
CAS ST Generated Repeatedly on User Login; CAS Fails to Validate ST When Sites configured Over HTTPS (Doc ID 2024454.1)

Last updated on MARCH 20, 2018

Applies to:

Oracle WebCenter Sites - Version 11.1.1.6.1 and later
Information in this document applies to any platform.

Symptoms

On user login (after the user enters credentials and clicks the Login button), the following appears in the Sites application server's access log:

The user enters credentials and the browser POSTs them to CAS on Tomcat:

<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "POST /cas/login;jsessionid=586E5E7DD867BA611E6161B87FAED180?service=https%3A%2F%2Fhostname%3Aport%2Fcs%2Fwem%2Ffatwire%2Fwem%2FWelcome HTTP/1.1" 302 -

CAS calls back to CS (Sites) to authenticate the credentials:

<server IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "POST /cs/ContentServer?pagename=fatwire/wem/sso/ssoLogin HTTP/1.1" 200 505

CS reports success to CAS; cas.log shows the user authenticated:

YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: com.fatwire.wem.sso.cas.plugin.CSAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: fwadmin]

 

At this point CAS should issue a Ticket Granting Ticket (TGT), set it as a cookie in the browser, and redirect the browser back to the page it originally requested with a Service Ticket (ST) in the ticket parameter. Sites must then call CAS to validate that ST, and CAS answers whether it is valid. In this case the ST is never validated: because the browser still holds a valid TGT, each redirect back to /cas/login produces a fresh ST without prompting for credentials again, and the cycle repeats, e.g.:

cas.log:

YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-2-rLlHRFvxFOcuQc6NQQ2j-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-3-kWXEu1A1WByrTGfBbNvA-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-4-KdfGpvnlMwybCzHAcSEE-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-5-aqndgDQr6TSlD6dwbHYI-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
...

access.log:

<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-2-rLlHRFvxFOcuQc6NQQ2j-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-3-kWXEu1A1WByrTGfBbNvA-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-4-KdfGpvnlMwybCzHAcSEE-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-5-aqndgDQr6TSlD6dwbHYI-cas-hostname-1 HTTP/1.1" 302 -
...

 

The request the CAS client (Sites) must make to the CAS server to validate the ST, "GET /cas/proxyValidate?&ticket=ST-...-cas-...-1&service=... HTTP/1.1", never appears in the access log. Note that this request is made server-to-server by the Sites JVM, not by the browser, so it is the JVM's TLS trust configuration, not the browser's, that decides whether it can succeed.
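
One way to confirm this from the two logs without reading them by eye is to correlate every ST the CAS server granted with the requests in the access log: a ticket that appears as ticket= on a request to the protected application but never as ticket= on a request to /cas/proxyValidate (or /cas/serviceValidate, /cas/validate) was presented and then dropped. The Python below is an added example and is not part of this note or of the Sites product; the log extracts in it are constructed from the patterns shown above, with placeholder IPs and timestamps, and the 3-ticket threshold in login_loops is an assumption.

```python
"""Correlate cas.log with the application access log to find service tickets
that CAS granted and the browser presented but that the application never
sent back to CAS for validation.

Added example, not part of the Oracle note. The log extracts below are
constructed from the patterns the note shows; IPs and timestamps are placeholders.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# cas.log: "... Granted service ticket [ST-...] for service [...] for user [...]"
GRANTED_RE = re.compile(
    r"Granted service ticket \[(?P<ticket>ST-[^\]]+)\] "
    r"for service \[(?P<service>[^\]]+)\] for user \[(?P<user>[^\]]+)\]"
)
# access.log request field: "METHOD /path?query HTTP/1.1" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}|-)')
VALIDATE_PATHS = ("/proxyValidate", "/serviceValidate", "/validate")


def parse_granted(cas_log: str) -> dict:
    """{ticket: (user, service)} for every ST the CAS server granted."""
    return {m["ticket"]: (m["user"], m["service"])
            for m in map(GRANTED_RE.search, cas_log.splitlines()) if m}


def parse_access(access_log: str):
    """(presented, validated): STs the browser handed to the protected app,
    and STs the app sent back to a CAS validation endpoint."""
    presented, validated = set(), set()
    for line in access_log.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlparse(m["target"])
        ticket = parse_qs(url.query).get("ticket", [None])[0]   # tolerates the leading '&'
        if ticket is None:
            continue
        (validated if url.path.endswith(VALIDATE_PATHS) else presented).add(ticket)
    return presented, validated


def unvalidated_tickets(cas_log: str, access_log: str) -> list:
    """[(ticket, user, service)] granted and presented but never validated."""
    granted = parse_granted(cas_log)
    presented, validated = parse_access(access_log)
    return sorted((t, u, s) for t, (u, s) in granted.items()
                  if t in presented and t not in validated)


def login_loops(cas_log: str, access_log: str, threshold: int = 3) -> dict:
    """{(user, service): count} where one principal burned >= threshold tickets
    without a single validation: the repeating pattern in the note."""
    counts = Counter((u, s) for _, u, s in unvalidated_tickets(cas_log, access_log))
    return {k: n for k, n in counts.items() if n >= threshold}


# ---- constructed sample logs (ticket IDs and service are the ones in the note) ----
SERVICE = "https://hostname:port/cs/wem/fatwire/wem/Welcome"
ENC_SERVICE = "https%3A%2F%2Fhostname%3Aport%2Fcs%2Fwem%2Ffatwire%2Fwem%2FWelcome"
TICKETS = ["ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1",
           "ST-2-rLlHRFvxFOcuQc6NQQ2j-cas-hostname-1",
           "ST-3-kWXEu1A1WByrTGfBbNvA-cas-hostname-1"]

CAS_LOG = "\n".join(
    f"2015-05-01 10:00:0{i},000 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - "
    f"Granted service ticket [{t}] for service [{SERVICE}] for user [fwadmin]"
    for i, t in enumerate(TICKETS, 1))

# Broken deployment: every ST is presented to /cs, none ever reaches /cas/proxyValidate.
ACCESS_LOG_BROKEN = "\n".join(
    f'10.0.0.5 - - [01/May/2015:10:00:0{i} -0400] '
    f'"GET /cs/wem/fatwire/wem/Welcome?ticket={t} HTTP/1.1" 302 -'
    for i, t in enumerate(TICKETS, 1))

# Healthy deployment: ST-1 is presented, validated server-to-server, then the page loads.
# (ST-2/ST-3 are granted in CAS_LOG but never presented here, so they are not flagged.)
ACCESS_LOG_HEALTHY = (
    f'10.0.0.5 - - [01/May/2015:10:00:01 -0400] '
    f'"GET /cs/wem/fatwire/wem/Welcome?ticket={TICKETS[0]} HTTP/1.1" 302 -\n'
    f'10.0.0.9 - - [01/May/2015:10:00:01 -0400] '
    f'"GET /cas/proxyValidate?&ticket={TICKETS[0]}&service={ENC_SERVICE} HTTP/1.1" 200 412\n'
    f'10.0.0.5 - - [01/May/2015:10:00:02 -0400] "GET /cs/wem/fatwire/wem/Welcome HTTP/1.1" 200 9182')

if __name__ == "__main__":
    for row in unvalidated_tickets(CAS_LOG, ACCESS_LOG_BROKEN):
        print("never validated:", *row)
    print("login loops:", login_loops(CAS_LOG, ACCESS_LOG_BROKEN))
```

Run it against the real cas.log and the access log of the application server that hosts both /cs and /cas; if the validation calls are served by a different container, feed that container's access log as well, since parse_access only sees what is in the text it is given.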

 

With DEBUG logging enabled for org.jasig.cas.client and TRACE for com.fatwire.wem.sso.cas.filter.CASFilter, sites.log shows the validation attempt failing at the TLS handshake, after which the filter treats the request as if it carried no ticket and redirects to the CAS login page:

[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] -----------[ doFilter entered ]---------------
[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] GET:filter entry: /cs/wem/fatwire/wem/Welcome?ticket=ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1
[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] isStateful=true, isStateless=false, Session=586E5E7DD867BA611E6161B87FAED180
[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] multiticket=null, ticket=ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1, gateway=null
[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] Request hit the protected area. Request [https://hostname:port/cs/wem/fatwire/wem/Welcome] from <client IP>
[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] Ticket ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1 is being validated
[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] Start reconstructing 'service' parameter, original request https://hostname:port/cs/wem/fatwire/wem/Welcome?ticket=ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1
[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] End reconstructing 'service' parameter, service https://hostname:port/cs/wem/fatwire/wem/Welcome
[YYYY-MM-DD HH:mm:SS,sss EDT] [DEBUG] [apr-exec-3] [cas.client.validation.Cas20ProxyTicketValidator] Placing URL parameters in map.
[YYYY-MM-DD HH:mm:SS,sss EDT] [DEBUG] [apr-exec-3] [cas.client.validation.Cas20ProxyTicketValidator] Calling template URL attribute map.
[YYYY-MM-DD HH:mm:SS,sss EDT] [DEBUG] [apr-exec-3] [cas.client.validation.Cas20ProxyTicketValidator] Loading custom parameters from configuration.
[YYYY-MM-DD HH:mm:SS,sss EDT] [DEBUG] [apr-exec-3] [cas.client.validation.Cas20ProxyTicketValidator] Constructing validation url: https://hostname:port/cas/proxyValidate?&ticket=ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1&service=https%3A%2F%2Fhostname%3Aport%2Fcs%2Fwem%2Ffatwire%2Fwem%2FWelcome
[YYYY-MM-DD HH:mm:SS,sss EDT] [DEBUG] [apr-exec-3] [cas.client.validation.Cas20ProxyTicketValidator] Retrieving response from server.
[YYYY-MM-DD HH:mm:SS,sss EDT] [ERROR] [apr-exec-3] [cas.client.util.CommonUtils] sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:281)
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:33)
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
    at com.fatwire.wem.sso.cas.CASProvider.validate(CASProvider.java:310)
    at com.fatwire.wem.sso.cas.filter.CASFilter.doFilter(CASFilter.java:563)
    at com.fatwire.wem.sso.SSOFilter.doFilter(SSOFilter.java:51)
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 37 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 43 more
...
[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] No ticket/multiticket parameter is present in the request. Preparing to redirect
[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] Start reconstructing 'service' parameter, original request https://hostname:port/cs/wem/fatwire/wem/Welcome?ticket=ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1
[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] End reconstructing 'service' parameter, service https://hostname:port/cs/wem/fatwire/wem/Welcome
[YYYY-MM-DD HH:mm:SS,sss EDT] [TRACE] [apr-exec-3] [sso.cas.filter.CASFilter] No ticket/multiticket parameter is present in the request. Sending redirect to [https://hostname:port/cas/login?service=https%3A%2F%2Fhostname%3Aport%2Fcs%2Fwem%2Ffatwire%2Fwem%2FWelcome]. Request [https://hostname:port/cs/wem/fatwire/wem/Welcome] from <client IP>
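
The trace above shows the client-side sequence stopping at the TLS handshake: the validation URL is built, the HTTPS connection to CAS fails PKIX path building, and the filter falls through to "no ticket present" and redirects to /cas/login. That is the correct, fail-closed reaction: a CAS server whose certificate cannot be verified cannot be trusted to vouch for a user. The Python below models that step as an added example (not code from this note or from the Jasig CAS client): it builds the same proxyValidate URL, parses a CAS 2.0 XML reply, and treats a handshake error and a failure reply alike as "not authenticated". CAS_PREFIX, the fetch callables and the two XML replies are constructed; the ticket and service values are the ones in the trace.

```python
"""Model of the CAS 2.0 ticket-validation step that the trace shows failing:
build the proxyValidate URL, fetch it over HTTPS, parse the XML reply, and
accept the ticket only on an explicit, well-formed success.

Added example, not code from the Oracle note or the Jasig CAS client.
CAS_PREFIX, the fetch callables and the XML replies are constructed.
"""
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"           # CAS 2.0 response namespace
CAS_PREFIX = "https://hostname:port/cas"         # assumed; 'port' is the note's placeholder
TICKET = "ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1"
SERVICE = "https://hostname:port/cs/wem/fatwire/wem/Welcome"


class TicketValidationError(Exception):
    """CAS answered, but did not vouch for the ticket."""


def validation_url(ticket: str, service: str, cas_prefix: str = CAS_PREFIX) -> str:
    """Same shape as the 'Constructing validation url' line in sites.log.
    'service' must be exactly the URL the ST was issued for; CAS rejects a mismatch."""
    return f"{cas_prefix}/proxyValidate?&" + urlencode({"ticket": ticket, "service": service})


def parse_validation_response(xml_text: str) -> str:
    """Return the user named in <cas:authenticationSuccess>; raise otherwise."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise TicketValidationError(f"unparseable CAS reply: {exc}") from exc
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise TicketValidationError(f"unexpected root element {root.tag}")
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        raise TicketValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    user = (success.findtext(f"{{{CAS_NS}}}user") or "").strip() if success is not None else ""
    if not user:
        raise TicketValidationError("no authenticationSuccess/user in reply")
    return user


def authenticate(ticket: str, service: str, fetch):
    """What the protected application does with a presented ticket.
    fetch(url) -> str performs the HTTPS GET to CAS. Returns (user, "validated")
    or (None, reason); on the latter the caller redirects to /cas/login, which
    is the CASFilter behaviour in the trace."""
    url = validation_url(ticket, service)
    try:
        return parse_validation_response(fetch(url)), "validated"
    except (TicketValidationError, OSError) as exc:
        # ssl.SSLError (Python's counterpart of the SSLHandshakeException in the
        # trace) is an OSError: an unverifiable CAS server is not trusted to vouch
        # for anyone, so the ticket is dropped rather than accepted.
        return None, f"redirect to {CAS_PREFIX}/login: {exc}"


# Constructed CAS 2.0 replies.
SUCCESS_XML = f"""<cas:serviceResponse xmlns:cas='{CAS_NS}'>
  <cas:authenticationSuccess><cas:user>fwadmin</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = f"""<cas:serviceResponse xmlns:cas='{CAS_NS}'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket {TICKET} not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def fetch_ok(url: str) -> str:          # CAS reachable, ticket valid
    return SUCCESS_XML

def fetch_invalid(url: str) -> str:     # CAS reachable, ticket unknown or already used
    return FAILURE_XML

def fetch_untrusted(url: str) -> str:   # truststore lacks the CA: handshake fails, as in the trace
    raise ssl.SSLCertVerificationError("certificate verify failed: unable to get local issuer certificate")


if __name__ == "__main__":
    print(validation_url(TICKET, SERVICE))
    for fetch in (fetch_ok, fetch_invalid, fetch_untrusted):
        print(f"{fetch.__name__}: {authenticate(TICKET, SERVICE, fetch)}")
```

The remedy for the symptom therefore belongs on the trust side (the Sites JVM must trust the CA that issued the CAS server's certificate), not in the validator: replacing the TrustManager or hostname verifier with a permissive one would make the loop disappear by accepting tickets from any server that answers on that address.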

 

Changes

Sites and CAS were configured to use HTTPS. The certificates were imported into a custom keystore rather than into the JVM's default truststore. A Java client verifies a server's certificate against the truststore the JVM is actually running with (by default jre/lib/security/cacerts, or the file named by -Djavax.net.ssl.trustStore), so a CA chain imported anywhere else does not help the outbound validation call.

Cause

