Thanks, Scott.
However, I guess I am still a little confused. I have Tomcat 6.0 and Tomcat 5.5 running on the same machine (my development machine). I ran into some issues earlier with Tomcat finding the right keystore with my certificates so I added keystoreFile=C:\keystore\.keystore to the server.xml in both versions of Tomcat. So I thought both JVM's would be using the same keystore file. This works fine for allowing me to connect via SSL to both Tomcat instances. Is there a problem with what I am doing from a CAS perspecive? Is there another keystore beyond the ones configured in server.xml that I need to be populating? Bill ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Battaglia Sent: Tuesday, June 19, 2007 9:40 AM To: Yale CAS mailing list Subject: Re: ACEGI, proxyValidate and PGTIOU CAS's JVM does not trust your client application's certificate. If you've added the certificate to CAS's JVM, that most likely means the hostname does not match the cn. If you haven't added the certificate, you need to do so :-) -Scott On 6/19/07, Bill Bailey <[EMAIL PROTECTED]> wrote: Hi, I am using CAS with ACEGI security and I have the basics working. But when I try to add the proxyCallbackUrl to the CasProxyTicketValidator (see below), it only partly works. I am able to still authenticate through CAS, but the resulting authentication token does not have the PGTIOU set ... it is an empty string. I have checked the log files on the Tomcat instance hosting the CAS server and I find the following exceptions which seem to relate to the proxy callback URL. Any idea what is wrong? 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredential sAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unkn own Source) at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory .verifyHostname(StrictSSLProtocolSocketFactory.java:280) at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory .createSocket(StrictSSLProtocolSocketFactory.java:223) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:70 6) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpCon nectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMe thodDirector.java:386) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMetho dDirector.java:170) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:3 96) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:3 24) at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentials AuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthentica tionHandler.java:75) at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(Auth enticationManagerImpl.java:79) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic ket(CentralAuthenticationServiceImpl.java:194) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(Servic eValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abs tractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handl e(SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherS ervlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherSe rvlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest(Framewor kServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet. java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java:690) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServl et.java:115) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica tionFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt erChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv e.java:228) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv e.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java :128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java :104) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve. java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:2 16) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:84 4) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( Http11Protocol.java:634) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445) at java.lang.Thread.run(Unknown Source) 2007-06-19 09:25:58,812 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentials AuthenticationHandler failed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic ket(CentralAuthenticationServiceImpl.java:215) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(Servic eValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abs tractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handl e(SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherS ervlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherSe rvlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest(Framewor kServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet. java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java:690) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServl et.java:115) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica tionFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt erChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv e.java:228) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv e.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java :128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java :104) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve. java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:2 16) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:84 4) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( Http11Protocol.java:634) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445) at java.lang.Thread.run(Unknown Source) Caused by: error.authentication.credentials.bad at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationExcepti on.<clinit>(BadCredentialsAuthenticationException.java:25) at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(Auth enticationManagerImpl.java:105) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic ket(CentralAuthenticationServiceImpl.java:194) ... 22 more _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
