
SSO/External Authentication still broken in 201611EA?

davidd2go
Champ on-the-rise

Hi

I tried to get SSO (with CAS) working on version 201611EA. According to the release notes earlier problems as reported by  in this bug should have been solved in the 201611EA release.

However I still see problems for which I filed a new bug-report here.

Since the details are described there I won't repeat them in this post.

Did anyone succeed in getting this to work on 201611EA or any other release after 5.1.f?

Regards,

David

12 REPLIES

idwright
Star Collaborator

I have CAS authentication working with repo/share version 5.1.g and can confirm that I'm seeing the same thing with 5.2.b-EA/5.2.c-EA

with the same code GitHub - wrighting/alfresco-cas: A project designed to show how to integrate Alfresco with CAS singl...

I haven't yet made any effort to diagnose this. (I recently changed my approach to this problem so may try the old approach to see what happens.)

(Something seems to change in this area with every release....)

pinux
Champ in-the-making

Hi Ian,

I also planned to run Alfresco with CAS auth; after a lot of work trying to follow the official Alfresco approach here Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation I decided to change my way and I found your github project GitHub - wrighting/alfresco-cas: A project designed to show how to integrate Alfresco with CAS singl... . So I installed a fresh version of Alfresco Community 5.0.d and integrated the produced amp file alfresco-cas-share-amp-1.2.2.amp; my java-cas-client.properties is:

casServerLoginUrl=https://my-server-hostname:8444/cas-webapp/login
serverName=https://my-server-hostname:8443
ticketValidatorClass=org.jasig.cas.client.validation.Cas30ServiceTicketValidator
casServerUrlPrefix=https://my-server-hostname:8444/cas-webapp

The x509 certificate of Alfresco is the default one provided with a fresh Alfresco installation (under $ALFRESCO_HOME/alf_data/keystore), while the x509 certificate of the CAS server was self-made with the keytool utility (keytool -genkey -alias tomcat -keyalg RSA); when asked for the common name I used my-server-hostname.

When I try to log in to Alfresco Share I'm redirected to the CAS login, log in successfully on CAS, but when I'm redirected back to Alfresco Share I receive an error. In catalina.out the error is:

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What am I doing wrong?

Could you help me to solve the problem?

Thanks in advance.

Pino

idwright
Star Collaborator

Hi Pino,

This is almost certainly down to using self signed certificates for the CAS server.

Note this is different from the Alfresco x509 certificates.

If you can, it is by far the easiest to use a full certificate, e.g. using Let's Encrypt - this might help: Configuring Alfresco SSL by using Let's Encrypt - keensoft

Otherwise it's a case of getting hold of the client certificate and adding it to the cacerts file used by the java that is running tomcat - which is relatively painful to do. See SSL Troubleshooting and Reference Guide - CAS User Manual - Apereo Wiki  
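The procedure Ian describes, as an added example that is not part of this thread or of the alfresco-cas project: fetch the certificate the CAS server presents, locate the cacerts file of the JVM that runs Tomcat, import the certificate there and confirm it is listed. CAS_HOST, CAS_PORT and JAVA_HOME are placeholders for your environment; openssl and keytool are assumed to be on PATH, and the trust store is assumed to still use the Java default password "changeit". The "PKIX path building failed" error above goes away only once the JVM can build a chain from the CAS certificate to something in this store, and only after Tomcat has been restarted.

```shell
#!/bin/sh
# Added example (not from this thread or the alfresco-cas project): make the
# JVM that runs Tomcat trust a self-signed CAS server certificate.
# Assumptions (placeholders, set for your environment): CAS_HOST, CAS_PORT,
# JAVA_HOME; openssl and keytool on PATH; cacerts password is the Java
# default "changeit".

# Print only the first certificate block from `openssl s_client` output
# (the leaf certificate; with -showcerts the rest of the chain follows it).
extract_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1}
       p {print}
       /-----END CERTIFICATE-----/ {if (p) exit}'
}

# Download the certificate the CAS server presents on its TLS port.
fetch_cas_cert() {  # $1=host $2=port $3=output .pem
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | extract_pem > "$3"
  grep -q 'BEGIN CERTIFICATE' "$3"
}

# Location of the JVM trust store: Java 8 keeps it under jre/, Java 9+ under lib/.
cacerts_path() {  # $1=JAVA_HOME
  if [ -f "$1/jre/lib/security/cacerts" ]; then
    echo "$1/jre/lib/security/cacerts"
  else
    echo "$1/lib/security/cacerts"
  fi
}

# Import the PEM into cacerts; Tomcat must be restarted before it takes effect.
import_cert() {  # $1=pem $2=alias $3=truststore
  keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
    -keystore "$3" -storepass changeit
}

# Confirm the alias is now present in the trust store.
is_trusted() {  # $1=alias $2=truststore
  keytool -list -alias "$1" -keystore "$2" -storepass changeit >/dev/null 2>&1
}

# Usage: CAS_HOST=my-server-hostname CAS_PORT=8444 JAVA_HOME=/opt/java sh trust-cas.sh import
if [ "${1:-}" = "import" ]; then
  : "${CAS_HOST:?set CAS_HOST}" "${CAS_PORT:=8444}" "${JAVA_HOME:?set JAVA_HOME}"
  pem="/tmp/cas-server.pem"
  store="$(cacerts_path "$JAVA_HOME")"
  fetch_cas_cert "$CAS_HOST" "$CAS_PORT" "$pem"
  import_cert "$pem" "cas-server" "$store"
  is_trusted "cas-server" "$store" && echo "cas-server trusted in $store"
fi
```

Importing only the leaf certificate works for a self-signed server; if the CAS server later gets a certificate from a private CA, import that CA's certificate instead so renewals do not break the trust again.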

pinux
Champ in-the-making

Hi Ian,

thanks for your reply; I added the certificate to the cacerts file used by the Tomcat JVM; now I'm receiving a new error:

ERROR [alfresco.web.site] [http-bio-8443-exec-19] javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.
org.jasig.cas.client.validation.TicketValidationException: No principal was found in the response from the CAS server.
at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:98)

Could you help me to solve the problem?

Thanks in advance,
Pino

idwright
Star Collaborator

I think you're going to need to debug your CAS installation - perhaps look at the CAS server logs.

You could also try enabling the CAS client debug logging in Alfresco so you can see what the server is returning
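What the client is looking for when it reports "No principal was found in the response from the CAS server", as an added example that is not code from this thread or from the alfresco-cas project: a small parser for the XML a CAS server returns from /serviceValidate (CAS 2.0) or /p3/serviceValidate (CAS 3.0). The order of checks (failure element first, then a non-empty cas:user) is an assumption drawn from the stack trace above and the CAS protocol, not something the thread states. The response bodies are constructed samples in the CAS protocol's shape; the "pino" user, the ticket id and the failure hints are mine, and nothing was captured from the poster's server. Seeing which of these shapes the debug logging shows is what tells you whether the ticket was rejected (and with which code) or whether something other than CAS XML, such as a login page, came back.

```python
"""Added example, not code from this thread or the alfresco-cas project:
a minimal parser for the XML a CAS server returns to a ticket validation
request, showing what the client needs to find before it has a principal.
Sample responses below are constructed (CAS protocol shape), not captured."""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Hints for the standard CAS protocol failure codes (assumed triage notes).
FAILURE_HINTS = {
    "INVALID_TICKET": "ticket expired or already consumed; look for a double validation",
    "INVALID_SERVICE": "service URL at validation differs from the one used at login; check serverName",
    "INVALID_REQUEST": "service or ticket parameter missing from the validate request",
    "INVALID_TICKET_SPEC": "ticket does not satisfy the validator's spec (e.g. renew)",
    "INTERNAL_ERROR": "server-side failure; read the CAS server log",
}


class TicketValidationError(Exception):
    pass


def parse_service_response(body: str) -> dict:
    """Return {'user': str, 'attributes': {name: [values]}} on success.

    Raise TicketValidationError with the server's failure code when the body
    carries <cas:authenticationFailure>, and with the client's 'No principal'
    message when the body has neither a failure element nor a non-empty
    <cas:user> (a login or error page served instead of CAS XML ends up here).
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise TicketValidationError(f"response is not well-formed XML: {exc}") from exc
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        detail = (failure.text or "").strip()
        hint = FAILURE_HINTS.get(code, "see the CAS server log")
        raise TicketValidationError(f"{code}: {detail} ({hint})")
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        raise TicketValidationError(
            "No principal was found in the response from the CAS server.")
    attributes = {}
    for el in root.findall("cas:authenticationSuccess/cas:attributes/*", CAS_NS):
        name = el.tag.split("}", 1)[-1]  # drop the namespace prefix
        attributes.setdefault(name, []).append((el.text or "").strip())
    return {"user": user.text.strip(), "attributes": attributes}


def outcome(body: str) -> str:
    """One-line summary, the kind of thing to log while debugging a CAS client."""
    try:
        result = parse_service_response(body)
    except TicketValidationError as exc:
        return f"FAIL {exc}"
    return f"OK user={result['user']} attributes={result['attributes']}"


# Constructed sample responses (CAS protocol shape; not from a real server).
SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>pino</cas:user>
    <cas:attributes>
      <cas:mail>pino@example.org</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

INVALID_SERVICE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    Ticket 'ST-1-example' does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# A success element with no user: the client cannot build a principal.
EMPTY_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess/>
</cas:serviceResponse>"""

# An HTML page (e.g. a login form) returned where CAS XML was expected.
HTML_PAGE = "<html><body><form>login</form></body></html>"

if __name__ == "__main__":
    for name, body in [("SUCCESS", SUCCESS), ("INVALID_SERVICE", INVALID_SERVICE),
                       ("EMPTY_SUCCESS", EMPTY_SUCCESS), ("HTML_PAGE", HTML_PAGE)]:
        print(f"{name:16} {outcome(body)}")
```

The INVALID_SERVICE case is the one to compare against the serverName in java-cas-client.properties: the service URL the client sends at validation must be the same one CAS saw when it issued the ticket, which is why a wrong serverName shows up as a validation failure rather than a login failure.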

pinux
Champ in-the-making

Ian, 

I tried to debug the error, but without success; one question: is your project GitHub - wrighting/alfresco-cas: A project designed to show how to integrate Alfresco with CAS singl... based on the use of mod_auth_cas described here: Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation ?

Thanks for your support.

Pino 

idwright
Star Collaborator

My project does not use mod_auth_cas at all, instead it uses the CAS client jars installed as part of the amps.

It should be quite straightforward to use my project to test your CAS installation using run.sh - you should just need to change the serverName in java-cas-client.properties to http://localhost:8080 before running it.

If you are using mod_auth_cas then you can still debug it but you need to use the Apache configuration files in order to do so

(mod_auth_cas has been updated since I last looked at it)

pinux
Champ in-the-making

Hi Ian,

thanks for your fast reply; if I decide to follow your project (so without mod_auth_cas) but with a standalone version of Alfresco Community, which version of Alfresco would you suggest using, and which version of CAS?

Thanks for your support.

Pino

idwright
Star Collaborator

My project is built using 5.1.g for both share and repository and that is what I would recommend.

5.1.g is the only recent version of Share that works, so while I'd prefer to use an OOTB GA version that's not really practical (it is possible but only with patching and I think it's better not to).

I'm currently on the 4.1 version of CAS but will be looking to upgrade soon - in theory this shouldn't make any difference as the java version of the cas client is the best supported client and I'm using the most recent version.