The error contains the solution: " This will create and .keystore file
in the user's home directory."

 

So your key should be located in $HOME/.keystore

 

The FNFE is due to the missing 's' of cacerts.

 

Regards,

Jens

 

________________________________

Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im
Auftrag von Christian Haugen 
Gesendet: Freitag, 22. Juni 2007 10:31
An: Yale CAS mailing list
Betreff: RE: HTTPS SSL and Tomcat configuration issues

 

Hmm, I think I might have found the problem. In the Catalina log files I
get this:

 

Jun 22, 2007 5:13:52 AM org.apache.catalina.startup.Catalina load

INFO: Initialization processed in 1447 ms

Jun 22, 2007 5:13:52 AM org.apache.catalina.core.StandardService start

INFO: Starting service Catalina

Jun 22, 2007 5:13:52 AM org.apache.catalina.core.StandardEngine start

INFO: Starting Servlet Engine: Apache Tomcat/6.0.13

Jun 22, 2007 5:13:52 AM org.apache.catalina.startup.HostConfig deployWAR

INFO: Deploying web application archive cas.war

Jun 22, 2007 5:13:57 AM org.apache.coyote.http11.Http11Protocol start

INFO: Starting Coyote HTTP/1.1 on http-8080

Jun 22, 2007 5:13:57 AM org.apache.coyote.http11.Http11Protocol start

SEVERE: Error starting endpoint

java.io.FileNotFoundException:
/usr/lib/jvm/java-1.5.0-sun/jre/lib/security/cacert (No such file or
directory)

        at java.io.FileInputStream.open(Native Method)

        at java.io.FileInputStream.<init>(FileInputStream.java:106)

        at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFac
tory.java:316)

        at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocket
Factory.java:259)

        at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESoc
ketFactory.java:410)

        at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory
.java:378)

        at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocke
tFactory.java:125)

        at
org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)

        at
org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:515)

        at
org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:204)

        at
org.apache.catalina.connector.Connector.start(Connector.java:1132)

        at
org.apache.catalina.core.StandardService.start(StandardService.java:531)

        at
org.apache.catalina.core.StandardServer.start(StandardServer.java:710)

        at org.apache.catalina.startup.Catalina.start(Catalina.java:566)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
a:39)

        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)

        at java.lang.reflect.Method.invoke(Method.java:585)

        at
org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)

        at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)

Jun 22, 2007 5:13:57 AM org.apache.catalina.startup.Catalina start

SEVERE: Catalina.start:

LifecycleException:  service.getName(): "Catalina";  Protocol handler
start failed: java.io.FileNotFoundException:
/usr/lib/jvm/java-1.5.0-sun/jre/lib/security/cacert (No such file or
directory)

        at
org.apache.catalina.connector.Connector.start(Connector.java:1139)

        at
org.apache.catalina.core.StandardService.start(StandardService.java:531)

        at
org.apache.catalina.core.StandardServer.start(StandardServer.java:710)

        at org.apache.catalina.startup.Catalina.start(Catalina.java:566)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
a:39)

        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)

        at java.lang.reflect.Method.invoke(Method.java:585)

        at
org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)

        at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)

Jun 22, 2007 5:13:57 AM org.apache.catalina.startup.Catalina start

INFO: Server startup in 5111 ms

 

 

If I understand it correctly then my keystore is non existent? But I am
able to export the certificate to the keystore mentioned in the above
directory and the export and import seems to work without a hitch?

 

Uncomment the SSL configuration in the %catalina_home%\conf\server.xml.
Added this: 

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS"
keystoreFile="/usr/lib/jvm/java-1.5.0-sun/jre/lib/security/cacert" />

 

Set up the public/private key and keystore by entering the following
command. This will create and .keystore file in the user's home
directory.

 

            %java_home%\bin\keytool -genkey -alias tomcat -keyalg RSA

 

When you are prompted for the first and last name, enter localhost.

 

Export the certificate from the .keystore file to a file called
server.crt.

 

            %java_home%\bin\keytool -export -alias tomcat -file
server.crt

 

Import the certificate into the default jvm truststore.

 

            %java_home%\bin\keytool -import -file server.crt -keystore
%java_home%/jre/lib/security/cacerts

 

Test the SSL configuration by entering https://localhost:8443
<https://localhost:8443/> 

 

But still no luck, any reason why my keystore is not found? With much
gratitude!

 

Christian

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Hausherr, Jens
Sent: 22. juni 2007 09:10
To: Yale CAS mailing list
Subject: AW: HTTPS SSL and Tomcat configuration issues

 

Hello Christian,

 

There is a simple way to get the configuration: just copy the commented
out entry from the sample server.xml for the https connector. In most
cases you just have to add the parameter for the keystore file (c.f.
tomcat documentation).

 

And make sure your host has an DNS entry and that the reverse lookup
works - all components of CAS communicating with each other try to
verify the other side's hostname by reverse lookup.

 

Jens 

 

________________________________

Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im
Auftrag von Christian Haugen 
Gesendet: Donnerstag, 21. Juni 2007 17:46
An: Yale CAS mailing list
Betreff: HTTPS SSL and Tomcat configuration issues

 

Alrighty, thanks!

Now for a question that is probably asked a lot.. about HTTPS and SSL
certificates.

 

Right now I am running a server internally in my companies network with
the ip 10.47.8.12(provided if needed in any settings) and I have
followed every single guide I have found to make it work with tomcat and
ssl but no luck. Here is what I have done, hopefully there is some basic
error J

First of all, which one of these to folder should be set to be my
JRE_HOME folder? 

-          /usr/lib/jvm/java-1.5.0

-          /usr/lib/jvm/java-1.5.0-sun-1.5.0.11

 

I follow the guide
http://tomcat.apache.org/tomcat-4.0-doc/ssl-howto.html but my main issue
is with the server.xml file of which I am not really sure how to
configure. When I open my own server.xml it looks like this:

<!-- Define a SSL HTTP/1.1 Connector on port 8443

         This connector uses the JSSE configuration, when using APR, the

         connector should be using the OpenSSL style configuration

         described in the APR documentation -->

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS" />

 

I have for example no className and is unsure if this is something that
has to be added. Is there anything else in server.xml that has to be
changed when you don't change the keystore path when you create the
certificate?

 

When I perform the steps on the ssl-howto I don't get any error messages
but when I try to access https://10.47.8.12:8443
<https://10.47.8.12:8443/>  there is just nothing there. The port 8080
on http works like a charm both for the CAS page and the Tomcat page but
nothing on the https port 8443 attempt.

 

Thank you in advance!

 

Christian Haugen

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Andrew Petro
Sent: 20. juni 2007 16:27
To: Yale CAS mailing list
Subject: On implementing per-service authorization rules within CAS

 

> Is this possible to do with CAS

Yes.

One way you could accomplish your requirements would be to add a new
flow action to the CAS login flow.  After the authentication bit, a flow
action would do the callback you describe, and shunt the flow to a
suitable "You are not worthy" user experience if the user isn't
authorized.


Traditionally, CAS is about authentication, not authorization.  Lack of
authorization to use service A shouldn't, to my way of thinking, prevent
a user from authenticating, establishing single sign on.  Application
A's unwillingness to service a given user is application A's problem,
and its user experience to provide, rather than CAS's.

Why arrest me during the CAS login workflow, interrupt my single sign on
experience, after I've already done all the work of presenting valid
credentials?

Instead, I would handle this requirement at application A, having it
validate the service ticket, complete the authentication step, and then
apply authorization  logic, supplying its own "You are not authorized"
user experience.  Details of that experience may differ significantly
from application to application. 

*Why* am I not authorized?  ("You are not permitted to register for
courses at this time as there is an immunization hold on your account.
Please click *here* to learn more about account holds and to learn steps
to resolve this issue.")  

*What* am I still authorized to do?  ("I'm sorry, you are not a
Cooperative Support subscriber at this time.  If you believe our records
are in error, please call us at 1-800-XXX-XXX.  In the meantime, you are
welcome to browse the public content of this site, including knowledge
base articles and a description of the premium support program.")

As application complexity increases, authorization grows beyond a
boolean to a matter of roles and privileges.  I'd look to Acegi, GAP, or
the like to help me implement authorization and authorization user
experiences within applications rather than within CAS.

But you can extend CAS to do this if you want to.

Andrew

Christian Haugen wrote: 

Hi!

 

I have a general question about CAS and was hoping to get an answer
before I invest too much time in something that may not work. I am
planning on using CAS as a server that authenticates its user to two
separate web services residing on different servers. Here is my
scenario:

 

I have two web applications, A and B that have different user databases.
I want to set up a CAS server that has the following functionality:

- When you go to A or B's log on page you immediately get redirected to
the CAS log on page. This log on page will be a simple page with just
the logon functionality. If Bob for example want to connect to A and
thus get redirected to the   

  CAS log on page I want the CAS server to send Bob's log on information
to server A for approval. If this information is correct then I want Bob
to be redirected to A but also gain access to B, and vice versa. 

 

I have seen the information on
http://www.ja-sig.org/wiki/display/CAS/Using+CAS+without+the+CAS+login+s
creen but as far as I can understand from the guide it still lets the
CAS server do the authorization. I have a loginsystem in place on server
A that I wish to use so that the CAS server simply sends the login info
to A and A replies with granted/not granted access. 

 

Is this possible to do with CAS and is there more information about such
a setup online?

 

Thank you in advance, my regards

 

Christian Haugen

 
 
 
 
 
 
 



________________________________



 
 
 
 
 
 
 
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
  

 

 

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

Reply via email to