Hi Jens,
I can't see any similar problems with DNS lookup. The hostname resolves to the proper IP address and if I do a reverse on the IP I get the correct hostname. And no, I am not requiring client certificates. I have clientAuth=false in both server.xml files. Interestingly, I have now managed to break things to the point that it is failing one step sooner than before ... and even though I would swear I have returned everything to the point it was when I started, it is still failing with a different error. Before, at least the Acegi client was able to call proxyValidate, but CAS was failing when it tried to invoke the proxyCallbackUrl. Now I can't even get the proxyValidate call to succeed. It fails every time with "InvalidAlgorithmParameterException : trustAnchors parameter must be non-empty". This is the single most frustrating experience I can remember configuring something and I've had some pretty bad experiences before. Bill From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hausherr, Jens Sent: Wednesday, June 20, 2007 3:47 AM To: Yale CAS mailing list Subject: AW: ACEGI, proxyValidate and PGTIOU Hi Bill, I encountered some problems with SSL certificates also - but mine were a result of broken DNS entries: the reverse lookup used in certificate validation resulted in random hostnames returned for the IP address %-). Does your tomcat installation (the SSL connector) require client certificates? The exception "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" seems to point in this direction. I do not know if commons-httpclient supports client authentication for SSL. Just a wild guess... Jens ________________________________ Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Bill Bailey Gesendet: Dienstag, 19. Juni 2007 15:50 An: Yale CAS mailing list Betreff: RE: ACEGI, proxyValidate and PGTIOU Thanks, Scott. However, I guess I am still a little confused. I have Tomcat 6.0 and Tomcat 5.5 running on the same machine (my development machine). I ran into some issues earlier with Tomcat finding the right keystore with my certificates so I added keystoreFile=C:\keystore\.keystore to the server.xml in both versions of Tomcat. So I thought both JVM's would be using the same keystore file. This works fine for allowing me to connect via SSL to both Tomcat instances. Is there a problem with what I am doing from a CAS perspecive? Is there another keystore beyond the ones configured in server.xml that I need to be populating? Bill ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Battaglia Sent: Tuesday, June 19, 2007 9:40 AM To: Yale CAS mailing list Subject: Re: ACEGI, proxyValidate and PGTIOU CAS's JVM does not trust your client application's certificate. If you've added the certificate to CAS's JVM, that most likely means the hostname does not match the cn. If you haven't added the certificate, you need to do so :-) -Scott On 6/19/07, Bill Bailey <[EMAIL PROTECTED]> wrote: Hi, I am using CAS with ACEGI security and I have the basics working. But when I try to add the proxyCallbackUrl to the CasProxyTicketValidator (see below), it only partly works. I am able to still authenticate through CAS, but the resulting authentication token does not have the PGTIOU set ... it is an empty string. I have checked the log files on the Tomcat instance hosting the CAS server and I find the following exceptions which seem to relate to the proxy callback URL. Any idea what is wrong? 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredential sAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unkn own Source) at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory .verifyHostname(StrictSSLProtocolSocketFactory.java:280) at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory .createSocket(StrictSSLProtocolSocketFactory.java:223) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:70 6) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpCon nectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMe thodDirector.java:386) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMetho dDirector.java:170) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:3 96) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:3 24) at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentials AuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthentica tionHandler.java:75) at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(Auth enticationManagerImpl.java:79) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic ket(CentralAuthenticationServiceImpl.java:194) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(Servic eValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abs tractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handl e(SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherS ervlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherSe rvlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest(Framewor kServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet. java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java:690) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServl et.java:115) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica tionFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt erChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv e.java:228) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv e.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java :128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java :104) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve. java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:2 16) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:84 4) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( Http11Protocol.java:634) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445) at java.lang.Thread.run(Unknown Source) 2007-06-19 09:25:58,812 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentials AuthenticationHandler failed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic ket(CentralAuthenticationServiceImpl.java:215) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(Servic eValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abs tractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handl e(SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherS ervlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherSe rvlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest(Framewor kServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet. java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java:690) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServl et.java:115) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica tionFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt erChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv e.java:228) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv e.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java :128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java :104) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve. java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:2 16) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:84 4) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( Http11Protocol.java:634) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445) at java.lang.Thread.run(Unknown Source) Caused by: error.authentication.credentials.bad at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationExcepti on.<clinit>(BadCredentialsAuthenticationException.java:25) at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(Auth enticationManagerImpl.java:105) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic ket(CentralAuthenticationServiceImpl.java:194) ... 22 more _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia LinkedIn: http://www.linkedin.com/in/scottbattaglia This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
