	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: new jcosign service produces error message at authn

To: cosign-discuss@xxxxxxxxx
Subject: Re: new jcosign service produces error message at authn
From: Cory Snavely <csnavely@xxxxxxxxx>
Date: Mon, 28 Mar 2005 17:12:09 -0500
In-reply-to: <424435CA.3040702@umich.edu>
Organization: UM Library IT Core Services
References: <42320B98.3090406@umich.edu> <4A21B481-4C17-46B0-A6F7-85D0791C95CA@umich.edu> <4235F49C.9070201@umich.edu> <4E729043-529C-41DF-B0D1-31B1A2DA3467@umich.edu> <42383BCF.9000709@umich.edu> <D4AEED96-367B-4092-9042-4C6726BAF109@umich.edu> <424435CA.3040702@umich.edu>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050105 Debian/1.7.5-1

I'm looking for anyone on this list with a working JCoSign configuration to help me out here.

Problems thus far seem to be related to my certs. After some more work with this, I am seeing a Java error:

java.security.cert.CertificateException: Untrusted Server Certificate
  Chain at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)

I am using a cert signed by the local umweb ca, and I had to import the ca's cert to my Java installation's cacerts keystore in order to get my cert to import. IOW, it seemed to validate the trust chain ok on import.

Does anyone else use a umwebca-signed cert for JCoSign? If not, what do you use? (Entrust? InstantSSL?)

Thanks,
Cory

Cory Snavely wrote:

OK, I have the behavior reproducing now.

To see it, or generate more log entries, go to

http://csnavely.dev.deepblue.lib.umich.edu/

and click on any of the authentication-only options in the bottom left, like "My Deep Blue".

You will go to cosign-test.www.umich.edu and get the error message

"Unable to determine referring service from query string."

If I change the service name to something starting with "cosign-" instead, authentication will proceed but I get either a "too many redirects" from my browser or the looping page from CoSign.

Thanks!

Cory

Wesley Craig wrote:

We don't see anything in the logs on the weblogin.umich.edu. Perhaps we should have you point to cosign-test.www.umich.edu? We'll be able to see how your server is interacting with the cosign server better that way.

:wes

On 16 Mar 2005, at 08:59, Cory Snavely wrote:

A lame attempt to solve this by setting

Auth.Cosign.ServiceName=cosign-deepblue.lib

gets me further, but eventually fails with too many redirects. It is as if, after authenticating, that JCoSign doesn't recognize authentication has happened, and re-prompts (re-redirects).

Does this make any sense to anyone? I'm sort of at a loss here, but have the feeling this is something simple.

Follow-Ups:
- Re: new jcosign service produces error message at authn
  - From: Cory Snavely

References:
- new jcosign service produces error message at authn
  - From: Cory Snavely
- Re: new jcosign service produces error message at authn
  - From: Wesley D Craig
- Re: new jcosign service produces error message at authn
  - From: Cory Snavely
- Re: new jcosign service produces error message at authn
  - From: Wesley D Craig
- Re: new jcosign service produces error message at authn
  - From: Cory Snavely
- Re: new jcosign service produces error message at authn
  - From: Wesley Craig
- Re: new jcosign service produces error message at authn
  - From: Cory Snavely

Prev by Date: Wanted: somewhat complicated cosign configs for apache 1.3.x
Next by Date: Re: new jcosign service produces error message at authn
Previous by thread: Re: new jcosign service produces error message at authn
Next by thread: Re: new jcosign service produces error message at authn
Index(es):
- Date
- Thread