RE: Self-Signed Certificate for Tomcat JVM and CAS

2007-08-15 Thread Lisa Tan
I wish you would read this email earlier. I thought if I use the default
password (changeit), I don't need to have the -storepass parameter. This
morning I re-read the extkeytool example and tried to put the storepass
parameter and it works. After I imported my self-signed cert to the JVM
truststore, the CAS client can trust the CAS server.

Thank all of you for providing me all the valuable links and information.

Lisa
-----Original Message-----
From: Morris Jones [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 15, 2007 10:48 AM
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: Re: Self-Signed Certificate for Tomcat JVM and CAS

Sorry I hadn't seen your message earlier when you posted it.  But you 
should create the keystore with a keystore password.  Did you do that?

Cheers,
Mojo

Lisa Tan wrote:
> After following the docs to generate a self-signed pkcs12 key, I failed to
> import the key/certificate into my application with "No password given for
> keystore, integrity will not be verified". What is the reason for this
> error?
>
> I read some docs which ask to create an empty Java keystore and convert
> PEM formatted key to PKCS8 format. Why do I need to create an empty
> keystore?
>
> Thanks,
>
> Lisa
>
> ---- Original message ----
> Date: Fri, 10 Aug 2007 18:25:56 -0700
> From: Bill Barker [EMAIL PROTECTED]
> Subject: Re: Self-Signed Certificate for Tomcat JVM and CAS
> To: users@tomcat.apache.org
>
> Lisa Tan [EMAIL PROTECTED] wrote in message
> news:[EMAIL PROTECTED]
>> I don't know if this is the right list to ask this question. I tried to
>> configure Shibboleth, which uses Tomcat with CAS authentication. I
>> received an error: Unable to validate ProxyTicketValidator
>>
>> I did a Google search on this topic and understood the reason causing this
>> problem is that the Tomcat JVM doesn't trust the SSL cert of the CAS
>> server. Since I am still in the testing stage, I can't get a CA
>> certificate but only the self-signed certificate.
>>
>> If my understanding is correct, the self-signed certificate via openssl
>> doesn't have jks format but the Tomcat JVM only accepts jks format
>> certificates.
>
> If you had read the friendly manual at
> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, you would know that
> this isn't true :).  While it talks about the keystore, the truststore works
> the same way.  So use openssl to create a pkcs12 file, specify this as the
> truststore, in whatever way you need to do from the CAS docs, and you should
> be good to go.
>
>> I am just wondering if anyone can give me some instructions on how to
>> create a self-signed certificate and private key which can be used or
>> imported to both Tomcat JVM and CAS server.
>>
>> Thanks,
>>
>> Lisa

 -
 To start a new topic, e-mail: users@tomcat.apache.org
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]

 

-- 
Morris Jones
Monrovia, CA
http://www.whiteoaks.com
Old Town Astronomers http://www.otastro.org
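
The steps this thread converges on (a self-signed certificate made with openssl, packaged as PKCS12, then imported into the JVM truststore with an explicit -storepass), as an added example that is not part of the original messages. The host name cas.example.edu, the alias, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example. CAS_HOST, the alias "cas", file names and function names are
# assumptions; STOREPASS is the default password mentioned in the thread.
CAS_HOST="cas.example.edu"   # must match the host name in the CAS server URL
STOREPASS="changeit"

# Step 1: self-signed certificate and unencrypted private key (PEM), test use only.
make_cert() {                # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$CAS_HOST" \
        -keyout "$1/cas.key" -out "$1/cas.crt" 2>/dev/null
}

# Step 2: bundle key and certificate as PKCS12 for the CAS server's Tomcat
# connector (keystoreType="PKCS12"), protected with an explicit password.
make_p12() {                 # $1 = working directory
    openssl pkcs12 -export -in "$1/cas.crt" -inkey "$1/cas.key" \
        -name cas -passout "pass:$STOREPASS" -out "$1/cas.p12"
}

# Check that the PKCS12 file opens (its MAC verifies) with a given password.
p12_opens_with() {           # $1 = working directory, $2 = password
    openssl pkcs12 -in "$1/cas.p12" -noout -passin "pass:$2" 2>/dev/null
}

# Step 3: import only the certificate (never the private key) into the
# truststore of the JVM that runs the CAS client. -storepass is given
# explicitly instead of relying on the default being assumed.
import_trust() {             # $1 = working directory, $2 = truststore path
    keytool -import -noprompt -alias cas -file "$1/cas.crt" \
        -keystore "$2" -storepass "$STOREPASS"
}

# Subject of the generated certificate, for checking the CN.
cert_subject() { openssl x509 -in "$1/cas.crt" -noout -subject; }

# Usage: sh cas-trust.sh <workdir> <truststore>
if [ "$#" -eq 2 ]; then
    make_cert "$1" && make_p12 "$1" && import_trust "$1" "$2"
fi
```

To trust the certificate JVM-wide, pass the path of that JVM's cacerts file as the truststore argument.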



Re: Self-Signed Certificate for Tomcat JVM and CAS

2007-08-11 Thread Lisa Tan
After following the docs to generate a self-signed pkcs12 key, I failed to
import the key/certificate into my application with "No password given for
keystore, integrity will not be verified". What is the reason for this error?

I read some docs which ask to create an empty Java keystore and convert PEM
formatted key to PKCS8 format. Why do I need to create an empty keystore?

Thanks,

Lisa

---- Original message ----
Date: Fri, 10 Aug 2007 18:25:56 -0700
From: Bill Barker [EMAIL PROTECTED]
Subject: Re: Self-Signed Certificate for Tomcat JVM and CAS
To: users@tomcat.apache.org

Lisa Tan [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
> I don't know if this is the right list to ask this question. I tried to
> configure Shibboleth, which uses Tomcat with CAS authentication. I received
> an error: Unable to validate ProxyTicketValidator
>
> I did a Google search on this topic and understood the reason causing this
> problem is that the Tomcat JVM doesn't trust the SSL cert of the CAS
> server. Since I am still in the testing stage, I can't get a CA
> certificate but only the self-signed certificate.
>
> If my understanding is correct, the self-signed certificate via openssl
> doesn't have jks format but the Tomcat JVM only accepts jks format
> certificates.

If you had read the friendly manual at
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, you would know that
this isn't true :).  While it talks about the keystore, the truststore works
the same way.  So use openssl to create a pkcs12 file, specify this as the
truststore, in whatever way you need to do from the CAS docs, and you should
be good to go.

> I am just wondering if anyone can give me some instructions on how to
> create a self-signed certificate and private key which can be used or
> imported to both Tomcat JVM and CAS server.
>
> Thanks,
>
> Lisa



Re: Self-Signed Certificate for Tomcat JVM and CAS

2007-08-10 Thread Lisa Tan
I don't know if this is the right list to ask this question. I tried to
configure Shibboleth, which uses Tomcat with CAS authentication. I received
an error: Unable to validate ProxyTicketValidator

I did a Google search on this topic and understood the reason causing this
problem is that the Tomcat JVM doesn't trust the SSL cert of the CAS server.
Since I am still in the testing stage, I can't get a CA certificate but only
the self-signed certificate.

If my understanding is correct, the self-signed certificate via openssl
doesn't have jks format but the Tomcat JVM only accepts jks format
certificates.

I am just wondering if anyone can give me some instructions on how to create
a self-signed certificate and private key which can be used or imported to
both Tomcat JVM and CAS server.

Thanks,

Lisa

 

 



RE: Certificate for Tomcat JVM and CAS

2007-08-09 Thread Lisa Tan
I don't know if this is the right list to ask this question. I tried to
configure Shibboleth, which uses Tomcat with CAS authentication. I received
an error: Unable to validate ProxyTicketValidator

I did a Google search on this topic and understood the reason causing this
problem is that the Tomcat JVM doesn't trust the SSL cert of the CAS server.
Since I am still in the testing stage, I can't get a CA certificate but only
the self-signed certificate.

If my understanding is correct, the self-signed certificate via openssl
doesn't have jks format but the Tomcat JVM only accepts jks format
certificates.

I am just wondering if anyone can give me some instructions on how to create
a self-signed certificate and private key which can be used or imported to
both Tomcat JVM and CAS server.

Thanks,

Lisa





RE: Failed Authentication

2007-08-03 Thread Lisa Tan
I am trying to set up Tomcat form-based authentication and received the
following error.
Failed authenticate() test ??/j_security_check -
org.apache.catalina.authenticator.AuthenticatorBase [20070802]

What I have done is:
a). in $TOMCAT/conf/server.xml, I add JNDIRealm
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug='55'
       connectionURL="ldap://xxx:xxx"
       userBase="ou=People,dc=example,dc=edu"
       userSearch="(uid={0})"
/>
b). in tomcat WEB-INF/web.xml, I add security and login blocks
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>tracker</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <!-- Security roles referenced by this web application -->
    <security-role>
      <description>All Users</description>
      <role-name>person</role-name>
    </security-role>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ldapRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_error.jsp</form-error-page>
    </form-login-config>
  </login-config>
c). create login.jsp and login_error.jsp and put them in the web-app's
document root
  <form action="j_security_check" method="POST">
    LDAP Authentication<BR>

    <strong>Enter UserId</strong><br>
    <input type="text" name="j_username" size="22">
    <br>
    <strong>Enter Password</strong><br>
    <input type="password" name="j_password" size="22">

    <input type="submit" name="Submit" value="Submit">
  </form>

  login_error.jsp can be as simple as:

<html>
  <body>
  The system was not able to log you in.<br>
    <form>
      <input type="button" onclick="history.go(-1)" value="Retry"/>
    </form>
  </body>
</html>

Any directions will be appreciated. Thanks,

Lisa




RE: Failed Authentication

2007-08-03 Thread Lisa Tan
I am using apache-tomcat-5.5.17, and Apache 2.0.52 which comes with RedHat.

Thanks,

Lisa

-----Original Message-----
From: Propes, Barry L [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 03, 2007 4:40 PM
To: Tomcat Users List
Subject: RE: Failed Authentication

what version do you have? Of TC?

-----Original Message-----
From: Lisa Tan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 03, 2007 9:59 AM
To: 'Tomcat Users List'
Subject: RE: Failed Authentication


I am trying to set up Tomcat form-based authentication and received the
following error.
Failed authenticate() test ??/j_security_check -
org.apache.catalina.authenticator.AuthenticatorBase [20070802]

What I have done is:
a). in $TOMCAT/conf/server.xml, I add JNDIRealm
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug='55'
       connectionURL="ldap://xxx:xxx"
       userBase="ou=People,dc=example,dc=edu"
       userSearch="(uid={0})"
/>
b). in tomcat WEB-INF/web.xml, I add security and login blocks
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>tracker</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <!-- Security roles referenced by this web application -->
    <security-role>
      <description>All Users</description>
      <role-name>person</role-name>
    </security-role>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ldapRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_error.jsp</form-error-page>
    </form-login-config>
  </login-config>
c). create login.jsp and login_error.jsp and put them in the web-app's
document root
  <form action="j_security_check" method="POST">
    LDAP Authentication<BR>

    <strong>Enter UserId</strong><br>
    <input type="text" name="j_username" size="22">
    <br>
    <strong>Enter Password</strong><br>
    <input type="password" name="j_password" size="22">

    <input type="submit" name="Submit" value="Submit">
  </form>

  login_error.jsp can be as simple as:

<html>
  <body>
  The system was not able to log you in.<br>
    <form>
      <input type="button" onclick="history.go(-1)" value="Retry"/>
    </form>
  </body>
</html>

Any directions will be appreciated. Thanks,

Lisa

