Scott thanks I see now where the IdP is complaining about the cert.. I'm still trying to get to the bottom of this. I dont think the keystore is getting loaded.. at start. Is that what these messages are indicating, which happen at tomcat startup
15:06:02,520 [main] DEBUG Truststore = null - org.apache.tomcat.util.net.jsse.JSSESocketFactory [20071009] 15:06:02,521 [main] DEBUG TrustPass = secret - org.apache.tomcat.util.net.jsse.JSSESocketFactory [20071009] 15:06:02,521 [main] DEBUG trustType = jks - org.apache.tomcat.util.net.jsse.JSSESocketFactory [20071009] Im still trying to figure out what pieces need what keys for this to work as I'd rather use apache for the ssl part ... however I think that cas and shib-idp still need to talk with the keystore keys. -- :wq! kevin.foote On 10/4/07, Scott Battaglia <[EMAIL PROTECTED]> wrote: > > Kevin, > > The Shibboleth IdP doesn't trust the CAS server's certificate it seems: > > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > > -Scott > > > On 10/4/07, Kevin Foote <[EMAIL PROTECTED]> wrote: > > > Hello > > Im trying to get cas-server and cas-client to work for ldap > > authentication to MSAD for Shibboleth-IdP/SSO > > > > So far I'm using the package provided here shib.kuleuven.be/docs/idp which > > is basically what I need Shibboleth with CAS on the > > back end doing the connection to AD etc. I have set logging on > > everything to DEBUG and see quite a bit.. I also have things working > > somewhat as > > I can see the username being authenticated on the AD server side through > > logs there. It seems to die at a ticket problem.. > > Or is this related to certificates ?? > > > > Here is the error that I get: > > > > == /opt/tomcat5/logs/tomcat.log > > 13:51:10,199 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' > > beginning execution - org.jasig.cas.web.flow.AuthenticationViaForm > > Action [20071004] > > 13:51:10,205 [TP-Processor6] DEBUG Executing bind - > > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004] > > 13:51:10,206 [TP-Processor6] DEBUG Loading new form object - > > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004] > > 13:51:10,207 [TP-Processor6] DEBUG Creating new instance of form object > > class [class org.jasig.cas.authentication.principal.UsernamePasswo > > rdCredentials] - > > org.jasig.cas.web.flow.AuthenticationViaFormAction[20071004] > > 13:51:10,208 [TP-Processor6] DEBUG Setting form object of type [class > > org.jasig.cas.authentication.principal.UsernamePasswordCredentials] > > in scope [class org.springframework.webflow.ScopeType.Flow (1)] with > > name 'credentials' - org.jasig.cas.web.flow.AuthenticationViaFormActi > > on [20071004] > > 13:51:10,244 [TP-Processor6] DEBUG No property editor registrar set, no > > custom editors to register - org.jasig.cas.web.flow.Authentication > > ViaFormAction [20071004] > > 13:51:10,269 [TP-Processor6] DEBUG Binding allowed request parameters in > > map['lt' -> '_c025B5288-CE44-A636-26C1-03360144BE32_kDFEE0594-228 > > 5-6890-46C6-8E9398DA2FAF', 'service' -> > > 'https://k2.cc.iup.edu/shibboleth-idp/SSO?shire=https%3A%2F%2Faktag.cc.iup.edu%2FShibboleth.sso%2F > > > > SAML%2FPOST&time=1191519847&target=cookie&providerId=https%3A%2F%2Faktag.cc.iup.edu%2Fshibboleth%2Fk2%2Fsp', > > '_eventId' -> 'submit', 'pass > > word' -> 'welcome1', '_currentStateId' -> '', 'username' -> 'testuser'] > > to form object with name 'credentials', pre-bind formObject toStri > > ng = null - org.jasig.cas.web.flow.AuthenticationViaFormAction[20071004] > > 13:51:10,269 [TP-Processor6] DEBUG (Any field is allowed) - > > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004] > > 13:51:10,292 [TP-Processor6] DEBUG Binding completed for form object > > with name 'credentials', post-bind formObject toString = testuser - o > > rg.jasig.cas.web.flow.AuthenticationViaFormAction [20071004] > > 13:51:10,293 [TP-Processor6] DEBUG There are [0] errors, details: [] - > > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004] > > 13:51:10,294 [TP-Processor6] DEBUG Setting form errors instance in scope > > [class org.springframework.webflow.ScopeType.Request (0)] - org.j > > asig.cas.web.flow.AuthenticationViaFormAction [20071004] > > 13:51:10,298 [TP-Processor6] DEBUG Executing validate - > > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004] > > 13:51:10,299 [TP-Processor6] DEBUG Invoking validator > > [EMAIL PROTECTED] - > > org.jasig.cas > > .web.flow.AuthenticationViaFormAction [20071004] > > 13:51:10,303 [TP-Processor6] DEBUG Validation completed for form object > > with name 'credentials' - org.jasig.cas.web.flow.AuthenticationVia > > FormAction [20071004] > > 13:51:10,304 [TP-Processor6] DEBUG There are [0] errors, details: [] - > > org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004] > > 13:51:10,305 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' > > completed execution; result is 'success' - org.jasig.cas.web.flow. > > AuthenticationViaFormAction [20071004] > > 13:51:10,305 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' > > beginning execution - org.jasig.cas.web.flow.AuthenticationViaForm > > Action [20071004] > > 13:51:10,306 [TP-Processor6] DEBUG Found existing form object with name > > 'credentials' of type [class org.jasig.cas.authentication.principa > > l.UsernamePasswordCredentials] in scope [class > > org.springframework.webflow.ScopeType.Flow (1)] - > > org.jasig.cas.web.flow.AuthenticationViaF > > ormAction [20071004] > > 13:51:10,365 [TP-Processor6] INFO AuthenticationHandler: > > org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully > > authentic > > ated the user which provided the following credentials: testuser - > > org.jasig.cas.authentication.AuthenticationManagerImpl [20071004] > > 13:51:10,365 [TP-Processor6] DEBUG Creating SimplePrincipal for > > [testuser] - > > org.jasig.cas.authentication.principal.UsernamePasswordCreden > > tialsToPrincipalResolver [20071004] > > 13:51:10,381 [TP-Processor6] DEBUG Added ticket > > [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] to registry. - > > org.jasig.cas.ticket.registr > > y.DefaultTicketRegistry [20071004] > > 13:51:10,382 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' > > completed execution; result is 'success' - org.jasig.cas.web.flow. > > AuthenticationViaFormAction [20071004] > > 13:51:10,383 [TP-Processor6] DEBUG Action > > 'SendTicketGrantingTicketAction' beginning execution - > > org.jasig.cas.web.flow.SendTicketGranting > > TicketAction [20071004] > > 13:51:10,384 [TP-Processor6] DEBUG Action > > 'SendTicketGrantingTicketAction' completed execution; result is 'success' - > > org.jasig.cas.web.fl > > ow.SendTicketGrantingTicketAction [20071004] > > 13:51:10,385 [TP-Processor6] DEBUG Action 'HasServiceCheckAction' > > beginning execution - org.jasig.cas.web.flow.HasServiceCheckAction [2007 > > 1004] > > 13:51:10,386 [TP-Processor6] DEBUG Action 'HasServiceCheckAction' > > completed execution; result is 'hasService' - org.jasig.cas.web.flow.Has > > ServiceCheckAction [20071004] > > 13:51:10,387 [TP-Processor6] DEBUG Action 'GenerateServiceTicketAction' > > beginning execution - org.jasig.cas.web.flow.GenerateServiceTicket > > Action [20071004] > > 13:51:10,400 [TP-Processor6] DEBUG Attempting to retrieve ticket > > [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] - > > org.jasig.cas.ticket.reg > > istry.DefaultTicketRegistry [20071004] > > 13:51:10,401 [TP-Processor6] DEBUG Ticket > > [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] found in registry. - > > org.jasig.cas.ticket.registr > > y.DefaultTicketRegistry [20071004] > > 13:51:10,405 [TP-Processor6] DEBUG Added ticket > > [ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] to registry. - > > org.jasig.cas.ticket.registry > > .DefaultTicketRegistry [20071004] > > 13:51:10,406 [TP-Processor6] INFO Granted service ticket > > [ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] for service [ > > https://k2.cc.iup.edu > > /shibboleth-idp/SSO?shire=https%3A%2F%2Faktag.cc.iup.edu%2FShibboleth.sso%2FSAML%2FPOST&time=1191519847&target=cookie&providerId=https%3A% > > > > 2F%2Faktag.cc.iup.edu%2Fshibboleth%2Fk2%2Fsp] for user [testuser] - > > org.jasig.cas.CentralAuthenticationServiceImpl [20071004] > > 13:51:10,407 [TP-Processor6] DEBUG Action 'GenerateServiceTicketAction' > > completed execution; result is 'success' - org.jasig.cas.web.flow. > > GenerateServiceTicketAction [20071004] > > 13:51:10,407 [TP-Processor6] DEBUG Action 'WarnAction' beginning > > execution - org.jasig.cas.web.flow.WarnAction [20071004] > > 13:51:10,408 [TP-Processor6] DEBUG Action 'WarnAction' completed > > execution; result is 'redirect' - org.jasig.cas.web.flow.WarnAction[2007 > > 1004] > > 13:51:11,018 [ > > edu.internet2.middleware.shibboleth.common.provider.SharedMemoryShibHandle.HandleCache.MemoryRepositoryCleaner] > > DEBUG Memory > > cache handle cache cleanup thread searching for stale entries. - > > edu.internet2.middleware.shibboleth.common.provider.HandleCache[20071004] > > 13:51:11,880 [ > > edu.internet2.middleware.shibboleth.aa.attrresolv.ResolverCacher.Cleaner] > > DEBUG Resolver Cache cleanup thread searching cach > > e for stale entries. - > > edu.internet2.middleware.shibboleth.aa.attrresolv.ResolverCache[20071004] > > 13:51:11,948 [TP-Processor5] ERROR > > edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to > > validate ProxyTicketValidator [[edu.ya > > le.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [ > > edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[ > > https://k2.c > > c.iup.edu/cas/serviceValidate] > > ticket=[ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] > > service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp% > > > > 2FSSO%3Fshire%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1191519847%26target%3Dcookie%26provider > > Id%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252Fshibboleth%252Fk2%252Fsp] > > renew=false]]] - edu.yale.its.tp.cas.client.CASReceipt [20071004] > > 13:51:11,949 [TP-Processor5] ERROR > > edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to > > validate ProxyTicketValidator [[edu.ya > > le.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [ > > edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[ > > https://k2.c > > c.iup.edu/cas/serviceValidate] > > ticket=[ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] > > service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp% > > > > 2FSSO%3Fshire%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1191519847%26target%3Dcookie%26provider > > Id%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252Fshibboleth%252Fk2%252Fsp] > > renew=false]]] - edu.yale.its.tp.cas.client.filter.CASFilter [2007 > > 1004] > > 13:51:11,954 [TP-Processor5] ERROR Servlet.service() for servlet IdP > > threw exception - org.apache.catalina.core.ContainerBase.[Catalina].[ > > localhost].[/shibboleth-idp].[IdP] [20071004] > > sun.security.provider.certpath.SunCertPathBuilderException: unable to > > find valid certification path to requested target > > at > > sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown > > Source) > > at java.security.cert.CertPathBuilder.build(Unknown Source) > > at sun.security.validator.PKIXValidator.doBuild(Unknown Source) > > at sun.security.validator.PKIXValidator.engineValidate(Unknown > > Source) > > at sun.security.validator.Validator.validate(Unknown Source) > > at > > com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown > > Source) > > at > > com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown > > Source) > > at > > com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown > > Source) > > at > > com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown > > Source) > > at com.sun.net.ssl.internal.ssl.Handshaker.processLoop (Unknown > > Source) > > at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown > > Source) > > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown > > Source) > > at > > com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown > > Source) > > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown > > Source) > > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown > > Source) > > at sun.net.www.protocol.https.HttpsClient.afterConnect (Unknown > > Source) > > at > > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown > > Source) > > at > > sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown > > Source) > > at > > sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown > > Source) > > at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java > > :84) > > at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate( > > ServiceTicketValidator.java:212) > > at edu.yale.its.tp.cas.client.CASReceipt.getReceipt ( > > CASReceipt.java:50) > > at > > edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser( > > CASFilter.java:455) > > at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter( > > CASFilter.java:378) > > at > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( > > ApplicationFilterChain.java:215) > > at org.apache.catalina.core.ApplicationFilterChain.doFilter( > > ApplicationFilterChain.java:188) > > at org.apache.catalina.core.StandardWrapperValve.invoke ( > > StandardWrapperValve.java:210) > > at org.apache.catalina.core.StandardContextValve.invoke( > > StandardContextValve.java:174) > > at org.apache.catalina.core.StandardHostValve.invoke( > > StandardHostValve.java:127) > > at org.apache.catalina.valves.ErrorReportValve.invoke( > > ErrorReportValve.java:117) > > at org.apache.catalina.core.StandardEngineValve.invoke( > > StandardEngineValve.java:108) > > at org.apache.catalina.connector.CoyoteAdapter.service ( > > CoyoteAdapter.java:151) > > at org.apache.jk.server.JkCoyoteHandler.invoke( > > JkCoyoteHandler.java:200) > > at org.apache.jk.common.HandlerRequest.invoke( > > HandlerRequest.java:283) > > at org.apache.jk.common.ChannelSocket.invoke (ChannelSocket.java > > :773) > > at org.apache.jk.common.ChannelSocket.processConnection( > > ChannelSocket.java:703) > > at org.apache.jk.common.ChannelSocket$SocketConnection.runIt( > > ChannelSocket.java:895) > > at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run > > (ThreadPool.java:685) > > at java.lang.Thread.run(Unknown Source) > > 13:51:11,955 [ > > edu.internet2.middleware.shibboleth.idp.provider.MemoryArtifactMapper..MemoryArtifactCleaner] > > DEBUG Memory-based artifact ma > > pper cleanup thread searching for stale entries. - > > edu.internet2.middleware.shibboleth.artifact.provider.MemoryArtifactMapper[20071004] > > 13:51:12,377 [Thread-13] DEBUG Checking for updates to resource > > (file:/usr/local/shib-idp/etc/my- metadata.xml) - > > edu.internet2.middleware. > > shibboleth.common.ResourceWatchdog [20071004] > > > > Thanks for any help .. > > > > -- > > :wq! > > kevin.foote > > _______________________________________________ > > Yale CAS mailing list > > [email protected] > > http://tp.its.yale.edu/mailman/listinfo/cas > > > > > > > -- > -Scott Battaglia > > LinkedIn: http://www.linkedin.com/in/scottbattaglia > _______________________________________________ > Yale CAS mailing list > [email protected] > http://tp.its.yale.edu/mailman/listinfo/cas > >
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
