Andrew: This is an excellent reference on SSL... Thanks! In addition to a better README, may I suggest:

1) A utility that conducts the "install" of the cas-server-SSL-cert into the CAS-using-application JVM.

2) Error trapping and meaningful interpretation of the well-known, but meaningless to the end-user, ProxyTicketValidator error.

I will be glad to open a JIRA if you agree with the above suggestions.

I am attempting documentation from a beginner perspective (see the "Beginner Issues" section and "Step 13: Establishing trust with CAS SSO Server") at: http://www.ja-sig.org/wiki/display/CASUM/Demo

It is important to note that the above is how I got the DEMO going after getting this error repeatedly and may not apply to production issues at all. Any expert constructive comments on my write-up are welcome.

Suggestion #1 is inspired by the Sun blog, which is another issue with multiple domains: http://blogs.sun.com/andreas/entry/no_more_unable_to_find The InstallCert program is perhaps OK for a demo (based on keytool), but it probably needs a CAS-specific tool similar to that...

Secondly, my guess is that the ProxyTicketValidator problem possibly has many potential causes, as alluded to in the Beginner Issues in my wiki... even if the highest-level direct cause is indeed the SSL issue noted in this thread. Some sophisticated error-trapping/logging/diagnostics will help troubleshoot the problem better. This is why I suggest #2.

Regards,
Uday Kari

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew William Petro
Sent: Monday, May 21, 2007 5:51 AM
To: Yale CAS mailing list
Subject: CAS-using-application JVMs must trust CAS-server-SSL-certificate

Dmitry,

Your CAS-using-application's JVM does not trust your CAS-server's SSL certificate. It neither trusts the cert explicitly (has its public key locally installed) nor does it trust a certifying authority that in turn signed the public key of the cas-server-SSL-cert that the SSL protocol is offering the client application.

(Your application's JVM could trust the certifying authority if 1) there is such a certifying authority and 2) you installed the public key of that certifying authority's signing certificate into your application's JVM.)

Short version: you need to install the public key of your CAS-server's SSL cert into your CAS-using-application's JVM. You will need to do this for every application you configure to use CAS, unless you 1) use a commercial cert, 2) use a certifying authority and instead install the certifying authority public key into the CAS-using-application JVMs, or 3) opt out of security by not using SSL.

These SSL issues are coming up over and over and they have been covered on this list many many times before. I don't mean that as a criticism of you, Dmitry -- clearly these must be widely confusing issues to generate so much repeated traffic.

What can be done to make this issue less arduous? A better README distributed with the client? Explicit detection of this error and better error messaging in the logs, with a hyperlink out to a wiki page discussing this issue in excruciating detail? That wiki page? A video tutorial on certificate installation tasks?

Not only has this issue come up before, but I've asked this "what can be done about it" question before. At this point, I guess I'm asking that something actually be done about it.

Very nice stack trace paste, by the way. Normally this stack trace doesn't include those sun.security portions and is therefore more confusing than it has to be. I've been kicking myself assuming I'm the one who introduced the stack-trimming behavior with that CASReceipt bit once upon a time and have been meaning to revisit that code and release a patch fixing it to include more stack context. Yet here you go with useful stack traces. Anything you're doing differently likely to be causing those?

Andrew

> Hello,
>
> I've deployed my application and CAS to one server (server1) and
> created a certificate as described on the site. It works
> perfectly.
>
> Now, I'm trying to move my application to another server (server2).
> And I've started to get errors:
>
> 13:36:44,587 ERROR [CASReceipt:55] edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://server1:8443/cas-web/serviceValidate] ticket=[ST-15-zsELoNcF6QJAQ1ig7lvS7PcKPFFAaIN21f4-20] service=[http%3A%2F%2Fserver2%3A8080%2Fc%2Fportal%2Flogin] renew=false]]]
> 13:36:44,587 ERROR [CASFilter:380] edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://server1:8443/cas-web/serviceValidate] ticket=[ST-15-zsELoNcF6QJAQ1ig7lvS7PcKPFFAaIN21f4-20] service=[http%3A%2F%2Fserver2%3A8080%2Fc%2Fportal%2Flogin] renew=false]]]
> 13:36:44,587 ERROR [[MainServlet]:253] Servlet.service() for servlet MainServlet threw exception
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://server1:8443/cas-web/serviceValidate] ticket=[ST-15-zsELoNcF6QJAQ1ig7lvS7PcKPFFAaIN21f4-20] service=[http%3A%2F%2Fserver2%3A8080%2Fc%2Fportal%2Flogin] renew=false]]]
>         at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
>         ...
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
>         ...
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
>         ...
>
> What can these errors be caused by?
>

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
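The two suggestions above, a utility that installs the CAS server certificate into the application JVM's trust store and a diagnostic that recognises the "PKIX path building failed" condition and explains it in plain words, can be covered by one small Java program. The following is an added example for this thread, not CAS project code and not the Sun blog's InstallCert program, although it uses the same idea of wrapping the JVM's own trust manager to capture the chain the server offered. It assumes the default cacerts password `changeit` (overridable with `-Djavax.net.ssl.trustStorePassword`), the host and port `server1:8443` from Dmitry's log, and an output file name `cas-truststore.jks`; the alias `cas-server` is also an assumption. It needs network reachability of the CAS server to run.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not CAS project code): reports whether the JVM trusts the CAS
 * server's SSL certificate and, if it does not, writes a trust store that does.
 * Usage: java CasTrustCheck server1 8443 cas-truststore.jks
 */
public class CasTrustCheck {

    /** Wraps the JVM's real trust manager so the offered chain and the rejection are visible. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] offeredChain;      // set on every server handshake attempt
        CertificateException trustFailure;   // set only when the delegate rejected the chain

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            offeredChain = chain;
            try { delegate.checkServerTrusted(chain, authType); }
            catch (CertificateException e) { trustFailure = e; throw e; }
        }

        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** The JVM's default trust store: javax.net.ssl.trustStore if set, else java.home/lib/security/cacerts. */
    static Path defaultTrustStorePath() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        return configured != null ? Paths.get(configured)
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager for " + tmf.getAlgorithm());
    }

    /** True if a TLS handshake with host:port succeeds under the given trust manager. */
    static boolean handshake(String host, int port, X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.setSoTimeout(10_000);
            socket.startHandshake();
            return true;
        } catch (SSLHandshakeException e) {
            return false;   // a connection refusal is an IOException and still propagates
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "server1";                        // CAS server in the thread
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        Path outStore = Paths.get(args.length > 2 ? args[2] : "cas-truststore.jks"); // assumed output name
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit"); // cacerts default
        char[] password = pw.toCharArray();

        Path current = defaultTrustStorePath();
        KeyStore ks = loadTrustStore(current, password);
        RecordingTrustManager tm = new RecordingTrustManager(trustManagerFor(ks));

        if (handshake(host, port, tm)) {
            System.out.println("OK: " + current + " already trusts " + host + ":" + port);
            return;
        }
        if (tm.trustFailure == null) {
            System.out.println("Handshake failed for a reason other than trust; check host, port and protocol");
            return;
        }
        // This is the condition behind "PKIX path building failed: unable to find valid
        // certification path to requested target" in the thread, stated in plain words.
        X509Certificate leaf = tm.offeredChain[0];
        System.out.println("The JVM does not trust the certificate presented by " + host + ":" + port);
        System.out.println("  subject: " + leaf.getSubjectX500Principal());
        System.out.println("  issuer:  " + leaf.getIssuerX500Principal());
        System.out.println("  reason:  " + tm.trustFailure.getMessage());

        // Trust the presented server certificate explicitly (the first of the thread's three
        // options) in a copy of the store, and re-check before writing anything to disk.
        ks.setCertificateEntry("cas-server", leaf);
        if (!handshake(host, port, trustManagerFor(ks))) {
            System.out.println("Still failing with the presented certificate trusted; the cause is not a missing trust anchor alone");
            return;
        }
        try (OutputStream out = Files.newOutputStream(outStore)) { ks.store(out, password); }
        System.out.println("Wrote " + outStore + ". Start the CAS-using application's JVM with:");
        System.out.println("  -Djavax.net.ssl.trustStore=" + outStore.toAbsolutePath()
                + " -Djavax.net.ssl.trustStorePassword=" + pw);
    }
}
```

The program never modifies the JVM's own cacerts file; it writes a separate store containing cacerts plus the CAS server certificate, so the change is reviewable and reversible and can be applied per application, which is the per-JVM installation the thread describes. Trusting the leaf certificate explicitly is the first of Andrew's three options; if the deployment uses its own certifying authority, import that CA certificate instead so that every CAS server signed by it is trusted without repeating this step.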
