Re: new jcosign service produces error message at authn

[Cory Snavely <csnavely@xxxxxxxxx>]

OK, this problem is now resolved. It was certificate-related, as suspected.

So, for reference:

* The certificate used for CoSign can be signed by any CA, but that CA's 
cert must be imported as a trusted certificate *in the same keystore*.

* The Java keytool is picky about how certs are created and signed. You 
must first generate a keypair, which is stored as a self-signed cert. 
Then you must generate a certificate signing request from that, and 
finally you must re-import the signed cert from your CA *on top of* the 
self-signed cert to establish a trust chain.

* In my case, I imported the CA cert before I even created the keypair. 
Probably not necessary, but if wearing a bone in my nose would have 
helped, I would have done it. I think the important thing is that when 
the cert is imported, the CA cert already has to be trusted.

c

Cory Snavely wrote:
> I'm looking for anyone on this list with a working JCoSign configuration 
> to help me out here.
>
> Problems thus far seem to be related to my certs. After some more work 
> with this, I am seeing a Java error:
>
> java.security.cert.CertificateException: Untrusted Server Certificate
>   Chain at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
>
> I am using a cert signed by the local umweb ca, and I had to import the 
> ca's cert to my Java installation's cacerts keystore in order to get my 
> cert to import. IOW, it seemed to validate the trust chain ok on import.
>
> Does anyone else use a umwebca-signed cert for JCoSign? If not, what do 
> you use? (Entrust? InstantSSL?)
>
> Thanks,
> Cory
>
> Cory Snavely wrote:
>
> > OK, I have the behavior reproducing now.
> >
> > To see it, or generate more log entries, go to
> >
> >   http://csnavely.dev.deepblue.lib.umich.edu/
> >
> > and click on any of the authentication-only options in the bottom 
> > left, like "My Deep Blue".
> >
> > You will go to cosign-test.www.umich.edu and get the error message
> >
> >   "Unable to determine referring service from query string."
> >
> > If I change the service name to something starting with "cosign-" 
> > instead, authentication will proceed but I get either a "too many 
> > redirects" from my browser or the looping page from CoSign.
> >
> > Thanks!
> >
> > Cory
> >
> > Wesley Craig wrote:
> >
> > > We don't see anything in the logs on the weblogin.umich.edu.  
> > > Perhaps  we should have you point to cosign-test.www.umich.edu?  
> > > We'll be able  to see how your server is interacting with the cosign 
> > > server better  that way.
> > >
> > > :wes
> > >
> > > On 16 Mar 2005, at 08:59, Cory Snavely wrote:
> > >
> > > > A lame attempt to solve this by setting
> > > >
> > > >   Auth.Cosign.ServiceName=cosign-deepblue.lib
> > > >
> > > > gets me further, but eventually fails with too many redirects. It  
> > > > is as if, after authenticating, that JCoSign doesn't recognize  
> > > > authentication has happened, and re-prompts (re-redirects).
> > > >
> > > > Does this make any sense to anyone? I'm sort of at a loss here, but  
> > > > have the feeling this is something simple.