You need to create the certificate with a real DNS name; you can't use 
localhost!


----- Original Message ----- 
From: Uday Kari 
To: [EMAIL PROTECTED]
Sent: 4/13/2007 9:52:37 PM 
Subject: Unable to validate ProxyTicketValidator


Thanks, Andrew.  As recommended, I moved this thread from the dev list to here.  
 
Basically, I am struggling to get the CAS demo going here using just plain old 
Tomcat 5.5.20 and jdk1.5.0_06, and I keep getting the same error, "Unable to 
validate ProxyTicketValidator".  Please let me know if I can provide additional 
information.  
 
I did seem to make an incremental improvement though.  The Microsoft Internet 
Explorer (Version 7.0.5730.11) browser still complains as before, but I no 
longer get the message “The security certificate presented by this website was 
issued for a different website's address.”  This seems to have been eliminated 
by following Andrew's note below (paraphrasing/translating), whereby he seems to 
be saying that I should create the certificate with the name localhost 
(right?).  
 
Specifically, when executing the following command 
 
C:\jdk1.5.0_06\bin>keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  is
What is the name of your organization?
  [Unknown]:  pdc
What is the name of your City or Locality?
  [Unknown]:  kihei
What is the name of your State or Province?
  [Unknown]:  hi
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=localhost:8443, OU=is, O=pdc, L=kihei, ST=hi, C=US correct?
  [no]:  yes
 
Of course, I import this into the JVM cacerts file as recommended/required in 
various threads, since CAS uses the JVM cacerts file, which needs to have the 
same entry as the Tomcat keystore.  For completeness, here is how I imported 
the above certificate into cacerts:
 
C:\jdk1.5.0_06\bin>keytool -delete -alias tomcat -keypass changeit -keystore ..\jre\lib\security\cacerts
Enter keystore password:  changeit
 
C:\jdk1.5.0_06\bin>keytool -export -alias tomcat -keypass changeit -file server.crt
Enter keystore password:  changeit
Certificate stored in file <server.crt>
 
C:\jdk1.5.0_06\bin>keytool -import -file server.crt -alias tomcat -keypass changeit -keystore ..\jre\lib\security\cacerts
Enter keystore password:  changeit
Owner: CN=localhost, OU=IS, O=PDC, L=Kihei, ST=HI, C=US
Issuer: CN=localhost, OU=IS, O=PDC, L=Kihei, ST=HI, C=US
Serial number: 461fd754
Valid from: Fri Apr 13 09:17:40 HST 2007 until: Thu Jul 12 09:17:40 HST 2007
Certificate fingerprints:
         MD5:  C4:F8:5F:7B:90:1B:32:2E:1B:96:10:01:49:3C:40:A3
         SHA1: F1:2B:1F:0F:4D:DE:61:EE:C8:36:37:D9:20:8C:A8:41:EE:03:F1:A9
Trust this certificate? [no]:  yes
Certificate was added to keystore
 
My server.xml file entry for SSL is as follows:
 
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="C:/Documents and Settings/ukari/.keystore" />
    
 
Again, the workflow to get the error is identical to my message below, except for 
the minor browser-level improvement noted above from naming the certificate 
“localhost”.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Petro
Sent: Thursday, April 12, 2007 5:56 PM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] Unable to validate ProxyTicketValidator
 
> with the familiar warning about the SSL certificate being named differently 
> than localhost

> casValidateUrl=[https://localhost:8443/cas/proxyValidate]


Here's my hypothesis:

The CAS server SSL cert does not authenticate "localhost", but the CASFilter is 
configured to validate the ticket against a CAS addressed as "localhost".  
Since the cert doesn't match, the client JVM does not see an SSL cert it likes 
for authenticating the callback.  Since the client JVM didn't see a cert it 
liked on the callback, the callback fails.  Since the callback failed, the 
CASFilter (via the ProxyTicketValidator) is unable to validate the service 
ticket, yielding the error you're seeing.

This thread doesn't seem to be about developing CAS server or the CAS client 
libraries.  It should probably be moved to the cas@ email list.

Andrew
http://support.unicon.net/

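An added example, not code from the thread or from the CAS project, that reproduces offline the hostname check Andrew's hypothesis hinges on: the client takes the host from casValidateUrl and compares it with the certificate's subject CN (or, under the modern rule, with the subjectAltName DNS entries, which take precedence when present). The DN strings are constructed in the style of the keytool output quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data modelled on the thread's keytool "Owner:" line and
# casValidateUrl; not taken from any real server.
KEYTOOL_OWNER = "CN=localhost, OU=IS, O=PDC, L=Kihei, ST=HI, C=US"
CAS_VALIDATE_URL = "https://localhost:8443/cas/proxyValidate"


def parse_dn(dn):
    """Split an RFC 2253-style DN as keytool prints it into {attr: [values]}."""
    attrs = {}
    for part in re.split(r",\s*", dn):
        key, _, value = part.partition("=")
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def host_of(url):
    """The hostname a verifying client compares against the certificate
    (the port is not part of the comparison)."""
    return urlsplit(url).hostname


def name_matches(pattern, host):
    """RFC 2818 matching: exact name, or a single leading '*' label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in pattern[2:] and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False


def cert_authenticates(owner_dn, url, san_dns=()):
    """Would a hostname-verifying client accept this cert for this URL?
    When subjectAltName DNS entries exist they replace the CN entirely."""
    host = host_of(url)
    names = list(san_dns) or parse_dn(owner_dn).get("CN", [])
    return any(name_matches(n, host) for n in names)
```

The case that breaks the thread's setup is a CN that is not the host in the URL: a cert with CN=localhost:8443 (as the keytool confirmation prompt showed) or with a real DNS name will not authenticate a callback to https://localhost:8443/, and vice versa.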

Uday Kari wrote: 
Followed the instructions in the following thread and verified that the SSL 
certificate is in the JVM cacerts file as required: 
 
http://www.mail-archive.com/[EMAIL PROTECTED]/msg00090.html
 

However, I am still getting the Unable to validate ProxyTicketValidator error 
when I finish logging in…
 
Specifically:
 
The request https://localhost:8443/ works fine, with the familiar warning about 
the SSL certificate being named differently than localhost (so the server is up). 
 
https://localhost:8443/app1 leads to the application after the above warning, 
but immediately redirects to CAS as expected.  
 
I login with the “equal” credentials such as yahoo/yahoo and google/google.  
 
Apparently the ticket generates just fine. 
 
Then, on the way back to render the protected (but very simple) JSP within the 
app1 context, I get an HTTP 500 error with the following stack trace on the 
screen: 
 
exception 
javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-6-cDriGKlSaCFOeNf3DWqLyILhIDaWlpW2JG7-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
          edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)
root cause 
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-6-cDriGKlSaCFOeNf3DWqLyILhIDaWlpW2JG7-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
          edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
          edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
          edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
 
 
 
Specifically, here are the excerpts from my Catalina.2007-04-12.log for the 
last two login attempts (user/password = yahoo, google): 
 
Apr 12, 2007 3:56:13 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to 
validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator 
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator 
casValidateUrl=[https://localhost:8443/cas/proxyValidate] 
ticket=[ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] 
service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
Apr 12, 2007 3:56:13 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to 
validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator 
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator 
casValidateUrl=[https://localhost:8443/cas/proxyValidate] 
ticket=[ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] 
service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
Apr 12, 2007 3:57:53 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to 
validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator 
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator 
casValidateUrl=[https://localhost:8443/cas/proxyValidate] 
ticket=[ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] 
service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
Apr 12, 2007 3:57:53 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to 
validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator 
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator 
casValidateUrl=[https://localhost:8443/cas/proxyValidate] 
ticket=[ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] 
service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
 
 
And the following from my stdout_20070412.log: 
 
2007-04-12 15:56:13,099 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
<AuthenticationHandler: 
org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler
 successfully authenticated the user which provided the following credentials: 
yahoo>
2007-04-12 15:56:13,099 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 
<Granted service ticket [ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] for 
service [https://localhost:8443/app1/] for user [yahoo]>
2007-04-12 15:57:53,404 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
<AuthenticationHandler: 
org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler
 successfully authenticated the user which provided the following credentials: 
google>
2007-04-12 15:57:53,404 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 
<Granted service ticket [ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] for 
service [https://localhost:8443/app1/] for user [google]>
 
 
_______________________________________________
cas-dev mailing list
[EMAIL PROTECTED]
http://tp.its.yale.edu/mailman/listinfo/cas-dev
  
_______________________________________________
Yale CAS mailing list
[EMAIL PROTECTED]
http://tp.its.yale.edu/mailman/listinfo/cas
