Ticket #299 (closed clarification: fixed)

Opened 2 years ago

Last modified 1 year ago

CAS ProxyTicketValidator error in plosone.log on multibox stage

Reported by: russ Assigned to: stevec
Priority: medium Milestone:
Component: ambra Version:
Keywords: cas proxyticketvalidator Cc:
Blocking: Blocked By:

Description

I've got my multicast networks all walled off, and I installed the stack on our two staging servers.

plosstage01 (webhead, cas, plosone, topaz)
plosstage02 (fedora, mulgara)

I have things set up just like the production stack, following the multibox wiki.

I created a new user and confirmed it.

When I try to log in, I get an error in plosone.log that I don't recognize. No other logs show any errors.

I've double-checked, and things seem to be configured like the production stack. Am I missing something? Is there something special that needs to be done with a two-server stack?

Change History

03/06/07 16:14:11 changed by russ

plosone.log error:

2003-10-18 19:14:03,135 ERROR CASReceipt> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://plosone-multi.plos.org:7443/cas/proxyValidate] proxyCallbackUrl=[https://plosstage01.localdomain:10443/CasProxyServlet] ticket=[ST-3-NVXM0zoC648aFm1TmaGR] service=[http%3A%2F%2Fplosone-multi.plos.org%3A%2Fuser%2Fsecure%2FsecureRedirect.action%3FgoTo%3D%252Fhome.action] renew=false]]] [TP-Processor8 edu.yale.its.tp.cas.client.CASReceipt]
2003-10-18 19:14:03,136 ERROR CASFilter> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://plosone-multi.plos.org:7443/cas/proxyValidate] proxyCallbackUrl=[https://plosstage01.localdomain:10443/CasProxyServlet] ticket=[ST-3-NVXM0zoC648aFm1TmaGR] service=[http%3A%2F%2Fplosone-multi.plos.org%3A%2Fuser%2Fsecure%2FsecureRedirect.action%3FgoTo%3D%252Fhome.action] renew=false]]] [TP-Processor8 edu.yale.its.tp.cas.client.filter.CASFilter]
2003-10-18 19:14:03,141 ERROR [default]> Servlet.service() for servlet default threw exception [TP-Processor8 org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/].[default]]
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://plosone-multi.plos.org:7443/cas/proxyValidate] proxyCallbackUrl=[https://plosstage01.localdomain:10443/CasProxyServlet] ticket=[ST-3-NVXM0zoC648aFm1TmaGR] service=[http%3A%2F%2Fplosone-multi.plos.org%3A%2Fuser%2Fsecure%2FsecureRedirect.action%3FgoTo%3D%252Fhome.action] renew=false]]]
        at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
        at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
        at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
Caused by: java.io.IOException: HTTPS hostname wrong:  should be <plosone-multi.plos.org>
        at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:490)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:917)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
        at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
        at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
        ... 17 more

03/06/07 16:16:06 changed by russ

I noticed that it was complaining that the HTTPS hostname should be plosone-multi.plos.org, so I made that change in plosOne.xml. Either hostname should work, since plosone and cas are on the same box. Oddly, I got the exact same error, with plosone-multi.plos.org in the proxyCallbackUrl instead of plosstage01.localdomain:

2003-10-18 19:17:19,639 ERROR CASReceipt> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://plosone-multi.plos.org:7443/cas/proxyValidate] proxyCallbackUrl=[https://plosone-multi.plos.org:10443/CasProxyServlet] ticket=[ST-0-qttBbbTc1fDeUA8rbfDQ] service=[http%3A%2F%2Fplosone-multi.plos.org%3A%2Fuser%2Fsecure%2FsecureRedirect.action%3FgoTo%3D%252Fhome.action] renew=false]]] [TP-Processor8 edu.yale.its.tp.cas.client.CASReceipt]
2003-10-18 19:17:19,640 ERROR CASFilter> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://plosone-multi.plos.org:7443/cas/proxyValidate] proxyCallbackUrl=[https://plosone-multi.plos.org:10443/CasProxyServlet] ticket=[ST-0-qttBbbTc1fDeUA8rbfDQ] service=[http%3A%2F%2Fplosone-multi.plos.org%3A%2Fuser%2Fsecure%2FsecureRedirect.action%3FgoTo%3D%252Fhome.action] renew=false]]] [TP-Processor8 edu.yale.its.tp.cas.client.filter.CASFilter]
2003-10-18 19:17:19,648 ERROR [default]> Servlet.service() for servlet default threw exception [TP-Processor8 org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/].[default]]
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://plosone-multi.plos.org:7443/cas/proxyValidate] proxyCallbackUrl=[https://plosone-multi.plos.org:10443/CasProxyServlet] ticket=[ST-0-qttBbbTc1fDeUA8rbfDQ] service=[http%3A%2F%2Fplosone-multi.plos.org%3A%2Fuser%2Fsecure%2FsecureRedirect.action%3FgoTo%3D%252Fhome.action] renew=false]]]
        at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
        at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
        at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
Caused by: java.io.IOException: HTTPS hostname wrong:  should be <plosone-multi.plos.org>
        at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:490)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:917)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
        at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
        at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
        ... 17 more

03/06/07 16:17:47 changed by russ

Finally, I noticed that all of the production servers have an /etc/hosts entry for register.plos.org -> 192.168.66.xx, mapping the cas server's external hostname to its internal IP. I tried the same hosts entry on plosstage01 (plosone-multi.plos.org -> internal plosstage01 IP), but it made no difference.

Thanks for any advice you have on this. Is there something that changes when multiple services are on the same server?

03/06/07 16:37:00 changed by ronald

The hostname used to contact the cas server and the hostname in the cas server's SSL certificate must match exactly. That is, this has nothing to do with the name-to-IP-address mapping. This message is indicating that the hostname in the certificate (the CN attribute in the subject name) is wrong, i.e. it is not 'plosone-multi.plos.org'.
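The check Ronald describes, modelled offline as an added example (this is not code from the ticket, from the CAS client or from Sun's HttpsClient; it is a small reimplementation of the same rule). The Java client takes the host part of the URL it is fetching (casValidateUrl, in the error above), compares it with the names in the certificate the server presents, and never looks at /etc/hosts or DNS, which is why the hosts entry made no difference. The certificate summaries, the hosts table and the URLs are constructed for the example; the one log line is the "Caused by" line from the ticket.

```python
"""Model of the HTTPS hostname check that produced
'HTTPS hostname wrong:  should be <plosone-multi.plos.org>'.

Added example, not code from the ticket or from the CAS client.  The URL
host is matched against the certificate's subjectAltName dNSNames (or the
subject CN when there are none); IP mapping is deliberately not involved.
"""
from urllib.parse import urlsplit

# Constructed certificate summaries (subject CN + subjectAltName dNSNames).
CAS_CERT_INTERNAL = {"cn": "plosstage01.localdomain", "san": []}
CAS_CERT_EXTERNAL = {"cn": "plosone-multi.plos.org", "san": []}
CAS_CERT_BOTH = {"cn": "plosone-multi.plos.org",
                 "san": ["plosone-multi.plos.org", "plosstage01.localdomain"]}

# Constructed /etc/hosts content: both names map to the same internal IP.
# It is consulted by resolve() only to show that it does not affect the check.
HOSTS = {"plosone-multi.plos.org": "192.168.66.10",
         "plosstage01.localdomain": "192.168.66.10"}

# The "Caused by" line from the ticket; the name in <...> is the URL host.
LOG_LINE = ("Caused by: java.io.IOException: HTTPS hostname wrong:  "
            "should be <plosone-multi.plos.org>")

# The casValidateUrl from the ticket, and a hypothetical internal-name variant.
VALIDATE_URL_EXTERNAL = "https://plosone-multi.plos.org:7443/cas/proxyValidate"
VALIDATE_URL_INTERNAL = "https://plosstage01.localdomain:7443/cas/proxyValidate"


def match_name(pattern, host):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    '*' allowed only as the entire leftmost label of a name with at least
    three labels (so '*.org' never matches)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """dNSName SAN entries win; the CN is only a fallback when none exist."""
    return list(cert["san"]) if cert["san"] else [cert["cn"]]


def resolve(host):
    """Name-to-IP lookup against the constructed hosts table."""
    return HOSTS.get(host)


def check_hostname(url, cert):
    """True when the certificate is valid for the host named in url."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    return any(match_name(name, host) for name in cert_names(cert))


def expected_hostname_from_log(line):
    """Extract the name printed in 'should be <...>' (the URL host)."""
    marker = "should be <"
    start = line.find(marker)
    if start < 0:
        return None
    start += len(marker)
    return line[start:line.index(">", start)]


def diagnose(url, cert):
    """One-line verdict in the style of the Java message."""
    host = urlsplit(url).hostname
    if check_hostname(url, cert):
        return "ok: certificate valid for <%s>" % host
    return "HTTPS hostname wrong:  should be <%s> (certificate names: %s)" % (
        host, ", ".join(cert_names(cert)))


if __name__ == "__main__":
    # Same IP either way, yet only the name in the URL decides the outcome.
    print(resolve("plosone-multi.plos.org"), resolve("plosstage01.localdomain"))
    print(diagnose(VALIDATE_URL_EXTERNAL, CAS_CERT_INTERNAL))   # fails, as in the ticket
    print(diagnose(VALIDATE_URL_EXTERNAL, CAS_CERT_EXTERNAL))   # ok after re-keying
    print(diagnose(VALIDATE_URL_INTERNAL, CAS_CERT_BOTH))       # ok with a SAN cert
```

The two lines that matter are the ones with the same resolved IP but different verdicts: the fix is to re-generate the keystore with the external hostname (or a certificate whose SAN lists both names), not to add hosts entries. The printed verdict only echoes the URL host, exactly like the Java exception, which is why the message alone does not tell you what name the certificate actually carries; read the certificate itself for that.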

03/06/07 17:22:29 changed by russ

  • status changed from new to closed.
  • resolution set to fixed.

Okay, this was interesting.

So, I'm pretty sure that the problem was having plosone, topaz, cas, and webhead all on a multi-homed server with an external hostname (plosone-multi.plos.org) and an internal hostname (plosstage01.localdomain).

In this case, all of the configuration files pointing to plosone, topaz, or cas have to use the external hostname.

The external hostname needs to be used when generating keystores.

Finally, a hosts file entry needs to exist on the other servers in the stack resolving the external hostname to the internal IP.

Following the above assumptions, I've got it working now on my stage server.

Thanks for listening!

08/07/07 16:25:51 changed by

  • milestone deleted.