 - - [24/Oct/2008:10:16:46 +0800] "GET /cas/login?service=https%3a%2f%2fsp.permis.pku.edu.cn%2fcasprotect%2f HTTP/1.1" 200 5029
 - - [24/Oct/2008:10:16:46 +0800] "GET /cas/css/cas.css HTTP/1.1" 304 -
 - - [24/Oct/2008:10:16:46 +0800] "GET /cas/js/common_rosters.js HTTP/1.1" 304 -
 - - [24/Oct/2008:10:16:46 +0800] "GET /cas/css/ie_cas.css HTTP/1.1" 304 -
 - - [24/Oct/2008:10:16:46 +0800] "GET /cas/images/ja-sig-logo.gif HTTP/1.1" 304 -
 - - [24/Oct/2008:10:16:52 +0800] "POST /cas/login?service=https%3a%2f%2fsp.permis.pku.edu.cn%2fcasprotect%2f HTTP/1.1" 302 -

It seems the request was successfully redirected to the resource, but the
401 page still shows. I am checking my cert to figure it out.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Andrew Ralph Feller, afelle1
Sent: Thursday, October 23, 2008 8:30 PM
To: Yale CAS mailing list
Subject: Re: Re: Re: MOD_AUTH_CAS: Could not perform SSL handshake

There should be no problems CAS-protecting an application running on the CAS
server, so I would assume that you have the CASCertificatePath pointing to
the same SSL certificate used by Apache HTTP server, correct?

If you are using pre-2.2 httpd, mod_jk is the only way I'm aware of to front
end Tomcat with HTTP server.  If you are using httpd 2.2, you can also use
mod_proxy_ajp.

Everything in your configuration seems correct, so I'm boggled why there are
SSL or connectivity problems.

Try this: enable the AccessLogValve that comes disabled by default in
Tomcat's server.xml and confirm that you are getting requests forwarded from
HTTP server.

What error messages are appearing in your Tomcat and HTTP log files whenever
you request the CAS protected resource?

On 10/22/08 11:48 PM, "lobatt" <[EMAIL PROTECTED]> wrote:

> Thank you Andrew, sorry I didn't make it clear earlier, I deployed my CAS
> Server and mod_auth_cas in the same server, is that a problem?
> 
> And I am using apache and jk to proxy requests to CAS server, is there any
> specific configuration I need to apply?
> 
> Best Regards,
> 
> Li Cheng 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Ralph
> Feller, afelle1
> Sent: October 22, 2008 20:41
> To: Yale CAS mailing list
> Subject: Re: Re: MOD_AUTH_CAS: Could not perform SSL handshake
> 
> Hrmmmm, the CASCertificatePath should point to the SSL certificate of the
> CAS server you are trying to communicate with and not the SSL certificate of
> the machine, correct?  Can you confirm the SSL certificate used is that of
> the CAS server or the application being protected?
> 
> If you have openssl and the client installed on a machine, the following
> command will request the certificate being used by the machine:
> 
> openssl s_client -showcerts -connect "example.com:443" > example.crt
> 
> In the file, the top certificate should be the one owned by the server.  I
> usually just get rid of everything else and use that.
> 
> HTH,
> A-
> 
> 
> On 10/22/08 7:25 AM, "David Whitehurst" <[EMAIL PROTECTED]> wrote:
> 
>> You might setup your certificate file with Apache and see if a plain HTTPS
>> request works?  I agree with Matt above that you should check permissions
>> too.
>> 
>> David
> 
> On 10/22/08, lobatt <[EMAIL PROTECTED]> wrote:
>> Thank you for your time.
>> 
>> I checked my configuration, there is no space; it must be a typo. I
>> replaced my domain name for security reasons.
>> Below is my real configuration:
>> #******************************CAS client integration**************
>> LoadModule auth_cas_module modules/mod_auth_cas.so
>> CASCookiePath /tmp/cas/
>> CASloginURL https://sp.permis.pku.edu.cn/cas/login
>> CASValidateURL https://sp.permis.pku.edu.cn/cas/serviceValidate
>> CASCertificatePath /home/ncpku/common/httpd-2.0.59/conf/sp.permis.pku.edu.cn.crt
>> <Location "/casprotect/">
>> AuthType CAS
>> Require valid-user
>> </Location>
>> #*******************************************************************
>> 
>> I turned the debug level of apache to DEBUG and modified my
>> log4j.properties like below:
>> log4j.logger.org.jasig.cas.web.flow=DEBUG
>> log4j.logger.org.jasig.cas.authentication=DEBUG
>> log4j.logger.org.jasig.cas.web.flow.TicketGrantingTicketCheckAction=DEBUG
>> log4j.logger.org.jasig.cas.services.DefaultServiceRegistry=DEBUG
>> log4j.logger.org.jasig.cas.services=DEBUG
>> 
>> and here is my log:
>> httpd error_log:
>> [Wed Oct 22 14:25:19 2008] [error] [client ] MOD_AUTH_CAS: Could not perform SSL handshake with sp.permis.pku.edu.cn (check CASCertificatePath), referer: https://sp.permis.pku.edu.cn/cas/login?service=https%3a%2f%2fsp.permis.pku.edu.cn%2fcasprotect%2f
>> 
>> 
>> cas.log: (also in attachment)
>> 2008-10-22 14:25:10,088 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' beginning execution
>> 2008-10-22 14:25:10,091 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies to: /cas
>> 2008-10-22 14:25:10,099 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://sp.permis.pku.edu.cn/casprotect/
>> 2008-10-22 14:25:10,100 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' completed execution; result is 'success'
>> 2008-10-22 14:25:10,132 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>> 2008-10-22 14:25:10,135 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
>> 2008-10-22 14:25:10,136 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form object with name 'credentials'
>> 2008-10-22 14:25:10,136 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
>> 2008-10-22 14:25:10,137 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'
>> 2008-10-22 14:25:10,137 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form errors for object with name 'credentials'
>> 2008-10-22 14:25:10,148 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
>> 2008-10-22 14:25:10,152 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
>> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>> 2008-10-22 14:25:18,436 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing bind
>> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow
>> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
>> 2008-10-22 14:25:18,442 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding allowed request parameters in map['lt' -> '_c3E31A0C0-C329-DA8A-DDD2-9DB286EBDE0E_k20927939-E9B9-269E-9619-CE6C38036F87', 'service' -> 'https://sp.permis.pku.edu.cn/casprotect/', '_eventId' -> 'submit', 'password' -> '12345', 'submit' -> '??????', 'username' -> 'roey'] to form object with name 'credentials', pre-bind formObject toString = [username: null]
>> 2008-10-22 14:25:18,443 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - (Any field is allowed)
>> 2008-10-22 14:25:18,447 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding completed for form object with name 'credentials', post-bind formObject toString = [username: roey]
>> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - There are [0] errors, details: []
>> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing validation
>> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Invoking validator [EMAIL PROTECTED]
>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Validation completed for form object
>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - There are [0] errors, details: []
>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>> 2008-10-22 14:25:18,452 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow
>> 2008-10-22 14:25:19,270 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: roey]
>> 2008-10-22 14:25:19,271 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Attempting to resolve a principal...
>> 2008-10-22 14:25:19,271 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [roey]
>> 2008-10-22 14:25:19,283 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>> 2008-10-22 14:25:19,283 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - Action 'SendTicketGrantingTicketAction' beginning execution
>> 2008-10-22 14:25:19,284 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - Action 'SendTicketGrantingTicketAction' completed execution; result is 'success'
>> 2008-10-22 14:25:19,284 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' beginning execution
>> 2008-10-22 14:25:19,286 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZDZ5aL4YpjVdRxWJenD3-cas] for service [https://sp.permis.pku.edu.cn/casprotect/] for user [roey]
>> 2008-10-22 14:25:19,287 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' completed execution; result is 'success'
>> 
>> 
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith,
>> Matthew J.
>> Sent: October 21, 2008 20:27
>> To: Yale CAS mailing list
>> Subject: Re: MOD_AUTH_CAS: Could not perform SSL handshake
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> 
>> Perhaps it is simply the copy & paste into the email, but I notice a few
>> spaces in the paths of your config.  Could you verify that those are not in
>> your real configuration?
>> 
>> Is mydomain.crt the signing CA for your CAS server's certificate?
>> 
>> Is mydomain.crt readable by the user the Apache daemon is running as?
>> 
>> Could you enable CAS debugging and Apache debugging, and send the extra
>> debugging information here?
>> 
>> 
>> - -Matt
>> 
>> lobatt wrote:
>>> Dear list:
>>> 
>>> I have deployed a testing CAS server to protect a httpd Location. I can
>>> log in to the CAS server successfully, but after being automatically
>>> redirected to the protected location, it always returns a 401 error page
>>> to me.
>>> 
>>> I checked my log:
>>> 
>>> In http log:
>>>  - - [21/Oct/2008:14:07:40 +0800] "GET /casprotect/?ticket=ST-24-L3WtJybA9GIJNa4ASyYJ-cas HTTP/1.1" 401 564
>>> 
>>> In cas log:
>>> 2008-10-21 14:07:40,151 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-24-L3WtJybA9GIJNa4ASyYJ-cas] for service [https://sp.permis.pku.edu.cn/casprotect/] for user [Roey]
>>> 2008-10-21 14:22:08,272 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - Starting cleaning of expired tickets from ticket registry at [Tue Oct 21 14:22:08 CST 2008]
>>> 
>>> my mod_auth_cas configuration:
>>> 
>>> LoadModule auth_cas_module modules/mod_auth_cas.so
>>> CASCookiePath /tmp/cas/
>>> CASloginURL https://mydomain /cas/login
>>> CASValidateURL https:// mydomain /cas/serviceValidate
>>> CASCertificatePath /home/ncpku/common/httpd-2.0.59/conf/ mydomain.crt
>>> <Location "/casprotect/">
>>> AuthType CAS
>>> Require valid-user
>>> </Location>
>>> 
>>> I checked my CertificatePath, and I am sure that is right.
>>> 
>>> Is there any other possibility?
>>> 
>>> Best regards,
>>> 
>>> Li Cheng
>>> 
>> ------------------------------------------------------------------------
>>> 
>> 
>>> _______________________________________________
>>> Yale CAS mailing list
>> 
>>> [email protected]
>>> http://tp.its.yale.edu/mailman/listinfo/cas
>> 
>> 
>> - --
>> Matthew J. Smith
>> University of Connecticut ITS
>> [EMAIL PROTECTED]
>> 
>> PGP KeyID: 0xE9C5244E
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.6 (GNU/Linux)
>> 
>> iD8DBQFI/cqmGP63pOnFJE4RApgoAKCvr6dwN9JJ9UoB6Kswyz46G04ptwCfchdd
>> kISrC2dQDweyubCquluMLLU=
>> =VZuH
>> -----END PGP SIGNATURE-----
>> 
> 

-- 
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
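Added example (not code from the thread, from mod_auth_cas or from CAS): a POSIX sh helper for the certificate check the thread circles around. It does what Andrew describes with `openssl s_client -showcerts` and keeps only the top (server's own) PEM block, then checks the point behind Matt's question: the file CASCertificatePath names must be the CA that signed the CAS server's certificate, or the server certificate itself when it is self-signed, and it must be readable by the httpd user. The hostname, paths and the sample s_client output are placeholders and constructed data; only the offline parsing is exercised by the self-test, the openssl calls need a real server.

```shell
#!/bin/sh
# Added example: extract the CAS server's own certificate from
# `openssl s_client -showcerts` output and check it against the file
# that CASCertificatePath points at. Host/port/paths are assumptions.

# Print only the first PEM certificate on stdin. With -showcerts the first
# block is the certificate the server presented for itself; later blocks
# are the intermediate/CA certificates it sent along.
first_pem_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { print }
       /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Count the PEM certificates in the captured output. 1 means the server
# sent no chain, which is what a self-signed certificate looks like.
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Fetch the server certificate over the network (needs openssl and a
# reachable host; not run by the self-test). -servername sends SNI and
# can be dropped on very old openssl builds.
fetch_server_cert() {
  host=$1; port=${2:-443}
  openssl s_client -showcerts -connect "$host:$port" -servername "$host" \
    </dev/null 2>/dev/null | first_pem_cert
}

# Show subject and issuer of a certificate file. If they are equal the
# certificate is self-signed and the file itself is what CASCertificatePath
# needs; otherwise CASCertificatePath must hold the issuing CA.
cert_subject_issuer() {
  openssl x509 -noout -subject -issuer -in "$1"
}

# Verify that the file mod_auth_cas will trust really validates the server
# certificate. A failure here reproduces the "Could not perform SSL
# handshake" condition without involving httpd at all.
verify_against_cafile() {
  cafile=$1; leaf=$2
  openssl verify -CAfile "$cafile" "$leaf"
}

# Constructed stand-in for `openssl s_client -showcerts` output: two
# placeholder blocks, not real certificates.
SAMPLE_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=XX/O=Example/CN=cas.example.test
   i:/C=XX/O=Example CA/CN=Example Test CA
-----BEGIN CERTIFICATE-----
LEAFCERT-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example CA/CN=Example Test CA
   i:/C=XX/O=Example CA/CN=Example Test CA
-----BEGIN CERTIFICATE-----
CACERT-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
---
Server certificate
subject=/C=XX/O=Example/CN=cas.example.test
issuer=/C=XX/O=Example CA/CN=Example Test CA
---'

# Offline demo on the constructed sample. Against a real CAS server run:
#   fetch_server_cert cas.example.test 443 > cas-leaf.crt
#   cert_subject_issuer cas-leaf.crt
#   verify_against_cafile /path/to/CASCertificatePath-file cas-leaf.crt
#   (and confirm the httpd user can read that file, e.g. with su/sudo -u)
printf '%s\n' "$SAMPLE_SHOWCERTS" | first_pem_cert
printf 'certificates in sample chain: %s\n' \
  "$(printf '%s\n' "$SAMPLE_SHOWCERTS" | count_pem_certs)"
```

If `openssl verify` fails against the file you configured, mod_auth_cas will fail the same way; if it succeeds but httpd still logs the handshake error, the remaining suspects are the file's permissions for the httpd user and a path typo.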



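Added example (not from the thread or from either project): a sh/awk triage over httpd access-log lines shaped like the ones pasted above, which prints where the CAS flow broke (a 302 from POST /cas/login means CAS issued the ticket; a 401 on the request carrying ?ticket=ST-... means mod_auth_cas could not validate it, which is exactly the pattern in this thread), plus a sed filter for the CAS log. With org.jasig.cas.web.flow at DEBUG, AuthenticationViaFormAction logs the whole bind map, and the pasted log shows 'password' -> '12345' in clear; scrub such lines before posting them and do not leave that logger at DEBUG in production. The sample lines are constructed with a placeholder host.

```shell
#!/bin/sh
# Added example: classify CAS flow events from access-log lines and
# redact passwords from CAS DEBUG output. Sample lines are constructed.

# Classify each access-log request as a CAS flow event. It keys on the
# quoted request string, so it works even when the client-host column
# has been stripped from the line, as in the logs pasted in the thread.
cas_flow_events() {
  awk '
    match($0, /"[A-Z]+ [^"]+"/) {
      req = substr($0, RSTART + 1, RLENGTH - 2)
      split(substr($0, RSTART + RLENGTH), rest, " ")
      status = rest[1]
      split(req, r, " ")
      method = r[1]; url = r[2]
      ticket = ""
      if (match(url, /[?&]ticket=[^&]+/))
        ticket = substr(url, RSTART + 8, RLENGTH - 8)
      if (url ~ /^\/cas\/login/ && method == "GET" && status == "200")
        print "LOGIN_FORM"
      else if (url ~ /^\/cas\/login/ && method == "POST" && status == "302")
        print "LOGIN_OK"                    # CAS accepted credentials, redirected with ST
      else if (ticket != "" && status == "401")
        print "VALIDATION_FAILED " ticket   # mod_auth_cas could not validate the ST
      else if (ticket != "")
        print "VALIDATED " ticket " status=" status
    }'
}

# Replace the submitted password in AuthenticationViaFormAction DEBUG lines;
# the bind map logs every form parameter, password included.
redact_cas_debug() {
  sed "s/'password' -> '[^']*'/'password' -> '[REDACTED]'/g"
}

# Constructed sample, same shape as the thread's access-log lines.
SAMPLE_ACCESS_LOG='- - [24/Oct/2008:10:16:46 +0800] "GET /cas/login?service=https%3a%2f%2fsp.example.test%2fcasprotect%2f HTTP/1.1" 200 5029
- - [24/Oct/2008:10:16:46 +0800] "GET /cas/css/cas.css HTTP/1.1" 304 -
- - [24/Oct/2008:10:16:52 +0800] "POST /cas/login?service=https%3a%2f%2fsp.example.test%2fcasprotect%2f HTTP/1.1" 302 -
- - [24/Oct/2008:10:16:53 +0800] "GET /casprotect/?ticket=ST-24-L3WtJybA9GIJNa4ASyYJ-cas HTTP/1.1" 401 564'

# Constructed sample, same shape as the CAS DEBUG bind line in the thread.
SAMPLE_CAS_DEBUG="2008-10-22 14:25:18,442 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding allowed request parameters in map['lt' -> '_LT-placeholder', 'service' -> 'https://sp.example.test/casprotect/', '_eventId' -> 'submit', 'password' -> '12345', 'username' -> 'roey'] to form object with name 'credentials'"

# Demo: expected events are LOGIN_FORM, LOGIN_OK, VALIDATION_FAILED ST-...,
# i.e. CAS did its part and the break is on the mod_auth_cas side.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | cas_flow_events
printf '%s\n' "$SAMPLE_CAS_DEBUG" | redact_cas_debug
```

Run it over the real access_log (`cas_flow_events < /path/to/access_log`) to see the same three-step pattern; a VALIDATION_FAILED event right after LOGIN_OK points at the serviceValidate call from mod_auth_cas rather than at the login itself.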