I'm no expert but here's my thinking. You only need one certificate. That certificate will prove the identity of the CAS server. All other parties (e.g. webapps 1 and 2) don't prove their identities.

Once you bring a 2nd machine into the mix, you can't use localhost anymore. Localhost only has meaning when dealing with the current machine. In other words, server1 and server2 are both localhost according to themselves.

Here's something to try: Create a certificate using the common name of the external machine name of server1. (If you can't execute the command "ping server1" from server2, then you don't have a DNS entry for server1.) You'll have to tell the JVM on both servers to "trust" the certificate so that during the behind-the-scenes https call to the CAS server to get the authenticated username, the webapps will accept the certificate as valid.

So there are two "clients" consuming the certificate of the CAS server: (1) the browser of the end user when he/she goes to the CAS login page and (2) each of the webapps when they make the https connection to the CAS server to get the username of the authenticated user.

________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of webzo
Sent: Wednesday, March 21, 2007 3:22 AM
To: Yale CAS mailing list
Subject: Certificate- where to install?

Here is the setup: I have server1 with Webapp1 and CAS. I have server2 with Webapp2 and its web.xml pointing to CAS on server1. I have installed a certificate on server1 with common name=localhost. Access to webapp1 is protected with no problems. Access to webapp2 takes me to the CAS login page where I log in and authentication is successful. However, during redirection to webapp2, I get the familiar Error during ProxyTicketValidation (during SSL Handshake).

Question: I think I need to install one more certificate. Where should I install it and what should be the common name? I tried installing a certificate on server2 with common name=localhost. That didn't help. I can see 2 other possibilities: on server2 with CN=<name of server1> or vice-versa.

I guess I haven't understood which entity is certifying what when a certificate is installed. Could someone please clarify? Thank you.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
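The reply above describes two separate things a webapp's behind-the-scenes HTTPS call to CAS must get right: the CAS server's certificate has to be in the JVM's truststore, and the name in that certificate has to match the hostname in the CAS URL the webapp uses (so CN=localhost can never work from a second machine). The following is an added example, not code from the thread or from the CAS project: a small Python model of those two checks, with an RFC 6125-style hostname matcher (SAN first, CN as fallback, single-label wildcards), run over the three setups the thread discusses. The certificate bytes, fingerprints, and the CAS URL shape are constructed for the example; the check order mirrors what a TLS client does, not the exact code path inside Java's HttpsURLConnection.

```python
"""Model of the two checks a CAS client's HTTPS call must pass (constructed example)."""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ServerCert:
    """Stand-in for an X.509 server certificate; nothing here is real DER."""
    common_name: str          # subject CN, e.g. "localhost" or "server1"
    san_dns: tuple = ()       # subjectAltName dNSName entries, if any
    blob: bytes = b""         # constructed bytes standing in for the encoded certificate

    def fingerprint(self) -> str:
        # A truststore keys on the certificate bytes, not on the CN text.
        return hashlib.sha256(self.blob).hexdigest()


def hostname_matches(cert: ServerCert, hostname: str) -> bool:
    """RFC 6125-style name check: SAN dNSName entries win; the CN is only a
    fallback when the certificate carries no SAN. A wildcard may replace the
    whole leftmost label and nothing more."""
    candidates = cert.san_dns if cert.san_dns else (cert.common_name,)
    host = hostname.lower().rstrip(".")
    for name in candidates:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                                   # ".its.yale.edu"
            left = host[: -len(suffix)] if host.endswith(suffix) else ""
            if left and "." not in left:                        # exactly one label
                return True
    return False


def check_cas_server_cert(cert: ServerCert, cas_url: str, truststore: set):
    """Return (ok, reason) for the webapp's HTTPS call to the CAS server.
    Trust is decided first (is this certificate in the JVM truststore?),
    then the name in the certificate is compared with the host in the URL."""
    host = urlsplit(cas_url).hostname
    if cert.fingerprint() not in truststore:
        return False, "certificate is not in the JVM truststore (no chain of trust)"
    if not hostname_matches(cert, host):
        names = cert.san_dns or (cert.common_name,)
        return False, f"certificate names {names} do not match host {host!r}"
    return True, "trusted and name matches"


def run_scenarios():
    """The three setups from the thread, with constructed certificates."""
    # Assumed shape of the validation URL derived from webapp2's web.xml.
    cas_url = "https://server1:8443/cas/proxyValidate"
    localhost_cert = ServerCert("localhost", blob=b"constructed-cert-localhost")
    server1_cert = ServerCert("server1", blob=b"constructed-cert-server1")

    trust_localhost_only = {localhost_cert.fingerprint()}
    trust_server1 = {server1_cert.fingerprint()}

    return {
        # webzo's original setup: trusted, but CN=localhost never names a remote host
        "cn_localhost_trusted": check_cas_server_cert(localhost_cert, cas_url, trust_localhost_only),
        # right CN, but the certificate was never imported into webapp2's JVM truststore
        "cn_server1_untrusted": check_cas_server_cert(server1_cert, cas_url, trust_localhost_only),
        # the reply's suggestion: CN=server1 and imported on both servers
        "cn_server1_trusted": check_cas_server_cert(server1_cert, cas_url, trust_server1),
    }


if __name__ == "__main__":
    for setup, (ok, reason) in run_scenarios().items():
        print(f"{setup:24} {'OK  ' if ok else 'FAIL'} {reason}")
```

The practical reading of the three results: the "does not match host" failure is the one a CN=localhost certificate produces from server2 no matter how many machines trust it, and the "not in the JVM truststore" failure is what remains once the CN is right but the certificate has only been imported on server1. Both have to pass on every machine that runs a CAS-protected webapp.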
