Apologies to all who have answered these questions a billion times, but...
I'm trying to get tomcat/spring/acegi to talk to CAS. I've gotten it
working to some degree, but am now stuck on the following error:
[Fatal Error] :1:1: Content is not allowed in prolog.
May 17, 2007 2:06:14 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException:
Unable to validate ProxyTicketValidator
[ [edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://secure.its.yale.edu/cas/servlet/validate]
ticket=[ST-11059954-4vXxKMmEaRychGbtR62b]
service=[http%3A%2F%2Fyag-client-36.art.yale.edu%3A8080%2Fyuagit%2Fsecure%2Ftest.jsp]
renew=false
entireResponse=[yes
<my netid>
]]]]
I've gone through all the online references I can find, but can't get
past this error. Clearly I'm getting a valid ticket & login succeeds,
so I'm assuming that this has something to do with SSL & Tomcat. I've
followed all the posts related to keytool, but still no luck.
Here's how things are configured:
JVM: JAVA_HOME=C:\jdk1.6.0
TOMCAT: CATALINA_HOME=C:\tomcat
server.xml was modified to enable SSL, and keystore & trust are
explicitly defined:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:\DOCUME~1\<my netid>\.keystore"
keystorePass="changeit"
truststoreFile="C:/jdk1.6.0/jre/lib/security/cacerts"
/>
KEYSTORE: I created a batch file since I had to run this more than once:
@echo off
rem Remove any earlier "tomcat" entries so the script can be run more than once.
set USERKEYSTORE=C:\DOCUME~1\tms64\.keystore
set JVMKEYSTORE=%JAVA_HOME%\jre\lib\security\cacerts
keytool -delete -alias tomcat -keystore "%USERKEYSTORE%" ^
 -storepass changeit
keytool -delete -alias tomcat -keystore "%JVMKEYSTORE%" ^
 -storepass changeit
rem Generate the server key pair (the -dname value must stay on one line).
keytool -genkey -alias tomcat -keystore "%USERKEYSTORE%" ^
 -validity 9999 -keypass changeit -storepass changeit -keyalg RSA ^
 -dname "CN=<mymachinename>.art.yale.edu, OU=artgallery, O=yale, L=newhaven, S=ct, C=us"
rem Export the self-signed certificate and import it into the JVM trust store.
keytool -export -alias tomcat -keystore "%USERKEYSTORE%" ^
 -file server.crt -storepass changeit
keytool -import -file server.crt -alias tomcat -keystore "%JVMKEYSTORE%" ^
 -storepass changeit
All references I found on this process were somewhat vague. For example
http://www.ja-sig.org/products/cas/server/ssl/index.html shows:
%JAVA_HOME%\bin\keytool -export -alias tomcat -keypass changeit -file
%FILE_NAME%
%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit
-keystore %JAVA_HOME%/jre/lib/security/cacerts
%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit
It's not clear from this example whether %FILE_NAME% and server.crt are
intended to be the same files, though after reading
http://tp.its.yale.edu/pipermail/cas-dev/2007-April/001751.html it would
appear that that is the intention.
I'm sure I've missed a critical point somewhere, but I'm not at all
familiar with ssl setup so it's not obvious. I'm fairly sure that the
remainder of the setup is correct, but I can provide gory details of the
webapp configuration, spring, acegi, etc.
Any help will be much appreciated!
Tim
_______________________________________________
Yale CAS mailing list
http://tp.its.yale.edu/mailman/listinfo/cas
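An added example, not part of the original post: the entireResponse in the log above (yes followed by a netid) is the CAS 1.0 plain-text format that /validate returns, while "Content is not allowed in prolog" is what a Java XML parser reports when a body does not start with XML. The Python below parses both the CAS 1.0 and the CAS 2.0 (/serviceValidate) response formats and shows which of the two an XML parser rejects; the sample bodies and the user jdoe are constructed.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used by CAS 2.0 XML responses

# Constructed sample bodies (not captured from the original post).
# CAS 1.0 (/validate): plain text, "yes" + newline + user on success, "no" on failure.
CAS10_OK = "yes\njdoe\n"
CAS10_FAIL = "no\n\n"
# CAS 2.0 (/serviceValidate): an XML document wrapped in <cas:serviceResponse>.
CAS20_OK = (
    f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
    "<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)
CAS20_FAIL = (
    f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
    '<cas:authenticationFailure code="INVALID_TICKET">'
    "ticket not recognized</cas:authenticationFailure></cas:serviceResponse>"
)


def parse_cas10(body):
    """Return the user from a CAS 1.0 body, or None if validation failed."""
    lines = body.splitlines()
    if len(lines) >= 2 and lines[0] == "yes" and lines[1]:
        return lines[1]
    return None


def parse_cas20(body):
    """Return the user from a CAS 2.0 body, or None on authenticationFailure."""
    root = ET.fromstring(body)
    user = root.find("cas:authenticationSuccess/cas:user", {"cas": CAS_NS})
    return user.text if user is not None else None


def xml_parser_rejects(body):
    """True when an XML parser refuses the body, as the Java client's parser did
    for the 'yes' + netid response quoted in the post."""
    try:
        ET.fromstring(body)
        return False
    except ET.ParseError:
        return True


def validate(body):
    """Pick the parser from the body's first character, then extract the user."""
    if body.lstrip().startswith("<"):
        return "cas2", parse_cas20(body)
    return "cas1", parse_cas10(body)
```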