This may help: http://forum.springframework.org/showthread.php?t=30094
-Scott On 6/20/07, Bill Bailey <[EMAIL PROTECTED]> wrote:
Hi Jens, I can't see any similar problems with DNS lookup. The hostname resolves to the proper IP address and if I do a reverse on the IP I get the correct hostname. And no, I am not requiring client certificates. I have clientAuth=false in both server.xml files. Interestingly, I have now managed to break things to the point that it is failing one step sooner than before … and even though I would swear I have returned everything to the point it was when I started, it is still failing with a different error. Before, at least the Acegi client was able to call proxyValidate, but CAS was failing when it tried to invoke the proxyCallbackUrl. Now I can't even get the proxyValidate call to succeed. It fails every time with "InvalidAlgorithmParameterException : trustAnchors parameter must be non-empty". This is the single most frustrating experience I can remember configuring something and I've had some pretty bad experiences before. Bill *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Hausherr, Jens *Sent:* Wednesday, June 20, 2007 3:47 AM *To:* Yale CAS mailing list *Subject:* AW: ACEGI, proxyValidate and PGTIOU Hi Bill, I encountered some problems with SSL certificates also – but mine were a result of broken DNS entries: the reverse lookup used in certificate validation resulted in random hostnames returned for the IP address %-). Does your tomcat installation (the SSL connector) require client certificates? The exception "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" seems to point in this direction. I do not know if commons-httpclient supports client authentication for SSL. Just a wild guess… Jens ------------------------------ *Von:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *Im Auftrag von *Bill Bailey *Gesendet:* Dienstag, 19. Juni 2007 15:50 *An:* Yale CAS mailing list *Betreff:* RE: ACEGI, proxyValidate and PGTIOU Thanks, Scott. However, I guess I am still a little confused. I have Tomcat 6.0 and Tomcat 5.5 running on the same machine (my development machine). I ran into some issues earlier with Tomcat finding the right keystore with my certificates so I added keystoreFile=C:\keystore\.keystore to the server.xml in both versions of Tomcat. So I thought both JVM's would be using the same keystore file. This works fine for allowing me to connect via SSL to both Tomcat instances. Is there a problem with what I am doing from a CAS perspecive? Is there another keystore beyond the ones configured in server.xml that I need to be populating? Bill ------------------------------ *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Scott Battaglia *Sent:* Tuesday, June 19, 2007 9:40 AM *To:* Yale CAS mailing list *Subject:* Re: ACEGI, proxyValidate and PGTIOU CAS's JVM does not trust your client application's certificate. If you've added the certificate to CAS's JVM, that most likely means the hostname does not match the cn. If you haven't added the certificate, you need to do so :-) -Scott On 6/19/07, *Bill Bailey* <[EMAIL PROTECTED]> wrote: Hi, I am using CAS with ACEGI security and I have the basics working. But when I try to add the proxyCallbackUrl to the CasProxyTicketValidator (see below), it only partly works. I am able to still authenticate through CAS, but the resulting authentication token does not have the PGTIOU set … it is an empty string. I have checked the log files on the Tomcat instance hosting the CAS server and I find the following exceptions which seem to relate to the proxy callback URL. Any idea what is wrong? 2007-06-19 09:25:58,812 ERROR [ org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source) at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname (StrictSSLProtocolSocketFactory.java:280) at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket (StrictSSLProtocolSocketFactory.java:223) at org.apache.commons.httpclient.HttpConnection.open( HttpConnection.java:706) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open (MultiThreadedHttpConnectionManager.java:1321) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry( HttpMethodDirector.java:386) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod( HttpMethodDirector.java:170) at org.apache.commons.httpclient.HttpClient.executeMethod( HttpClient.java:396) at org.apache.commons.httpclient.HttpClient.executeMethod( HttpClient.java:324) at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate (HttpBasedServiceCredentialsAuthenticationHandler.java:75) at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate( AuthenticationManagerImpl.java:79) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket (CentralAuthenticationServiceImpl.java:194) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal( ServiceValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest( AbstractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle( SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch( DispatcherServlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService (DispatcherServlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest( FrameworkServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet( FrameworkServlet.java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java :690) at javax.servlet.http.HttpServlet.service(HttpServlet.java :803) at org.jasig.cas.web.init.SafeDispatcherServlet.service( SafeDispatcherServlet.java:115) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter( ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke( StandardWrapperValve.java:228) at org.apache.catalina.core.StandardContextValve.invoke( StandardContextValve.java:175) at org.apache.catalina.core.StandardHostValve.invoke( StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke( ErrorReportValve.java:104) at org.apache.catalina.core.StandardEngineValve.invoke( StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service( CoyoteAdapter.java:216) at org.apache.coyote.http11.Http11Processor.process( Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( Http11Protocol.java:634) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run( JIoEndpoint.java:445) at java.lang.Thread.run(Unknown Source) 2007-06-19 09:25:58,812 INFO [ org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandlerfailed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket (CentralAuthenticationServiceImpl.java:215) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal( ServiceValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest( AbstractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle( SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch( DispatcherServlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService (DispatcherServlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest( FrameworkServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet( FrameworkServlet.java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java :690) at javax.servlet.http.HttpServlet.service(HttpServlet.java :803) at org.jasig.cas.web.init.SafeDispatcherServlet.service( SafeDispatcherServlet.java:115) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter( ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke( StandardWrapperValve.java:228) at org.apache.catalina.core.StandardContextValve.invoke( StandardContextValve.java:175) at org.apache.catalina.core.StandardHostValve.invoke( StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke( ErrorReportValve.java:104) at org.apache.catalina.core.StandardEngineValve.invoke( StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service( CoyoteAdapter.java:216) at org.apache.coyote.http11.Http11Processor.process( Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( Http11Protocol.java:634) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run( JIoEndpoint.java:445) at java.lang.Thread.run(Unknown Source) Caused by: error.authentication.credentials.bad at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException .<clinit>(BadCredentialsAuthenticationException.java:25) at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate( AuthenticationManagerImpl.java:105) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket (CentralAuthenticationServiceImpl.java:194) ... 22 more _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia LinkedIn: http://www.linkedin.com/in/scottbattaglia This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
-- -Scott Battaglia LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
