If you are having issues setting up Tomcat for SSL, then you CAN front Tomcat with the Apache HTTP server, which is considerably easier to set up for SSL. If you want to go this route, you will need mod_proxy_ajp (Apache 2.2+) or mod_jk to pass requests from Apache HTTP to Tomcat.
Andrew R Feller, Analyst
Subversion Administrator
University Information Systems
Louisiana State University
[EMAIL PROTECTED]
(office) 225.578.3737

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Foote
Sent: Thursday, October 11, 2007 2:32 PM
To: [email protected]
Subject: cas cas-client shibboleth and JKS

I'm getting pretty frustrated with this whole JKS thing. I know this is how it needs to work, to avert man-in-the-middle etc., however my setup is so simple it's entirely frustrating when this small piece does not work.

My install is based off the package created by http://shib.kuleuven.be (I know there has to be some people from there on this list :-)).

I'm trying to use cas3 as the connection to our AD repository with the shibboleth IdP software (using cas-client) to obtain authentication. The connection between cas3 and AD works great. My errors happen when the cas3 server tries talking back to the IdP. Scott helped me figure out that it's the shibboleth IdP servlet that does not like the certs or cert layout.
Here is what I have

== $CATALINA_HOME/conf/server.xml

<!-- connector defs -->
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="jks" keystoreFile="/etc/pki/idp.jks" keystorePass="secret" />

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreType="jks" keystoreFile="/etc/pki/idp.jks" keystorePass="secret" />

- a selfsigned test CA certificate and key pair: K2CA.crt, K2CA.key
- /etc/pki/idp.jks contains:
  - a cert that was signed by my K2CA pair
  - a copy of K2CA.crt
- $JAVA_HOME/jre/security/cacerts contains:
  - tons of trusted CA certs
  - a copy of K2CA.crt

Here is what I get basically from a login attempt via the shibboleth-idp/SSO instance. You can see that the login actually worked.. cas ticket was granted etc..
== $CATALINA_HOME/logs/tomcat.log

15:08:41,738 [http-443-Processor25] DEBUG Binding allowed request parameters in map['lt' -> '_cC623018A-7C97-CDC6-F2C6-F0522F47E152_k9720037A-1312-D2F8-38FF-DBF1B6CEBA93', 'service' -> 'https://k2.cc.iup.edu/shibboleth-idp/SSO', '_eventId' -> 'submit', 'password' -> 'welcome1', '_currentStateId' -> '', 'username' -> 'kpfoote'] to form object with name 'credentials', pre-bind formObject toString = null - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,739 [http-443-Processor25] DEBUG (Any field is allowed) - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,761 [http-443-Processor25] DEBUG Binding completed for form object with name 'credentials', post-bind formObject toString = kpfoote - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,762 [http-443-Processor25] DEBUG There are [0] errors, details: [] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,763 [http-443-Processor25] DEBUG Setting form errors instance in scope [class org.springframework.webflow.ScopeType.Request (0)] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,763 [http-443-Processor25] DEBUG Executing validate - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,764 [http-443-Processor25] DEBUG Invoking validator [EMAIL PROTECTED] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,768 [http-443-Processor25] DEBUG Validation completed for form object with name 'credentials' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,769 [http-443-Processor25] DEBUG There are [0] errors, details: [] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,770 [http-443-Processor25] DEBUG Action 'AuthenticationViaFormAction' completed execution; result is 'success' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,770 [http-443-Processor25] DEBUG Action 'AuthenticationViaFormAction' beginning execution - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,771 [http-443-Processor25] DEBUG Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope [class org.springframework.webflow.ScopeType.Flow (1)] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,817 [http-443-Processor25] INFO AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: kpfoote - org.jasig.cas.authentication.AuthenticationManagerImpl [20071011]
15:08:41,818 [http-443-Processor25] DEBUG Creating SimplePrincipal for [kpfoote] - org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver [20071011]
15:08:41,833 [http-443-Processor25] DEBUG Added ticket [TGT-2-belXrF52AuXucPY2CwHGrkTjqlRxSAIvG4U-50] to registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071011]
15:08:41,834 [http-443-Processor25] DEBUG Action 'AuthenticationViaFormAction' completed execution; result is 'success' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071011]
15:08:41,834 [http-443-Processor25] DEBUG Action 'SendTicketGrantingTicketAction' beginning execution - org.jasig.cas.web.flow.SendTicketGrantingTicketAction [20071011]
15:08:41,836 [http-443-Processor25] DEBUG Attempting to retrieve ticket [TGT-2-7MvurMH7Kpj2q6McQWqOEIcnZTFyP0s3hAs-50] - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071011]
15:08:41,836 [http-443-Processor25] DEBUG Action 'SendTicketGrantingTicketAction' completed execution; result is 'success' - org.jasig.cas.web.flow.SendTicketGrantingTicketAction [20071011]
15:08:41,837 [http-443-Processor25] DEBUG Action 'HasServiceCheckAction' beginning execution - org.jasig.cas.web.flow.HasServiceCheckAction [20071011]
15:08:41,838 [http-443-Processor25] DEBUG Action 'HasServiceCheckAction' completed execution; result is 'hasService' - org.jasig.cas.web.flow.HasServiceCheckAction [20071011]
15:08:41,838 [http-443-Processor25] DEBUG Action 'GenerateServiceTicketAction' beginning execution - org.jasig.cas.web.flow.GenerateServiceTicketAction [20071011]
15:08:41,839 [http-443-Processor25] DEBUG Attempting to retrieve ticket [TGT-2-belXrF52AuXucPY2CwHGrkTjqlRxSAIvG4U-50] - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071011]
15:08:41,840 [http-443-Processor25] DEBUG Ticket [TGT-2-belXrF52AuXucPY2CwHGrkTjqlRxSAIvG4U-50] found in registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071011]
15:08:41,844 [http-443-Processor25] DEBUG Added ticket [ST-2-51CM659d5yimes0hfk7veCqCSHUf1V1vAFp-20] to registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071011]
15:08:41,845 [http-443-Processor25] INFO Granted service ticket [ST-2-51CM659d5yimes0hfk7veCqCSHUf1V1vAFp-20] for service [https://k2.cc.iup.edu/shibboleth-idp/SSO] for user [kpfoote] - org.jasig.cas.CentralAuthenticationServiceImpl [20071011]
15:08:41,845 [http-443-Processor25] DEBUG Action 'GenerateServiceTicketAction' completed execution; result is 'success' - org.jasig.cas.web.flow.GenerateServiceTicketAction [20071011]
15:08:41,846 [http-443-Processor25] DEBUG Action 'WarnAction' beginning execution - org.jasig.cas.web.flow.WarnAction [20071011]
15:08:41,847 [http-443-Processor25] DEBUG Action 'WarnAction' completed execution; result is 'redirect' - org.jasig.cas.web.flow.WarnAction [20071011]
15:08:42,468 [DefaultQuartzScheduler_Worker-0] INFO Starting cleaning of expired tickets from ticket registry at [Thu Oct 11 15:08:42 EDT 2007] - org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner [20071011]
15:08:42,469 [DefaultQuartzScheduler_Worker-0] INFO 0 found to be removed. Removing now. - org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner [20071011]
15:08:42,469 [DefaultQuartzScheduler_Worker-0] INFO Finished cleaning of expired tickets from ticket registry at [Thu Oct 11 15:08:42 EDT 2007] - org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner [20071011]
15:08:42,664 [http-443-Processor24] DEBUG Handshake failed - org.apache.tomcat.util.net.PoolTcpEndpoint [20071011]
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:120)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:521)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Unknown Source)
15:08:42,667 [http-443-Processor25] ERROR edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://k2.cc.iup.edu/cas/serviceValidate] ticket=[ST-2-51CM659d5yimes0hfk7veCqCSHUf1V1vAFp-20] service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp%2FSSO] renew=false]]] - edu.yale.its.tp.cas.client.CASReceipt [20071011]
15:08:42,668 [http-443-Processor25] ERROR edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://k2.cc.iup.edu/cas/serviceValidate] ticket=[ST-2-51CM659d5yimes0hfk7veCqCSHUf1V1vAFp-20] service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp%2FSSO] renew=false]]] - edu.yale.its.tp.cas.client.filter.CASFilter [20071011]
15:08:42,669 [http-443-Processor25] ERROR Servlet.service() for servlet IdP threw exception - org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/shibboleth-idp].[IdP] [20071011]
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Unknown Source)
15:10:53,136 [main] INFO Pausing Coyote HTTP/1.1 on http-443 - org.apache.coyote.http11.Http11BaseProtocol [20071011]
15:10:53,138 [main] INFO Pausing Coyote HTTP/1.1 on http-8443 - org.apache.coyote.http11.Http11BaseProtocol [20071011]
15:10:53,139 [http-443-Processor23] DEBUG Handshake failed - org.apache.tomcat.util.net.PoolTcpEndpoint [20071011]
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:120)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:521)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
    ... 9 more
15:10:53,142 [http-8443-Processor25] DEBUG Handshake failed - org.apache.tomcat.util.net.PoolTcpEndpoint [20071011]
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:120)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:521)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
    ... 9 more
15:10:54,140 [main] INFO Stopping service Catalina - org.apache.catalina.core.StandardService [20071011]

--
:wq! kevin.foote
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
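The two errors in the log are the same event seen from both ends: the IdP's cas-client, calling serviceValidate over HttpsURLConnection, asks JSSE's PKIX validator to build a path from the CAS server certificate to a trust anchor in whatever trust store that JVM actually loaded; when no anchor is found it throws "unable to find valid certification path to requested target" and sends the certificate_unknown alert that Tomcat logs on the server side. The Go program below is an added example for this thread, not code from the poster, CAS or Shibboleth: it constructs a throwaway CA (named after the poster's K2CA) and a server certificate for k2.cc.iup.edu, then runs the same path-building check against a trust pool that contains the CA, one that does not, and the right pool with the wrong host name. The CA name, the scenario labels and the certificates themselves are constructed for the example; it goes slightly beyond the thread by also showing the host-name check a client performs after the chain check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey; when parent is nil the certificate
// is self-signed (the test-CA case). Returns the parsed certificate and its key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newTestPKI builds a constructed self-signed CA (standing in for the poster's
// K2CA) and a server certificate for host signed by it. Both are throwaway.
func newTestPKI(caName, host string) (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	server, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the client will connect to
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, server, err
}

// classify maps a chain-validation error to the failure mode it represents.
func classify(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		// JSSE reports this case as "unable to find valid certification path"
		return "unknown_authority"
	case errors.As(err, &badHost):
		return "hostname_mismatch"
	case errors.As(err, &invalid):
		return "invalid_certificate"
	default:
		return "other"
	}
}

// validate does what the validating JVM does for the serviceValidate call:
// build a path from the server certificate to an anchor in the trust store
// the client actually loaded, then check the name against the URL host.
func validate(server *x509.Certificate, trust *x509.CertPool, host string) string {
	_, err := server.Verify(x509.VerifyOptions{Roots: trust, DNSName: host})
	return classify(err)
}

// runScenarios reproduces the outcomes a client can land on for one server cert.
func runScenarios() (map[string]string, error) {
	ca, server, err := newTestPKI("K2CA test root (constructed)", "k2.cc.iup.edu")
	if err != nil {
		return nil, err
	}
	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	withoutCA := x509.NewCertPool() // a cacerts the CA was never imported into

	return map[string]string{
		"ca_in_truststore": validate(server, withCA, "k2.cc.iup.edu"),
		"ca_missing":       validate(server, withoutCA, "k2.cc.iup.edu"),
		"wrong_host":       validate(server, withCA, "idp.example.test"),
	}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"ca_in_truststore", "ca_missing", "wrong_host"} {
		fmt.Printf("%-18s %s\n", k, results[k])
	}
}
```

The "ca_missing" case is the one in the log. JSSE reads `$JAVA_HOME/jre/lib/security/cacerts` of the JVM that is running Tomcat unless `javax.net.ssl.trustStore` points it elsewhere, so when the log shows this failure for a CA you believe you imported, the check is to confirm that the Java binary Tomcat starts with is the installation whose cacerts received K2CA.crt, and that keytool lists it there.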
