Michael Ströder wrote:
Julien Garnier wrote:
What I want to do:
- automatic login if someone comes with a certificate from my own company and his mail is in my LDAP server. I'm having trouble setting up this authentication, because I have some certificate errors that I can't solve.

Can you elaborate on the problems you have?
When I set access to CAS with auth=true, I get a 500 error:

*exception*

javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://sso.dr13.cnrs.fr/cas/serviceValidate] ticket=[ST-35-3T0ZQ2S1cFqWCPYkSagH-cas] service=[https%3A%2F%2Fsso.dr13.cnrs.fr%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
        edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)
        filters.ExampleFilter.doFilter(ExampleFilter.java:102)

*cause mère*

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://sso.dr13.cnrs.fr/cas/serviceValidate] ticket=[ST-35-3T0ZQ2S1cFqWCPYkSagH-cas] service=[https%3A%2F%2Fsso.dr13.cnrs.fr%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
        edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
        edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
        edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        filters.ExampleFilter.doFilter(ExampleFilter.java:102)

*cause mère*

javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1650)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1428)
        com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
        com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:591)
        com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:698)
        com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:624)
        com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
        com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1116)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1100)
        sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
        sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
        sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
        sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
        edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
        edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
        edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
        edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        filters.ExampleFilter.doFilter(ExampleFilter.java:102)


If auth=want, it works perfectly ...
I've read many tutorials but none of them are really clear to me on how to set this up with my own certificate authority.

First you have to import your CA cert as trusted in the Java key store. Whether it works also depends on whether your CA was correctly set up (e.g. regarding certificate profile: naming, X.509v3 extensions). You have to be familiar with SSL/TLS client authentication.
I was thinking I did that ...

My server.xml:
<Connector address="sso.dr13.cnrs.fr" port="443" maxHttpHeaderSize="8192"
              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              clientAuth="true" sslProtocol="TLS"
              keystoreFile="/etc/tomcat/sso.dr13.cnrs.fr.jks"
              keystorePass="password"
              truststoreFile="/etc/tomcat/truststore.jks"
              truststorePass="password"
       />

If I read the truststore and key store:
(sso.dr13.cnrs.fr is the cas server)

keytool -list -v -keystore /etc/tomcat/sso.dr13.cnrs.fr.jks
Tapez le mot de passe du Keystore :  password

Type Keystore : jks
Fournisseur Keystore : SUN

Votre Keystore contient 1 entrée(s)

Nom d'alias : sso.dr13.cnrs.fr
Date de création : 16 avr. 2008
Type d'entrée : keyEntry
Longueur de chaîne du certificat : 3
Certificat[1]:
Propriétaire : [EMAIL PROTECTED], CN=sso.dr13.cnrs.fr, OU=MOY1300, O=CNRS, C=FR
Émetteur : CN=CNRS-Standard, O=CNRS, C=FR
Numéro de série : 5cbe
Valide du : Tue Jul 10 12:18:29 UTC 2007 au : Thu Jul 09 12:18:29 UTC 2009
Empreintes de certificat :
        MD5 :  67:1A:BE:9C:BF:BE:A1:33:3F:F6:F6:C4:24:32:19:A9
        SHA1: 57:F8:BA:7E:9D:37:3B:77:DC:12:77:AF:1D:00:CE:67:C9:E8:EF:6F
Certificat[2]:
Propriétaire : CN=CNRS-Standard, O=CNRS, C=FR
Émetteur : CN=CNRS, O=CNRS, C=FR
Numéro de série : 2
Valide du : Fri Apr 27 05:46:49 UTC 2001 au : Mon Apr 25 05:46:49 UTC 2011
Empreintes de certificat :
        MD5 :  CE:89:05:3D:B7:3D:8F:6E:5B:DF:58:16:3B:E0:88:CF
        SHA1: 41:F6:1C:59:C7:01:A9:10:F4:6E:7E:FA:9B:FD:15:BD:FB:B4:44:D5
Certificat[3]:
Propriétaire : CN=CNRS, O=CNRS, C=FR
Émetteur : CN=CNRS, O=CNRS, C=FR
Numéro de série : 0
Valide du : Fri Apr 27 05:44:36 UTC 2001 au : Thu Apr 22 05:44:36 UTC 2021
Empreintes de certificat :
        MD5 :  92:1E:3C:80:4A:95:65:6C:9E:A2:F2:1E:12:BF:EF:6D
        SHA1: 22:61:81:6A:9D:F6:86:6E:76:CE:8A:AC:6E:6F:52:3D:8B:09:32:D1


*******************************************
*******************************************

keytool -list -v -keystore /etc/tomcat/truststore.jks
Tapez le mot de passe du Keystore :  password

Type Keystore : jks
Fournisseur Keystore : SUN

Votre Keystore contient 4 entrée(s)

Nom d'alias : cnrs-standard
Date de création : 29 avr. 2008
Type d'entrée : trustedCertEntry

Propriétaire : CN=CNRS-Standard, O=CNRS, C=FR
Émetteur : CN=CNRS, O=CNRS, C=FR
Numéro de série : 2
Valide du : Fri Apr 27 05:46:49 UTC 2001 au : Mon Apr 25 05:46:49 UTC 2011
Empreintes de certificat :
        MD5 :  CE:89:05:3D:B7:3D:8F:6E:5B:DF:58:16:3B:E0:88:CF
        SHA1: 41:F6:1C:59:C7:01:A9:10:F4:6E:7E:FA:9B:FD:15:BD:FB:B4:44:D5


*******************************************
*******************************************
Nom d'alias : cnrs
Date de création : 29 avr. 2008
Type d'entrée : trustedCertEntry

Propriétaire : CN=CNRS, O=CNRS, C=FR
Émetteur : CN=CNRS, O=CNRS, C=FR
Numéro de série : 0
Valide du : Fri Apr 27 05:44:36 UTC 2001 au : Thu Apr 22 05:44:36 UTC 2021
Empreintes de certificat :
        MD5 :  92:1E:3C:80:4A:95:65:6C:9E:A2:F2:1E:12:BF:EF:6D
        SHA1: 22:61:81:6A:9D:F6:86:6E:76:CE:8A:AC:6E:6F:52:3D:8B:09:32:D1


*******************************************
*******************************************
Nom d'alias : cnrs-plus
Date de création : 30 avr. 2008
Type d'entrée : trustedCertEntry

Propriétaire : CN=CNRS-Plus, O=CNRS, C=FR
Émetteur : CN=CNRS, O=CNRS, C=FR
Numéro de série : 1
Valide du : Fri Apr 27 05:45:28 UTC 2001 au : Mon Apr 25 05:45:28 UTC 2011
Empreintes de certificat :
        MD5 :  CB:12:3C:95:D1:3B:E4:C6:E0:23:AC:E8:F9:C2:79:88
        SHA1: 60:FC:FB:84:D4:DD:58:5D:4E:42:B9:01:44:E8:2E:B2:C4:76:53:B8


*******************************************
*******************************************
Nom d'alias : sso
Date de création : 30 avr. 2008
Type d'entrée : trustedCertEntry

Propriétaire : [EMAIL PROTECTED], CN=sso.dr13.cnrs.fr, OU=MOY1300, O=CNRS, C=FR
Émetteur : CN=CNRS-Standard, O=CNRS, C=FR
Numéro de série : 5cbe
Valide du : Tue Jul 10 12:18:29 UTC 2007 au : Thu Jul 09 12:18:29 UTC 2009
Empreintes de certificat :
        MD5 :  67:1A:BE:9C:BF:BE:A1:33:3F:F6:F6:C4:24:32:19:A9
        SHA1: 57:F8:BA:7E:9D:37:3B:77:DC:12:77:AF:1D:00:CE:67:C9:E8:EF:6F



I think the problem is that I have two certificate authorities: CNRS and CNRS-Standard
- If there's no certificate, log in against the LDAP server.

That's possible. You have to tweak login-webflow.xml to achieve this.
I've read this, thanks.
But after login, how can I know what this user can access? For example user1 has access to webmail and wiki but user2 has only access to webmail ...

You should probably use the Services Manager to implement such application-level access control:

http://www.ja-sig.org/wiki/display/CASUM/Services+Management

Ciao, Michael.

Thanks, I'll take a look ...

Juju
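The trace above shows the CAS client's own HTTPS call to /cas/serviceValidate (SecureURL.retrieve via HttpsURLConnection) failing with bad_certificate while the connector has clientAuth="true", and working with auth=want. As an added example (not code from this thread, CAS or Tomcat), this Go program reproduces both outcomes against a local TLS 1.2 server with a constructed self-signed certificate: a client that presents no certificate is refused under RequireAnyClientCert (Tomcat's clientAuth="true") and accepted under VerifyClientCertIfGiven (clientAuth="want"). Function names, the 127.0.0.1 listener and the certificate are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway server certificate for 127.0.0.1 and a pool that trusts
// it (constructed for this example; it is not the CNRS-issued certificate from the thread).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// connectWithoutClientCert runs a TLS 1.2 server with the given client-auth policy and dials it with
// a client presenting no certificate, as the CAS client's HttpsURLConnection does for serviceValidate.
func connectWithoutClientCert(policy tls.ClientAuthType) error {
	cert, pool := selfSignedCert()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert},
		ClientAuth: policy, MaxVersion: tls.VersionTLS12}) // TLS 1.2: refusal is a bad_certificate alert
	if err != nil {
		return err
	}
	defer ln.Close()
	// Server side: under RequireAnyClientCert its Handshake aborts and the client receives the alert.
	go func() { if c, e := ln.Accept(); e == nil { c.(*tls.Conn).Handshake(); c.Close() } }()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool})
	if err != nil {
		return err // the clientAuth="true" outcome
	}
	conn.Close()
	return nil // the clientAuth="want" outcome: a client without a certificate is accepted
}

func main() {
	fmt.Println(`clientAuth="true":`, connectWithoutClientCert(tls.RequireAnyClientCert))
	fmt.Println(`clientAuth="want":`, connectWithoutClientCert(tls.VerifyClientCertIfGiven))
}
```

The server-to-server validation call is a TLS client in its own right, so whatever client-certificate policy the connector enforces applies to it too, not only to browsers.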


_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
