[cas-user] SLO within browser context

2020-06-16 Thread Paul Roemer

Hey guys,

I just ran into the SLO + loadbalancer issue as some of our CAS clients are 
clustered. Now, I wonder if it is possible to send the POST logout requests 
to the services participating in the current SSO session from within the 
browser/from client side instead of sending them from the CAS server.

If that is possible, I expect the load balancer issue is solved without 
further adjustments as it will redirect the request to the correct node in 
case of a clustered CAS client.

What are your thoughts?

Cheers,
  Paul

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/95830dcf-aa6a-44df-8c7e-7d84d517f83an%40apereo.org.


Re: [cas-user] CAS newbie 1st time install on RHEL problems with connection to LDAP server

2020-06-16 Thread 'Robert Bond' via CAS Community
You can use the following config to specify the cert of the CA, if that is
what is needed:

cas.authn.ldap[0].trustCertificates=file:/etc/cas/ca_ldaps_cert.crt

On Tue, Jun 16, 2020 at 3:10 PM David Curry 
wrote:

> The CAS server (Tomcat) cannot validate the TLS certificate being returned
> by your LDAP server. This could be for a few different reasons:
>
>1. The LDAP server's TLS certificate is not for the host name you're
>using to access the LDAP server (walnut.wccnet.edu)
>2. The LDAP server's TLS certificate requires an intermediate
>certificate that it's not providing itself (by concatenating certificates)
>and the Tomcat server doesn't have the intermediate certificate either
>3. Same as #2, but for the root certificate
>
> Check #1 first; if that's not it, #2 is probably the issue, and it can be
> fixed by having the LDAP server return a concatenated certificate
> (basically, instead of just providing the server certificate, provide the
> server cert, the intermediate cert, and [optionally] the root cert all
> together).
>
> --Dave
>
> P.S. - The tip-off is this line:
>
> org.ldaptive.ConnectException: javax.net.ssl.SSLException:
> javax.net.ssl.SSLHandshakeException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> and then you just read backwards to see what it's trying to connect to
> when the error occurs.

Re: [cas-user] CAS newbie 1st time install on RHEL problems with connection to LDAP server

2020-06-16 Thread David Curry
The CAS server (Tomcat) cannot validate the TLS certificate being returned
by your LDAP server. This could be for a few different reasons:

   1. The LDAP server's TLS certificate is not for the host name you're
   using to access the LDAP server (walnut.wccnet.edu)
   2. The LDAP server's TLS certificate requires an intermediate
   certificate that it's not providing itself (by concatenating certificates)
   and the Tomcat server doesn't have the intermediate certificate either
   3. Same as #2, but for the root certificate

Check #1 first; if that's not it, #2 is probably the issue, and it can be
fixed by having the LDAP server return a concatenated certificate
(basically, instead of just providing the server certificate, provide the
server cert, the intermediate cert, and [optionally] the root cert all
together).

--Dave

P.S. - The tip-off is this line:

org.ldaptive.ConnectException: javax.net.ssl.SSLException:
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target

and then you just read backwards to see what it's trying to connect to when
the error occurs.


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Tue, Jun 16, 2020 at 4:01 PM David Lacerte  wrote:

> At Washtenaw Community College Ann Arbor Michigan I am working to replace
> a old CAS 3.x server with a new CAS 6.2 server running on RHEL 8.1
>
> We have encountered an error when we perform a 'gradlew run' command in
> which we see this error:
>
>
> AS Version: 6.2.0-SNAPSHOT
> CAS Branch: master
> CAS Commit Id: 4ac819eb72848f0ca995bb369526727479fa8cbf
> CAS Build Date/Time: 2020-06-16T19:16:54Z
> Spring Boot Version: 2.2.8.RELEASE
> Spring Version: 5.2.6.RELEASE
> Java Home: /usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64
> Java Vendor: Oracle Corporation
> Java Version: 11.0.7
> JVM Free Memory: 409 MB
> JVM Maximum Memory: 2 GB
> JVM Total Memory: 478 MB
> JCE Installed: Yes
> OS Architecture: amd64
> OS Name: Linux
> OS Version: 4.18.0-147.5.1.el8_1.x86_64
> OS Date/Time: 2020-06-16T15:56:59.381046
> OS Temp Directory: /tmp
> Apache Tomcat Version: Apache Tomcat/9.0.36
> 
>
>
> 2020-06-16 15:02:49,204 INFO
> [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator]
> -  [/etc/cas/config/cas.properties]]] unde  r
> profile(s) [[standalone]]>
> 2020-06-16 15:02:49,381 INFO [org.apereo.cas.web.CasWebApplication] -  following profiles are active: standalone>
> 2020-06-16 15:02:52,616 INFO
> [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] -
>  successfully.>
> 2020-06-16 15:03:00,848 INFO
> [org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration]
> - <
>
> Using generated security password: xx
> >
> 2020-06-16 15:03:01,045 INFO
> [org.springframework.security.web.access.channel.ChannelProcessingFilter] -
> 
> 2020-06-16 15:03:01,063 INFO
> [org.springframework.security.web.DefaultSecurityFilterChain] -  filter chain: any request,
> [org.springframework.security.web.access.channel.ChannelProcessingFilter@1a6d
> c5ea,
> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3d88ce0e,
> org.springframework.security.web.context.SecurityContextPersistenceFilter@31b741e2,
> org.springframework
> .security.web.savedrequest.RequestCacheAwareFilter@28f05b0c,
> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5fdb7394,
> org.springframework.security.web.authentication.Anon
> ymousAuthenticationFilter@31f7eb8,
> org.springframework.security.web.session.SessionManagementFilter@1846ad0f,
> org.springframework.security.web.access.ExceptionTranslationFilter@432c0f1,
> org.springframework.s
> ecurity.web.access.intercept.FilterSecurityInterceptor@70884875]>
> 2020-06-16 15:03:02,145 ERROR
> [org.ldaptive.transport.netty.NettyConnection] -  for org.ldaptive.transport.netty.NettyConnection@193667460
> ::ldapUrl=[org.ldaptive.LdapURL@-120939274::sc
> heme=ldaps, hostname=walnut.wccnet.edu, port=636, baseDn=null,
> attributes=null, scope=null, filter=null, inetAddress=null], isOpen=false,
> connectTime=null, connectionConfig=[org.ldaptive.ConnectionConfig@697
> 975769::ldapUrl=ldaps://walnut.wccnet.edu:636, connectTimeout=PT5S,
> responseTimeout=PT5S, reconnectTimeout=PT2M, autoReconnect=true,
> autoReconnectCondition=org.ldaptive.ConnectionConfig$$Lambda$953/0x000
> 8408e9840@ccd000e, autoReplay=true,
> sslConfig=[org.ldaptive.ssl.SslConfig@1604700367::credentialConfig=null,
> trustManagers=null,
> hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@d7055be,
> enabledCiph  erSuites=null, 
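The three causes Dave lists above, and the trustCertificates setting from Robert's reply, can be reproduced offline with a throwaway PKI. This is an added example, not code from the thread or from CAS; it uses openssl verify as a stand-in for the JVM's PKIX path builder, and the host names (ldap.example.test, ldap-alias.example.test) and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the three PKIX failure causes
# with a throwaway PKI, using openssl verify in place of Java's path builder.
set -e
work=$(mktemp -d); cd "$work"          # constructed files live here; not cleaned up

# Root CA -> intermediate CA -> LDAP server leaf, all constructed locally
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.crt -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout ldap.key -out ldap.csr \
  -subj "/CN=ldap.example.test" >/dev/null 2>&1
printf 'subjectAltName=DNS:ldap.example.test\n' > leaf.ext
openssl x509 -req -in ldap.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -extfile leaf.ext -out ldap.crt -days 2 >/dev/null 2>&1

# What the server sends after the fix Dave describes: leaf first, then intermediate
cat ldap.crt inter.crt > chain.pem

# Classify the handshake outcome for a client in CAS's position.
#   $1 = PEM file holding exactly what the server sends (leaf first)
#   $2 = host name the client connected to
#   $3 = client trust store (the file trustCertificates would point at)
# Prints: chain-incomplete (causes 2/3, Java: "PKIX path building failed"),
#         hostname-mismatch (cause 1), or ok.
diagnose_chain() {
  if ! openssl verify -CAfile "$3" -untrusted "$1" "$1" >/dev/null 2>&1; then
    echo chain-incomplete
  elif ! openssl verify -CAfile "$3" -untrusted "$1" -verify_hostname "$2" "$1" \
         >/dev/null 2>&1; then
    echo hostname-mismatch
  else
    echo ok
  fi
}

diagnose_chain ldap.crt  ldap.example.test       root.crt   # chain-incomplete (cause 2)
diagnose_chain chain.pem ldap.example.test       root.crt   # ok
diagnose_chain chain.pem ldap-alias.example.test root.crt   # hostname-mismatch (cause 1)
diagnose_chain chain.pem ldap.example.test       inter.crt  # chain-incomplete (cause 3)
```

Against a live server, `openssl s_client -connect host:636 -showcerts` shows what is actually served, which is the input the first argument stands in for here. The root (plus intermediate, if the server will not send it) is what belongs in the file that cas.authn.ldap[0].trustCertificates points at, not the server's own certificate.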

[cas-user] CAS newbie 1st time install on RHEL problems with connection to LDAP server

2020-06-16 Thread David Lacerte
At Washtenaw Community College, Ann Arbor, Michigan, I am working to replace an 
old CAS 3.x server with a new CAS 6.2 server running on RHEL 8.1

We have encountered an error when we perform a 'gradlew run' command in 
which we see this error: 


CAS Version: 6.2.0-SNAPSHOT
CAS Branch: master
CAS Commit Id: 4ac819eb72848f0ca995bb369526727479fa8cbf
CAS Build Date/Time: 2020-06-16T19:16:54Z
Spring Boot Version: 2.2.8.RELEASE
Spring Version: 5.2.6.RELEASE
Java Home: /usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64
Java Vendor: Oracle Corporation
Java Version: 11.0.7
JVM Free Memory: 409 MB
JVM Maximum Memory: 2 GB
JVM Total Memory: 478 MB
JCE Installed: Yes
OS Architecture: amd64
OS Name: Linux
OS Version: 4.18.0-147.5.1.el8_1.x86_64
OS Date/Time: 2020-06-16T15:56:59.381046
OS Temp Directory: /tmp
Apache Tomcat Version: Apache Tomcat/9.0.36



2020-06-16 15:02:49,204 INFO 
[org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] 
- 
2020-06-16 15:02:49,381 INFO [org.apereo.cas.web.CasWebApplication] - 
2020-06-16 15:02:52,616 INFO 
[org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - 

2020-06-16 15:03:00,848 INFO 
[org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration]
 
- <

Using generated security password: xx
>
2020-06-16 15:03:01,045 INFO 
[org.springframework.security.web.access.channel.ChannelProcessingFilter] - 

2020-06-16 15:03:01,063 INFO 
[org.springframework.security.web.DefaultSecurityFilterChain] - 
2020-06-16 15:03:02,145 ERROR 
[org.ldaptive.transport.netty.NettyConnection] - 
org.ldaptive.ConnectException: javax.net.ssl.SSLException: 
javax.net.ssl.SSLHandshakeException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

So far GOOGLE-FU has failed to reveal the solution to resolving this 
problem... I see HINTS that it might be related to an SSL cert Java 
keystore issue, but my attempts to follow various 'solutions' so far are 
not working.
Any ideas or suggestions would be appreciated.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/27f5546e-d1e1-4715-932a-7e5a274d9157o%40apereo.org.