Share with mod_auth_cas not working

jmwarfe
Champ in-the-making
I'm in the process of trying to get Community Edition 3.2r to talk with my university's CAS server. So far I have followed the wiki page instructions for external authentication and can now log into the Alfresco Explorer using SSO; however, Share gives me the error below. I'm wondering if my shared/classes/alfresco/web-extension/webscript-framework-config-custom.xml is configured properly and being read, or if there is an issue with my SSL certificates. Any thoughts as to what might be the problem?

Thanks in advance!

Tomcat Error:

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: org.alfresco.web.site.exception.RequestContextException: Exception running UserFactory in HttpRequestContextFactory
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:146)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

org.alfresco.web.site.exception.RequestContextException: Exception running UserFactory in HttpRequestContextFactory
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:117)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

org.alfresco.web.site.exception.UserFactoryException: Unable to retrieve user from repository
   org.alfresco.web.site.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:252)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:176)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:110)
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:93)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

org.json.JSONException: A JSONObject text must begin with '{' at character 1 of <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><meta content="text/html; charset=utf-8" http-equiv="Content-Type"/>…..</html>
   org.json.JSONTokener.syntaxError(Unknown Source)
   org.json.JSONObject.<init>(Unknown Source)
   org.json.JSONObject.<init>(Unknown Source)
   org.alfresco.web.site.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:165)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:176)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:110)
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:93)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)



webscript-framework-config-custom.xml:
<alfresco-config>
  
   <!-- Overriding endpoints to reference a remote Alfresco server -->
   <!--
   <config evaluator="string-compare" condition="Remote">
      <remote>

         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://yourserver:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://yourserver:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://yourserver:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
         
      </remote>
   </config>
   -->
   
   <!-- Overriding endpoints to reference an Alfresco server with external SSO or NTLM enabled -->
   <!-- NOTE: For NTLM, the NTLM Authentication Filter must also be enabled in share web.xml -->
   <!-- NOTE: if utilising a load balancer between web-tier and repository cluster, the "sticky -->
   <!--       sessions" feature of your load balancer must be used -->
   <config evaluator="string-compare" condition="Remote" replace="true">
        <remote>
            <!-- SSL client certificate + trusted CAs. Optionally used to authenticate share to an external SSO system such as CAS -->
            <keystore>
                <path>/opt/Alfresco/tomcat/shared/classes/alfresco/web-extension/alfresco-system.p12</path>
                <type>pkcs12</type>
                <password>alfresco</password>
            </keystore>
        
            <connector>
                <id>alfrescoCookie</id>
                <name>Alfresco Connector</name>
                <description>Connects to an Alfresco instance using cookie-based authentication</description>
                <class>org.alfresco.connector.AlfrescoConnector</class>
            </connector>

            <endpoint>
                <id>alfresco</id>
                <name>Alfresco - user access</name>
                <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                <connector-id>alfrescoCookie</connector-id>
                <endpoint-url>http://<hostname removed>/alfresco/wcs</endpoint-url>
                <identity>user</identity>
                <external-auth>true</external-auth>
            </endpoint>
           
        </remote>
    </config>
</alfresco-config>
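The stack trace above says the repository answered Share's user lookup with an HTML page instead of JSON, which is what you see when the `alfresco` endpoint is not the one you think it is or the client certificate never reaches the repository. The following sanity check for a Share Remote config is an added example, not code from the thread or from Alfresco: it parses a constructed config modelled on the one above (hostname and keystore path are placeholders) and reports the things worth verifying first. The checks themselves (an overriding Remote block with `replace="true"`, an `alfresco` endpoint whose connector exists and has `external-auth` set, a keystore that exists, and an endpoint URL a client certificate can actually be presented to) are my assumptions about what the override is meant to achieve.

```python
"""Sanity checks for a Share webscript-framework-config-custom.xml (added example).

Assumptions (not from the thread): the checks encode what the override is
trying to achieve, namely a Remote config that replaces the defaults, an
'alfresco' endpoint routed through an external-auth connector and, if a
client-certificate keystore is configured, an endpoint over TLS so that the
certificate can be presented at all.
"""
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the thread's config; hostname and path are placeholders.
SAMPLE_CONFIG = """<alfresco-config>
   <!-- Overriding endpoints to reference an Alfresco server with external SSO -->
   <config evaluator="string-compare" condition="Remote" replace="true">
      <remote>
         <keystore>
            <path>/opt/Alfresco/tomcat/shared/classes/alfresco/web-extension/alfresco-system.p12</path>
            <type>pkcs12</type>
            <password>alfresco</password>
         </keystore>
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <class>org.alfresco.connector.AlfrescoConnector</class>
         </connector>
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://repo.example.invalid/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>
</alfresco-config>
"""


def check_share_remote_config(xml_text, keystore_exists=os.path.exists):
    """Return a list of findings; an empty list means nothing looked suspicious."""
    findings = []
    root = ET.fromstring(xml_text)
    remote_cfgs = [c for c in root.findall("config")
                   if c.get("condition") == "Remote" and c.get("evaluator") == "string-compare"]
    if not remote_cfgs:
        return ['no <config condition="Remote"> block found; Share keeps its default endpoints']
    cfg = remote_cfgs[-1]
    if cfg.get("replace") != "true":
        findings.append('Remote config lacks replace="true"; the default endpoints stay in effect')
    remote = cfg.find("remote")
    if remote is None:
        return findings + ["Remote config has no <remote> element"]

    connectors = {c.findtext("id"): c for c in remote.findall("connector")}
    endpoints = {e.findtext("id"): e for e in remote.findall("endpoint")}
    ep = endpoints.get("alfresco")
    if ep is None:
        return findings + ["no endpoint with id 'alfresco'; the thread's override relies on that id"]
    if ep.findtext("external-auth") != "true":
        findings.append("'alfresco' endpoint does not set <external-auth>true</external-auth>")
    conn_id = ep.findtext("connector-id")
    if conn_id not in connectors:
        findings.append(f"'alfresco' endpoint references undefined connector {conn_id!r}")
    url = ep.findtext("endpoint-url") or ""
    scheme = urlparse(url).scheme
    if scheme not in ("http", "https"):
        findings.append(f"endpoint-url {url!r} has no usable scheme")

    ks = remote.find("keystore")
    if ks is not None:
        path = ks.findtext("path") or ""
        if not keystore_exists(path):
            findings.append(f"keystore path {path!r} does not exist or is unreadable")
        if (ks.findtext("type") or "").lower() != "pkcs12":
            findings.append("keystore type should be pkcs12 for a .p12 file")
        if scheme == "http":
            # TLS client authentication only happens inside a TLS handshake.
            findings.append("keystore configured but endpoint-url is plain http; "
                            "a client certificate is only presented over TLS")
    return findings


if __name__ == "__main__":
    for finding in check_share_remote_config(SAMPLE_CONFIG, keystore_exists=lambda p: True):
        print("-", finding)
```

Run against the real file with `check_share_remote_config(open(path).read())`; the `keystore_exists` parameter is only there so the sample can be checked without the `.p12` on disk. Note that the sample deliberately keeps the thread's plain-`http` endpoint URL so that the TLS finding fires.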

cybertoast
Champ in-the-making
matthias, yes, I've always been able to log in with CAS and see my Remote User as the user I signed in with. Sorry, I guess I was unclear about that. I've had this working with both simpleTestUsernamePassword handler (where username matches password), and with LDAP (using active directory).

dward
Champ on-the-rise
FYI I've just tried the latest code on HEAD with my mod_auth_cas VM and it still seems to work for me. I did spot some errors in the Wiki instructions (you need to point VIRTUAL_TOMCAT_HOME to somewhere other than your tomcat home or "ant incremental-tomcat" will mess up your tomcat installation with virtualization stuff). I've updated the Wiki.

cybertoast, it looks like the main differences are due to the way the SSL virtual host is configured in Ubuntu. It looks like Apache isn't sending the certificate data through to Tomcat. To get this to work on Red Hat it was VERY important to add this directive to ssl.conf:

SSLOptions +StdEnvVars +ExportCertData

The ordering of directives is very important too. In tomcat, /etc/httpd/conf.d is processed in alphabetical order, so the ordering would be mod_auth_cas.conf, mod_jk.conf, ssl.conf.

So good luck! It sounds like it's just a matter of getting the httpd config right for Ubuntu.

dward
Champ on-the-rise
By the way, I'm closing the bug, since you are both working on a different platform, and it still appears to work on Red Hat with HEAD.

cybertoast
Champ in-the-making
I can barely believe it, but it seems that something in the certificate creation instructions (which I followed blindly) is incorrect for Ubuntu (or I did something wrong - I'll check on this and update the wiki as necessary). I went back to basics and created the CA, certs and pkcs12 using CA.pl and things are in much better shape than they were.

Now when I load alfresco-system.p12 into the browser and go to snoop.jsp I get a prompt to select the certificate. Better yet, my cas.log says that it found a certificate to load:

2009-11-05 17:23:07,779 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Action 'X509CertificateCredentialsNonInteractiveAction' beginning execution>
2009-11-05 17:23:07,781 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Certificate found in request.>
2009-11-05 17:23:07,781 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Attempting to create TicketGrantingTicket for org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentials@4a2dd4>
2009-11-05 17:23:07,781 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <--examining cert[14653026945918949920] CN=alfresco-system, O="Vitech Systems Group, Inc.", L=Manhattan, ST=New York, C=US" from issuer "EMAILADDRESS=foo@bar.com, CN=Sundar CA, O="Vitech Systems Group, Inc.", ST=New York, C=US">
2009-11-05 17:23:07,781 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <certificate is valid>
2009-11-05 17:23:07,782 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <Pattern Match: true [EMAILADDRESS=foo@bar.com, CN=Sundar CA, O="Vitech Systems Group, Inc.", ST=New York, C=US] against [^.*CN=Sundar CA.*$].>
2009-11-05 17:23:07,782 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <certificate was issued by trusted issuer>
2009-11-05 17:23:07,782 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <this is an end-user certificate>
2009-11-05 17:23:07,782 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <Pattern Match: true [CN=alfresco-system, O="Vitech Systems Group, Inc.", L=Manhattan, ST=New York, C=US] against [.*].>
2009-11-05 17:23:07,782 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <cert[14653026945918949920] ok, setting as credentials candidate>
2009-11-05 17:23:07,782 INFO [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - <authentication OK; SSL client authentication data meets criteria for cert[14653026945918949920]>
2009-11-05 17:23:07,782 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentials@4a2dd4>
2009-11-05 17:23:07,782 DEBUG [org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver] - <Attempting to resolve a principal…>
2009-11-05 17:23:07,782 INFO [org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver] - <Creating principal for: CN=alfresco-system, O="Vitech Systems Group, Inc.", L=Manhattan, ST=New York, C=US>

But the X509CertificateCredentialsToIdentifierPrincipalResolver is not happy and throws a rather ugly error (sorry for the long dump here, but it may be helpful):


HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.webflow.engine.ActionExecutionException: Exception thrown executing [AnnotatedAction@b4b0a4 targetAction = org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction@b90a6e, attributes = map[[empty]]] in state 'startAuthenticate' of flow 'login-webflow' – action execution attributes were 'map[[empty]]'; nested exception is java.lang.ArrayIndexOutOfBoundsException: 1
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:583)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
   org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48)
   org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

root cause

org.springframework.webflow.engine.ActionExecutionException: Exception thrown executing [AnnotatedAction@b4b0a4 targetAction = org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction@b90a6e, attributes = map[[empty]]] in state 'startAuthenticate' of flow 'login-webflow' – action execution attributes were 'map[[empty]]'; nested exception is java.lang.ArrayIndexOutOfBoundsException: 1
   org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:64)
   org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:156)
   org.springframework.webflow.engine.State.enter(State.java:191)
   org.springframework.webflow.engine.Transition.execute(Transition.java:212)
   org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:54)
   org.springframework.webflow.engine.State.enter(State.java:191)
   org.springframework.webflow.engine.Transition.execute(Transition.java:212)
   org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:54)
   org.springframework.webflow.engine.State.enter(State.java:191)
   org.springframework.webflow.engine.Transition.execute(Transition.java:212)
   org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:107)
   org.springframework.webflow.engine.Flow.onEvent(Flow.java:534)
   org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:205)
   org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:161)
   org.springframework.webflow.engine.State.enter(State.java:191)
   org.springframework.webflow.engine.Flow.start(Flow.java:521)
   org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:193)
   org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:177)
   org.springframework.webflow.executor.FlowExecutorImpl.launch(FlowExecutorImpl.java:187)
   org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:125)
   org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:165)
   org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
   org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:807)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
   org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48)
   org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

root cause

java.lang.ArrayIndexOutOfBoundsException: 1
   org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver.resolvePrincipalInternal(X509CertificateCredentialsToIdentifierPrincipalResolver.java:56)
   org.jasig.cas.adaptors.x509.authentication.principal.AbstractX509CertificateCredentialsToPrincipalResolver.extractPrincipalId(AbstractX509CertificateCredentialsToPrincipalResolver.java:24)
   org.jasig.cas.authentication.principal.AbstractPersonDirectoryCredentialsToPrincipalResolver.resolvePrincipal(AbstractPersonDirectoryCredentialsToPrincipalResolver.java:42)
   org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:124)
   org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:417)
   org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction.doExecute(AbstractNonInteractiveCredentialsAction.java:80)
   org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:192)
   org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.java:146)
   org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:59)
   org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:156)
   org.springframework.webflow.engine.State.enter(State.java:191)
   org.springframework.webflow.engine.Transition.execute(Transition.java:212)
   org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:54)
   org.springframework.webflow.engine.State.enter(State.java:191)
   org.springframework.webflow.engine.Transition.execute(Transition.java:212)
   org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:54)
   org.springframework.webflow.engine.State.enter(State.java:191)
   org.springframework.webflow.engine.Transition.execute(Transition.java:212)
   org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:107)
   org.springframework.webflow.engine.Flow.onEvent(Flow.java:534)
   org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:205)
   org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:161)
   org.springframework.webflow.engine.State.enter(State.java:191)
   org.springframework.webflow.engine.Flow.start(Flow.java:521)
   org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:193)
   org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:177)
   org.springframework.webflow.executor.FlowExecutorImpl.launch(FlowExecutorImpl.java:187)
   org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:125)
   org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:165)
   org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
   org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:807)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
   org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48)
   org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

I decided to see what /share might do with the certificate, and basically I get "org.alfresco.web.site.exception.UserFactoryException: Unable to retrieve user from repository". So I suspect the X509 Principal is not being resolved into a LDAP principal.

So a couple of questions:

1. In the wiki there's a line that says: "For the subject name, use alfresco-system. We will later configure Alfresco to trust that this subject is the Share application." I did not see anything that explicitly trusts the CN of alfresco-system in the instructions. Did I miss something?

2. The wiki instructions for the deployerConfigContext.xml say:

<bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver">
   <property name="identifier" value="$CN" />
</bean>

Is this still correct even for Active Directory's LDAP?

Thanks much.

dward
Champ on-the-rise
1. The external subsystem is preconfigured to trust alfresco-system.
2. Yes. This part doesn't have anything to do with LDAP and is just the configuration for how it extracts a user ID from the certificate.

Looking at the stack trace, I think the problem is now in the CAS server. It seems the way that it parses the DN in a certificate can be broken if one of the components contains a comma. Can you please try certificates without the comma in "Vitech Systems Group, Inc."?

cybertoast
Champ in-the-making
dward, I owe you a few beers (wonder if Bolaji can make that happen)! Removing the comma from the DN did the trick. Thanks so much for your help. I'm pretty sure I would not have found this problem.

In any case, I'm going to spend some time today adding Ubuntu instructions to the wiki so that the next poor soul has a better chance :)
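dward's diagnosis and cybertoast's confirmation above describe a classic DN-parsing failure: a resolver that splits the subject on commas falls over when a component such as `O="Vitech Systems Group, Inc."` itself contains one. The example below is added here and is not CAS code or anything from the thread; it mirrors the failure with a deliberately naive extractor, then shows an RFC 4514-aware parser that copes with quoted and backslash-escaped commas, plus a pre-flight check you can run on a subject before issuing a certificate to an SSO component. The DN strings are constructed after the thread's log line; the function names are mine.

```python
"""DN parsing: naive comma split versus an RFC 4514-aware parser (added example).

The thread's CAS failure (ArrayIndexOutOfBoundsException: 1 while resolving $CN)
is the behaviour naive_cn() reproduces, in Python as an IndexError. parse_dn()
is the robust alternative; dn_components_with_commas() is a pre-flight check.
"""

# Constructed sample DNs modelled on the thread's cas.log entry.
DN_WITH_COMMA = 'CN=alfresco-system, O="Vitech Systems Group, Inc.", L=Manhattan, ST=New York, C=US'
DN_PLAIN = 'CN=alfresco-system, O=Vitech Systems Group Inc., L=Manhattan, ST=New York, C=US'


def naive_cn(dn):
    """Mimic a split-on-comma resolver that maps every component before substituting $CN.

    The fragment ' Inc."' left over from the quoted value has no '=' in it, so
    indexing parts[1] fails: the same shape of error as the thread's AIOOBE: 1.
    """
    components = {}
    for component in dn.split(","):
        parts = component.strip().split("=")
        components[parts[0].upper()] = parts[1]   # IndexError on 'Inc."'
    return components.get("CN")


def parse_dn(dn):
    """Split an RFC 4514 string DN into (ATTRIBUTE, value) pairs.

    Handles commas inside double-quoted values and backslash-escaped characters.
    Multi-valued RDNs ('+') are not split, since the thread does not involve them.
    """
    pairs, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):        # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':                              # quoted value: commas inside are data
            in_quotes = not in_quotes
            i += 1
            continue
        if ch == "," and not in_quotes:            # unquoted comma: component boundary
            pairs.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    pairs.append("".join(buf))
    if in_quotes:
        raise ValueError("unterminated quote in DN")
    result = []
    for component in pairs:
        attr, sep, value = component.strip().partition("=")
        if not sep:
            raise ValueError(f"component without '=': {component!r}")
        result.append((attr.strip().upper(), value.strip()))
    return result


def extract_cn(dn):
    """The $CN the thread's resolver wants, obtained safely."""
    values = [v for a, v in parse_dn(dn) if a == "CN"]
    return values[0] if values else None


def dn_components_with_commas(dn):
    """Pre-flight check: values containing commas will trip comma-splitting consumers."""
    return [(a, v) for a, v in parse_dn(dn) if "," in v]


if __name__ == "__main__":
    print("robust CN:", extract_cn(DN_WITH_COMMA))
    print("risky components:", dn_components_with_commas(DN_WITH_COMMA))
    try:
        naive_cn(DN_WITH_COMMA)
    except IndexError as exc:
        print("naive parser failed as the thread's resolver did:", exc)
```

Running `dn_components_with_commas()` over the subjects you plan to issue is cheaper than debugging a 500 from the SSO server afterwards; dropping the comma, as the thread did, is the simplest fix, and escaping it (`O=Vitech Systems Group\, Inc.`) only helps if every consumer in the chain parses escapes.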

dward
Champ on-the-rise
Thanks. We appreciate your contribution too.

skyfredox
Champ in-the-making
Hello everyone,
thanks for all this help.

I am trying to go one step further and use certificates issued by a free Certificate Security issuer (let's call it XXX) (there aren't that many…).

Everything is fine with my self-signed certificates, but with XXX-signed certificates I have this error in my CAS log:
[org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - Certificates not found in request.

In my vhost definition I have:

   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

   SSLCertificateFile /etc/ssl/certs/mysite_be_https.crt
   SSLCertificateKeyFile /etc/ssl/private/mysite_be_https.key
   SSLCertificateChainFile /etc/ssl/certs/sub.class1.XXX.server.ca.pem
   SSLCACertificateFile /etc/ssl/certs/XXX-ca.pem
  
   SSLVerifyClient optional
   SSLOptions +StdEnvVars +ExportCertData

Since the subject of the alfresco-system certificate contained in my alfresco-system.p12 is not alfresco-system but share.mysite.be, I have set
external.authentication.proxyUserName=share.mysite.be
in alfresco-global.properties.

alfresco-system.p12 is in the right place and readable by all.

All certificates are in the Java central keystore.

And I have tried the DN of the CA cert of XXX and of the intermediate cert of XXX in CAS deployerConfigContext.xml.

Would you have a suggestion?

Thank you very much.

skyfredox
Champ in-the-making
I have solved my problem with the intermediate certificate. Here is how…

I had
[org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - Certificates not found in request.
error in cas.log.

I found more details about this error in the Apache log (the one of my https virtual host).

There were:

1. "Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)" error

solved by adding
SSLVerifyDepth 2
to the Apache configuration of the https vhost.

2. [error] Certificate Verification: Error (26): unsupported certificate purpose

due to a limitation of trust on the certificate I had obtained from an SSL certificate issuer.

To test this, you can use
openssl verify -CAfile ca.pem -purpose sslclient alfresco-system.crt
The answer should be "OK" (with no error).

The intermediate certificate's purpose probably also has to be adequate for client use. This can be seen with
openssl x509 -purpose -in intermediate_certificate.pem
"SSL Client CA" should be "Yes".

I solved it by using an S/MIME client certificate issued by the SSL certificate issuer,
adapting the trustedIssuerDnPattern in webapps/cas/WEB-INF/deployerConfigContext.xml,
and setting
external.authentication.proxyUserName=[string used as certificate CN]
in alfresco-global.properties.
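Between dward's Red Hat note (`SSLOptions +StdEnvVars +ExportCertData` must be present for the certificate to reach the backend) and skyfredox's two Apache errors (`SSLVerifyDepth` too small for a chain with an intermediate, and a certificate whose purpose does not allow client use), the thread lists the mod_ssl conditions a client-certificate vhost has to satisfy. The linter below is an added example, not from the thread or from Apache: it parses a constructed vhost fragment modelled on skyfredox's, counts the PEM blocks in a constructed stand-in for the CA file, and reports which of those conditions fail. The directive names are real mod_ssl directives; the depth heuristic (depth must cover the number of CA certificates in the CA file, with Apache's default of 1) is my assumption, and the certificate-purpose check remains the `openssl verify -purpose sslclient` command the post already gives.

```python
"""Lint an Apache mod_ssl vhost for the client-certificate conditions in this thread (added example).

Checks: SSLVerifyClient requests a certificate, SSLOptions exports it to the
backend (+ExportCertData) together with the SSL_* variables (+StdEnvVars), a CA
file is configured, and SSLVerifyDepth covers the chain. Sample inputs are
constructed; directive names are the real mod_ssl ones.
"""

# Constructed vhost fragment modelled on skyfredox's post (no SSLVerifyDepth yet).
SAMPLE_VHOST = """
   SSLProtocol all -SSLv2
   SSLCertificateFile /etc/ssl/certs/mysite_be_https.crt
   SSLCertificateKeyFile /etc/ssl/private/mysite_be_https.key
   SSLCertificateChainFile /etc/ssl/certs/sub.class1.XXX.server.ca.pem
   SSLCACertificateFile /etc/ssl/certs/XXX-ca.pem
   SSLVerifyClient optional
   SSLOptions +StdEnvVars +ExportCertData
"""

# Constructed stand-in for the CA file: root CA + intermediate (bodies elided, not real certs).
SAMPLE_CA_FILE = """-----BEGIN CERTIFICATE-----
MIIB...root-ca-placeholder...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...intermediate-placeholder...
-----END CERTIFICATE-----
"""


def parse_directives(text):
    """Map lower-cased directive name -> list of argument lists, in file order."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives


def count_pem_certs(pem_text):
    """Number of certificates in a PEM bundle."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def lint_client_cert_vhost(vhost_text, ca_file_text):
    """Return findings (empty list = the vhost satisfies the thread's conditions)."""
    findings = []
    d = parse_directives(vhost_text)

    verify = d.get("sslverifyclient", [["none"]])[-1][0].lower()
    if verify not in ("optional", "require"):
        findings.append("SSLVerifyClient is not 'optional' or 'require'; no client certificate is requested")

    opts = {o.lower() for args in d.get("ssloptions", []) for o in args}
    if "+exportcertdata" not in opts:
        findings.append("SSLOptions lacks +ExportCertData; SSL_CLIENT_CERT is not passed to the backend")
    if "+stdenvvars" not in opts:
        findings.append("SSLOptions lacks +StdEnvVars; SSL_CLIENT_S_DN and the other SSL_* variables are not set")

    if "sslcacertificatefile" not in d and "sslcacertificatepath" not in d:
        findings.append("no SSLCACertificateFile/SSLCACertificatePath; client certificates cannot be verified")

    # Heuristic (assumption): with root + intermediates in the CA file, the depth
    # needed is the number of CA certificates in it; Apache's default depth is 1.
    chain_len = count_pem_certs(ca_file_text)
    depth = int(d["sslverifydepth"][-1][0]) if "sslverifydepth" in d else 1
    if chain_len > depth:
        findings.append(f"SSLVerifyDepth {depth} is too small for a CA file with {chain_len} certificates; "
                        f"set SSLVerifyDepth {chain_len} or more")
    return findings


if __name__ == "__main__":
    for finding in lint_client_cert_vhost(SAMPLE_VHOST, SAMPLE_CA_FILE):
        print("-", finding)
```

On the sample the only finding is the missing `SSLVerifyDepth`, which is exactly the first of the two errors skyfredox found in the Apache log; appending `SSLVerifyDepth 2` clears it. The second error (certificate purpose) is a property of the certificates rather than the vhost, so the `openssl verify -purpose sslclient` check from the post is still the right tool for it.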