Try importing the keystore into the JRE keystore that Jboss references
in $JAVA_HOME/jre/lib/security/cacerts...

________________________________

From: Bruno Melloni [mailto:[email protected]] 
Sent: Thursday, February 26, 2009 3:58 PM
To: [email protected]
Subject: [cas-user] CAS, jBoss and self-signed certificates



I got CAS and a first application that uses it working on Tomcat 6.  I
am now trying to move them to jBoss and having problems with the
certificates.

 

When I installed for Tomcat, I used the instructions in step 2 of
http://www.ja-sig.org/wiki/display/CASUM/Demo. Worked beautifully.
HTTPS worked, CAS recognized it, and everything worked great.

 

With jBoss I first discovered that the approach above puts the private
key in the Java keystore, and the exported/imported public key in the
Tomcat keystore.  jBoss doesn't like that approach.  It wants the
private key in its keystore and does not seem to rely on an
exported/imported public key.  

- I gave jBoss what it wanted by adding "-keystore
  <jboss>/conf/server.keystore" to the example line that has the -genkey.
- jBoss now handles HTTPS just fine.
- CAS didn't like that.

 

Here is what happens:

 

- The server starts fine, no errors.
- I start the application.  Fine, no errors.
- I go to a secure page.  CAS correctly intercepts and reroutes
  to the login screen.
- I enter the username and password and hit OK.
- In the logs I see a debug entry from my custom
  AuthenticationHandler that indicates the authentication was successful.
- In the logs I also see a CAS message saying that a ticket was
  granted for service
  [https://<myServer>:8443/sso/j_spring_cas_security_check]
- Immediately after, where I presume that CAS is trying to make
  the callback to my application, I get the exception:

 

15:33:51,989 ERROR [Cas20ServiceTicketValidator]
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target

 

It seems like I'm very close, but missing a critical.  Any ideas?

 

Thanks,

 

b.


-- 
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
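
The import suggested in the reply at the top of this thread, written out as an added shell example (not code from either poster or from the CAS project). It exports only the certificate from the JBoss keystore and adds it to the JVM trust store. The alias `jboss`, the `JBOSS_CONF` and `KS_PASS` variables and the `/tmp/jboss.crt` path are assumptions.

```shell
#!/bin/sh
# Added example: make the JVM that runs CAS trust the self-signed certificate
# held in the JBoss keystore. Only the certificate is copied, never the key.

# export_cert KEYSTORE STOREPASS ALIAS OUT_FILE
export_cert() {
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" \
            -alias "$3" -file "$4"
}

# cert_fingerprint CERT_FILE -> prints the SHA-256 fingerprint
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# is_trusted TRUSTSTORE STOREPASS CERT_FILE
# Succeeds only if this exact certificate (matched by fingerprint, not by
# alias) is already in the trust store.
is_trusted() {
    fp=$(cert_fingerprint "$3")
    [ -n "$fp" ] || return 1
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null |
        grep -qF "$fp"
}

# trust_cert TRUSTSTORE STOREPASS ALIAS CERT_FILE
# Idempotent import. If the alias exists with a different certificate
# (for example after the key pair was regenerated), keytool refuses and the
# error is surfaced instead of leaving a stale entry trusted.
trust_cert() {
    if is_trusted "$1" "$2" "$4"; then
        return 0
    fi
    keytool -importcert -noprompt -keystore "$1" -storepass "$2" \
            -alias "$3" -file "$4"
}

# Usage (alias "jboss", JBOSS_CONF and KS_PASS are assumptions; "changeit" is
# the stock cacerts password):
#   export_cert "$JBOSS_CONF/server.keystore" "$KS_PASS" jboss /tmp/jboss.crt
#   cert_fingerprint /tmp/jboss.crt   # compare with the certificate served on 8443
#   trust_cert "$JAVA_HOME/jre/lib/security/cacerts" changeit jboss /tmp/jboss.crt
# Restart JBoss afterwards so the JVM loads the updated trust store.
```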