Srikar- You don't need CASAuthNHeader. This allows you to change which header contains the user name. If you just want to use request.getRemoteUser(), mod_auth_cas sets "REMOTE_USER" automatically.
-Matt

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Srikar Kummamuri
Sent: Thu 2008-01-10 16:54
To: [email protected]
Subject: RE: mod_auth_cas-1.0.6 released

I am trying to get the user from the header by enabling CASAuthNHeader, but I am getting the error

"CASAuthNHeader not allowed here"

My httpd.conf:

CASCookiePath cache/
CASCertificatePath C:/ssl/cas_sslcrt/exported-pem.crt
CASValidateServer on
CASAuthNHeader on
<Location /MGS-Reporting >
AuthType CAS
Require valid-user
</Location>

Any idea?

Thanks
Srikar.

________________________________
From: Srikar Kummamuri
Sent: Thursday, January 10, 2008 1:32 PM
To: Srikar Kummamuri; '[email protected]'
Subject: RE: mod_auth_cas-1.0.6 released

Matt,

I did not deviate from the instructions except in the operating system. I am on XP Pro. Other than that:

Visual C++ 2008 Express Edition
Apache_2.0.61-win32-x86-openssl-0.9.7m.msi
Win32OpenSSL-0_9_8g.exe

..Srikar

________________________________
From: Srikar Kummamuri
Sent: Thursday, January 10, 2008 12:57 PM
To: '[email protected]'
Subject: RE: mod_auth_cas-1.0.6 released

Here is a small tutorial-like post to resolve SSL issues on MOD_AUTH_CAS.

1. Follow all the instructions given in Mod_auth_Cas-1.0.6. In this, I followed the instructions in readme.win32 since I am working on Windows.

2. Go to the CAS Server machine and export the crt file from the keystore with the command

keytool -export -alias tomcarcert -keystore keystore -file exported-der.crt

3. Now copy this exported-der.crt to the client machine where the Apache mod_auth_cas is running.

4. Open OpenSSL: go to C:/openssl/bin and type openssl.

5. Issue the command

x509 -out C:\ssl\cas_sslcrt\exported-pem.crt -outform pem -in C:\ssl\cas_sslcrt\server-export.crt -inform der

6. Change the httpd.conf file and add this crt there.
I followed the steps to convert the crt file to PEM from here:
http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips

My httpd.conf file:

CASCookiePath cache/
CASCertificatePath C:/ssl/cas_sslcrt/exported-pem.crt
CASValidateServer on
<Location /secured >
AuthType CAS
Require valid-user
</Location>

So when I give the url pattern /secured/.. you get redirected to CAS login and everything works fine.

Thanks to Matt, Scott, Phillip and all for the help.

Srikar

________________________________
From: Srikar Kummamuri
Sent: Thursday, January 10, 2008 12:25 PM
To: '[email protected]'
Subject: RE: mod_auth_cas-1.0.6 released

Got it. Changed the CASCookiePath.

CASCookiePath cache/

Thanks a lot to Matt and Scott and others for the help. I really appreciate the help.

..Srikar

________________________________
From: Srikar Kummamuri
Sent: Thursday, January 10, 2008 12:15 PM
To: '[email protected]'
Subject: RE: mod_auth_cas-1.0.6 released

OK. Now I used the export option to export the crt from the keystore on the server and followed the same steps as described below. Seems like one step forward. Now the log is:

[error] [client 10.6.2.145] MOD_AUTH_CAS: Unable to clean cache entry 'C:/ssl/cas_sslcrt'
[Thu Jan 10 12:11:15 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS: Unable to clean cache entry 'C:/ssl/certs'
[Thu Jan 10 12:11:15 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS: Unable to clean cache entry 'C:/ssl/cookie'

I believe this is not SSL now. Will post the progress again. We may turn all this into a nice document later.

Thanks
Srikar.

________________________________
From: Srikar Kummamuri
Sent: Thursday, January 10, 2008 11:57 AM
To: '[email protected]'
Subject: RE: mod_auth_cas-1.0.6 released

Here is what I did with no success.

Went on to the CAS Server machine and copied the server.crt file that was generated for the CAS Server machine using keytool to the client machine. Came back to the client machine. Opened the OpenSSL prompt.
OpenSSL> x509 -noout -text -in C:\ssl\cas_sslcrt\server.crt -inform der
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1193950368 (0x472a3ca0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=VA, L=Alx, O=Agentrics, OU=Development, CN=alx-dev-wrk04.wwre.org
        Validity
            Not Before: Nov 1 20:52:48 2007 GMT
            Not After : Jan 30 20:52:48 2008 GMT
        Subject: C=US, ST=VA, L=Alx, O=Agentrics, OU=Development, CN=alx-dev-wrk04.wwre.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
OpenSSL>

The above shows the correct information of the CAS server "alx-dev-wrk04.wwre.org".

Now I converted it to PEM format.

OpenSSL> x509 -out exported-pem.crt -outform pem -in C:\ssl\cas_sslcrt\server.crt -inform der

I changed the httpd.conf:

CASCertificatePath C:/ssl/cas_sslcrt/exported-pem.crt

Now the error.log is not complaining that it cannot load the crt file, but the handshake is still failing.
[Thu Jan 10 11:49:56 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS: Could not perform SSL handshake with alx-dev-wrk04.wwre.org (check CASCertificatePath)

...Srikar

________________________________
From: Srikar Kummamuri
Sent: Thursday, January 10, 2008 10:41 AM
To: '[email protected]'
Subject: RE: mod_auth_cas-1.0.6 released

Scott,

I tried to place the exact file in the path of CASCertificatePath. Now I gave the crt file directly in the path.

CASCookiePath C:/ssl/
CASCertificatePath C:/ssl/cas_sslcrt/server.crt
CASValidateServer on

And the error is:

[Thu Jan 10 10:37:05 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS: Could not load CA certificate file: C:/ssl/cas_sslcrt/server.crt
[Thu Jan 10 10:37:05 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS: Could not create an SSL connection to alx-dev-wrk04.wwre.org

..Srikar

________________________________
From: Srikar Kummamuri
Sent: Thursday, January 10, 2008 10:05 AM
To: '[email protected]'
Subject: RE: mod_auth_cas-1.0.6 released

Matt,

I changed the httpd.conf and the problem still continues. Let me tell you what I did exactly.

On the Apache (Mod_auth_cas) machine, I generated a CRT file with the keytool (given the CAS Server name in the first, last names argument of Keytool) the same way that I did on the CAS server.

Now as you noted, I modified the httpd.conf file both ways, with relative path and absolute path.

CASCertificatePath C:\ssl\cas_sslcrt (In this directory crt file and .keystore were there)

But the problem continues.

My doubt is: is this method (generating the crt file with Keytool) good for Apache (Mod_auth_Cas)???? Or do I need to look into certificate generation methods of OpenSSL?? Any documents/links/help??

Thanks a lot.
Srikar.
________________________________
From: Srikar Kummamuri
Sent: Wednesday, January 09, 2008 5:32 PM
To: '[email protected]'
Subject: RE: mod_auth_cas-1.0.6 released

When the request comes back to Apache from the CAS server with the ticket (using mod_auth_cas), Apache is throwing an error:

"Could not perform SSL handshake with alx-dev-wrk04.wwre.org (check CASCertificatePath)"

In my config, httpd.conf calls the ssl.conf and the ssl.conf has the following line.

SSLCertificateFile conf/sslcrt/server.crt

Now the server.crt is the file generated for the CAS Server by the keytool (with the CAS server machine name).

What am I doing wrong here? Do I need to import this crt into something else? Or can somebody give me a clue to get this certificate into the JVM on the Apache server having mod_auth_cas?

I resolved the same issue on a Tomcat server running the CAS client, but on this Apache (MOD_AUTH_CAS) I am not getting the idea of where to configure the self-signed certificate.

Thanks a lot
Srikar.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
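
An added example, not part of the original thread or of mod_auth_cas: a Python preflight check for the file named in CASCertificatePath, covering the DER-to-PEM step of the tutorial in the thread above. It reports whether the file is DER (as keytool exports it) or PEM, checks the outer DER framing only, converts to PEM, and computes a SHA-256 fingerprint that is identical for both copies. The function names are hypothetical and the sample bytes are a constructed placeholder, not a real certificate.

```python
import hashlib
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed placeholder: a DER SEQUENCE with a 200-byte body (not a real certificate).
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))


def der_outer_length(data: bytes) -> int:
    """Total size (header + body) declared by the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE tag (0x30)")
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def load_cert(data: bytes):
    """Return (encoding, der_bytes); encoding is 'pem' or 'der'."""
    if data.lstrip().startswith(PEM_HEADER):
        encoding = "pem"
        der = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    else:
        encoding, der = "der", data
    if der_outer_length(der) != len(der):
        raise ValueError("truncated file or trailing bytes after the certificate")
    return encoding, der


def to_pem(data: bytes) -> str:
    """PEM text for a certificate given in either encoding."""
    return ssl.DER_cert_to_PEM_cert(load_cert(data)[1])


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER bytes; identical for the DER and PEM copies."""
    return hashlib.sha256(load_cert(data)[1]).hexdigest()


if __name__ == "__main__":
    encoding, _ = load_cert(SAMPLE_DER)
    print("input encoding:", encoding)
    print("fingerprint:", fingerprint(SAMPLE_DER))
    print(to_pem(SAMPLE_DER).splitlines()[0])
```

Because the self-signed certificate is copied by hand between machines, matching the fingerprint of the converted file against the one the CAS server's keystore reports for the same certificate confirms that the file Apache trusts is the one the server presents.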
