Bill, That's not the JVM's list of certificates. That's Tomcat's keystore. The JVM stores its certificates in JAVA_HOME\jre\lib\security\cacerts
You would need to insert your certificate using a command such as the following: %JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts (assuming you've exported the container's certificate to server.crt). -Scott On 6/19/07, Bill Bailey <[EMAIL PROTECTED]> wrote:
Thanks, Scott. However, I guess I am still a little confused. I have Tomcat 6.0 and Tomcat 5.5 running on the same machine (my development machine). I ran into some issues earlier with Tomcat finding the right keystore with my certificates so I added keystoreFile=C:\keystore\.keystore to the server.xml in both versions of Tomcat. So I thought both JVM's would be using the same keystore file. This works fine for allowing me to connect via SSL to both Tomcat instances. Is there a problem with what I am doing from a CAS perspecive? Is there another keystore beyond the ones configured in server.xml that I need to be populating? Bill ------------------------------ *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Scott Battaglia *Sent:* Tuesday, June 19, 2007 9:40 AM *To:* Yale CAS mailing list *Subject:* Re: ACEGI, proxyValidate and PGTIOU CAS's JVM does not trust your client application's certificate. If you've added the certificate to CAS's JVM, that most likely means the hostname does not match the cn. If you haven't added the certificate, you need to do so :-) -Scott On 6/19/07, *Bill Bailey* <[EMAIL PROTECTED]> wrote: Hi, I am using CAS with ACEGI security and I have the basics working. But when I try to add the proxyCallbackUrl to the CasProxyTicketValidator (see below), it only partly works. I am able to still authenticate through CAS, but the resulting authentication token does not have the PGTIOU set … it is an empty string. I have checked the log files on the Tomcat instance hosting the CAS server and I find the following exceptions which seem to relate to the proxy callback URL. Any idea what is wrong? 2007-06-19 09:25:58,812 ERROR [ org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source) at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname (StrictSSLProtocolSocketFactory.java:280) at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket (StrictSSLProtocolSocketFactory.java:223) at org.apache.commons.httpclient.HttpConnection.open( HttpConnection.java:706) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open (MultiThreadedHttpConnectionManager.java:1321) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry( HttpMethodDirector.java:386) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod( HttpMethodDirector.java:170) at org.apache.commons.httpclient.HttpClient.executeMethod( HttpClient.java:396) at org.apache.commons.httpclient.HttpClient.executeMethod( HttpClient.java:324) at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate (HttpBasedServiceCredentialsAuthenticationHandler.java:75) at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate( AuthenticationManagerImpl.java:79) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket (CentralAuthenticationServiceImpl.java:194) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal( ServiceValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest( AbstractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle( SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch( DispatcherServlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService (DispatcherServlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest( FrameworkServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet( FrameworkServlet.java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java :690) at javax.servlet.http.HttpServlet.service(HttpServlet.java :803) at org.jasig.cas.web.init.SafeDispatcherServlet.service( SafeDispatcherServlet.java:115) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter( ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke( StandardWrapperValve.java:228) at org.apache.catalina.core.StandardContextValve.invoke( StandardContextValve.java:175) at org.apache.catalina.core.StandardHostValve.invoke( StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke( ErrorReportValve.java:104) at org.apache.catalina.core.StandardEngineValve.invoke( StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service( CoyoteAdapter.java:216) at org.apache.coyote.http11.Http11Processor.process( Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( Http11Protocol.java:634) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run( JIoEndpoint.java:445) at java.lang.Thread.run(Unknown Source) 2007-06-19 09:25:58,812 INFO [ org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandlerfailed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket (CentralAuthenticationServiceImpl.java:215) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal( ServiceValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest( AbstractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle( SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch( DispatcherServlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService (DispatcherServlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest( FrameworkServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet( FrameworkServlet.java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java :690) at javax.servlet.http.HttpServlet.service(HttpServlet.java :803) at org.jasig.cas.web.init.SafeDispatcherServlet.service( SafeDispatcherServlet.java:115) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter( ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke( StandardWrapperValve.java:228) at org.apache.catalina.core.StandardContextValve.invoke( StandardContextValve.java:175) at org.apache.catalina.core.StandardHostValve.invoke( StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke( ErrorReportValve.java:104) at org.apache.catalina.core.StandardEngineValve.invoke( StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service( CoyoteAdapter.java:216) at org.apache.coyote.http11.Http11Processor.process( Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( Http11Protocol.java:634) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run( JIoEndpoint.java:445) at java.lang.Thread.run(Unknown Source) Caused by: error.authentication.credentials.bad at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException .<clinit>(BadCredentialsAuthenticationException.java:25) at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate( AuthenticationManagerImpl.java:105) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket (CentralAuthenticationServiceImpl.java:194) ... 22 more _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia LinkedIn: http://www.linkedin.com/in/scottbattaglia _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
-- -Scott Battaglia LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
