Hi Scott, I appreciate the help.

I'm testing CAS on multiple servers and I'm sure I've got my JVM paths correct. I have looked over the SSL help a few times. I will paste exactly how I set up the keys. Names are changed or <removed>; these are the exact steps I took. It must be something simple like the :8080 in my filter, or I need to give one of them a different name. I'm stumped.

$ cd /jre/lib/security
$ keytool -storepasswd -new passwd -storepass changeit -keystore cacerts
$ keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -dname "cn=authenticationserver.com, ou=<removed>, o=<removed>, l=<removed>, st=<removed>, c=<removed>" -keypass passwd -keystore /usr0/mykeystore.jks -storepass passwd -validity 365
$ keytool -list -v -keystore /usr0/mykeystore.jks -storepass passwd
(one 'tomcat' key in the keystore)
$ keytool -export -alias tomcat -keystore /usr0/mykeystore.jks -keypass passwd -file server.crt
(now give file permissions to server.crt & mykeystore)
$ keytool -import -file server.crt -alias tomcat -keypass passwd -keystore cacerts
(now if I have CAS on the same server as my web application it works.)
(using the filter from the first email, it fails because the web application is on another machine. So I try to add that webserver to the authenticationserver keystore):
$ keytool -genkey -alias web -keyalg RSA -keysize 1024 -dname "cn=webserver1.com, ou=<removed>, o=<removed>, l=<removed>, st=<removed>, c=<removed>" -keypass passwd -keystore /usr0/mykeystore.jks -storepass passwd -validity 365
$ keytool -list -v -keystore /usr0/mykeystore.jks -storepass passwd
(now two in the keystore, one called web, one called tomcat)
$ keytool -export -alias web -keystore /usr0/mykeystore.jks -keypass passwd -file web.crt
$ keytool -import -file web.crt -alias web -keypass passwd -keystore cacerts
(still get same error).

Cheers,

Mike

On 2/28/07, Scott Battaglia <[EMAIL PROTECTED]> wrote:
Are you adding it to your JVM's cacerts file? If you have multiple JVMs make sure it's in the correct one (I've seen it placed in the wrong one accidentally a lot).

-Scott

On 2/28/07, Mike Crawford <[EMAIL PROTECTED]> wrote:
>
> Adding the key didn't work.
>
> Cheers,
>
> Mike
>
> On 2/28/07, Mike Crawford <[EMAIL PROTECTED]> wrote:
> >
> > Hi again,
> >
> > I'm pretty sure the problem is caused by 'webserver1' not being in the keystore, because it works fine if the web application is on the same server as the authentication server. In my keystore on the authentication server I have a key entry for the authentication server with alias 'tomcat'. I was going to try adding another key for webserver1, but can I just call it 'webserver1' and add it into my store?
> >
> > Thanks,
> >
> > Mike
> >
> > On 2/28/07, Mike Crawford <[EMAIL PROTECTED]> wrote:
> > >
> > > Hi Scott,
> > >
> > > I think this is the problem (from the tomcat log):
> > >
> > > Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >
> > > Here is the full paste with the servers and webapp name changed:
> > >
> > > SEVERE: Servlet.service() for servlet default threw exception
> > > edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://authenticationserver.com/cas/serviceValidate] ticket=[ST-2-RN7yyvC4XXMKUEED6VOlfsnT40SOzMu7o42-20] service=[http%3A%2F%2Fwebserver1.com%3A8080%2Fmywebapp%2F] renew=false]]]
> > >     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
> > >     at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
> > >     at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
> > >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
> > >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> > >     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> > >     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
> > >     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
> > >     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> > >     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
> > >     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
> > >     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
> > >     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
> > >     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> > >     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
> > >     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
> > >     at java.lang.Thread.run(Thread.java:619)
> > > Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> > >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
> > >     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
> > >     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
> > >     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
> > >     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
> > >     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
> > >     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
> > >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
> > >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
> > >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1056)
> > >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1040)
> > >     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
> > >     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
> > >     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:981)
> > >     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
> > >     at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
> > >     at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
> > >     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
> > >     ... 16 more
> > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
> > >     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
> > >     at sun.security.validator.Validator.validate(Validator.java:218)
> > >     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
> > >     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
> > >     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
> > >     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
> > >     ... 30 more
> > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
> > >     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
> > >     ... 36 more
> > >
> > > Thanks,
> > >
> > > Mike
> > >
> > > On 2/28/07, Scott Battaglia <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Mike,
> > > >
> > > > Are there any other messages in the log file? Exceptions, etc.?
> > > >
> > > > Thanks
> > > > -Scott
> > > >
> > > > On 2/26/07, Mike Crawford <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > I am trying to run a web server on one machine which redirects to a CAS server running on another machine. When I try to change the client.filter.serverName to redirect back to the web server I get an 'Unable to validate ProxyTicketValidator' message. Does this have something to do with proxyList?
> > > > >
> > > > > I've pasted an excerpt from client.filter.CASFilter with what I'm trying to achieve. Ultimately there will be many web servers pointing to the same authentication server.
> > > > >
> > > > > Thanks for your help,
> > > > >
> > > > > Mike Crawford
> > > > >
> > > > > <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
> > > > > <param-value>https://authenticationserver.com/cas/login</param-value>
> > > > > </init-param>
> > > > > <init-param>
> > > > > <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
> > > > > <param-value>https://authenticationserver.com/cas/serviceValidate</param-value>
> > > > > </init-param>
> > > > > <init-param>
> > > > > <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
> > > > > <param-value>webserver1.com:8080</param-value>
> > > > > </init-param>
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
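The failure in this thread, reproduced as an added example (editor's code, not part of the mailing-list posts or of the CAS client). The stack trace shows where the check runs: HttpsURLConnection inside ServiceTicketValidator, in the JVM that hosts CASFilter on the web application side, and that JVM's trust store is the one that must contain the CAS server's certificate. Below, Python's ssl module stands in for JSSE, an in-process TLS handshake over memory BIOs stands in for the HTTPS call to serviceValidate, and the openssl command line (assumed installed) stands in for keytool -genkey/-export. The host names are the ones from the thread. Three client trust stores are tried against the same self-signed CAS server certificate: the stock one, one with the web server's own certificate added (the thread's second attempt) and one with the CAS server's certificate added.

```python
"""Reproduce the CAS client's 'unable to find valid certification path' error
in-process and show which trust store makes it go away.  Added example; not
the CAS project's code.  Assumes the openssl CLI is installed."""
import os
import shutil
import ssl
import subprocess
import tempfile

CAS_HOST = "authenticationserver.com"   # CAS server name used in the thread
WEB_HOST = "webserver1.com"             # web application host from the thread
OPENSSL = shutil.which("openssl")       # None if the CLI is not installed


def make_self_signed(directory, hostname):
    """Throw-away self-signed RSA cert + key for `hostname`, the stand-in for
    the keytool -genkey / -export steps.  Returns (cert_path, key_path)."""
    if OPENSSL is None:
        raise RuntimeError("openssl CLI not found; cannot generate a test cert")
    cert = os.path.join(directory, f"{hostname}.crt")
    key = os.path.join(directory, f"{hostname}.key")
    subprocess.run(
        [OPENSSL, "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
         "-days", "1", "-subj", f"/CN={hostname}",
         "-addext", f"subjectAltName=DNS:{hostname}",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return cert, key


def _pump(src, dst):
    """Move whatever one side wrote into the other side's inbound buffer."""
    data = src.read()
    if data:
        dst.write(data)


def handshake(server_ctx, client_ctx, hostname):
    """Run a full TLS handshake between two SSLObjects over memory BIOs (no
    sockets).  Returns None on success, otherwise the client's certificate
    verification error text, the analogue of the JVM's PKIX path failure."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client_done = server_done = False
    for _ in range(10):                  # a handshake needs only a few rounds
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLCertVerificationError as err:
                return err.verify_message    # e.g. "self signed certificate"
            except ssl.SSLWantReadError:
                pass                         # waiting for the server's flight
        _pump(c_out, s_in)
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
        _pump(s_out, c_in)
        if client_done and server_done:
            return None
    raise RuntimeError("handshake did not complete")


def demo():
    """Three client trust stores against one CAS server certificate.
    Returns {scenario: None on success, or the verification error text}."""
    with tempfile.TemporaryDirectory() as tmp:
        cas_crt, cas_key = make_self_signed(tmp, CAS_HOST)
        web_crt, _ = make_self_signed(tmp, WEB_HOST)

        # CAS server side: Tomcat presenting the 'tomcat' key's certificate.
        server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server.load_cert_chain(cas_crt, cas_key)

        # 1. Stock trust store (default CA bundle): no CAS cert -> fails.
        stock = ssl.create_default_context()

        # 2. The thread's second attempt: the web server's own certificate
        #    imported instead of the CAS server's -> still fails.
        wrong = ssl.create_default_context()
        wrong.load_verify_locations(cafile=web_crt)

        # 3. The CAS server's certificate imported into the trust store the
        #    client actually consults (keytool -import into that JVM's cacerts).
        fixed = ssl.create_default_context()
        fixed.load_verify_locations(cafile=cas_crt)

        return {
            "default_cacerts": handshake(server, stock, CAS_HOST),
            "web_cert_imported": handshake(server, wrong, CAS_HOST),
            "cas_cert_imported": handshake(server, fixed, CAS_HOST),
        }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:20s} -> {'OK' if result is None else result}")
```

In Java terms the third scenario is `keytool -import -trustcacerts -alias tomcat -file server.crt -keystore <cacerts>` run against the cacerts of the JVM that runs the web application (or whatever `-Djavax.net.ssl.trustStore` points that Tomcat at), and `keytool -list -keystore <that cacerts>` is the check that the import landed in the store that is actually consulted. Importing web.crt, or importing server.crt into the CAS server's own JVM, changes nothing that the client validates.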
