I'm getting pretty frustrated with this whole JKS thing. I know this is how
it needs to work, to avert man-in-the-middle etc., however my setup is so
simple it's entirely frustrating when this small piece does not work. My
install is based on the package created by http://shib.kuleuven.be. I know
there have to be some people from there on this list :-)
I'm trying to use cas3 as the connection to our AD repository with the
shibboleth IdP software (using cas-client) to obtain authentication.
The connection between cas3 and AD works great. My errors happen when the
cas3 server tries talking back to the IdP.
Scott helped me figure out that it's the shibboleth IdP servlet that does not
like the certs or cert layout. Here is what I have:
== $CATALINA_HOME/conf/server.xml
<!-- connector defs -->
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="jks"
           keystoreFile="/etc/pki/idp.jks"
           keystorePass="secret"
/>
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreType="jks"
           keystoreFile="/etc/pki/idp.jks"
           keystorePass="secret"
/>
- a self-signed test CA certificate and key pair: K2CA.crt, K2CA.key
- /etc/pki/idp.jks contains:
  - a cert that was signed by my K2CA pair
  - a copy of K2CA.crt
- $JAVA_HOME/jre/security/cacerts contains:
  - tons of trusted CA certs
  - a copy of K2CA.crt
Here is basically what I get from a login attempt via the
shibboleth-idp/SSO instance. You can see that the login actually worked;
the CAS ticket was granted, etc.
== $CATALINA_HOME/logs/tomcat.log
15:08:41,738 [http-443-Processor25] DEBUG Binding allowed request parameters in map['lt' -> '_cC623018A-7C97-CDC6-F2C6-F0522F47E152_k9720037A-1312-D2F8-38FF-DBF1B6CEBA93', 'service' -> 'https://k2.cc.iup.edu/shibboleth-idp/SSO', '_eventId' -> 'submit', 'password' -> 'welcome1', '_currentStateId' -> '', 'username' -> 'kpfoote'] to form object with name 'credentials', pre-bind formObject toString = null - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,739 [http-443-Processor25] DEBUG (Any field is allowed) - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,761 [http-443-Processor25] DEBUG Binding completed for form object with name 'credentials', post-bind formObject toString = kpfoote - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,762 [http-443-Processor25] DEBUG There are [0] errors, details: [] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,763 [http-443-Processor25] DEBUG Setting form errors instance in scope [class org.springframework.webflow.ScopeType.Request (0)] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,763 [http-443-Processor25] DEBUG Executing validate - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,764 [http-443-Processor25] DEBUG Invoking validator [EMAIL PROTECTED] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,768 [http-443-Processor25] DEBUG Validation completed for form object with name 'credentials' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,769 [http-443-Processor25] DEBUG There are [0] errors, details: [] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,770 [http-443-Processor25] DEBUG Action 'AuthenticationViaFormAction' completed execution; result is 'success' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,770 [http-443-Processor25] DEBUG Action 'AuthenticationViaFormAction' beginning execution - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,771 [http-443-Processor25] DEBUG Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope [class org.springframework.webflow.ScopeType.Flow (1)] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,817 [http-443-Processor25] INFO AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: kpfoote - org.jasig.cas.authentication.AuthenticationManagerImpl [20071011]
15:08:41,818 [http-443-Processor25] DEBUG Creating SimplePrincipal for [kpfoote] - org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver [20071011]
15:08:41,833 [http-443-Processor25] DEBUG Added ticket [TGT-2-belXrF52AuXucPY2CwHGrkTjqlRxSAIvG4U-50] to registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071011]
15:08:41,834 [http-443-Processor25] DEBUG Action 'AuthenticationViaFormAction' completed execution; result is 'success' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,834 [http-443-Processor25] DEBUG Action 'SendTicketGrantingTicketAction' beginning execution - org.jasig.cas.web.flow.SendTicketGrantingTicketAction [20071011]
15:08:41,836 [http-443-Processor25] DEBUG Attempting to retrieve ticket [TGT-2-7MvurMH7Kpj2q6McQWqOEIcnZTFyP0s3hAs-50] - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071011]
15:08:41,836 [http-443-Processor25] DEBUG Action 'SendTicketGrantingTicketAction' completed execution; result is 'success' - org.jasig.cas.web.flow.SendTicketGrantingTicketAction [20071011]
15:08:41,837 [http-443-Processor25] DEBUG Action 'HasServiceCheckAction' beginning execution - org.jasig.cas.web.flow.HasServiceCheckAction [20071011]
15:08:41,838 [http-443-Processor25] DEBUG Action 'HasServiceCheckAction' completed execution; result is 'hasService' - org.jasig.cas.web.flow.HasServiceCheckAction [20071011]
15:08:41,838 [http-443-Processor25] DEBUG Action 'GenerateServiceTicketAction' beginning execution - org.jasig.cas.web.flow.GenerateServiceTicketAction [20071011]
15:08:41,839 [http-443-Processor25] DEBUG Attempting to retrieve ticket [TGT-2-belXrF52AuXucPY2CwHGrkTjqlRxSAIvG4U-50] - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071011]
15:08:41,840 [http-443-Processor25] DEBUG Ticket [TGT-2-belXrF52AuXucPY2CwHGrkTjqlRxSAIvG4U-50] found in registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071011]
15:08:41,844 [http-443-Processor25] DEBUG Added ticket [ST-2-51CM659d5yimes0hfk7veCqCSHUf1V1vAFp-20] to registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071011]
15:08:41,845 [http-443-Processor25] INFO Granted service ticket [ST-2-51CM659d5yimes0hfk7veCqCSHUf1V1vAFp-20] for service [https://k2.cc.iup.edu/shibboleth-idp/SSO] for user [kpfoote] - org.jasig.cas.CentralAuthenticationServiceImpl [20071011]
15:08:41,845 [http-443-Processor25] DEBUG Action 'GenerateServiceTicketAction' completed execution; result is 'success' - org.jasig.cas.web.flow.GenerateServiceTicketAction [20071011]
15:08:41,846 [http-443-Processor25] DEBUG Action 'WarnAction' beginning execution - org.jasig.cas.web.flow.WarnAction [20071011]
15:08:41,847 [http-443-Processor25] DEBUG Action 'WarnAction' completed execution; result is 'redirect' - org.jasig.cas.web.flow.WarnAction [20071011]
15:08:42,468 [DefaultQuartzScheduler_Worker-0] INFO Starting cleaning of expired tickets from ticket registry at [Thu Oct 11 15:08:42 EDT 2007] - org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner [20071011]
15:08:42,469 [DefaultQuartzScheduler_Worker-0] INFO 0 found to be removed. Removing now. - org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner [20071011]
15:08:42,469 [DefaultQuartzScheduler_Worker-0] INFO Finished cleaning of expired tickets from ticket registry at [Thu Oct 11 15:08:42 EDT 2007] - org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner [20071011]
15:08:42,664 [http-443-Processor24] DEBUG Handshake failed - org.apache.tomcat.util.net.PoolTcpEndpoint [20071011]
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:120)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:521)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Unknown Source)
15:08:42,667 [http-443-Processor25] ERROR edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://k2.cc.iup.edu/cas/serviceValidate] ticket=[ST-2-51CM659d5yimes0hfk7veCqCSHUf1V1vAFp-20] service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp%2FSSO] renew=false]]] - edu.yale.its.tp.cas.client.CASReceipt [20071011]
15:08:42,668 [http-443-Processor25] ERROR edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://k2.cc.iup.edu/cas/serviceValidate] ticket=[ST-2-51CM659d5yimes0hfk7veCqCSHUf1V1vAFp-20] service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp%2FSSO] renew=false]]] - edu.yale.its.tp.cas.client.filter.CASFilter [20071011]
15:08:42,669 [http-443-Processor25] ERROR Servlet.service() for servlet IdP threw exception - org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/shibboleth-idp].[IdP] [20071011]
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
        at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
        at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
        at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
        at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Unknown Source)
15:10:53,136 [main] INFO Pausing Coyote HTTP/1.1 on http-443 - org.apache.coyote.http11.Http11BaseProtocol [20071011]
15:10:53,138 [main] INFO Pausing Coyote HTTP/1.1 on http-8443 - org.apache.coyote.http11.Http11BaseProtocol [20071011]
15:10:53,139 [http-443-Processor23] DEBUG Handshake failed - org.apache.tomcat.util.net.PoolTcpEndpoint [20071011]
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:120)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:521)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Unknown Source)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
        ... 9 more
15:10:53,142 [http-8443-Processor25] DEBUG Handshake failed - org.apache.tomcat.util.net.PoolTcpEndpoint [20071011]
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:120)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:521)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Unknown Source)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
        ... 9 more
15:10:54,140 [main] INFO Stopping service Catalina - org.apache.catalina.core.StandardService [20071011]
--
:wq!
kevin.foote
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
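The two errors in the log above are one TLS handshake seen from both ends: the CAS client inside the IdP (edu.yale.its.tp.cas.util.SecureURL, on top of HttpsURLConnection) opened https://k2.cc.iup.edu/cas/serviceValidate, its trust manager could not build a path from the server certificate to any anchor in its trust store (SunCertPathBuilderException), and it sent back the certificate_unknown alert that the port 443 connector logged as "Handshake failed". The script below is an added example, not code from the post, from CAS or from Shibboleth. It rebuilds the poster's trust layout with a throw-away PKI so it runs offline and replays that path-building decision with OpenSSL: a server cert issued by a K2CA stand-in, checked against a trust file that holds K2CA and against one that does not. The names K2CA, idp and k2.cc.iup.edu come from the post; the "K2 Test CA" and "Other CA" subjects, the temporary files and the keystore alias k2ca are assumptions for the example. It needs openssl on PATH; keytool is used only if present.

```shell
#!/bin/sh
# Added example (not from the original post): replay, offline, the trust decision the
# CAS client's JVM makes when it validates a ticket at /cas/serviceValidate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
# The CA section is what a root such as K2CA.crt needs; the server section is what the
# cert inside idp.jks needs. Subject names here are assumptions for the example.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:k2.cc.iup.edu
EOF

# Self-signed CA: $1 = key file, $2 = cert file, $3 = subject CN
make_ca() {
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -x509 -new -key "$1" -subj "/CN=$3" -days 30 \
        -config "$WORK/pki.cnf" -extensions v3_ca -out "$2" 2>/dev/null
}

# Server cert for the CAS/IdP host, issued by the CA key/cert in $1/$2, written to $3
make_server_cert() {
    openssl genrsa -out "$WORK/idp.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/idp.key" -subj "/CN=k2.cc.iup.edu" \
        -config "$WORK/pki.cnf" -out "$WORK/idp.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/idp.csr" -CA "$2" -CAkey "$1" -CAcreateserial \
        -days 30 -extfile "$WORK/pki.cnf" -extensions v3_server -out "$3" 2>/dev/null
}

# The check the client-side trust manager performs: can a path be built from the
# server cert ($1) to an anchor in the trust file ($2)?  Prints "trusted" or "untrusted".
# OpenSSL's "unable to get local issuer certificate" is the same failure the JVM
# reports as "unable to find valid certification path to requested target".
path_builds() {
    if openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# Java side of the same idea, when keytool is on PATH: import the CA cert ($1) into a
# fresh JKS trust store the way cacerts is populated, then count entries for the alias.
jks_trusted_entries() {
    command -v keytool >/dev/null 2>&1 || { echo keytool-missing; return 0; }
    rm -f "$WORK/trust.jks"
    keytool -importcert -noprompt -alias k2ca -file "$1" -storetype JKS \
        -keystore "$WORK/trust.jks" -storepass changeit >/dev/null 2>&1 \
        || { echo keytool-failed; return 0; }
    keytool -list -keystore "$WORK/trust.jks" -storepass changeit 2>/dev/null \
        | grep -c '^k2ca,' || true
}

make_ca "$WORK/K2CA.key" "$WORK/K2CA.crt" "K2 Test CA"
make_ca "$WORK/other.key" "$WORK/other.crt" "Other CA"
make_server_cert "$WORK/K2CA.key" "$WORK/K2CA.crt" "$WORK/idp.crt"

echo "trust file holds K2CA:      $(path_builds "$WORK/idp.crt" "$WORK/K2CA.crt")"   # trusted
echo "trust file lacks K2CA:      $(path_builds "$WORK/idp.crt" "$WORK/other.crt")"  # untrusted
echo "JKS entries for alias k2ca: $(jks_trusted_entries "$WORK/K2CA.crt")"
```

The "untrusted" case is the one in the log, so the question on the real box is which trust store the JVM running Tomcat actually reads. Sun JSSE uses, in order, -Djavax.net.ssl.trustStore if set, then $JAVA_HOME/jre/lib/security/jssecacerts, then $JAVA_HOME/jre/lib/security/cacerts (default password changeit); an import into any other file, or into the cacerts of a JDK that is not the one catalina.sh starts, is invisible to the CAS client. Starting Tomcat with -Djavax.net.debug=ssl makes JSSE print the trustStore path it chose and the server certificate chain it received, and keytool -list -keystore <that file> -storepass changeit confirms the k2ca entry is really there. openssl s_client -connect k2.cc.iup.edu:443 -showcerts -CAfile K2CA.crt shows what the port 443 connector presents and whether it verifies against K2CA alone. Two things in the post deserve attention regardless of the trust fix: the DEBUG output of AuthenticationViaFormAction records the submitted form verbatim, including 'password' -> 'welcome1', so that level belongs only on a test box and the credential should be changed after the log has been shared, and server.xml carries the keystore password in clear, which is normal for Tomcat but means the file needs the same protection as /etc/pki/idp.jks itself.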