cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: new jcosign service produces error message at authn
OK, this problem is now resolved. It was certificate-related, as suspected.
So, for reference:
* The certificate used for CoSign can be signed by any CA, but that CA's
cert must be imported as a trusted certificate *in the same keystore*.
* The Java keytool is picky about how certs are created and signed. You
must first generate a keypair, which is stored as a self-signed cert.
Then you must generate a certificate signing request from that, and
finally you must re-import the signed cert from your CA *on top of* the
self-signed cert to establish a trust chain.
* In my case, I imported the CA cert before I even created the keypair.
Probably not necessary, but if wearing a bone in my nose would have
helped, I would have done it. I think the important thing is that when
the cert is imported, the CA cert already has to be trusted.
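The keystore sequence described above (trust the CA in the same keystore, generate the keypair, request a signed cert, import the reply on top of the self-signed entry), written out as an added example; this is not Cory's script or part of the CoSign project. It stands up a throwaway CA with keytool's own -gencert so the whole chain can be built and checked offline; the aliases, passwords, hostnames and file names are constructed for the demo, and the real CA (umwebca in the thread) would replace the demo-ca step.

```shell
#!/bin/sh
# Added example: keytool trust-chain setup for a JCoSign-style service keystore.
# Everything here (paths, aliases, password, DNs) is made up for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"                      # constructed demo password
CA_KS="$WORK/ca.jks"                 # hypothetical CA keystore (stands in for the real CA)
SVC_KS="$WORK/jcosign.jks"           # hypothetical service keystore used by the app

# Step 0: a toy CA with a CA:true basic constraint, exported as PEM.
# In production you would only have the CA's cert (ca.pem), not its key.
make_ca() {
    keytool -genkeypair -keystore "$CA_KS" -storepass "$PASS" -keypass "$PASS" \
        -alias demo-ca -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=Demo CA,O=Example" -ext bc:c >/dev/null 2>&1
    keytool -exportcert -keystore "$CA_KS" -storepass "$PASS" \
        -alias demo-ca -rfc -file "$WORK/ca.pem" >/dev/null 2>&1
}

# Step 1: import the CA cert as a trusted entry in the *same* keystore the
# service key will live in. keytool later refuses a cert reply it cannot
# chain to something already trusted here.
trust_ca() {
    keytool -importcert -noprompt -keystore "$SVC_KS" -storepass "$PASS" \
        -alias demo-ca -file "$WORK/ca.pem" >/dev/null 2>&1
}

# Step 2: generate the service keypair; keytool stores it as a self-signed cert.
gen_service_key() {
    keytool -genkeypair -keystore "$SVC_KS" -storepass "$PASS" -keypass "$PASS" \
        -alias jcosign -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=jcosign.example.test,O=Example" >/dev/null 2>&1
}

# Step 3: CSR from that entry, sign it with the CA, then import the reply
# *on top of* the self-signed entry by reusing the same alias.
sign_and_import() {
    keytool -certreq -keystore "$SVC_KS" -storepass "$PASS" \
        -alias jcosign -file "$WORK/jcosign.csr" >/dev/null 2>&1
    keytool -gencert -keystore "$CA_KS" -storepass "$PASS" -alias demo-ca \
        -infile "$WORK/jcosign.csr" -outfile "$WORK/jcosign.pem" \
        -rfc -validity 30 >/dev/null 2>&1
    keytool -importcert -noprompt -keystore "$SVC_KS" -storepass "$PASS" \
        -alias jcosign -file "$WORK/jcosign.pem" >/dev/null 2>&1
}

# Check: the service entry must now carry a two-certificate chain
# (leaf + CA) instead of the lone self-signed cert it started with.
chain_length() {
    keytool -list -v -keystore "$SVC_KS" -storepass "$PASS" -alias jcosign 2>/dev/null \
        | sed -n 's/^Certificate chain length: *//p'
}

# Run the whole sequence and report the resulting chain length.
demo() {
    make_ca
    trust_ca
    gen_service_key
    sign_and_import
    echo "chain length for alias jcosign: $(chain_length)"
}
```

Source the file and call demo (or append a `demo` line when running it directly); a chain length of 2 shows the reply was accepted and attached to the CA entry, while a length of 1 means the import left the self-signed cert in place, which is the state that produces an untrusted-chain error at connection time.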
Cory Snavely wrote:
I'm looking for anyone on this list with a working JCoSign configuration
to help me out here.
Problems thus far seem to be related to my certs. After some more work
with this, I am seeing a Java error:
java.security.cert.CertificateException: Untrusted Server Certificate Chain at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
I am using a cert signed by the local umweb ca, and I had to import the
ca's cert to my Java installation's cacerts keystore in order to get my
cert to import. IOW, it seemed to validate the trust chain ok on import.
Does anyone else use a umwebca-signed cert for JCoSign? If not, what do
you use? (Entrust? InstantSSL?)
Cory Snavely wrote:
OK, I have the behavior reproducing now.
To see it, or generate more log entries, go to
and click on any of the authentication-only options in the bottom
left, like "My Deep Blue".
You will go to cosign-test.www.umich.edu and get the error message
"Unable to determine referring service from query string."
If I change the service name to something starting with "cosign-"
instead, authentication will proceed but I get either a "too many
redirects" from my browser or the looping page from CoSign.
Wesley Craig wrote:
We don't see anything in the logs on the weblogin.umich.edu.
Perhaps we should have you point to cosign-test.www.umich.edu?
We'll be able to see how your server is interacting with the cosign
server better that way.
On 16 Mar 2005, at 08:59, Cory Snavely wrote:
A lame attempt to solve this by setting
gets me further, but eventually fails with too many redirects. It
is as if, after authenticating, that JCoSign doesn't recognize
authentication has happened, and re-prompts (re-redirects).
Does this make any sense to anyone? I'm sort of at a loss here, but
have the feeling this is something simple.