Thank you for your help. Okay, our CAS team sent me an Intermediate CA
certificate in PEM format for VeriSign. The file is
"verisign_int_ca.cer". I made a keystore file using keytool.

$JAVA_HOME\bin>keytool -import -alias verisign_int_ca -keystore d:\tomcat6.0\conf\.keystore -trustcacerts -file verisign_int_ca.cer

And I modified server.xml of Tomcat like this.

<Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200" scheme="https" secure="true"
           SSLEnabled="true"
           keystoreFile="conf/.keystore" keystorePass="password"
           clientAuth="false" sslProtocol="TLS"/>

But, I get "jsse.invalid_ssl_conf" exception message when I start up
Tomcat. Any idea?

java.io.IOException: jsse.invalid_ssl_conf
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:746)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:451)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:129)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:503)
    at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1058)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:742)
    ... 15 more
Sep 29, 2009 4:37:40 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed: java.io.IOException: jsse.invalid_ssl_conf
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1060)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)

-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: Tuesday, September 29, 2009 7:34 AM
To: [email protected]
Subject: Re: [cas-user] PKIX path building failed: What do I have to do?

> Do I need a certificate from an authorized CA?

No.

> Or is there a way to avoid this?

Yes. Import the certificate of your CAS server, or the issuer
certificate if applicable, into the Java truststore of the CAS client
application. There are a number of resources on the Web for doing
this if you're familiar with Java SSL setup. I'll make my usual plug
for
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html;
this is required reading if you really want to understand the Java SSL
API.

M
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
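
Added example, not part of the original thread and not Tomcat or CAS code: keytool -import of a CA certificate creates a trusted-certificate entry, whereas the exception above reports that the server keystore offers no certificate or key to serve. The code reads the JKS container directly and reports the entry kinds, assuming a version-2 JKS file (keytool's default format at the time); the alias "tomcat", the helper names and the placeholder key/certificate bytes are constructed for illustration.

```python
import hashlib
import struct

PRIVATE_KEY, TRUSTED_CERT = 1, 2  # JKS entry tags

def _digest(password, body):  # SHA-1 over UTF-16BE password, fixed string, keystore body
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def _skip(buf, pos, fmt):
    """Skip a length-prefixed field (">H" prefix for strings, ">I" for blobs)."""
    (n,) = struct.unpack_from(fmt, buf, pos)
    return pos + struct.calcsize(fmt) + n

def jks_entries(data, password):
    """List (alias, kind) in a version-2 JKS file after verifying its digest."""
    body = data[:-20]
    if _digest(password, body) != data[-20:]:
        raise ValueError("wrong password or corrupted keystore")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != 0xFEEDFEED or version != 2:
        raise ValueError("not a version-2 JKS keystore")
    pos, out = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        end = _skip(body, pos + 4, ">H")
        alias = body[pos + 6:end].decode()
        pos, chain = end + 8, 1  # skip 8-byte timestamp; trusted entry holds one cert
        if tag == PRIVATE_KEY:
            pos = _skip(body, pos, ">I")  # encrypted private key
            (chain,), pos = struct.unpack_from(">I", body, pos), pos + 4
        for _ in range(chain):  # each certificate: type string, then DER blob
            pos = _skip(body, _skip(body, pos, ">H"), ">I")
        out.append((alias, "PrivateKeyEntry" if tag == PRIVATE_KEY else "trustedCertEntry"))
    return out

def usable_as_server_keystore(entries):  # a TLS server needs a private-key entry
    return any(kind == "PrivateKeyEntry" for _, kind in entries)

def build_sample(password, entries):
    """Constructed sample: JKS layout with placeholder bytes, not real keys or certs."""
    utf = lambda s: struct.pack(">H", len(s)) + s
    body = struct.pack(">III", 0xFEEDFEED, 2, len(entries))
    for alias, tag in entries:
        key = struct.pack(">I", 3) + b"KEY" + struct.pack(">I", 1) if tag == PRIVATE_KEY else b""
        body += struct.pack(">I", tag) + utf(alias.encode()) + struct.pack(">Q", 0) + key
        body += utf(b"X.509") + struct.pack(">I", 4) + b"CERT"
    return body + _digest(password, body)

CA_ONLY = build_sample("password", [("verisign_int_ca", TRUSTED_CERT)])
WITH_KEY = build_sample("password", [("tomcat", PRIVATE_KEY), ("verisign_int_ca", TRUSTED_CERT)])
```

A keystore shaped like CA_ONLY works as a client truststore, as in the quoted advice, but usable_as_server_keystore returns False for it; the same functions can be pointed at a real file with jks_entries(open(path, "rb").read(), password).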