This problem may be due to following possibilities:
1. have u configured SSL?
2. Have u created keystore using "keytool" ?
3. The SSL certificate CN created using "keytool" is not matching the hostname from which request comes. DNS matters !!..
4. For java web application, the self signed certificate must go into jre directory.
5. Obvious situation, have u restarted tomcat after doing all these?..
Here are some steps to avoid this error: ( I did this for a simple java web app)
$ keytool -genkey -alias tomcat -keyalg RSA
$ keytool -export -alias tomcat > /tmp/cert
as root,
# keytool -import -trustcacerts -alias tomcat -file /tmp/cert -keystore /ohome/jdk1.5.0_07/jre/lib/security/cacerts
Clean slate is probably best (worked for me). Here are some step-by-step instructions for a Windows XP based demo environment. This may be useful for other folks since I see this ProxyTicketValidator error a lot on CAS message boards. Basically, started fresh with on a Windows XP professional computer with no JDK/JRE or Tomcat. Using Microsoft Internet Explorer Version 7.0.5730.11. Possible sources of error are highlighted in RED. Step 1: Install JDK Version 1.5.0_11
a. Downloaded jdk-1_5_0_11-windows-i586-p.exe b. Conducted a typical installation, doing next, next, nextc. set JAVA_HOME system environment variable to C:\Program Files\Java\jdk1.5.0_11 Step 2: Used keytool to self-author certificate for DEMO
Reference: http://www.ja-sig.org/wiki/display/CAS/Solving+SSL+issues
which is more readable than http://www.ja-sig.org/products/cas/server/ssl/index.html\\ The entire Command Prompt Dialog is below...(critical for SSL newbees to follow this): Microsoft Windows XP [Version 5.1.2600](C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\ukari>cd program*The filename, directory name, or volume label syntax is incorrect. C:\Documents and Settings\ukari>cd{color} C:\>cd program* C:\Program Files>cd java C:\Program Files\Java>cd jdk* C:\Program Files\Java\jdk1.5.0_11>cd bin C:\Program Files\Java\jdk1.5.0_11\bin>keytool -genkey -alias tomcat -keypass changeit -keyalg RSAEnter keystore password: changeitWhat is your first and last name? [Unknown]: localhost (this is critical...must be accurate server name...I am using this because this is where the request will come from...otherwise change it to wherever the request will come from)What is the name of your organizational unit? [Unknown]: Information SystemsWhat is the name of your organization? [Unknown]: PacificDisasterCenterWhat is the name of your City or Locality? [Unknown]: KiheiWhat is the name of your State or Province? [Unknown]: HIWhat is the two-letter country code for this unit? [Unknown]: USIs CN=localhost, OU=Information Systems, O=PacificDisasterCenter, L=Kihei, ST=HI, C=US correct? [no]: yes C:\Program Files\Java\jdk1.5.0_11\bin>keytool -export -alias tomcat -keypass changeit -file server.crtEnter keystore password: changeitCertificate stored in file <server.crt> C:\Program Files\Java\jdk1.5.0_11\bin>keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacertsEnter keystore password: changeitOwner: CN=localhost, OU=Information Systems, O=PacificDisasterCenter, L=Kihei, ST=HI, C=USIssuer: CN=localhost, OU=Information Systems, O=PacificDisasterCenter, L=Kihei, ST=HI, C=USSerial number: 462030d8Valid from: Fri Apr 13 15:39:36 HST 2007 until: Thu Jul 12 15:39:36 HST 2007Certificate fingerprints: MD5: CC:3B:FB:FB:AE:12:AD:FB:3E
5:98:CB:2E:3B:0A:AD SHA1: A1:16:80:68:39:C7:58:EA:2F:48:59:AA:1D:73:5F:56:78:CE:A4:CETrust this certificate? [no]: yesCertificate was added to keystore C:\Program Files\Java\jdk1.5.0_11\bin> At this stage we have a .keystore file created in (typically) C:\Documents and Settings\<user> and the %JAVA_HOME%\jre\lib\security\cacerts file with the corresponding certificate. Step 3: Install Tomcat a. Selected the Windows Installer version at b. When prompted for directory, changed default it to C:\tomcat5.5.23c. When prompted for applications, I added all examples, webapps etc.the next step was probably very critical (God only knows what my previous tomcat was pointing to)d. When prompted for JRE, changed default to %JAVA_HOME%/jre (home of new cacerts) " rel="nofollow">http://tomcat.apache.org/download-55.cgi#5.5.23b. When prompted for directory, changed default it to C:\tomcat5.5.23c. When prompted for applications, I added all examples, webapps etc.the next step was probably very critical (God only knows what my previous tomcat was pointing to)d. When prompted for JRE, changed default to %JAVA_HOME%/jre (home of new cacerts) e. Clicked finish and verified tomcat running as a service, also by doing http://localhost:8080 and finally the logs look very clean as well. Step 4: Configure Tomcat server.xml a. Uncommented connector element for port 8443b. added the parameters for keystoreFile, keystorePass, truststoreFile c. bounced tomcat <!
- Define a SSL HTTP/1.1 Connector on port 8443 -> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:/Documents and Settings/ukari/.keystore" keystorePass="changeit" truststoreFile="C:/Program Files/Java/jdk1.5.0_11/jre/lib/security/cacerts" /> Step 5: CASify HelloWorld Servlet within the standard examples a. verified that http://localhost:8080/servlets-examples/servlet/HelloWorldExample works.b. added the following to web.xml of the servlets-examples context.Reference: http://www.ja-sig.org/wiki/display/CASC/Using+CASFilter <filter> <filter-name>CAS Filter</filter-name> <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name> <param-value>https://localhost:8443/cas/login</param-value> </init-param> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name> <param-value>https://localhost:8443/cas/serviceValidate</param-value> </init-param> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name> <param-value>localhost:8080</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Filter</filter-name> <url-pattern>/servlet/HelloWorldExample</url-pattern> </filter-mapping> Step 6: Drop CAS Client jar into the servlets-examples contextURL: http://www.ibiblio.org/maven/cas/jars/ a. created the lib directory under servlets-examples/WEB-INFb. Download that casclient-2.1.1.zip from the URL http://www.ibiblio.org/maven/cas/jars/ into C:\Tomcat5.5.23\webapps\servlets-examples\WEB-INF\libc. RENAME the zip file to jar file. Step 7: Download and Deploy CAS URL: http://www.ja-sig.org/products/cas/downloads/index.html a. Download the cas-server-3.0.7.zip file. b. Extract it all to c:\cas-server-3.0.7 directory.c. copy cas.war from C:\cas-server-3.0.7\cas-server-3.0.7\target to C:\Tomcat5.5.23\webapps (this deploys cas if tomcat is running...but just to be sure...step 8) Step 8. Clean start a. Stop tomcat, clear all logs, start tomcatb. Examine logs stdout_20070413.log (looks "normal"): 2007-04-13 16:32:02,082 INFO [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - <No PasswordEncoder set. Using default: org.jasig.cas.authentication.handler.PlainTextPasswordEncoder>2007-04-13 16:32:02,082 INFO [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - <No Class to Support set. Using default: org.jasig.cas.authentication.principal.UsernamePasswordCredentials>2007-04-13 16:32:02,082 WARN [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - <org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler is only to be used in a testing environment. NEVER enable this in a production environment.>2007-04-13 16:32:02,129 INFO [org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - <No UniqueTicketIdGenerator specified for org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler. Using org.jasig.cas.util.DefaultUniqueTicketIdGenerator>2007-04-13 16:32:04,316 INFO [org.jasig.cas.web.ServiceValidateController] - <No successView specified. Using default of casServiceSuccessView>2007-04-13 16:32:04,316 INFO [org.jasig.cas.web.ServiceValidateController] - <No failureView specified. Using default of casServiceFailureView>2007-04-13 16:32:04,363 INFO [org.jasig.cas.web.ServiceValidateController] - <No authentication specification class set. Defaulting to org.jasig.cas.validation.Cas20ProtocolValidationSpecification>2007-04-13 16:32:04,363 INFO [org.jasig.cas.web.ServiceValidateController] - <No successView specified. Using default of casServiceSuccessView>2007-04-13 16:32:04,363 INFO [org.jasig.cas.web.ServiceValidateController] - <No failureView specified. Using default of casServiceFailureView>2007-04-13 16:32:04,473 INFO [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <FormObjectClass not set. Using default class of org.jasig.cas.authentication.principal.UsernamePasswordCredentials with formObjectName credentials and validator org.jasig.cas.validation.UsernamePasswordCredentialsValidator.>2007-04-13 16:32:22,223 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Starting cleaning of expired tickets from ticket registry at [Fri Apr 13 16:32:22 HST 2007]>2007-04-13 16:32:22,223 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 found to be removed. Removing now.>2007-04-13 16:32:22,223 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished cleaning of expired tickets from ticket registry at [Fri Apr 13 16:32:22 HST 2007]> catalina.2007-04-13.log (looks "normal"): Apr 13, 2007 4:31:56 PM org.apache.catalina.core.AprLifecycleListener lifecycleEventINFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Tomcat5.5.23\bin;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGLApr 13, 2007 4:31:57 PM org.apache.coyote.http11.Http11BaseProtocol initINFO: Initializing Coyote HTTP/1.1 on http-8080Apr 13, 2007 4:31:58 PM org.apache.coyote.http11.Http11BaseProtocol initINFO: Initializing Coyote HTTP/1.1 on http-8443Apr 13, 2007 4:31:58 PM org.apache.catalina.startup.Catalina loadINFO: Initialization processed in 2859 msApr 13, 2007 4:31:58 PM org.apache.catalina.core.StandardService startINFO: Starting service CatalinaApr 13, 2007 4:31:58 PM org.apache.catalina.core.StandardEngine startINFO: Starting Servlet Engine: Apache Tomcat/5.5.23Apr 13, 2007 4:31:58 PM org.apache.catalina.core.StandardHost startINFO: XML validation disabledApr 13, 2007 4:32:00 PM org.apache.catalina.startup.HostConfig deployWARINFO: Deploying web application archive cas.warApr 13, 2007 4:32:06 PM org.apache.coyote.http11.Http11BaseProtocol startINFO: Starting Coyote HTTP/1.1 on http-8080Apr 13, 2007 4:32:07 PM org.apache.coyote.http11.Http11BaseProtocol startINFO: Starting Coyote HTTP/1.1 on http-8443Apr 13, 2007 4:32:07 PM org.apache.jk.common.ChannelSocket initINFO: JK: ajp13 listening on /0.0.0.0:8009Apr 13, 2007 4:32:07 PM org.apache.jk.server.JkMain startINFO: Jk running ID=0 time=0/47 config=nullApr 13, 2007 4:32:07 PM org.apache.catalina.storeconfig.StoreLoader loadINFO: Find registry server-registry.xml at classpath resourceApr 13, 2007 4:32:07 PM org.apache.catalina.startup.Catalina startINFO: Server startup in 8891 ms localhost.2007-04-13.log (looks "normal"): Apr 13, 2007 4:32:04 PM org.apache.catalina.core.ApplicationContext logINFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain: [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cnn.com\], [org.apache.webapp.balancer.rules.RequestParameterRule: Target param name: paramName / Target param value: paramValue / Redirect URL: http://www.yahoo.com\], [org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL: http://jakarta.apache.org\]\]Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext logINFO: ContextListener: contextInitialized()Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext logINFO: SessionListener: contextInitialized()Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext logINFO: ContextListener: contextInitialized()Apr 13, 2007 4:32:05 PM org.apache.catalina.core.ApplicationContext logINFO: SessionListener: contextInitialized() All other log files stderr, admin, host-manager, jakarta_service, manager are of size 0K. Checked stderr to make sure!! step 9. TRY IT a. Use fresh browser session to accesshttp://localhost:8080/servlets-examples/servlet/HelloWorldExample b. Get past all browser alerts/warnings to CAS login pagec. Logged in as uday/uday (just need to ensure userid is same as password) d. Again all sorts of alerts/warnings e. See Hello World...success. Logs stdout_20070413.log (three new records): 2007-04-13 16:39:01,238 INFO [org.jasig.cas.web.flow.AutomaticCookiePathSetterAction] - <Setting ContextPath for cookies to: /cas>2007-04-13 16:39:18,271 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: uday>2007-04-13 16:39:18,286 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-V03EdNba1e3cMxeoEbEHwXfoefftIeeRxuO-20] for service [http://localhost:8080/servlets-examples/servlet/HelloWorldExample] for user [uday]> localhost.2007-04-13.log (new records): Apr 13, 2007 4:38:51 PM org.apache.catalina.core.ApplicationContext logINFO: SessionListener: sessionCreated('6ED4CFE9A5D7BA592372A3E67DF7D6E8')Apr 13, 2007 4:38:51 PM org.apache.catalina.core.ApplicationContext logINFO: SessionListener: attributeAdded('6ED4CFE9A5D7BA592372A3E67DF7D6E8', 'edu.yale.its.tp.cas.client.filter.didGateway', 'true')Apr 13, 2007 4:38:51 PM org.apache.catalina.core.ApplicationContext logINFO: InvokerFilter(ApplicationFilterConfig[name=Path Mapped Filter, filterClass=filters.ExampleFilter]): 31 millisecondsApr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext logINFO: SessionListener: attributeAdded('6ED4CFE9A5D7BA592372A3E67DF7D6E8', 'edu.yale.its.tp.cas.client.filter.user', 'uday')Apr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext logINFO: SessionListener: attributeAdded('6ED4CFE9A5D7BA592372A3E67DF7D6E8', 'edu.yale.its.tp.cas.client.filter.receipt', '[edu.yale.its.tp.cas.client.CASReceipt userName=[uday] casValidateUrl=[https://localhost:8443/cas/serviceValidate] proxyCallbackUrl=[null] pgtIou=[null] casValidateUrl=[https://localhost:8443/cas/serviceValidate] proxyList=[[]]]')Apr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext logINFO: SessionListener: attributeRemoved('6ED4CFE9A5D7BA592372A3E67DF7D6E8', 'edu.yale.its.tp.cas.client.filter.didGateway', 'true')Apr 13, 2007 4:39:19 PM org.apache.catalina.core.ApplicationContext logINFO: InvokerFilter(ApplicationFilterConfig[name=Path Mapped Filter, filterClass=filters.ExampleFilter]): 860 milliseconds All other logs unchanged. Done (Success). Well sorta. At least no ProxyTicketValidator exceptions this time! Still need to CAS-ify some other application and see if it works between two applications on separate machines.