I may be oversimplifying, but what about changing the trustedIssuerDnPattern to 
“CN=.*”?  It’s formally a regex pattern, so while I’ve never tried a plain 
asterisk there, it shouldn’t work.


-- 
Ne Desit Virtus,

Sean R. Baker
1LT, MS
United States Army
Office #: (301) 319-0712
Email: sean.ba...@usuhs.edu

On Aug 18, 2014, at 1:58 AM, michael maceachran <mmaceach...@yahoo.com> wrote:

> I am trying to get x509 authentication working.  I have followed the 
> instructions, and I almost have it.  In my deployerConfig I have this:
> 
>     <bean id="x509Handler"
>           class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler">
>         <property name="trustedIssuerDnPattern" value="CN=*"/>
>         <property name="maxPathLength" value="3" />
>         <property name="checkKeyUsage" value="false" />
>         <property name="requireKeyUsage" value="false" />
>     </bean>
> 
>     <bean id="x509PrincipalResolver"
>           class="org.jasig.cas.adaptors.x509.authentication.principal.X509SubjectPrincipalResolver"
>           p:descriptor="$CN@$DC.$DC" />
> 
> Which, if I understand correctly, will authenticate ANY (*) issuer DN. (This 
> is on a dev box; I will change it when I get it working.)
> 
> Looking at the logs, I see that I am sending a cert, and it is passing 
> everything, except the authentication part.  Here is the log:
> 
> 2014-08-18 01:41:15,996 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Certificate found in request.>
> 2014-08-18 01:41:16,014 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <Evaluating CN=ORC ECA SW 5, OU=Certification Authorities, OU=ECA, O=U.S. Government, C=US, SerialNumber=23>
> 2014-08-18 01:41:16,015 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <CN=* matches CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US == false>
> 2014-08-18 01:41:16,015 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <Found valid CA certificate>
> 2014-08-18 01:41:16,015 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <Evaluating CN=MyName, OU=MyCompany, OU=ORC, OU=ECA, O=U.S. Government, C=US, SerialNumber=1482>
> 2014-08-18 01:41:16,015 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <.* matches CN=MyName, OU=MyCompany, OU=ORC, OU=ECA, O=U.S. Government, C=US == true>
> 2014-08-18 01:41:16,015 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <CN* matches CN=ORC ECA SW 5, OU=Certification Authorities, OU=ECA, O=U.S. Government, C=US == false>
> 2014-08-18 01:41:16,016 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <Found valid client certificate>
> 2014-08-18 01:41:16,016 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <X509CredentialsAuthenticationHandler failed authenticating CN=MyName, OU=MyCompany, OU=ORC, OU=ECA, O=U.S. Government, C=US, SerialNumber=1482>
> 2014-08-18 01:41:16,019 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: supplied credentials: [CN=MyName, OU=MyCompany, OU=ORC, OU=ECA, O=U.S. Government, C=US, SerialNumber=1482]
> ACTION: AUTHENTICATION_FAILED
> APPLICATION: CAS
> WHEN: Mon Aug 18 01:41:16 EDT 2014
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =============================================================
> 
> As you can see, everything is valid, up until the authentication bit.  I have 
> checked, and my public key is in the tomcat keystore, and jssecacert file, 
> although I believe I only need the CA cert in there.
> 
> What am I doing wrong?
> -- 
> You are currently subscribed to cas-user@lists.jasig.org as: 
> sean.ba...@usuhs.edu
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
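An added illustration (not code from the thread or from CAS) of why the issuer pattern in the quoted config never matches: it assumes the handler compares the issuer DN against the pattern as a whole-string regex, the way Java's String.matches does, and reuses the two issuer DNs printed in the log above.

```python
import re

# Issuer DNs copied from the log lines in the quoted message.
ROOT_CA_DN = "CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US"
SUB_CA_DN = ("CN=ORC ECA SW 5, OU=Certification Authorities, OU=ECA, "
             "O=U.S. Government, C=US")
ISSUER_DNS = [ROOT_CA_DN, SUB_CA_DN]

# A pattern that pins trust to the one issuing CA seen in the log. The dots
# in "U.S." are escaped so they only match a literal dot.
PINNED_ISSUER = (r"CN=ORC ECA SW 5, OU=Certification Authorities, OU=ECA, "
                 r"O=U\.S\. Government, C=US")


def issuer_trusted(pattern: str, issuer_dn: str) -> bool:
    """Whole-string regex check of an issuer DN against the configured
    trustedIssuerDnPattern (assumption: full-match semantics, as with
    Java's String.matches). True means the issuer would be accepted."""
    return re.fullmatch(pattern, issuer_dn) is not None


def evaluate(pattern: str) -> dict:
    """Map each issuer DN from the log to whether `pattern` accepts it."""
    return {dn: issuer_trusted(pattern, dn) for dn in ISSUER_DNS}


if __name__ == "__main__":
    # "CN=*" is the regex 'C', 'N', then zero or more '=' characters, so it
    # can only ever match the strings "CN", "CN=", "CN==", ... and no real DN.
    for pat in ("CN=*", "CN=.*", PINNED_ISSUER):
        print(pat)
        for dn, ok in evaluate(pat).items():
            print(f"  {ok!s:5}  {dn}")
```

Running it shows `CN=*` rejecting both CAs, `CN=.*` accepting any DN that starts with `CN=`, and the pinned pattern accepting only the intended issuing CA.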

