Scott
thanks I see now where the IdP is complaining about the cert.. I'm still
trying to get to the bottom of this. I dont think the
keystore is getting loaded.. at start. Is that what these messages are
indicating, which happen at tomcat startup

15:06:02,520 [main] DEBUG Truststore = null -
org.apache.tomcat.util.net.jsse.JSSESocketFactory [20071009]
15:06:02,521 [main] DEBUG TrustPass = secret -
org.apache.tomcat.util.net.jsse.JSSESocketFactory [20071009]
15:06:02,521 [main] DEBUG trustType = jks -
org.apache.tomcat.util.net.jsse.JSSESocketFactory [20071009]

Im still trying to figure out what pieces need what keys for this to work as
I'd rather use apache for the
ssl part ... however I think that cas and shib-idp still need to talk with
the keystore keys.

-- 
:wq!
kevin.foote

On 10/4/07, Scott Battaglia <[EMAIL PROTECTED]> wrote:
>
> Kevin,
>
> The Shibboleth IdP doesn't trust the CAS server's certificate it seems:
>
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> -Scott
>
>
> On 10/4/07, Kevin Foote <[EMAIL PROTECTED]> wrote:
>
> > Hello
> > Im trying to get cas-server and cas-client to work for ldap
> > authentication to MSAD for Shibboleth-IdP/SSO
> >
> > So far I'm using the package provided here shib.kuleuven.be/docs/idp which
> > is basically what I need Shibboleth with CAS on the
> > back end doing the connection to AD etc. I have set logging on
> > everything to DEBUG and see quite a bit.. I also have things working
> > somewhat as
> > I can see the username being authenticated on the AD server side through
> > logs there.  It seems to die at a ticket problem..
> > Or is this related to certificates ??
> >
> > Here is the error that I get:
> >
> > == /opt/tomcat5/logs/tomcat.log
> > 13:51:10,199 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction'
> > beginning execution - org.jasig.cas.web.flow.AuthenticationViaForm
> > Action [20071004]
> > 13:51:10,205 [TP-Processor6] DEBUG Executing bind -
> > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > 13:51:10,206 [TP-Processor6] DEBUG Loading new form object -
> > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > 13:51:10,207 [TP-Processor6] DEBUG Creating new instance of form object
> > class [class org.jasig.cas.authentication.principal.UsernamePasswo
> > rdCredentials] - 
> > org.jasig.cas.web.flow.AuthenticationViaFormAction[20071004]
> > 13:51:10,208 [TP-Processor6] DEBUG Setting form object of type [class
> > org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
> > in scope [class org.springframework.webflow.ScopeType.Flow (1)] with
> > name 'credentials' - org.jasig.cas.web.flow.AuthenticationViaFormActi
> > on [20071004]
> > 13:51:10,244 [TP-Processor6] DEBUG No property editor registrar set, no
> > custom editors to register - org.jasig.cas.web.flow.Authentication
> > ViaFormAction [20071004]
> > 13:51:10,269 [TP-Processor6] DEBUG Binding allowed request parameters in
> > map['lt' -> '_c025B5288-CE44-A636-26C1-03360144BE32_kDFEE0594-228
> > 5-6890-46C6-8E9398DA2FAF', 'service' -> 
> > 'https://k2.cc.iup.edu/shibboleth-idp/SSO?shire=https%3A%2F%2Faktag.cc.iup.edu%2FShibboleth.sso%2F
> >
> > SAML%2FPOST&time=1191519847&target=cookie&providerId=https%3A%2F%2Faktag.cc.iup.edu%2Fshibboleth%2Fk2%2Fsp',
> > '_eventId' -> 'submit', 'pass
> > word' -> 'welcome1', '_currentStateId' -> '', 'username' -> 'testuser']
> > to form object with name 'credentials', pre-bind formObject toStri
> > ng = null - org.jasig.cas.web.flow.AuthenticationViaFormAction[20071004]
> > 13:51:10,269 [TP-Processor6] DEBUG (Any field is allowed) -
> > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > 13:51:10,292 [TP-Processor6] DEBUG Binding completed for form object
> > with name 'credentials', post-bind formObject toString = testuser - o
> > rg.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > 13:51:10,293 [TP-Processor6] DEBUG There are [0] errors, details: [] -
> > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > 13:51:10,294 [TP-Processor6] DEBUG Setting form errors instance in scope
> > [class org.springframework.webflow.ScopeType.Request (0)] - org.j
> > asig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > 13:51:10,298 [TP-Processor6] DEBUG Executing validate -
> > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > 13:51:10,299 [TP-Processor6] DEBUG Invoking validator
> > [EMAIL PROTECTED] -
> > org.jasig.cas
> > .web.flow.AuthenticationViaFormAction [20071004]
> > 13:51:10,303 [TP-Processor6] DEBUG Validation completed for form object
> > with name 'credentials' - org.jasig.cas.web.flow.AuthenticationVia
> > FormAction [20071004]
> > 13:51:10,304 [TP-Processor6] DEBUG There are [0] errors, details: [] -
> > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > 13:51:10,305 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction'
> > completed execution; result is 'success' - org.jasig.cas.web.flow.
> > AuthenticationViaFormAction [20071004]
> > 13:51:10,305 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction'
> > beginning execution - org.jasig.cas.web.flow.AuthenticationViaForm
> > Action [20071004]
> > 13:51:10,306 [TP-Processor6] DEBUG Found existing form object with name
> > 'credentials' of type [class org.jasig.cas.authentication.principa
> > l.UsernamePasswordCredentials] in scope [class
> > org.springframework.webflow.ScopeType.Flow (1)] -
> > org.jasig.cas.web.flow.AuthenticationViaF
> > ormAction [20071004]
> > 13:51:10,365 [TP-Processor6] INFO  AuthenticationHandler:
> > org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
> > authentic
> > ated the user which provided the following credentials: testuser -
> > org.jasig.cas.authentication.AuthenticationManagerImpl [20071004]
> > 13:51:10,365 [TP-Processor6] DEBUG Creating SimplePrincipal for
> > [testuser] -
> > org.jasig.cas.authentication.principal.UsernamePasswordCreden
> > tialsToPrincipalResolver [20071004]
> > 13:51:10,381 [TP-Processor6] DEBUG Added ticket
> > [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] to registry. -
> > org.jasig.cas.ticket.registr
> > y.DefaultTicketRegistry [20071004]
> > 13:51:10,382 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction'
> > completed execution; result is 'success' - org.jasig.cas.web.flow.
> > AuthenticationViaFormAction [20071004]
> > 13:51:10,383 [TP-Processor6] DEBUG Action
> > 'SendTicketGrantingTicketAction' beginning execution -
> > org.jasig.cas.web.flow.SendTicketGranting
> > TicketAction [20071004]
> > 13:51:10,384 [TP-Processor6] DEBUG Action
> > 'SendTicketGrantingTicketAction' completed execution; result is 'success' -
> > org.jasig.cas.web.fl
> > ow.SendTicketGrantingTicketAction [20071004]
> > 13:51:10,385 [TP-Processor6] DEBUG Action 'HasServiceCheckAction'
> > beginning execution - org.jasig.cas.web.flow.HasServiceCheckAction [2007
> > 1004]
> > 13:51:10,386 [TP-Processor6] DEBUG Action 'HasServiceCheckAction'
> > completed execution; result is 'hasService' - org.jasig.cas.web.flow.Has
> > ServiceCheckAction [20071004]
> > 13:51:10,387 [TP-Processor6] DEBUG Action 'GenerateServiceTicketAction'
> > beginning execution - org.jasig.cas.web.flow.GenerateServiceTicket
> > Action [20071004]
> > 13:51:10,400 [TP-Processor6] DEBUG Attempting to retrieve ticket
> > [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] -
> > org.jasig.cas.ticket.reg
> > istry.DefaultTicketRegistry [20071004]
> > 13:51:10,401 [TP-Processor6] DEBUG Ticket
> > [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] found in registry. -
> > org.jasig.cas.ticket.registr
> > y.DefaultTicketRegistry [20071004]
> > 13:51:10,405 [TP-Processor6] DEBUG Added ticket
> > [ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] to registry. -
> > org.jasig.cas.ticket.registry
> > .DefaultTicketRegistry [20071004]
> > 13:51:10,406 [TP-Processor6] INFO  Granted service ticket
> > [ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] for service [
> > https://k2.cc.iup.edu
> > /shibboleth-idp/SSO?shire=https%3A%2F%2Faktag.cc.iup.edu%2FShibboleth.sso%2FSAML%2FPOST&time=1191519847&target=cookie&providerId=https%3A%
> >
> > 2F%2Faktag.cc.iup.edu%2Fshibboleth%2Fk2%2Fsp] for user [testuser] -
> > org.jasig.cas.CentralAuthenticationServiceImpl [20071004]
> > 13:51:10,407 [TP-Processor6] DEBUG Action 'GenerateServiceTicketAction'
> > completed execution; result is 'success' - org.jasig.cas.web.flow.
> > GenerateServiceTicketAction [20071004]
> > 13:51:10,407 [TP-Processor6] DEBUG Action 'WarnAction' beginning
> > execution - org.jasig.cas.web.flow.WarnAction [20071004]
> > 13:51:10,408 [TP-Processor6] DEBUG Action 'WarnAction' completed
> > execution; result is 'redirect' - org.jasig.cas.web.flow.WarnAction[2007
> > 1004]
> > 13:51:11,018 [
> > edu.internet2.middleware.shibboleth.common.provider.SharedMemoryShibHandle.HandleCache.MemoryRepositoryCleaner]
> > DEBUG Memory
> >  cache handle cache cleanup thread searching for stale entries. -
> > edu.internet2.middleware.shibboleth.common.provider.HandleCache[20071004]
> > 13:51:11,880 [
> > edu.internet2.middleware.shibboleth.aa.attrresolv.ResolverCacher.Cleaner]
> > DEBUG Resolver Cache cleanup thread searching cach
> > e for stale entries. -
> > edu.internet2.middleware.shibboleth.aa.attrresolv.ResolverCache[20071004]
> > 13:51:11,948 [TP-Processor5] ERROR
> > edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
> > validate ProxyTicketValidator [[edu.ya
> > le.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [
> > edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[
> > https://k2.c
> > c.iup.edu/cas/serviceValidate]
> > ticket=[ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20]
> > service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp%
> >
> > 2FSSO%3Fshire%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1191519847%26target%3Dcookie%26provider
> > Id%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252Fshibboleth%252Fk2%252Fsp]
> > renew=false]]] - edu.yale.its.tp.cas.client.CASReceipt [20071004]
> > 13:51:11,949 [TP-Processor5] ERROR
> > edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
> > validate ProxyTicketValidator [[edu.ya
> > le.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [
> > edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[
> > https://k2.c
> > c.iup.edu/cas/serviceValidate]
> > ticket=[ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20]
> > service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp%
> >
> > 2FSSO%3Fshire%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1191519847%26target%3Dcookie%26provider
> > Id%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252Fshibboleth%252Fk2%252Fsp]
> > renew=false]]] - edu.yale.its.tp.cas.client.filter.CASFilter [2007
> > 1004]
> > 13:51:11,954 [TP-Processor5] ERROR Servlet.service() for servlet IdP
> > threw exception - org.apache.catalina.core.ContainerBase.[Catalina].[
> > localhost].[/shibboleth-idp].[IdP] [20071004]
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> > find valid certification path to requested target
> >         at 
> > sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
> > Source)
> >         at java.security.cert.CertPathBuilder.build(Unknown Source)
> >         at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> >         at sun.security.validator.PKIXValidator.engineValidate(Unknown
> > Source)
> >         at sun.security.validator.Validator.validate(Unknown Source)
> >         at
> > com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
> > Source)
> >         at
> > com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown
> >  Source)
> >         at
> > com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
> > Source)
> >         at 
> > com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
> > Source)
> >         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop (Unknown
> > Source)
> >         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown
> > Source)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown
> > Source)
> >         at
> > com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown 
> > Source)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> > Source)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> > Source)
> >         at sun.net.www.protocol.https.HttpsClient.afterConnect (Unknown
> > Source)
> >         at
> > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown
> > Source)
> >         at 
> > sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown
> > Source)
> >         at
> > sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown 
> > Source)
> >         at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java
> > :84)
> >         at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(
> > ServiceTicketValidator.java:212)
> >         at edu.yale.its.tp.cas.client.CASReceipt.getReceipt (
> > CASReceipt.java:50)
> >         at
> > edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(
> > CASFilter.java:455)
> >         at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(
> > CASFilter.java:378)
> >         at
> > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
> > ApplicationFilterChain.java:215)
> >         at org.apache.catalina.core.ApplicationFilterChain.doFilter(
> > ApplicationFilterChain.java:188)
> >         at org.apache.catalina.core.StandardWrapperValve.invoke (
> > StandardWrapperValve.java:210)
> >         at org.apache.catalina.core.StandardContextValve.invoke(
> > StandardContextValve.java:174)
> >         at org.apache.catalina.core.StandardHostValve.invoke(
> > StandardHostValve.java:127)
> >         at org.apache.catalina.valves.ErrorReportValve.invoke(
> > ErrorReportValve.java:117)
> >         at org.apache.catalina.core.StandardEngineValve.invoke(
> > StandardEngineValve.java:108)
> >         at org.apache.catalina.connector.CoyoteAdapter.service (
> > CoyoteAdapter.java:151)
> >         at org.apache.jk.server.JkCoyoteHandler.invoke(
> > JkCoyoteHandler.java:200)
> >         at org.apache.jk.common.HandlerRequest.invoke(
> > HandlerRequest.java:283)
> >         at org.apache.jk.common.ChannelSocket.invoke (ChannelSocket.java
> > :773)
> >         at org.apache.jk.common.ChannelSocket.processConnection(
> > ChannelSocket.java:703)
> >         at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(
> > ChannelSocket.java:895)
> >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run
> > (ThreadPool.java:685)
> >         at java.lang.Thread.run(Unknown Source)
> > 13:51:11,955 [
> > edu.internet2.middleware.shibboleth.idp.provider.MemoryArtifactMapper..MemoryArtifactCleaner]
> >  DEBUG Memory-based artifact ma
> > pper cleanup thread searching for stale entries. -
> > edu.internet2.middleware.shibboleth.artifact.provider.MemoryArtifactMapper[20071004]
> > 13:51:12,377 [Thread-13] DEBUG Checking for updates to resource
> > (file:/usr/local/shib-idp/etc/my- metadata.xml) -
> > edu.internet2.middleware.
> > shibboleth.common.ResourceWatchdog [20071004]
> >
> > Thanks for any help ..
> >
> > --
> > :wq!
> > kevin.foote
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

Reply via email to