/status/dashboard - page not found
352 views
Skip to first unread message
Carlos Eduardo Santos
Feb 2, 2018, 7:54:00 AM2/2/18
to CAS Community
/ status / dashborad - Page not found.
Hello everyone, I have been trying to configure the CAS server for a few days (following all the information from "the new school"). The information is very clear, but I could not access anything ahead of / status /.
To the status page I can visualize the dashboard, for example, nothing.
Below the configuration of cas.properties
cas.server.name = http: // xxxxxxxxxxxxxx
cas.server.prefix = $ {server.name} / cas
cas.tgc.secure = true
cas.tgc.encryptionKey = DCETkZ33-A7TETvjgZ24J_o2xQkyQxc0FCFa725ubnY
cas.tgc.signingKey = 8y-RtN0Ny3VF9DAkNQPvIeXXkHtTetFu9bEcG5G7F95ckmSdvE9ZdMSbVCRvBEmwJv_Bbr7wBIfsCrXdo-IytQ
cas.webflow.crypto.signing.key = J4qjH74TlZY5Ic6GTnblZbwKN4Ye1mBuMEr-a3_DNpakNbmkX0LUmXGQ30oetbf8N_dNXsG_rdjWyXUOen1mEA
cas.webflow.crypto.encryption.key = dE1URfP5K6nvFtnUgBppQw ==
cas.authn.accept.users =
logging.config = file: /etc/cas/config/log4j2.xml
cas.serviceRegistry.config.location = file: / etc / cas / services
cas.authn.accept.users =
cas.authn.ldap [0] .order = 0
cas.authn.ldap [0] .name = Active Directory
cas.authn.ldap [0] .type = AUTHENTICATED
cas.authn.ldap [0] .ldapUrl = ldap: //10.1.0.48:389
cas.authn.ldap [0] .userFilter = sAMAccountName = {user}
cas.authn.ldap [0] .useSsl = false
cas.authn.ldap [0] .baseDn = OU = CNANET, DC = cna, DC = org, DC = br
cas.authn.ldap [0] .dnFormat = uid =% s, ou = people, dc = example, dc = org
cas.authn.ldap [0] .subtreeSearch = true
cas.authn.ldap [0] .bindDn = cn = xxxxx, cn = Users, dc = xxx, dc = org, dc = br
cas.authn.ldap [0] .bindCredential = xxxxxxx
cas.adminPagesSecurity.actuatorEndpointsEnabled = true
cas.monitor.endpoints.enabled = true
endpoints.enabled = true
cas.adminPagesSecurity.ip = ^ 10 \\. 1 \\. (3 \\. [0-9] {1,3} | 0 \\. [12] 0) $
cas.monitor.endpoints.sensitive = false
endpoints.sensitive = false
cas.adminPagesSecurity.loginUrl = $ {cas.server.prefix} / login
cas.adminPagesSecurity.service = $ {cas.server.prefix} / status / dashboard
cas.adminPagesSecurity.users = file: /etc/cas/config/admusers.properties
cas.adminPagesSecurity.adminRoles [0] = ROLE_ADMIN
##############
I'm trying to free cas.adminPagesSecurity.ip for the 10.1.3.0/24 network. but I do not know if that's the right way.
I've tried to follow another topic that talks about it but without success.
Please, can someone help me !!!
Thank you.
Bergner, Arnold
Feb 2, 2018, 8:28:55 AM2/2/18
to cas-...@apereo.org
Maybe a dumb question, but you have tried /cas/status/dashboard, right?
From a quick glance, I cannot find any problems in the config.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
cas-user+u...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/aeed34f4-003b-45ed-9221-264c6f45ea04%40apereo.org.
David Curry
Feb 2, 2018, 8:30:27 AM2/2/18
to cas-...@apereo.org
Carlos,
The only mistake I see here is that on the second line, cas.server.prefix should be getting set to ${cas.server.name}/cas, not ${server.name}/cas.
As for the adminPages configuration, based on what you've provided, you should be able to access
http[s]://your.cas.server/cas/status
from any IP address in 10.1.3.0/24 or from 10.1.0.10, or from 10.1.0.20. You should be able to do this using either a web browser or even just curl, without any further authentication required, and get a small plain-text page back that contains the server status, version, etc. The result should look something like this:
Health: OK1.SessionMonitor: OK - 1 sessions. 0 service tickets.2.MemoryMonitor: OK - 1452.29MB free (79.77%), 368.32MB used, 1820.61MB total.Host: casdev-srv01Server: https://casdev.newschool.eduVersion: 5.2.2
Does that part work? If so, move on to the next part. If not, set <Property name="cas.log.level" >debug</Property> near the top of log4j2.xml, restart the server, and check cas.log.
If the above is working, then you should also be able to access
http[s]://your.cas.server/cas/status/dashboard
and have the CAS login page appear. Don't forget that in order for this to work, you need to create an entry in the service registry for the dashboard URL:
"serviceId" : "^https://your.cas.server/cas/status/dashboard(\\z|/.*)",
Does that part work? If so, move on to the next part. If not, it's probably a service registry problem.
If the above is working, then you should authenticate to the CAS server as a user you've listed in admusers.properties. This file should have lines like
username=passwordnotused,ROLE_ADMIN
Where username is the user's LDAP user name (sAMAccountName in your setup). The user should use his/her LDAP password.
Does that part work? If not, check the debug logs, or report back here with the error message(s) you're seeing.
Good luck,
--Dave
--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
Carlos Eduardo Santos
Feb 2, 2018, 9:32:07 AM2/2/18
to CAS Community
Hi David,
I can only have the / status /
now the dashboard and cas-management are giving error "ERR_CONNECTION_REFUSED" I have the firewalld disabled and SELINUX tbm so I have no problem with that.
I can not identify where the mistake is.
- cas-management.log is not registering anything.
- The admusers.properties file is with the 2 users below.
gnarls = passwordnotused, ROLE_ADMIN
carlos.alves = passwordnotused, ROLE_ADMIN
- The CASAdminDashboard-1517507674.json service is as described below.
"@class": "org.apereo.cas.services.RegexRegisteredService",
"serviceId": "^ https: //scna-cas.cna.org.br/cas/status/dashboard (\\ z | /.*)",
"name": "CAS Admin Dashboard",
"id": 1517507674,
"description": "CAS dashboard and administrative endpoints",
"evaluationOrder": 5000
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
David Curry
Feb 2, 2018, 9:37:10 AM2/2/18
to cas-...@apereo.org
The dashboard and cas-management are two completely different things; I suggest focusing on one at a time.
If you're getting ERR_CONNECTION_REFUSED, that means there is nothing listening on the server/port you're trying to connect to.
Are you using HTTPS or HTTP?
The config file you posted before had "http", but your service registry has "https". You need to be using the same thing everywhere, and then connecting to the right port.
--Dave
--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a015990e-68d9-4477-992b-fc2d2c19040d%40apereo.org.
Carlos Eduardo Santos
Feb 2, 2018, 9:56:55 AM2/2/18
to CAS Community
I'm using https on all files, as can be seen below
Do you have any records that I can see if the service registry is working properly?
CASServiceManagement-1517578442.json
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https://scna-cas.cna.org.br/cas-management(\\z|/.*)",
"name" : "CAS Services Management",
"id" : 1517578442,
"description" : "CAS services management webapp",
"evaluationOrder" : 5500
}
CASAdminDashboard-1517507674.json
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https://scna-cas.cna.org.br/cas/status/dashboard(\\z|/.*)",
"name" : "CAS Admin Dashboard",
"id" : 1517507674,
"description" : "CAS dashboard and administrative endpoints",
"evaluationOrder" : 5000
}
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a015990e-68d9-4477-992b-fc2d2c19040d%40apereo.org.
David Curry
Feb 2, 2018, 10:22:23 AM2/2/18
to cas-...@apereo.org
Carlos,
Can you confirm that your CAS server is otherwise working -- you can use it to authenticate other services besides the dashboard and services management webapp? Or is nothing working?
If you are getting ERR_CONN_REFUSED, then your client (browser or whatever) is trying to connect to a host/port where nothing is listening. What do you see if you run
sudo netstat -plnt
on the CAS server?
Based on some of your settings, it looks like perhaps you're following the steps in my "Deploying Apereo CAS" documentation. Is that the case? And if it is, did you follow the document from the beginning, including setting up a load balancer in front of the server?
Because by default, Tomcat/CAS listens on port 8443 (not 443). My document installs a load balancer in front of multiple CAS servers; the load balancer listens on port 443 and connects to a CAS server on port 8443. If you skipped over the part about installing a load balancer (or a proxy) to do the 443->8443 translation, then your CAS server URLs should start with
https://scna-cas.cna.org.br:8443/cas/....
(Or you could change the Tomcat configuration to listen on port 443 instead of 8443.)
--Dave
--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/67740b15-321a-4baf-b2ad-1f981c399c0d%40apereo.org.
Carlos Eduardo Santos
Feb 2, 2018, 12:05:08 PM2/2/18
to CAS Community
Yes David, I'm following the steps of your documentation and yes, I did not do the loadbalance part.
I could not create other services, these two mentioned would be the basic for me to try to create others through the web interface.
David, without the loadbalance you say that the services would have to stay this way?
{
"@class": "org.apereo.cas.services.RegexRegisteredService",
"serviceId": "^ https: //scna-cas.cna.org.br: 8443 / cas-management (\\ z | /.*)",
"name": "CAS Services Management",
"id": 1517578442,
"description": "CAS services management webapp",
"evaluationOrder": 5500
}
would have to change in cas.properties the server to
cas.server.name = scna-cas.cna.org.br: 8443
I tried with the change of service in the way above and it did not work too.
below from the netstat command.
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1193/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1902/master
tcp6 0 0 :::22 :::* LISTEN 1193/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1902/master
tcp6 0 0 :::8443 :::* LISTEN 19813/jsvc.exec
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/67740b15-321a-4baf-b2ad-1f981c399c0d%40apereo.org.
David Curry
Feb 2, 2018, 1:38:35 PM2/2/18
to cas-...@apereo.org
Hi Carlos,
The document was written to take a "baby steps" approach of getting one feature/function working at a time to make it easier to understand what's going on and to diagnose problems. You've jumped ahead several steps, which you can of course do, but you might want to go back and review earlier sections to make sure you have performed all the configuration steps that the later sections assume have been done.
BUT... to try and get what you already have working, I think these steps should get you most of the way there:
1. Open the server firewall to allow TCP connections on Port 443.
2. If you haven't already done so, create/obtain a TLS/SSL certificate and install it in Tomcat's keystore.
3. Adjust cas.properties to contain:
cas.server.prefix = ${cas.server.name}/cas
4. Change the service registry file for the dashboard to contain
"serviceId" : "^https://scna-cas.cna.org.br:8443/cas/status/dashboard(\\z|/.*)",
5. Change the service registry file for the management webapp to contain
"serviceId" : "^https://scna-cas.cna.org.br:8443/cas-management(\\z|/.*)",
6. Direct your web browser (or curl) to
If that still doesn't work, it honestly might be easier to go back and work step-by-step from the beginning. Instructions (as well as examples you can copy-and-paste to edit) for creating service registry files without the webapp, etc. are all provided.
You don't have to set up a load balancer or proxy (although that's the environment the document assumes); you can configure the firewall to forward 443 to 8443 instead with something like
firewall-cmd --permanent --add-forward-port=port=443:proto=tcp:toport=8443
or you can configure Tomcat to do it.
--Dave
--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a2e1a7a-3d75-481e-9e24-487d7aea8a5e%40apereo.org.
Carlos Eduardo Santos
Feb 2, 2018, 2:20:24 PM2/2/18
to CAS Community
I followed the document leaving only the stage of loadbalance, but it seems to leave some more things behind.
now access the page, but look at the error that is presenting on both pages.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a2e1a7a-3d75-481e-9e24-487d7aea8a5e%40apereo.org.
David Curry
Feb 2, 2018, 2:55:14 PM2/2/18
to cas-...@apereo.org
That's not a CAS-specific problem; it looks like something is wrong with your TLS/SSL certificate or your keystore.
Does your server certificate have "scna-cas.cna.org.br" as its host name (CN)?Did you include any/all intermediate/root certificates in the cetificate you imported into the keystore?Did you name the certificate "tomcat" in the keystore?Did you configure Tomcat's HTTPS connector to use the keystore that contains your certificate?
This is all covered here: https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_configure-tlsssl-settings.html
Note that those instructions assume you're going to use a "real" certificate signed by a certificate authority, not a self-signed certificate. You can use self-signed certificates if you really want to, but if you do, you can skip all the steps in the first two sections of the link above ("Generate a private key..." and "Import the certificate...") and just do something like this instead:
# cd /opt/tomcat# keytool -genkey -alias tomcat -keyalg RSA -validity 365 –keystore keystore.jksEnter keystore password: changeitRe-enter new password: changeitWhat is your first and last name?[Unknown]: scna-cas.cna.org.br(enter the fully qualified domain name of your server here)What is the name of your organizational unit?[Unknown]: TestWhat is the name of your organization?[Unknown]: TestWhat is the name of your City or Locality?[Unknown]: TestWhat is the name of your State or Province?[Unknown]: TestWhat is the two-letter country code for this unit?[Unknown]: TestIs CN=scna-cas.cna.org.br, OU=Test, O=Test, L=Test, ST=Test, C=Testcorrect?[no]: yesEnter key password for <tomcat>(RETURN if same as keystore password): (press RETURN)#
Then continue with the "Configure Tomcat server settings" section of the page linked above.
If you can't or don't want to purchase a "real" certificate from a certificate authority, you might also consider using a certificate from Let's Encrypt, which is free (but must be renewed every 90 days). This will behave more like a "real" certificate and avoid many of the annoyances that you'll experience with self-signed certificates. Google "lets encrypt tomcat 8" for guidance on how to do that.
--Dave
--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/17a504b3-1be5-4adc-a63a-3df2c70029a7%40apereo.org.
Carlos Eduardo Santos
Feb 5, 2018, 2:28:40 PM2/5/18
to CAS Community
I did the procedure that indicated but I still receive the "500: Internal Server Error" I will try now with the Let's Encrypt certificate to see if it works.
2018-02-05 17:02:15,397 ERROR [org.jasig.cas.client.util.CommonUtils] - <sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_161]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) ~[?:1.8.0_161]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) ~[?:1.8.0_161]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:1.8.0_161]
...
Can you identify with this passage what the problem with the certificate really is ?
thanks again !! :(
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/17a504b3-1be5-4adc-a63a-3df2c70029a7%40apereo.org.
David Curry
Feb 5, 2018, 3:16:44 PM2/5/18
to cas-...@apereo.org
> Can you identify with this passage what the problem with the certificate really is ?
I'm GUESSING here, but "unable to find valid certification path to requested target" suggests to me that the server cannot find one or more of the certificates in the chain between the certificate authority and your certificate.
If you're using a self-signed certificate, that probably means it can't find the certificate itself. (If you were using a "real" certificate from a certificate authority, it would probably mean that you haven't loaded one or more of the CA's intermediate certificates.)
Did you give the certificate the "tomcat" alias when you installed it in your keystore?
You might want to check the directions here:
(Skip over the first blue box that shows an openssl command, and start reading at the paragrap beginning "To create a new JKS keystore from scratch...")
--Dave
--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8af99ef5-6027-4581-8521-1d9e5105cd62%40apereo.org.
Carlos Eduardo Santos
Feb 6, 2018, 6:39:29 AM2/6/18
to CAS Community
Sirs, I was able to create a certificate by the windows server with a "real" certificate for the "scna-cas.pfx" served, I saw that I can only change the format for p12.
Now can I give it the nickname of tomcat and add it to the keystore, so tomcat / cas can use it?
Is this problem not linked to the "thekeystore" configured in application.properties?
Attached the cas.log with the complete error.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8af99ef5-6027-4581-8521-1d9e5105cd62%40apereo.org.
David Curry
Feb 6, 2018, 8:33:48 AM2/6/18
to cas-...@apereo.org
You need to get the certificate into whatever keystore Tomcat is using, and it MUST have the alias "tomcat" associated with it. The link I included before:
should contain instructions for doing that. Keytool does understand .p12 certificates, so that should be fine.
Also, if your certificate requires an intermediate certificate between it and the root certificate (I don't remember if Let's Encrypt certs do or not, if that's what you're using), you'll need to combine the certificates, in the correct order, before you import them into the keystore. I provided instructions for combining certificates in my documentation here:
But that assumes PEM certificates and a Linux environment with OpenSSL; I don't know the equivalent Windows commands (although if you've got OpenSSL on your Windows server they should be similar; Google should be able to help).
--Dave
--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/69723a80-1b26-4bdd-be35-a0be66a2c003%40apereo.org.
Carlos Eduardo Santos
Feb 6, 2018, 1:12:35 PM2/6/18
to CAS Community
Thank you gentlemen for all the help. Thank you David !
I was able to solve the certificate problem, I had problem with admusers.properties but I was able to resolve and access the dashboard.
As a solution, I had to create a new certificate with the domain certificates we have, following the steps of the excellent documentation provided by David.
Now I'm accessing the dashboard and other options and also cas-management.
Thank you one more time !!
David Curry
Feb 6, 2018, 1:17:57 PM2/6/18
to cas-...@apereo.org
Glad to hear you got it working.
--Dave
--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david...@newschool.edu
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/49ce8b1c-a86b-41e1-b1c3-d86ec4f06659%40apereo.org.
arti wavale
Mar 25, 2021, 7:23:19 AM3/25/21
to CAS Community, Carlos Eduardo Santos
Hello,
I am facing same issue so can you tell me how you created certificate and share your admusers.properties file once
ISSUE:
CAS is unable to process this request: "500:Internal Server Error"
org.pac4j.core.exception.TechnicalException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: No subject alternative names present
at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:170)
at org.pac4j.springframework.web.SecurityInterceptor.preHandle(SecurityInterceptor.java:65)
at org.pac4j.springframework.web.SecurityInterceptor$$FastClassBySpringCGLIB$$efdcf9fe.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:673)
at org.pac4j.springframework.web.SecurityInterceptor$$EnhancerBySpringCGLIB$$577bc7b.preHandle(<generated>)
at org.apereo.cas.config.CasSecurityContextConfiguration$CasAdminStatusInterceptor.preHandle(CasSecurityContextConfiguration.java:155)
at org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:133)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:962)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apereo.cas.web.support.AuthenticationCredentialsLocalBinderClearingFilter.doFilter(AuthenticationCredentialsLocalBinderClearingFilter.java:28)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:245)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:111)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:93)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:117)
at org.springframework.boot.web.support.ErrorPageFilter.access$000(ErrorPageFilter.java:61)
at org.springframework.boot.web.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:92)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:110)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:324)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:69)
at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: No subject alternative names present
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:458)
at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
at org.pac4j.cas.credentials.authenticator.CasAuthenticator.validate(CasAuthenticator.java:62)
at org.pac4j.cas.client.direct.DirectCasClient.retrieveCredentials(DirectCasClient.java:68)
at org.pac4j.cas.client.direct.DirectCasClient.retrieveCredentials(DirectCasClient.java:37)
at org.pac4j.core.client.DirectClient.getCredentials(DirectClient.java:44)
at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:115)
... 90 more
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:444)
... 97 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:156)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:100)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:230)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 113 more
Ray Bon
Mar 25, 2021, 12:50:22 PM3/25/21
to cas-...@apereo.org
Arti,
'subject alternative name' is part of your SSL certificate.
See, https://apereo.github.io/cas/6.3.x/installation/Troubleshooting-Guide.html#no-subject-alternative-names, for some trouble shooting.
Ray
On Thu, 2021-03-25 at 04:23 -0700, arti wavale wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
arti wavale
Mar 27, 2021, 2:14:55 AM3/27/21
to cas-...@apereo.org
Hello Ray Bon,
Thanks for your response
Thanks and Regards
Arti
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/87c3f463042323bbf3bd152629ac03ec02a5a401.camel%40uvic.ca.
arti wavale
Mar 30, 2021, 2:54:16 AM3/30/21
to CAS Community, Ray Bon
Hello,
Created ssl certificate in CAS 5.2 server system
1] keytool -genkey -keyalg RSA -alias thekeystore -keystore thekeystore -storepass changeit -validity 360 -keysize 2048 -ext san=ip:192.168.07.111
2] keytool -export -alias thekeystore -keypass changeit -file cas.crt -keystore thekeystore -storepass changeit
3] keytool -import -file cas.crt -alias thekeystore -keypass changeit -keystore /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
created ssl certificate in Apache client system
1] openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout client.key -out client.crt
How can I connect cas server 5.2 to Apache client
Apache client side, I can redirected to cas server login page but after entered username and password then it is show "Unauthorized " error page
which certificate i need to pass from server to client /etc/ssl/certs path
how can i connect server and client to each other
Thanks and Regards
Arti
Ray Bon
Mar 30, 2021, 11:30:47 AM3/30/21
to artiw...@gmail.com, cas-...@apereo.org
Arti,
When using self signed certificates, both ends need to know about the other certificate. You can create one certificate and add it to both apache and cas or you can install both certificates in the client and in the server. If both applications are running
on the same computer, the one certificate approach will be sufficient (create the one for apache first and import it into keytool).
Also, check your logs to see why 'Unauthorized' is displayed.
Ray
P.S. the -alias property should be a name for your application that you would use to search in keytool.
Reply all
Reply to author
Forward
0 new messages