Kevin,

Is the certificate in whatever keystore the JVM is using (i.e. the cacerts
file)?

-Scott

On 10/10/07, Kevin Foote <[EMAIL PROTECTED]> wrote:
>
> Scott,
> thanks, I see now where the IdP is complaining about the cert. I'm still
> trying to get to the bottom of this. I don't think the keystore is getting
> loaded at start. Is that what these messages are indicating, which happen
> at Tomcat startup?
>
> 15:06:02,520 [main] DEBUG Truststore = null - org.apache.tomcat.util.net.jsse.JSSESocketFactory [20071009]
> 15:06:02,521 [main] DEBUG TrustPass = secret - org.apache.tomcat.util.net.jsse.JSSESocketFactory [20071009]
> 15:06:02,521 [main] DEBUG trustType = jks - org.apache.tomcat.util.net.jsse.JSSESocketFactory [20071009]
>
> I'm still trying to figure out what pieces need what keys for this to work,
> as I'd rather use Apache for the SSL part... however, I think that CAS and
> shib-idp still need to talk with the keystore keys.
>
> --
> :wq!
> kevin.foote
>
> On 10/4/07, Scott Battaglia <[EMAIL PROTECTED]> wrote:
> >
> > Kevin,
> >
> > The Shibboleth IdP doesn't trust the CAS server's certificate it seems:
> >
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> > find valid certification path to requested target
> >
> > -Scott
> >
> >
> > On 10/4/07, Kevin Foote <[EMAIL PROTECTED]> wrote:
> >
> > > Hello,
> > > I'm trying to get cas-server and cas-client to work for LDAP
> > > authentication to MSAD for Shibboleth-IdP/SSO.
> > >
> > > So far I'm using the package provided here: shib.kuleuven.be/docs/idp,
> > > which is basically what I need: Shibboleth with CAS on the back end
> > > doing the connection to AD etc. I have set logging on everything to
> > > DEBUG and see quite a bit. I also have things working somewhat, as I
> > > can see the username being authenticated on the AD server side through
> > > logs there. It seems to die at a ticket problem. Or is this related to
> > > certificates?
> > >
> > > Here is the error that I get:
> > >
> > > == /opt/tomcat5/logs/tomcat.log
> > > 13:51:10,199 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' beginning execution - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,205 [TP-Processor6] DEBUG Executing bind - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,206 [TP-Processor6] DEBUG Loading new form object - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,207 [TP-Processor6] DEBUG Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,208 [TP-Processor6] DEBUG Setting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope [class org.springframework.webflow.ScopeType.Flow (1)] with name 'credentials' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,244 [TP-Processor6] DEBUG No property editor registrar set, no custom editors to register - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,269 [TP-Processor6] DEBUG Binding allowed request parameters in map['lt' -> '_c025B5288-CE44-A636-26C1-03360144BE32_kDFEE0594-2285-6890-46C6-8E9398DA2FAF', 'service' -> 'https://k2.cc.iup.edu/shibboleth-idp/SSO?shire=https%3A%2F%2Faktag.cc.iup.edu%2FShibboleth.sso%2FSAML%2FPOST&time=1191519847&target=cookie&providerId=https%3A%2F%2Faktag.cc.iup.edu%2Fshibboleth%2Fk2%2Fsp', '_eventId' -> 'submit', 'password' -> 'welcome1', '_currentStateId' -> '', 'username' -> 'testuser'] to form object with name 'credentials', pre-bind formObject toString = null - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,269 [TP-Processor6] DEBUG (Any field is allowed) - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,292 [TP-Processor6] DEBUG Binding completed for form object with name 'credentials', post-bind formObject toString = testuser - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,293 [TP-Processor6] DEBUG There are [0] errors, details: [] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,294 [TP-Processor6] DEBUG Setting form errors instance in scope [class org.springframework.webflow.ScopeType.Request (0)] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,298 [TP-Processor6] DEBUG Executing validate - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,299 [TP-Processor6] DEBUG Invoking validator [EMAIL PROTECTED] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,303 [TP-Processor6] DEBUG Validation completed for form object with name 'credentials' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,304 [TP-Processor6] DEBUG There are [0] errors, details: [] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,305 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' completed execution; result is 'success' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,305 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' beginning execution - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,306 [TP-Processor6] DEBUG Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope [class org.springframework.webflow.ScopeType.Flow (1)] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,365 [TP-Processor6] INFO  AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: testuser - org.jasig.cas.authentication.AuthenticationManagerImpl [20071004]
> > > 13:51:10,365 [TP-Processor6] DEBUG Creating SimplePrincipal for [testuser] - org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver [20071004]
> > > 13:51:10,381 [TP-Processor6] DEBUG Added ticket [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] to registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071004]
> > > 13:51:10,382 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' completed execution; result is 'success' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> > > 13:51:10,383 [TP-Processor6] DEBUG Action 'SendTicketGrantingTicketAction' beginning execution - org.jasig.cas.web.flow.SendTicketGrantingTicketAction [20071004]
> > > 13:51:10,384 [TP-Processor6] DEBUG Action 'SendTicketGrantingTicketAction' completed execution; result is 'success' - org.jasig.cas.web.flow.SendTicketGrantingTicketAction [20071004]
> > > 13:51:10,385 [TP-Processor6] DEBUG Action 'HasServiceCheckAction' beginning execution - org.jasig.cas.web.flow.HasServiceCheckAction [20071004]
> > > 13:51:10,386 [TP-Processor6] DEBUG Action 'HasServiceCheckAction' completed execution; result is 'hasService' - org.jasig.cas.web.flow.HasServiceCheckAction [20071004]
> > > 13:51:10,387 [TP-Processor6] DEBUG Action 'GenerateServiceTicketAction' beginning execution - org.jasig.cas.web.flow.GenerateServiceTicketAction [20071004]
> > > 13:51:10,400 [TP-Processor6] DEBUG Attempting to retrieve ticket [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071004]
> > > 13:51:10,401 [TP-Processor6] DEBUG Ticket [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] found in registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071004]
> > > 13:51:10,405 [TP-Processor6] DEBUG Added ticket [ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] to registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071004]
> > > 13:51:10,406 [TP-Processor6] INFO  Granted service ticket [ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] for service [https://k2.cc.iup.edu/shibboleth-idp/SSO?shire=https%3A%2F%2Faktag.cc.iup.edu%2FShibboleth.sso%2FSAML%2FPOST&time=1191519847&target=cookie&providerId=https%3A%2F%2Faktag.cc.iup.edu%2Fshibboleth%2Fk2%2Fsp] for user [testuser] - org.jasig.cas.CentralAuthenticationServiceImpl [20071004]
> > > 13:51:10,407 [TP-Processor6] DEBUG Action 'GenerateServiceTicketAction' completed execution; result is 'success' - org.jasig.cas.web.flow.GenerateServiceTicketAction [20071004]
> > > 13:51:10,407 [TP-Processor6] DEBUG Action 'WarnAction' beginning execution - org.jasig.cas.web.flow.WarnAction [20071004]
> > > 13:51:10,408 [TP-Processor6] DEBUG Action 'WarnAction' completed execution; result is 'redirect' - org.jasig.cas.web.flow.WarnAction [20071004]
> > > 13:51:11,018 [edu.internet2.middleware.shibboleth.common.provider.SharedMemoryShibHandle.HandleCache.MemoryRepositoryCleaner] DEBUG Memory cache handle cache cleanup thread searching for stale entries. - edu.internet2.middleware.shibboleth.common.provider.HandleCache [20071004]
> > > 13:51:11,880 [edu.internet2.middleware.shibboleth.aa.attrresolv.ResolverCacher.Cleaner] DEBUG Resolver Cache cleanup thread searching cache for stale entries. - edu.internet2.middleware.shibboleth.aa.attrresolv.ResolverCache [20071004]
> > > 13:51:11,948 [TP-Processor5] ERROR edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://k2.cc.iup.edu/cas/serviceValidate] ticket=[ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp%2FSSO%3Fshire%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1191519847%26target%3Dcookie%26providerId%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252Fshibboleth%252Fk2%252Fsp] renew=false]]] - edu.yale.its.tp.cas.client.CASReceipt [20071004]
> > > 13:51:11,949 [TP-Processor5] ERROR edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://k2.cc.iup.edu/cas/serviceValidate] ticket=[ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp%2FSSO%3Fshire%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1191519847%26target%3Dcookie%26providerId%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252Fshibboleth%252Fk2%252Fsp] renew=false]]] - edu.yale.its.tp.cas.client.filter.CASFilter [20071004]
> > > 13:51:11,954 [TP-Processor5] ERROR Servlet.service() for servlet IdP threw exception - org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/shibboleth-idp].[IdP] [20071004]
> > > sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
> > >         at java.security.cert.CertPathBuilder.build(Unknown Source)
> > >         at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> > >         at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> > >         at sun.security.validator.Validator.validate(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> > >         at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
> > >         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
> > >         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
> > >         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
> > >         at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
> > >         at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
> > >         at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
> > >         at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
> > >         at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
> > >         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> > >         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> > >         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
> > >         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
> > >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> > >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> > >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> > >         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
> > >         at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
> > >         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
> > >         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
> > >         at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
> > >         at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
> > >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
> > >         at java.lang.Thread.run(Unknown Source)
> > > 13:51:11,955 [edu.internet2.middleware.shibboleth.idp.provider.MemoryArtifactMapper..MemoryArtifactCleaner] DEBUG Memory-based artifact mapper cleanup thread searching for stale entries. - edu.internet2.middleware.shibboleth.artifact.provider.MemoryArtifactMapper [20071004]
> > > 13:51:12,377 [Thread-13] DEBUG Checking for updates to resource (file:/usr/local/shib-idp/etc/my- metadata.xml) - edu.internet2.middleware.shibboleth.common.ResourceWatchdog [20071004]
> > >
> > > Thanks for any help ..
> > >
> > > --
> > > :wq!
> > > kevin.foote
> > > _______________________________________________
> > > Yale CAS mailing list
> > > [email protected]
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > >
> > >
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
> >
>
>
>
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
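A way to answer Scott's question from the command line, as an added example that is not part of this thread and not code from CAS, Shibboleth or Tomcat. The stack trace shows the path that fails: the CAS client's SecureURL opens an HttpsURLConnection to casValidateUrl, JSSE's default trust manager hands the server chain to PKIXValidator, and CertPathBuilder cannot reach a trust anchor. The program below captures the chain the CAS server presents, then runs that same PKIX build against a truststore named on the command line and reports which issuer is missing. The class name CasTrustCheck and the argument order are assumptions; the host comes from the casValidateUrl in the quoted log; the truststore path and password are whatever the IdP's JVM actually uses (javax.net.ssl.trustStore if set, otherwise lib/security/jssecacerts or lib/security/cacerts under the JRE, default password changeit). Java 7 or later.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (not CAS/Shibboleth code): reproduce the PKIX path build
 * that failed in the stack trace, against an explicit truststore.
 *
 *   java CasTrustCheck https://k2.cc.iup.edu/cas/serviceValidate /path/to/cacerts changeit
 */
public class CasTrustCheck {

    /**
     * Capture the certificate chain the server presents. The trust-all manager
     * is used ONLY to read the chain off the wire; nothing is sent on this socket.
     */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        final X509Certificate[][] captured = new X509Certificate[1][];
        TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { captured[0] = chain; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.startHandshake();
        }
        if (captured[0] == null || captured[0].length == 0) {
            throw new IllegalStateException("server sent no certificate chain");
        }
        return captured[0];
    }

    /**
     * The same build JSSE's PKIXValidator performs: target = leaf certificate,
     * candidate intermediates = rest of the chain, anchors = truststore entries.
     */
    static X509Certificate buildPath(X509Certificate[] chain, KeyStore trustStore) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain[0]);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        // JSSE leaves revocation checking off unless com.sun.net.ssl.checkRevocation=true; mirror that.
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(chain))));
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                CertPathBuilder.getInstance("PKIX").build(params);
        return result.getTrustAnchor().getTrustedCert();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CasTrustCheck <https-url> <truststore.jks> <storepass>");
            System.exit(2);
        }
        URI uri = URI.create(args[0]);
        int port = uri.getPort() == -1 ? 443 : uri.getPort();
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            trustStore.load(in, args[2].toCharArray());
        }

        X509Certificate[] chain = fetchChain(uri.getHost(), port);
        System.out.println("server presented " + chain.length + " certificate(s):");
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal()
                    + "  issuer=" + c.getIssuerX500Principal());
        }
        try {
            X509Certificate anchor = buildPath(chain, trustStore);
            System.out.println("OK: path builds to trust anchor " + anchor.getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            X509Certificate top = chain[chain.length - 1];
            System.out.println("FAIL: " + e.getMessage());
            System.out.println("no anchor in " + args[1] + " for issuer " + top.getIssuerX500Principal());
            System.out.println("fix: keytool -importcert -keystore " + args[1]
                    + " -alias <alias> -file <issuing-ca.pem>");
            System.exit(1);
        }
    }
}
```

Compile with javac CasTrustCheck.java and run it against the truststore the IdP's JVM really reads; a FAIL with the same "unable to find valid certification path" message means the ticket validation call will keep failing in exactly the way the stack trace shows, and the fix is to import the issuing CA (the whole chain if an intermediate is involved) into that file with keytool -importcert. The Tomcat connector's Truststore/TrustPass settings do not enter into it: those configure the HTTPS connector's trust manager for incoming connections, while the outbound HttpsURLConnection in the trace uses the JVM default truststore. Do not lift the trust-all manager into the client itself; it exists only to read the chain and never carries ticket data. Separately, the Spring Web Flow binding line in the quoted log prints the submitted 'password' parameter in clear at DEBUG, so scrub that log before sharing it further and drop the log level once the certificate issue is fixed.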
