trouble applying certificate to cas and uportal

Curtis Garman

trouble applying certificate to cas and uportal

I've been working in a test system trying to get a self-signed
certificate applied to both cas and uportal and have a couple
questions. Since this overlaps both cas and uportal, I'm posting to
both forums.

1) Can the certificate be applied at the apache level or does it have
to be applied on the tomcat level? (I've been trying to make it work
with apache...and have been receiving the error posted below)
2) Once the ssl works, do I simply remove the
BROKEN_SECURITY_ALLOW_NON_SSL init parameter from the uportal web.xml?


------------------------------------------------------
exception

javax.servlet.ServletException:
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator BROKEN SECURITY
MODE SUITABLE ONLY FOR DEMO PURPOSES
casValidateUrl=[https://portap3/cas/serviceValidate]
proxyCallbackUrl=[https://portap3/CasProxyServlet]
ticket=[ST-1-cAFdfHIiYkx1y1DY6gna-cas]
service=[https%3A%2F%2Fportap3%2FLogin] renew=false]]]
        edu.yale.its.tp.cas.client.filter.CASValidateFilter.doFilter(CASValidateFilter.java:345)

root cause

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator BROKEN SECURITY
MODE SUITABLE ONLY FOR DEMO PURPOSES
casValidateUrl=[https://portap3/cas/serviceValidate]
proxyCallbackUrl=[https://portap3/CasProxyServlet]
ticket=[ST-1-cAFdfHIiYkx1y1DY6gna-cas]
service=[https%3A%2F%2Fportap3%2FLogin] renew=false]]]
        edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:54)
        edu.yale.its.tp.cas.client.filter.CASValidateFilter.getAuthenticatedUser(CASValidateFilter.java:393)
        edu.yale.its.tp.cas.client.filter.CASValidateFilter.doFilter(CASValidateFilter.java:342)

root cause

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
        com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
        com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
        com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
        com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
        com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
        com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
        sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
        sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
        com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(HttpsURLConnectionOldImpl.java:204)
        edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:91)
        edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:218)
        edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
        edu.yale.its.tp.cas.client.filter.CASValidateFilter.getAuthenticatedUser(CASValidateFilter.java:393)
        edu.yale.its.tp.cas.client.filter.CASValidateFilter.doFilter(CASValidateFilter.java:342)


--
Curtis Garman
Web Programmer
Heartland Community College

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Marvin Addison

Re: trouble applying certificate to cas and uportal

> 1) Can the certificate be applied at the apache level or does it have
> to be applied on the tomcat level?

Neither.  The exception you quoted below is an SSL trust problem with
the JVM and has nothing to do with the key/truststores used by Tomcat:

> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target

You must install the self-signed certificate of the CAS server into
the system truststore on the portal host.  The default location of the
system truststore is $JAVA_HOME/jre/lib/security/cacerts.

> 2) Once the ssl works, do I simply remove the
> BROKEN_SECURITY_ALLOW_NON_SSL init parameter from the uportal web.xml?

In order to get proxy ticket validation working, the CAS server must
also trust the certificate presented by the portal.  In your case
where you're using a self-signed cert for uPortal as well, you'll need
to import the portal certificate into the CAS server system
truststore.  In the end you import the self-signed certs of both hosts
into the system truststores of their partners.

M

Jon Gorrono

Re: trouble applying certificate to cas and uportal

.....and you can set a different location than the default by using
something like this in your CATALINA_OPTS env var:

-Djavax.net.ssl.trustStore=path_to_truststore

On Mon, Oct 12, 2009 at 6:31 PM, Marvin Addison
<[hidden email]> wrote:




--
Jon Gorrono
PGP Key: 0x5434509D -
http{pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index}
Thawte Notary - https{www.thawte.com/cgi/personal/wot/directory.exe?node=312}
GSWoT Introducer - {GSWoT:US75 5434509D Jon P. Gorrono <jpgorrono - gswot.org>}
http{ats.ucdavis.edu}

Sent from Davis, CA, United States


Curtis Garman

Re: trouble applying certificate to cas and uportal

In reply to this post by Marvin Addison
ok...both cas and uportal are on the same host...so if I'm reading you
right, it sounds like all I need to do is import my self-signed
certificate one time into the system truststore you mentioned and the
exception should go away, correct? If that is the case, my next
question is how do I install my certificate in the system truststore?

Curtis

On Mon, Oct 12, 2009 at 8:31 PM, Marvin Addison
<[hidden email]> wrote:




--
Curtis Garman
Web Programmer
Heartland Community College


Curtis Garman

Re: trouble applying certificate to cas and uportal

In reply to this post by Jon Gorrono
Is there a reason not to use the default location?

Curtis

On Mon, Oct 12, 2009 at 9:54 PM, Jon Gorrono <[hidden email]> wrote:




--
Curtis Garman
Web Programmer
Heartland Community College


Marvin Addison

Re: trouble applying certificate to cas and uportal

In reply to this post by Curtis Garman
> it sounds like all I need to do is import my self-signed
> certificate one time into system truststore you mentioned and the
> exception should go away correct?

Yes.

> If that is the case, my next question is
> how do I install my certificate in the system truststore?

keytool -import -alias your_alias -trustcacerts -file
/path/to/cert.pem -keystore /path/to/keystore -storepass changeit

I recall you are on Windows, so keytool will not likely be on your
path.  It's in $JAVA_HOME/bin.

> Is there a reason not to use the default location?

It's bad practice to import self-signed certificates into the system
keystore/truststore.  (One file is used for both purposes by default.)
If you have your own PKI infrastructure, then it's entirely valid to
import the root certificate of your institution's PKI into the system
truststore.

M

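Marvin's diagnosis and fix above, replayed as an added Go example (not code from this thread, nor from CAS or uPortal): a loopback HTTPS server with a self-signed certificate stands in for the CAS server, a client whose truststore lacks that certificate fails with Go's unknown-authority error (the counterpart of the JVM's "PKIX path building failed"), and adding the server's certificate to a dedicated trust pool, the effect of the keytool -import into a separate truststore rather than the system cacerts, makes the same serviceValidate fetch succeed. The /cas/serviceValidate path comes from the thread; the response body is a constructed stub.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
)

// newCASStandIn starts a loopback HTTPS server with a self-signed certificate,
// standing in for the CAS server in the thread. Its validate endpoint is a
// constructed stub, not real CAS output.
func newCASStandIn() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/cas/serviceValidate", func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "<cas:authenticationSuccess/>") // constructed response
	})
	return httptest.NewTLSServer(mux)
}

// validateWith fetches the validate URL trusting only the certificates in
// trust, the way the JVM trusts only what is in its truststore.
func validateWith(srv *httptest.Server, trust *x509.CertPool) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: trust},
	}}
	resp, err := client.Get(srv.URL + "/cas/serviceValidate")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Reproduce reports whether the untrusted fetch failed with an unknown-authority
// error (Go's counterpart of Java's "PKIX path building failed") and what the
// fetch returned once the server's self-signed cert was added to a dedicated pool.
func Reproduce() (pkixFailed bool, fixedBody string, err error) {
	srv := newCASStandIn()
	defer srv.Close()

	// Empty pool: nothing vouches for the self-signed cert, so verification fails.
	var unknown x509.UnknownAuthorityError
	_, err = validateWith(srv, x509.NewCertPool())
	pkixFailed = errors.As(err, &unknown)

	// Dedicated truststore holding just the peer's cert: what keytool -import does.
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate())
	fixedBody, err = validateWith(srv, trusted)
	return pkixFailed, fixedBody, err
}
```

For the proxy-callback direction Marvin describes, the same import is needed on the CAS side with the portal's certificate, since there the CAS server is the client.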
Curtis Garman

Re: trouble applying certificate to cas and uportal

What is the alias used for?...is it just the name you refer to it by
in the keystore? Also, I used OpenSSL to generate my certificate and I
don't have a file with a .pem extension...I've got my server.csr,
server.key and server.crt

Also, what does the -trustcacerts do?...I'm looking at the following
page (http://www.site.uottawa.ca/~lpeyton/csi5389genkeystore.html) and
I don't see that option used.

On Tue, Oct 13, 2009 at 8:40 AM, Marvin Addison
<[hidden email]> wrote:




--
Curtis Garman
Web Programmer
Heartland Community College


Marvin Addison

Re: trouble applying certificate to cas and uportal

> What is the alias used for?...is it just the name you refer to it by
> in the keystore?

Yes.

> Also, I used OpenSSL to generate my certificate and I
> don't have a file with a .pem extension...I've got my server.csr,
> server.key and server.crt

OpenSSL generates PEM-encoded files by default, so that's what you
have unless you used the -outform DER option, in which case they're
DER-encoded.  keytool should be able to determine the encoding in any
case, so just use what you have.

> also, what does the -trustcacerts do?

It's not required; I'm just in the habit of including it since it's
usually what I mean in our case.  See
http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html for
details.

M

Curtis Garman

Re: trouble applying certificate to cas and uportal

Marvin,

It worked...thanks for the link and thanks for your help!

On Tue, Oct 13, 2009 at 10:24 AM, Marvin Addison
<[hidden email]> wrote:




--
Curtis Garman
Web Programmer
Heartland Community College
