Hi Scott and others,
I have recently run into this problem as well, but with a different
error message. We have a cert authority on campus, and some of the
dev machines use them. I have imported all 3 of the certs in the
chain into the cacerts file (I tried with just the root cert, and
that didn't work), but I still get errors like this:
2007-11-07 13:57:38,910 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://studentsdev.berkeley.edu/OSL/HelloCAS/testcerts.asp>
2007-11-07 13:57:38,911 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://studentsdev.berkeley.edu/OSL/HelloCAS/testcerts.asp>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:271)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:124)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    ...
I turned on debugging, and got this extra line:
2007-11-07 14:12:47,178 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Attempting to resolve credentials for https://studentsdev.berkeley.edu/OSL/HelloCAS/testcerts.asp>
then the same as above:
2007-11-07 14:12:52,234 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://studentsdev.berkeley.edu/OSL/HelloCAS/testcerts.asp>
2007-11-07 14:12:52,239 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://studentsdev.berkeley.edu/OSL/HelloCAS/testcerts.asp>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
I have even pointed explicitly to the cacerts file in the tomcat
startup script, using the -Djavax.net.ssl.trustStore= and
-Djavax.net.ssl.trustStorePassword= arguments, and that does not help,
either. I have also tried importing the actual public cert that was
issued to the client, and no go.
Does anyone have any hints about what I am doing wrong? Am I missing
some xml config somewhere?
This is with CAS 3.1.0.
Thanks.
-lucas
On Oct 22, 2007, at 6:33 AM, Scott Battaglia wrote:
Simon,
If your proxied application is not using a commercial certificate,
its certificate or the intermediary CA's certificate will need
to be added to the cacerts file of the JVM that CAS is run on.
This way CAS will trust the certificate and issue the proxy ticket.
-Scott
On 10/22/07, Simon Rousseau <[EMAIL PROTECTED]> wrote:
Hi,
We are wondering about a little detail.
When we want to use CAS in proxy mode, do we need to add the
certificate from the distant server in the CAS cacert?
I'm asking this because at this time, our application can
successfully connect to the CAS server but when we read the CAS log
we see an error in it. As you can see a service ticket is granted
but in the second part an Exception is thrown on creation of the
proxy ticket.
2007-10-17 11:01:17,658 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-4-Z9y6r2ny5x1GpHF9nkrRbEtcrt6UlHfhtLZ-20] for service [http://ca-dti-simrou:8080/sakai-login-tool/container] for user [851s555]
2007-10-17 11:01:17,716 ERROR [org.jasig.cas.util.UrlUtils] - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA12275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA12275)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA12275)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA12275)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:626)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:272)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(DashoA12275)
    at org.jasig.cas.util.UrlUtils.getResponseCodeFromUrl(UrlUtils.java:45)
    at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:63)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:195)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:128)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:139)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:44)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:717)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:658)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:392)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:347)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValvejava:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValvejava:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:534)
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
    at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
    at sun.security.validator.Validator.validate(Validator.java:202)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA12275)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
    ... 41 more
2007-10-17 11:01:17,720 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user.
2007-10-17 11:01:17,720 ERROR [org.jasig.cas.web.ServiceValidateController] - TicketException generating ticket for: https://ca-dti-simrou:8443/sakai-login-tool/CasProxyServlet
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:216)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:128)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:139)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:44)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:717)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:658)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:392)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:347)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValvejava:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValvejava:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:534)
Caused by: error.authentication.credentials.bad
    at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:101)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:195)
    ... 25 more
I hope that you have enough details... If not, write me back!
Cheers,
Simon Rousseau
CSSMI
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
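
One way to confirm which trust anchors the JVM running CAS actually loads, as an added example that is not part of the original thread or of CAS. The class name `TrustAnchorCheck` and the subject-fragment argument are assumptions made for illustration.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic, not part of CAS. TrustAnchorCheck is a hypothetical name.
// Run it with the same JVM and the same -Djavax.net.ssl.trustStore and
// -Djavax.net.ssl.trustStorePassword arguments as the Tomcat that hosts CAS:
//   java -Djavax.net.ssl.trustStore=<path> TrustAnchorCheck "part of CA subject"
public class TrustAnchorCheck {

    // Issuers the default JSSE trust manager accepts for server certificates.
    static X509Certificate[] acceptedIssuers() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore makes JSSE load its default trust store: the file named
        // by javax.net.ssl.trustStore if set, else the JRE's jssecacerts or cacerts.
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is a fragment of the CA subject DN to look for.
        String needle = args.length > 0 ? args[0].toLowerCase(Locale.ROOT) : "";
        System.out.println("javax.net.ssl.trustStore = "
                + System.getProperty("javax.net.ssl.trustStore", "(unset, JRE default)"));
        X509Certificate[] issuers = acceptedIssuers();
        System.out.println("trust anchors loaded: " + issuers.length);
        int matches = 0;
        for (X509Certificate ca : issuers) {
            String subject = ca.getSubjectX500Principal().getName();
            if (needle.isEmpty() || !subject.toLowerCase(Locale.ROOT).contains(needle)) {
                continue;
            }
            matches++;
            String state = "valid";
            try { ca.checkValidity(); } catch (CertificateException e) { state = "NOT VALID NOW"; }
            System.out.println("match: " + subject + " [" + state + "], expires " + ca.getNotAfter());
        }
        System.out.println(matches + " matching trust anchor(s)");
        System.exit(matches > 0 ? 0 : 1); // non-zero exit: the CA is not a loaded trust anchor
    }
}
```

A count of zero trust anchors, or no match for a CA that was imported with keytool, means the JVM is reading a different trust store file than the one that was edited.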