Hi Luke,

I've been dealing with the certificate subject for some days.
I'm now at the point where I need your help with proxy-ticket-validation, where you suggest having a second certificate. Can you please give me an overview of this area?

Many thanks and best regards
Volker Obel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luke McLean
Sent: Thursday, 22 March 2007 10:05
To: [email protected]
Subject: Re: Certificate- where to install?

Hi Webzo,

The installation of certificates can be very confusing. Tomcat actually uses two keystores, one to hold private keys (usually created under the user's data directory) and one to hold trusted public keys (%JAVA_HOME%/jre/lib/security/cacerts).

The private key certificate you create for the CAS machine (cn for cert must equal the dns name for server1, e.g. server1.dev.edu) is created in the private keystore. A public key, that pairs with that private key, is then exported from the private keystore and is placed in the trusted keystore on any machine with a cassified webapp. In your case you will need to add it to the %JAVA_HOME%/jre/lib/security/cacerts trusted keystore on server1 (for Webapp1 to use) and the %JAVA_HOME%/jre/lib/security/cacerts trusted keystore on server2 (for Webapp2 to use).

When the webapps connect to CAS via https to resolve the service ticket, they make use of the public key in their cacerts file so that they do not have to prompt the user (as the cert is trusted).

If you wish to use the proxy functionality you would need a second cert... but not for basic authentication, so that can wait for another day...

Hope this short explanation helps. The code to create, export and import keys is in the CAS documentation. If you get stuck, post back and I'll help you out.

Regards,
Luke.

webzo wrote:
>
> Here is the setup-
> I have server 1 with Webapp1 and CAS.
> I have server2 with Webapp2 and its web.xml pointing to CAS on server1.
> I have installed a certificate on server 1 with common name=localhost.
> Access to webapp 1 is protected with no problems. Access to webapp 2
> takes me to CAS login page where I login and authentication is
> successful. However, during redirection to webapp2, I get the familiar
> Error during ProxyTicketValidation (during SSL Handshake).
>
> Question- I think I need to install one more certificate. Where should I
> install it and what should be the common name? I tried installing a
> certificate on server2 with common name=localhost. That didn't help.
> I can see 2 other possibilities- on server 2 with CN=<name of server1>
> or vice-versa. I guess I haven't understood which entity is certifying
> what when a certificate is installed. Could someone please clarify?
>
> Thank you.
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas

--
View this message in context: http://www.nabble.com/Certificate--where-to-install--tf3438938.html#a9610694
Sent from the CAS Users mailing list archive at Nabble.com.
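
The create, export and import steps described in Luke's message, written out as shell functions around the JDK's `keytool`. This is an added example, not part of the original thread or the CAS documentation. The alias `cas`, the keystore paths and the password are constructed placeholders; `server1.dev.edu` is the example host name from the message.

```shell
#!/bin/sh
# Added example; alias "cas", paths and password are constructed placeholders.
# JDKs older than Java 6 spell these commands -genkey, -export and -import.

# 1. On the CAS host: create the private key and a self-signed certificate.
#    The CN must be the DNS name clients use in the CAS URL, not "localhost".
make_cas_key() {        # args: keystore storepass cas_dns_name
    keytool -genkeypair -alias cas -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$3" -keystore "$1" -storepass "$2" -keypass "$2"
}

# 2. On the CAS host: export the certificate only; the private key stays put.
export_cas_cert() {     # args: keystore storepass out_file
    keytool -exportcert -alias cas -rfc -file "$3" \
        -keystore "$1" -storepass "$2"
}

# 3. On each host running a CAS client webapp: add the certificate to the
#    truststore that webapp's JVM uses (the JRE's cacerts file in the thread).
import_cas_cert() {     # args: truststore storepass cert_file
    keytool -importcert -noprompt -trustcacerts -alias cas -file "$3" \
        -keystore "$1" -storepass "$2"
}

# Check: print the subject of the trusted entry so its CN can be compared
# with the host name in the CAS URL configured in the client's web.xml.
trusted_subject() {     # args: truststore storepass
    keytool -J-Duser.language=en -list -v -alias cas \
        -keystore "$1" -storepass "$2" | sed -n 's/^Owner: //p'
}

# Demo on throwaway keystores: sh this_file demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_cas_key    "$d/cas.keystore" changeit server1.dev.edu
    export_cas_cert "$d/cas.keystore" changeit "$d/cas.crt"
    import_cas_cert "$d/truststore"   changeit "$d/cas.crt"
    trusted_subject "$d/truststore"   changeit
    rm -rf "$d"
fi
```

Run `trusted_subject` against each client host's truststore after importing: a subject of `CN=localhost` on a certificate that server2 reaches under server1's DNS name is the mismatch described in the original question.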
