Ex: Re: : CAS proxy validation failure - Configured TLS trust engine was not used
Paul B. Henson
henson at cpp.edu
Tue Aug 18 19:15:29 UTC 2020
> From: Cantor, Scott
> Sent: Tuesday, August 18, 2020 5:34 AM
>
> No, Brent has to look at it. But if we can't reproduce it, we might have to come
> back and try and set up a test against the system that's failing.
Cool, thanks. I can do whatever testing/debugging you guys need, I'm just not sure what to look at at this point. I tried setting the pool size to 1 to see what would happen, but it seems I also still have that bug where the proxy callbacks get stuck in CLOSE_WAIT forever:
java 26375 jetty 189u IPv6 713763 0t0 TCP beric-dev.unx.cpp.edu:55628->davos.unx.cpp.edu:https (CLOSE_WAIT)
So that didn't work out. Is there any way to create an instance of httpclient that uses the org.apache.commons.httpclient.SimpleHttpConnectionManager instead of the pooled one? That would work around the wedged socket bug and I would also be curious what would happen with this validation issue bug in that case. It looks like the vanilla factory is org.apache.http.impl.client.HttpClientBuilder? But I'm not quite sure how to instantiate it with XML, all of the examples I can find do it with actual Java code.
> It does happen that our shibboleth.net IdP is on CentOS 8 and so forth. I have no
> experience with CAS. Maybe you could help us set up a test case if we enable
> that server and maybe have you set up the necessary CAS client to point at it
> for testing?
Sure, it's pretty simple to set up; you just need to add a few beans to the relying party definition:
CAS.LoginConfiguration
CAS.ProxyConfiguration
CAS.ValidateConfiguration
A CAS MetadataProvider:
<MetadataProvider id="cpp-cas"
                  xsi:type="FilesystemMetadataProvider"
                  metadataFile="%{idp.home}/metadata/cpp-cas.xml"
                  indexesRef="shibboleth.CASMetadataIndices">
</MetadataProvider>
And a little bit of metadata:
<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://idm.unx.cpp.edu/">
    <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
      <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
                                Location="https://dev.idm.unx.cpp.edu/cas/"
                                index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://www.idm.unx.cpp.edu/">
    <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
      <KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>BASE64_CERTIFICATE_OMITTED</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </KeyDescriptor>
      <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
                                Location="https://www.idm.unx.cpp.edu/"
                                index="1"/>
      <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/proxy"
                                Location="https://www.idm.unx.cpp.edu/cas_pgt"
                                index="2"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
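As an added example (not part of the original message or of the Shibboleth project), the script below parses CAS metadata of the shape shown above and lists each SP's login and proxy endpoints, flagging a proxy callback that is not served over https and a proxy-capable entity with no KeyDescriptor, mirroring the pattern above where the entity with a proxy endpoint carries a signing key. Entity IDs and URLs in the sample are constructed.

```python
# Added example, not from the original message: audit Shibboleth-style CAS
# metadata (entity IDs and URLs below are constructed, not the poster's).
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
CAS_LOGIN = "https://www.apereo.org/cas/protocol/login"
CAS_PROXY = "https://www.apereo.org/cas/protocol/proxy"

SAMPLE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://sp-one.example/">
    <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
      <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
          Location="https://sp-one.example/cas/" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp-two.example/">
    <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
      <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
          Location="https://sp-two.example/" index="1"/>
      <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/proxy"
          Location="http://sp-two.example/cas_pgt" index="2"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

def audit_cas_metadata(xml_text):
    """Map entityID -> {"login": [...], "proxy": [...], "problems": [...]}."""
    report = {}
    for ed in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        entry = {"login": [], "proxy": [], "problems": []}
        for spsso in ed.findall(f"{{{MD}}}SPSSODescriptor"):
            # Key material published for the entity (use omitted or "signing").
            has_key = any(kd.get("use") in (None, "signing")
                          for kd in spsso.findall(f"{{{MD}}}KeyDescriptor"))
            for acs in spsso.findall(f"{{{MD}}}AssertionConsumerService"):
                binding, loc = acs.get("Binding"), acs.get("Location", "")
                if binding == CAS_LOGIN:
                    entry["login"].append(loc)
                elif binding == CAS_PROXY:
                    entry["proxy"].append(loc)
                    # The IdP calls this URL back with the PGT; it must be TLS.
                    if not loc.startswith("https://"):
                        entry["problems"].append(f"proxy callback not https: {loc}")
                    if not has_key:
                        entry["problems"].append("proxy entity has no KeyDescriptor")
        report[ed.get("entityID")] = entry
    return report
```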