Bill,

That's not the JVM's list of certificates.  That's Tomcat's keystore.  The
JVM stores its certificates in JAVA_HOME\jre\lib\security\cacerts

You would need to insert your certificate using a command such as the
following:

%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit
-keystore %JAVA_HOME%/jre/lib/security/cacerts
(assuming you've exported the container's certificate to server.crt).


-Scott

On 6/19/07, Bill Bailey <[EMAIL PROTECTED]> wrote:

 Thanks, Scott.



However, I guess I am still a little confused. I have Tomcat 6.0 and
Tomcat 5.5 running on the same machine (my development machine). I ran
into some issues earlier with Tomcat finding the right keystore with my
certificates so I added keystoreFile=C:\keystore\.keystore to the
server.xml in both versions of Tomcat. So I thought both JVM's would be
using the same keystore file. This works fine for allowing me to connect via
SSL to both Tomcat instances. Is there a problem with what I am doing from a
CAS perspecive? Is there another keystore beyond the ones configured in
server.xml that I need to be populating?



Bill




 ------------------------------

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Scott Battaglia
*Sent:* Tuesday, June 19, 2007 9:40 AM
*To:* Yale CAS mailing list
*Subject:* Re: ACEGI, proxyValidate and PGTIOU



CAS's JVM does not trust your client application's certificate.

If you've added the certificate to CAS's JVM, that most likely means the
hostname does not match the cn.

If you haven't added the certificate, you need to do so :-)

-Scott

On 6/19/07, *Bill Bailey* <[EMAIL PROTECTED]> wrote:

Hi,



I am using CAS with ACEGI security and I have the basics working. But when
I try to add the proxyCallbackUrl to the CasProxyTicketValidator (see
below), it only partly works. I am able to still authenticate through CAS,
but the resulting authentication token does not have the PGTIOU set … it is
an empty string.



I have checked the log files on the Tomcat instance hosting the CAS server
and I find the following exceptions which seem to relate to the proxy
callback URL. Any idea what is wrong?



2007-06-19 09:25:58,812 ERROR [
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler]
- <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

            at
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown
Source)

            at
org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname
(StrictSSLProtocolSocketFactory.java:280)

            at
org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket
(StrictSSLProtocolSocketFactory.java:223)

            at org.apache.commons.httpclient.HttpConnection.open(
HttpConnection.java:706)

            at
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open
(MultiThreadedHttpConnectionManager.java:1321)

            at
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(
HttpMethodDirector.java:386)

            at
org.apache.commons.httpclient.HttpMethodDirector.executeMethod(
HttpMethodDirector.java:170)

            at org.apache.commons.httpclient.HttpClient.executeMethod(
HttpClient.java:396)

            at org.apache.commons.httpclient.HttpClient.executeMethod(
HttpClient.java:324)

            at
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate
(HttpBasedServiceCredentialsAuthenticationHandler.java:75)

            at
org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
AuthenticationManagerImpl.java:79)

            at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
(CentralAuthenticationServiceImpl.java:194)

            at
org.jasig.cas.web.ServiceValidateController.handleRequestInternal(
ServiceValidateController.java:159)

            at
org.springframework.web.servlet.mvc.AbstractController.handleRequest(
AbstractController.java:153)

            at
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
SimpleControllerHandlerAdapter.java:48)

            at
org.springframework.web.servlet.DispatcherServlet.doDispatch(
DispatcherServlet.java:819)

            at org.springframework.web.servlet.DispatcherServlet.doService
(DispatcherServlet.java:754)

            at
org.springframework.web.servlet.FrameworkServlet.processRequest(
FrameworkServlet.java:399)

            at org.springframework.web.servlet.FrameworkServlet.doGet(
FrameworkServlet.java:354)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java
:690)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java
:803)

            at org.jasig.cas.web.init.SafeDispatcherServlet.service(
SafeDispatcherServlet.java:115)

            at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:290)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:206)

            at org.apache.catalina.core.StandardWrapperValve.invoke(
StandardWrapperValve.java:228)

            at org.apache.catalina.core.StandardContextValve.invoke(
StandardContextValve.java:175)

            at org.apache.catalina.core.StandardHostValve.invoke(
StandardHostValve.java:128)

            at org.apache.catalina.valves.ErrorReportValve.invoke(
ErrorReportValve.java:104)

            at org.apache.catalina.core.StandardEngineValve.invoke(
StandardEngineValve.java:109)

            at org.apache.catalina.connector.CoyoteAdapter.service(
CoyoteAdapter.java:216)

            at org.apache.coyote.http11.Http11Processor.process(
Http11Processor.java:844)

            at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
Http11Protocol.java:634)

            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(
JIoEndpoint.java:445)

            at java.lang.Thread.run(Unknown Source)

2007-06-19 09:25:58,812 INFO [
org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandlerfailed
 to authenticate the user which provided the following credentials:
https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>

2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController]
- <TicketException generating ticket for:
https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>

org.jasig.cas.ticket.TicketCreationException:
error.authentication.credentials.bad

            at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
(CentralAuthenticationServiceImpl.java:215)

            at
org.jasig.cas.web.ServiceValidateController.handleRequestInternal(
ServiceValidateController.java:159)

            at
org.springframework.web.servlet.mvc.AbstractController.handleRequest(
AbstractController.java:153)

            at
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
SimpleControllerHandlerAdapter.java:48)

            at
org.springframework.web.servlet.DispatcherServlet.doDispatch(
DispatcherServlet.java:819)

            at org.springframework.web.servlet.DispatcherServlet.doService
(DispatcherServlet.java:754)

            at
org.springframework.web.servlet.FrameworkServlet.processRequest(
FrameworkServlet.java:399)

            at org.springframework.web.servlet.FrameworkServlet.doGet(
FrameworkServlet.java:354)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java
:690)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java
:803)

            at org.jasig.cas.web.init.SafeDispatcherServlet.service(
SafeDispatcherServlet.java:115)

            at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:290)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:206)

            at org.apache.catalina.core.StandardWrapperValve.invoke(
StandardWrapperValve.java:228)

            at org.apache.catalina.core.StandardContextValve.invoke(
StandardContextValve.java:175)

            at org.apache.catalina.core.StandardHostValve.invoke(
StandardHostValve.java:128)

            at org.apache.catalina.valves.ErrorReportValve.invoke(
ErrorReportValve.java:104)

            at org.apache.catalina.core.StandardEngineValve.invoke(
StandardEngineValve.java:109)

            at org.apache.catalina.connector.CoyoteAdapter.service(
CoyoteAdapter.java:216)

            at org.apache.coyote.http11.Http11Processor.process(
Http11Processor.java:844)

            at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
Http11Protocol.java:634)

            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(
JIoEndpoint.java:445)

            at java.lang.Thread.run(Unknown Source)

Caused by: error.authentication.credentials.bad

            at
org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException
.<clinit>(BadCredentialsAuthenticationException.java:25)

            at
org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
AuthenticationManagerImpl.java:105)

            at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
(CentralAuthenticationServiceImpl.java:194)

            ... 22 more


_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas




--
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas




--
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

Reply via email to