Simon,
Yes, you should have the intermediary CA's certificate for whoever generates your SSL certificates in the CA bundle on your machines. You might also enforce HTTPS access to Sakai's login tool (http://ca-dti-simrou:8080/sakai-login-tool/container).

Andrew R Feller, Analyst
Subversion Administrator
University Information Systems
Louisiana State University
[EMAIL PROTECTED]
(office) 225.578.3737

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Rousseau
Sent: Monday, October 22, 2007 6:55 AM
To: [email protected]
Subject: CAS proxy mode

Hi,

We are wondering about a little detail. When we want to use CAS in proxy mode, do we need to add the certificate from the distant server in the CAS cacert? I'm asking this because at this time, our application can successfully connect to the CAS server but when we read the CAS log we see an error in it. As you can see, a service ticket is granted but in the second part an Exception is thrown on creation of the proxy ticket.

2007-10-17 11:01:17,658 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-4-Z9y6r2ny5x1GpHF9nkrRbEtcrt6UlHfhtLZ-20] for service [http://ca-dti-simrou:8080/sakai-login-tool/container] for user [851s555]
2007-10-17 11:01:17,716 ERROR [org.jasig.cas.util.UrlUtils] - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA12275)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA12275)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:626)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:272)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(DashoA12275)
    at org.jasig.cas.util.UrlUtils.getResponseCodeFromUrl(UrlUtils.java:45)
    at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:63)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:195)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:128)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:139)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:44)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:717)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:658)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:392)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:347)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:534)
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
    at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
    at sun.security.validator.Validator.validate(Validator.java:202)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA12275)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
    ... 41 more
2007-10-17 11:01:17,720 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user.
2007-10-17 11:01:17,720 ERROR [org.jasig.cas.web.ServiceValidateController] - TicketException generating ticket for: https://ca-dti-simrou:8443/sakai-login-tool/CasProxyServlet
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:216)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:128)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:139)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:44)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:717)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:658)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:392)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:347)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:534)
Caused by: error.authentication.credentials.bad
    at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:101)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:195)
    ... 25 more

I hope that you have enough details... If not, write me back!

Cheers,
Simon Rousseau
CSSMI
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
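
Added example, not part of the original thread and not CAS code: the SSLHandshakeException entry in the log above does not name the URL that failed validation; the proxy callback URL only appears in the later TicketException entry. This Python log check pairs the two so you can see which host's issuing CA chain is missing from the CAS server's trust store. The sample log is constructed (condensed from the excerpt above) and the function name is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, condensed from the log excerpt quoted in the message above.
SAMPLE_LOG = """\
2007-10-17 11:01:17,658 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-4-Z9y6r2ny5x1GpHF9nkrRbEtcrt6UlHfhtLZ-20] for service [http://ca-dti-simrou:8080/sakai-login-tool/container] for user [851s555]
2007-10-17 11:01:17,716 ERROR [org.jasig.cas.util.UrlUtils] - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
\tat org.jasig.cas.util.UrlUtils.getResponseCodeFromUrl(UrlUtils.java:45)
2007-10-17 11:01:17,720 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user.
2007-10-17 11:01:17,720 ERROR [org.jasig.cas.web.ServiceValidateController] - TicketException generating ticket for: https://ca-dti-simrou:8443/sakai-login-tool/CasProxyServlet
"""

# timestamp, level, [logger], message
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+) \[([\w.$]+)\] - (.*)$")
CALLBACK = re.compile(r"TicketException generating ticket for: (\S+)")


def untrusted_callbacks(log_text):
    """Pair each TLS trust failure with the proxy callback URL CAS logs after it."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # stack frames and "Caused by" lines carry no timestamp
        ts, _level, _logger, msg = m.groups()
        if "SSLHandshakeException" in msg and "ValidatorException" in msg:
            pending = ts  # handshake to the callback failed certificate validation
        elif pending and (cb := CALLBACK.search(msg)):
            url = urlsplit(cb.group(1))
            findings.append({"time": pending, "callback": cb.group(1),
                             "host": url.hostname, "port": url.port or 443})
            pending = None
        elif "Granted service ticket" in msg:
            pending = None  # new validation cycle; drop any unmatched failure
    return findings


if __name__ == "__main__":
    for f in untrusted_callbacks(SAMPLE_LOG):
        print(f"{f['time']}: CAS does not trust the certificate chain of {f['host']}:{f['port']}")
```

Each finding names a host and port whose issuing CA (including any intermediary CA) has to be present in the trust store used by the JVM that runs CAS.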
