> wrote: > > > > > Hi, > > > > > > I am trying to run a web server on one machine which redirects to a > > > CAS server running on another machine. When I try to > > > change the client.filter.serverName to redirect back to the web > > > server I get a 'Unable to validate ProxyTicketValidator' message. Does this > > > have something to do with proxyList? > > > > > > I've pasted an excerpt from client.filter.CASFilter with what I'm > > > trying to achieve. Ultimately there will be many web servers pointing to > > > the same authentication server. > > > > > > Thanks for your help, > > > > > > Mike Crawford > > > > > > <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name> > > > <param-value>https://authenticationserver.com/cas/login > > > </param-value> > > > </init-param> > > > <init-param> > > > <param-name> > > > edu.yale.its.tp.cas.client.filter.validateUrl</param-name> > > > <param-value> > > > https://authenticationserver.com/cas/serviceValidate</param-value> > > > </init-param> > > > <init-param> > > > <param-name> > > > edu.yale.its.tp.cas.client.filter.serverName</param-name> > > > <param-value>webserver1.com:8080 </param-value> > > > </init-param> > > > _______________________________________________ > > > Yale CAS mailing list > > > [email protected] > > > http://tp.its.yale.edu/mailman/listinfo/cas > > > > > > > > > > _______________________________________________ > > Yale CAS mailing list > > [email protected] > > http://tp.its.yale.edu/mailman/listinfo/cas > > > > > _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
