CAS server technical platform: CasToolBox 3.3.1, authentication against Active
Directory; CAS server platform: CentOS 5.2, Tomcat 6.0.18, jdk1.6.0_12
Www server technical platform: Debian Lenny with Apache 2.2.9, PHP5 (with
Curl, OpenSSL, DOM, Zlib), MySQL 5.0. phpCAS library
version 1.0.2RC1
On this server I modified my file /etc/php5/apache2/php.ini like this:
include_path = ".:/php/includes:/usr/share/php/PEAR"
require_once "/usr/share/php/DB.php";
And I also enabled debug mode for phpCAS in the file
/usr/share/php/PEAR/CAS/CAS.php:
phpCAS::setDebug ("/mon/chemin/pour/phpcas.log");
For the Joomla application, the CAS server component authenticates my users
correctly.
For all other applications that use phpCAS I get this error:
"CAS Authentication failed!
You were not authenticated.
You may submit your request again by clicking here.
If the problem persists, you may contact the administrator of this site.
--------------------------------------------------------------------------------
phpCAS 1.0.2RC1 utilisant le serveur https://mon.cas.lan:443/cas/login/ (CAS
2.0)"
If I click the last line, "phpCAS 1.0.2RC1 using the server
https://mon.cas.lan:443/cas/login/ (CAS 2.0)", the authentication on the
CAS server succeeds.
Here is the phpCAS log file:
88D7 .START ****************** [CAS.php:414]
88D7 .=> phpCAS::client('2.0', 'mon.cas.lan', 443, '/cas/login', false) [cas.inc.php:43]
88D7 .| => CASClient::CASClient('2.0', false, 'mon.cas.lan', 443, '/cas/login', false) [CAS.php:315]
88D7 .| | ST or PT 'ST-2-hEcdG40jd6joaEzkMcvd-cas' found [client.php:594]
88D7 .| <= ''
88D7 .<= ''
88D7 .=> phpCAS::setNoCasServerValidation() [cas.inc.php:52]
88D7 .<= ''
88D7 .=> phpCAS::forceAuthentication() [cas.inc.php:53]
88D7 .| => CASClient::forceAuthentication() [CAS.php:911]
88D7 .| | => CASClient::isAuthenticated() [client.php:686]
88D7 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:791]
88D7 .| | | | no user found [client.php:895]
88D7 .| | | <= false
88D7 .| | | PT `ST-2-hEcdG40jd6joaEzkMcvd-cas' is present [client.php:812]
88D7 .| | | => CASClient::validatePT('', NULL, NULL) [client.php:813]
88D7 .| | | | => CASClient::getURL() [client.php:396]
88D7 .| | | | <= 'http://mon.www.lan/grr/index.php'
88D7 .| | | | => CASClient::readURL('https://mon.cas.lan:443/cas/login/proxyValidate?service=http%3A%2F%2Fmon.www.lan%2Fgrr%2Findex.php&ticket=ST-2-hEcdG40jd6joaEzkMcvd-cas', '', NULL, NULL, NULL) [client.php:2081]
88D7 .| | | | | curl_exec() failed [client.php:1845]
88D7 .| | | | <= false
88D7 .| | | | could not open URL 'https://mon.cas.lan:443/cas/login/proxyValidate?service=http%3A%2F%2Fmon.www.lan%2Fgrr%2Findex.php&ticket=ST-2-hEcdG40jd6joaEzkMcvd-cas' to validate (CURL error #35: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message) [client.php:2082]
88D7 .| | | | => CASClient::authError('PT not validated', 'https://mon.cas.lan:443/cas/login/proxyValidate?service=http%3A%2F%2Fmon.www.lan%2Fgrr%2Findex.php&ticket=ST-2-hEcdG40jd6joaEzkMcvd-cas', true) [client.php:2085]
88D7 .| | | | | => CASClient::getURL() [client.php:2266]
88D7 .| | | | | <= 'http://mon.www.lan/grr/index.php'
88D7 .| | | | | CAS URL: https://mon.cas.lan:443/cas/login/proxyValidate?service=http%3A%2F%2Fmon.www.lan%2Fgrr%2Findex.php&ticket=ST-2-hEcdG40jd6joaEzkMcvd-cas [client.php:2267]
88D7 .| | | | | Authentication failure: PT not validated [client.php:2268]
88D7 .| | | | | Reason: no response from the CAS server [client.php:2270]
88D7 .| | | | | exit()
88D7 .| | | | | -
88D7 .| | | | -
88D7 .| | | -
88D7 .| | -
88D7 .| -
--------------------------------------------------------------
Command executed on my Www server: curl --verbose https://mon.cas.lan
* About to connect() to mon.cas.lan port 443 (#0)
* Trying 10.100.25.11... connected
* Connected to mon.cas.lan (10.100.25.11) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
--------------------------------------------------------------
Here are the steps I used to create the certificates:
Generation of the keystore containing the key pair, and of the certificate
signing request:
keytool -genkey -alias mon.cas.lan -keyalg RSA -keystore /usr/share/apache-tomcat-6.0.18/keystore_0/cas9.keystore
keytool -certreq -alias mon.cas.lan -keystore /usr/share/apache-tomcat-6.0.18/keystore_0/cas9.keystore -file /usr/share/apache-tomcat-6.0.18/keystore_0/cas9.csr
I submitted the certificate request "cas9.csr" to a CA, in this particular
case "verisign.com", which offers free SSL certificates for testing.
I named the resulting certificate "cas9-chain.crt"; to verify it I ran this:
# keytool -printcert -file cas9-chain.crt
Propriétaire : CN=mon.cas.lan, OU="Member, VeriSign Trust Network", OU=Authenticated by VeriSign, OU=Terms of use at www.verisign.fr/cps/testca (c)05, OU=Education Nationale, O=College Joseph-Anglade, L=Lezignan Corbieres, ST=Aude, C=FR
Émetteur : CN=VeriSign Trial Secure Server Test CA, OU=Terms of use at https://www.verisign.com/cps/testca (c)05, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Numéro de série : 606b4016605939f751db9a14f7a387fe
Valide du : Thu Mar 05 01:00:00 CET 2009 au : Fri Mar 20 00:59:59 CET 2009
Empreintes du certificat :
MD5 : C8:35:E0:15:D7:A6:BE:2F:4C:41:34:3F:1A:DD:C4:A5
SHA1 : 22:AF:9C:86:12:A7:B8:4C:FB:BE:5B:AE:4A:A7:77:B9:33:BD:2A:36
Nom de l'algorithme de signature : {7}
Version : {8}
Extensions :
#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com, accessMethod:
1.3.6.1.5.5.7.48.2
accessLocation: URIName:
http://SVRSecure-aia.verisign.com/SVRTrial2005-aia.cer]
]
#3: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRSecure-crl.verisign.com/SVRTrial2005.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.21]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 23 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65
.#https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 63 70 73 2F 74 risign.com/cps/t
0020: 65 73 74 63 61 estca
]] ]
]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#7: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 66 22 8E 81 E0 31 59 DD 2A 7F AB 46 C5 36 02 06 f"...1Y.*..F.6..
0010: 70 27 87 5A p'.Z
]
]
Import of the certificate and of the certification chain:
keytool -import -alias cas -file /usr/share/apache-tomcat-6.0.18/keystore_0/cas9-chain.crt -trustcacerts -keystore /usr/share/apache-tomcat-6.0.18/keystore_0/root_Verisign.crt -storepass MonPass
keytool -import -alias cas -file /usr/share/apache-tomcat-6.0.18/keystore_0/cas9-chain.crt -trustcacerts -keystore /usr/share/apache-tomcat-6.0.18/keystore_0/root_Intermediary_Verisign.crt -storepass MonPass
keytool -import -alias cas -file /usr/share/apache-tomcat-6.0.18/keystore_0/cas9-chain.crt -trustcacerts -keystore /usr/share/apache-tomcat-6.0.18/keystore_0/mon.cas.lan.crt -storepass MonPass
Can you help me set up phpCAS, please?
Sorry for my English
--
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
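As an added example (not code from the post, from phpCAS or from the CAS project), here is a small triage script that reads a phpCAS 1.0.x debug log like the one above and reports the three things worth checking first: the context path passed to phpCAS::client() (the log shows the validation request going to /cas/login/proxyValidate, because phpCAS appends the endpoint name to the context), the disabled TLS verification, and the curl error behind "no response from the CAS server". The log excerpt is constructed from the post's own lines; the hosts and ticket are the post's placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed excerpt, modelled on the phpCAS debug log in the post (not a real capture).
SAMPLE_LOG = """\
88D7 .=> phpCAS::client('2.0', 'mon.cas.lan', 443, '/cas/login', false) [cas.inc.php:43]
88D7 .=> phpCAS::setNoCasServerValidation() [cas.inc.php:52]
88D7 .| | | | could not open URL 'https://mon.cas.lan:443/cas/login/proxyValidate?service=http%3A%2F%2Fmon.www.lan%2Fgrr%2Findex.php&ticket=ST-2-hEcdG40jd6joaEzkMcvd-cas' to validate (CURL error #35: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message) [client.php:2082]
88D7 .| | | | | Authentication failure: PT not validated [client.php:2268]
"""

CLIENT_RE = re.compile(r"phpCAS::client\('([^']*)', '([^']*)', (\d+), '([^']*)'")
URL_RE = re.compile(r"could not open URL '([^']*)' to validate \(CURL error #(\d+): ([^)]*)\)")


def triage(log):
    """Return a dict of findings extracted from a phpCAS debug log."""
    findings = {"issues": []}
    m = CLIENT_RE.search(log)
    if m:
        version, host, port, context = m.groups()
        findings.update(cas_version=version, host=host, port=int(port), context=context)
        # phpCAS builds <scheme>://<host>:<port><context>/ and appends 'serviceValidate' or
        # 'proxyValidate', so the context must be the CAS web-app root, not its login page.
        if context.rstrip("/").endswith("/login"):
            findings["issues"].append("context ends in /login; the CAS context is the app root (e.g. '/cas')")
    if "setNoCasServerValidation" in log:
        # Disabling verification hides certificate problems instead of fixing them; phpCAS can
        # instead be pointed at the CA chain with phpCAS::setCasServerCACert().
        findings["issues"].append("TLS verification disabled; prefer setCasServerCACert() with the CA chain")
    m = URL_RE.search(log)
    if m:
        url, code, detail = m.groups()
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        findings.update(validate_path=parts.path, curl_error=int(code), curl_detail=detail,
                        service=query.get("service", [None])[0], ticket=query.get("ticket", [None])[0])
        if int(code) in (35, 60):  # 35: handshake failed, 60: peer certificate not trusted
            findings["issues"].append("TLS handshake failed before any HTTP; check the server's certificate chain")
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```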