Hi Allen,

Thank you for your fast response. My problem is a little bit different from yours; in fact it is even easier!

I don’t have any CAS clients, I only have a CAS server, e.g. https://MyCas:8446/cas/
On the same CAS server I use a proxyTicketReceptor like https://MyCas:8446/cas/proxyTicketReceptor/save.

Both applications work fine. The problem is when I send a serviceValidate to MyCas and give the second URL as pgtUrl, the cas server does not send any PGTIOU\PGT to the receptor! I think the reason is that CAS server does not trust the receptor! But how can this be? The receptor is on the same CAS server!

I only know of two keystores:
1) keystore located in the root of my apache-tomcat-5.5.26 folder
2) cacerts in the jre\lib\security.

Are there any other keystores?

Kind regards
Faris Ahmed | Development Project Manager | Infor | Tel: +49 (0) 6151 866 7814 | Fax: +49 (0) 6151 866 7088 | mailto:[EMAIL PROTECTED]
Postal address: Infor Global Solutions Darmstadt GmbH | Landwehrstr. 50, 64293 Darmstadt | Registered office: Darmstadt | Commercial register: Amtsgericht Darmstadt, HRB 5556 | Managing directors: Jochen Kasper, Uwe Richter

________________________________
From: Allen Chen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 09, 2008 4:17 AM
To: Faris Ahmed; cas
Subject: Re: FW: cas cannot find the certificates for proxy

Yes, I have already resolved the problem.

The web server where the cas client is deployed must be configured to enable https. And you also have to add the client certificate to the cas server's truststore, so that the cas server trusts the proxy client and sends the pgt back to the proxy.

The way I mentioned above can solve the "PKIX path building failed" exception.

    <javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)

For further information you can refer to the following url; it will tell you how to import the certs.
http://blogs.sun.com/andreas/entry/no_more_unable_to_find

If a problem other than the "PKIX path building failed" or "bad credentials" turns up, there may be something wrong with the cas itself.

Hope that it can help. Good luck!

________________________________
Allen Chen
2008-07-09

________________________________
From: Faris Ahmed
Sent: 2008-07-09 00:10:33
To: [EMAIL PROTECTED]
Cc:
Subject: FW: cas cannot find the certificates for proxy

Dear Allen,

I am wondering if you solved the SSL problem? I am working with CAS and have a similar problem. My CAS server does not the proxy callback URL, although the PGT URL is on the same CAS server!

Any ideas?

Kind regards
Faris Ahmed | Development Project Manager | Infor | Tel: +49 (0) 6151 866 7814 | Fax: +49 (0) 6151 866 7088 | mailto:[EMAIL PROTECTED]
Postal address: Infor Global Solutions Darmstadt GmbH | Landwehrstr. 50, 64293 Darmstadt | Registered office: Darmstadt | Commercial register: Amtsgericht Darmstadt, HRB 5556 | Managing directors: Jochen Kasper, Uwe Richter

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Allen Chen
Sent: Tuesday, May 20, 2008 12:31 PM
To: cas
Subject: cas cannot find the certificates for proxy

I have two machines: rnd1.allen.com and rnd2.allen.com

rnd1.allen.com runs cas server, and all ok!
rnd2.allen.com runs the cas client, also ok when validating the user, and ssl is enabled at port 8443.

But when I enable the proxy for cas, the following error turns up in the cas server:

    2008-05-20 17:40:17,493 DEBUG [org.springframework.web.servlet.view.RedirectView] - <Rendering view with name 'null' with model {} and static attributes {}>
    2008-05-20 17:40:18,212 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://rnd2.allen.com:7000/stest/>
    2008-05-20 17:40:18,212 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Attempting to resolve credentials for https://rnd2.allen.com:8443/stest/proxyCallback>
    2008-05-20 17:40:18,215 ERROR [org.jasig.cas.util.HttpClient] - <javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        ....
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
        ... 44 more
    2008-05-20 17:40:18,217 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://rnd2.allen.com:8443/stest/proxyCallback>
    2008-05-20 17:40:18,217 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://rnd2.allen.com:8443/stest/proxyCallback>
    org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
        at cn.scut.edu.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:284)
        ....
        at java.lang.Thread.run(Thread.java:595)
    Caused by: error.authentication.credentials.bad
        at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
        at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:113)
        at cn.scut.edu.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:256)
        ... 26 more

I know the error "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" means that cas server cannot find the ca store, while I have already set the -Djavax.net.ssl.trustStore in the tomcat startup.sh:

    JAVA_OPTS="-Djavax.net.ssl.trustStore=/export/home/ism/mycacerts $JAVA_OPTS"
    export JAVA_OPTS

Why do I do that? Because if I don't point out the javax.net.ssl.trustStore in startup.sh, there is no way to get into the service management of cas server.

And I had also imported the certificates from server.crt of rnd2.allen.com into the ca certs "mycacerts" with another alias like "rnd2".

So I don't know why the cas cannot find the certificates.

Any tips? Thank you ahead.

________________________________
Allen Chen
2008-05-20
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
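
On the question of which keystores matter for the pgtUrl callback: outbound HTTPS from the CAS web application is validated against the JVM's JSSE trust store, not the Tomcat connector keystore (which holds the server's own identity). The following diagnostic is an added example, not code from the thread or from CAS; the class name TrustStoreCheck and the certificate file argument are assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
// Added diagnostic, not code from the thread. Run it with the same JVM and the
// same -Djavax.net.ssl.* options as Tomcat:  java TrustStoreCheck server.crt
public class TrustStoreCheck {
    // JSSE default lookup order: -Djavax.net.ssl.trustStore, then
    // <java.home>/lib/security/jssecacerts, then <java.home>/lib/security/cacerts.
    static File effectiveTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null) return new File(explicit);
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }
    // Returns the alias that trusts cert directly or as its issuer, or null.
    static String trustedBy(KeyStore ks, X509Certificate cert) throws Exception {
        String alias = ks.getCertificateAlias(cert);          // exact certificate match
        if (alias != null) return alias;
        for (String a : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(a);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) c;
            if (!ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try { cert.verify(ca.getPublicKey()); return a; }  // signature checks out
            catch (java.security.GeneralSecurityException e) { /* same name, other key */ }
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 1) { System.err.println("usage: TrustStoreCheck <cert file>"); return; }
        File store = effectiveTrustStore();
        System.out.println("Trust store in use: " + store.getAbsolutePath());
        // "changeit" is the JDK default password (assumption unless overridden).
        char[] pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()));
        try (InputStream in = new FileInputStream(store)) { ks.load(in, pw); }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        String alias = trustedBy(ks, cert);
        System.out.println(alias != null ? "Trusted via alias: " + alias
                : "No direct trust entry: expect 'PKIX path building failed' unless a trusted chain is served");
    }
}
```

If the printed trust store path is not the file the certificate was imported into, the import went to a store the callback validation never reads.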
