Hi Scott,
Thanks again. I am getting a clearer picture, but I still can't get it to work. I've seen a lot of other people discussing SSL/Certificate issues on this list so I guess it is my turn to feel the pain. Here are the steps I did ... I deleted the old keystore I was using for Tomcat and started from scratch. keytool -genkey -alias tomcat -keypass changeit -keystore C:\keystore\.keystore I then set keystoreFile=C:\keystore\.keystore in both the Tomcat 6.0 and Tomcat 5.5 server.xml files. Basic SSL works fine after doing the above two steps ... keytool -export -alias tomcat -file tomcat.crt -keystore C:\keystore\.keystore Certificate file tomcat.crt exports without any errors or warnings ... keytool -import -file tomcat.crt -alias tomcat -keystore "C:\Program Files\Java\jdk1.6.0_01\jre\lib\security\cacerts" Certificate imports without any errors or warnings ... keytool -list -keystore "C:\Program Files\Java\jdk1.6.0_01\jre\lib\security\cacerts" Lists 44 entries including the certificate just added under the tomcat alias Still gets the same error as before ... I did notice that doing keytool -list without a -keystore parameter returned an empty list so I wondered if there was another keystore at play here. So I tried adding the certificate to the 'default' keystore using the following command. keytool -import -file tomcat.crt -alias tomcat Certificate imports without any errors or warnings ... keytool -list Lists 1 entry ... the new certificate with the tomcat alias I just added Still get the same error. I am losing my mind here. What am I still not doing? Thanks in advance for any suggestions. Bill ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Battaglia Sent: Tuesday, June 19, 2007 9:56 AM To: Yale CAS mailing list Subject: Re: ACEGI, proxyValidate and PGTIOU Bill, That's not the JVM's list of certificates. That's Tomcat's keystore. The JVM stores its certificates in JAVA_HOME\jre\lib\security\cacerts You would need to insert your certificate using a command such as the following: %JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts (assuming you've exported the container's certificate to server.crt). -Scott On 6/19/07, Bill Bailey <[EMAIL PROTECTED]> wrote: Thanks, Scott. However, I guess I am still a little confused. I have Tomcat 6.0 and Tomcat 5.5 running on the same machine (my development machine). I ran into some issues earlier with Tomcat finding the right keystore with my certificates so I added keystoreFile=C:\keystore\.keystore to the server.xml in both versions of Tomcat. So I thought both JVM's would be using the same keystore file. This works fine for allowing me to connect via SSL to both Tomcat instances. Is there a problem with what I am doing from a CAS perspecive? Is there another keystore beyond the ones configured in server.xml that I need to be populating? Bill ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Battaglia Sent: Tuesday, June 19, 2007 9:40 AM To: Yale CAS mailing list Subject: Re: ACEGI, proxyValidate and PGTIOU CAS's JVM does not trust your client application's certificate. If you've added the certificate to CAS's JVM, that most likely means the hostname does not match the cn. If you haven't added the certificate, you need to do so :-) -Scott On 6/19/07, Bill Bailey <[EMAIL PROTECTED]> wrote: Hi, I am using CAS with ACEGI security and I have the basics working. But when I try to add the proxyCallbackUrl to the CasProxyTicketValidator (see below), it only partly works. I am able to still authenticate through CAS, but the resulting authentication token does not have the PGTIOU set ... it is an empty string. I have checked the log files on the Tomcat instance hosting the CAS server and I find the following exceptions which seem to relate to the proxy callback URL. Any idea what is wrong? 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredential sAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unkn own Source) at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory .verifyHostname(StrictSSLProtocolSocketFactory.java:280) at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory .createSocket(StrictSSLProtocolSocketFactory.java:223) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:70 6) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpCon nectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMe thodDirector.java:386) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMetho dDirector.java:170) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:3 96) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:3 24) at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentials AuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthentica tionHandler.java:75) at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(Auth enticationManagerImpl.java:79) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic ket(CentralAuthenticationServiceImpl.java:194) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(Servic eValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abs tractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handl e(SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherS ervlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherSe rvlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest(Framewor kServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet. java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java:690) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServl et.java:115) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica tionFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt erChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv e.java:228) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv e.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java :128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java :104) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve. java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:2 16) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:84 4) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( Http11Protocol.java:634) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445) at java.lang.Thread.run(Unknown Source) 2007-06-19 09:25:58,812 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentials AuthenticationHandler failed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor > 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor > org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic ket(CentralAuthenticationServiceImpl.java:215) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(Servic eValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abs tractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handl e(SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherS ervlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherSe rvlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest(Framewor kServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet. java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java:690) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServl et.java:115) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica tionFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt erChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv e.java:228) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv e.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java :128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java :104) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve. java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:2 16) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:84 4) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( Http11Protocol.java:634) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445) at java.lang.Thread.run(Unknown Source) Caused by: error.authentication.credentials.bad at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationExcepti on.<clinit>(BadCredentialsAuthenticationException.java:25) at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(Auth enticationManagerImpl.java:105) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic ket(CentralAuthenticationServiceImpl.java:194) ... 22 more _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia LinkedIn: http://www.linkedin.com/in/scottbattaglia _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
