Hello dears,
I'm dealing with the same or similar problems when running CAS and the application on different machines. In fact, I will try to set a cipher suite on the SSLConnectionFactory, because the stack trace shows explicitly that this is missing. The problem occurs only when running CAS on a different machine than the application to be secured.

Maybe my hint doesn't help you because you have another use case, but...

Good luck,
Volker

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Crawford
Sent: Wednesday, 28 February 2007 17:09
To: Yale CAS mailing list
Subject: Re: Web server on different machine to CAS server

Adding the key didn't work.

Cheers,
Mike

On 2/28/07, Mike Crawford <[EMAIL PROTECTED]> wrote:

Hi again,

I'm pretty sure the problem is caused by 'webserver1' not being in the keystore, because it works fine if the web application is on the same server as the authentication server. In my keystore on the authentication server I have a key entry for the authentication server with alias 'tomcat'. I was going to try adding another key for webserver1, but can I just call it 'webserver1' and add it into my store?

Thanks,
Mike

On 2/28/07, Mike Crawford <[EMAIL PROTECTED]> wrote:

Hi Scott,

I think this is the problem (from the tomcat log):

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Here is the full paste with the servers and webapp name changed:

SEVERE: Servlet.service() for servlet default threw exception
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://authenticationserver.com/cas/serviceValidate] ticket=[ST-2-RN7yyvC4XXMKUEED6VOlfsnT40SOzMu7o42-20] service=[http%3A%2F%2Fwebserver1.com%3A8080%2Fmywebapp%2F] renew=false]]]
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1056)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1040)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:981)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
    ... 16 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
    ... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 36 more

Thanks,
Mike

On 2/28/07, Scott Battaglia <[EMAIL PROTECTED]> wrote:

Mike,

Are there any other messages in the log file? Exceptions, etc.?

Thanks
-Scott

On 2/26/07, Mike Crawford <[EMAIL PROTECTED]> wrote:

Hi,

I am trying to run a web server on one machine which redirects to a CAS server running on another machine. When I try to change the client.filter.serverName to redirect back to the web server I get an 'Unable to validate ProxyTicketValidator' message. Does this have something to do with proxyList? I've pasted an excerpt from client.filter.CASFilter with what I'm trying to achieve. Ultimately there will be many web servers pointing to the same authentication server.

Thanks for your help,
Mike Crawford

    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://authenticationserver.com/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://authenticationserver.com/cas/serviceValidate</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>webserver1.com:8080</param-value>
    </init-param>

_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
