Thanks, Andrew.  As recommended, I moved this thread from the dev list to here.

 

Basically, I am struggling to get the CAS demo going here using just plain
old Tomcat 5.5.20 and jdk1.5.0_06, and I am getting the same error, "Unable to
validate ProxyTicketValidator".  Please let me know if I can provide
additional information.

 

I did seem to make an incremental improvement though.  The Microsoft
Internet Explorer (Version 7.0.5730.11) browser still complains as
before, but I no longer get the message "The security certificate
presented by this website was issued for a different website's address."
This seems to have been eliminated by following Andrew's note below
(paraphrasing/translating), where he seems to be saying that I should
create the certificate with the name localhost (right?).

 

Specifically, when executing the following command:

C:\jdk1.5.0_06\bin>keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  is
What is the name of your organization?
  [Unknown]:  pdc
What is the name of your City or Locality?
  [Unknown]:  kihei
What is the name of your State or Province?
  [Unknown]:  hi
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=localhost:8443, OU=is, O=pdc, L=kihei, ST=hi, C=US correct?
  [no]:  yes

 

Of course, I import this into the JVM cacerts file as
recommended/required in various threads, since CAS uses the JVM cacerts
file, which needs to have the same entry as the Tomcat keystore.  For
completeness, here is how I imported the above certificate into cacerts:

 

C:\jdk1.5.0_06\bin>keytool -delete -alias tomcat -keypass changeit -keystore ..\jre\lib\security\cacerts
Enter keystore password:  changeit

C:\jdk1.5.0_06\bin>keytool -export -alias tomcat -keypass changeit -file server.crt
Enter keystore password:  changeit
Certificate stored in file <server.crt>

C:\jdk1.5.0_06\bin>keytool -import -file server.crt -alias tomcat -keypass changeit -keystore ..\jre\lib\security\cacerts
Enter keystore password:  changeit
Owner: CN=localhost, OU=IS, O=PDC, L=Kihei, ST=HI, C=US
Issuer: CN=localhost, OU=IS, O=PDC, L=Kihei, ST=HI, C=US
Serial number: 461fd754
Valid from: Fri Apr 13 09:17:40 HST 2007 until: Thu Jul 12 09:17:40 HST 2007
Certificate fingerprints:
         MD5:  C4:F8:5F:7B:90:1B:32:2E:1B:96:10:01:49:3C:40:A3
         SHA1: F1:2B:1F:0F:4D:DE:61:EE:C8:36:37:D9:20:8C:A8:41:EE:03:F1:A9
Trust this certificate? [no]:  yes
Certificate was added to keystore

 

My server.xml file entry for SSL is as follows:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:/Documents and Settings/ukari/.keystore" />

 

Again, the workflow to get the error is identical to my message below,
except for the minor browser-level improvement noted above from naming the
certificate "localhost".
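An added diagnostic, not from this thread or from the CAS client, that makes the same back-channel HTTPS request to casValidateUrl that the CASFilter's validation callback makes, so the trust or hostname failure Andrew describes shows up as a plain exception message instead of a CASAuthenticationException. It assumes only the JDK (the syntax is 1.5-compatible) and should be run with the same java.exe that launches Tomcat, because the cacerts file it reports is the one that JVM actually consults, which need not be the one under C:\jdk1.5.0_06.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

/** Added diagnostic, not CAS client code: makes the same HTTPS call to casValidateUrl
 *  that the CASFilter's ticket-validation callback makes, under this JVM's default trust. */
public class CasValidateUrlProbe {

    /** Pulls the CN out of an X.500 name such as "CN=localhost,OU=IS,O=PDC,...". */
    static String commonName(String x500Name) {
        Matcher m = Pattern.compile("CN=([^,]+)").matcher(x500Name);
        return m.find() ? m.group(1).trim() : "";
    }

    public static void main(String[] args) throws Exception {
        // Default target is the casValidateUrl from the stack trace in this thread.
        String target = args.length > 0 ? args[0] : "https://localhost:8443/cas/proxyValidate";
        URL url = new URL(target);
        // Unless javax.net.ssl.trustStore is set, the JVM trusts <java.home>/lib/security/cacerts,
        // so these two lines show which cacerts file the running JVM actually consults.
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        try {
            conn.connect(); // TLS handshake plus the HttpsURLConnection hostname check
            X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
            String cn = commonName(leaf.getSubjectX500Principal().getName());
            System.out.println("Handshake OK; server cert CN=" + cn + ", URL host=" + url.getHost());
            if (!cn.equalsIgnoreCase(url.getHost())) {
                System.out.println("WARNING: CN does not match the host named in casValidateUrl");
            }
            System.out.println("HTTP status from CAS: " + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            // Seen when the server cert is not in this JVM's cacerts, typically
            // "unable to find valid certification path to requested target".
            System.out.println("TLS handshake failed: " + e.getMessage());
        } catch (IOException e) {
            // Sun JDK 1.5 reports a CN/host mismatch as a plain IOException,
            // typically "HTTPS hostname wrong: should be <localhost>".
            System.out.println("Connection failed: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

If this probe already fails, no amount of CAS configuration will help until the printed cacerts location holds the server certificate and the CN matches the host in casValidateUrl.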

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrew Petro
Sent: Thursday, April 12, 2007 5:56 PM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] Unable to validate ProxyTicketValidator

 

> with the familiar warning about the SSL certificate being named
differently than localhost

> casValidateUrl=[https://localhost:8443/cas/proxyValidate]


Here's my hypothesis:

The CAS server SSL cert does not authenticate "localhost", but the
CASFilter is configured to validate the ticket against a CAS addressed
as "localhost".  Since the cert doesn't match, the client JVM does not
see an SSL cert it likes for authenticating the callback.  Since the
client JVM didn't see a cert it liked on the callback, the callback
fails.  Since the callback failed, the CASFilter (via the
ProxyTicketValidator) is unable to validate the service ticket,
yielding the error you're seeing.

This thread doesn't seem to be about developing CAS server or the CAS
client libraries.  It should probably be moved to the cas@ email list.

Andrew
http://support.unicon.net/


Uday Kari wrote: 

Followed the instructions in the following thread and verified that the
SSL certificate is in the JVM cacerts file as required:

 

http://www.mail-archive.com/[EMAIL PROTECTED]/msg00090.html

 


However, I am still getting the Unable to validate ProxyTicketValidator
error when I finish logging in...

 

Specifically:

 

*       The request https://localhost:8443/ works fine, with the familiar
warning about the SSL certificate being named differently than
localhost (so the server is up).

*       https://localhost:8443/app1 leads to the application after the
above warning, but immediately redirects to CAS as expected.

*       I log in with the "equal" credentials such as yahoo/yahoo and
google/google.

*       Apparently the ticket generates just fine.

*       Then on the way back to render the protected (but very simple)
jsp within the app1 context, I get an HTTP 500 error with the following
stack trace on the screen:

 

exception

javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-6-cDriGKlSaCFOeNf3DWqLyILhIDaWlpW2JG7-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
	edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)

root cause

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-6-cDriGKlSaCFOeNf3DWqLyILhIDaWlpW2JG7-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
	edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
	edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
	edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)

 

 

 

Specifically, here are the excerpts from my Catalina.2007-04-12.log for
the last two login attempts (user/password = yahoo, google):

 

Apr 12, 2007 3:56:13 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]

Apr 12, 2007 3:56:13 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]

Apr 12, 2007 3:57:53 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]

Apr 12, 2007 3:57:53 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]

 

 

And, the following from my stdout_20070412.log:

2007-04-12 15:56:13,099 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: yahoo>

2007-04-12 15:56:13,099 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] for service [https://localhost:8443/app1/] for user [yahoo]>

2007-04-12 15:57:53,404 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: google>

2007-04-12 15:57:53,404 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] for service [https://localhost:8443/app1/] for user [google]>

________________________________

_______________________________________________
cas-dev mailing list
[EMAIL PROTECTED]
http://tp.its.yale.edu/mailman/listinfo/cas-dev
  
_______________________________________________
Yale CAS mailing list
[EMAIL PROTECTED]
http://tp.its.yale.edu/mailman/listinfo/cas