Hi,

The public signed certificate you have configured needs to be loaded in the
trust store (not in the key store) of the client server making connections to the
CAS server.
You can import the certificate either into the JDK's
jre/lib/security/cacerts (the default trust store), or you can create a trust
store and specify it using JVM arguments or configure it in the
server config files.
You can find the details at the link below:
http://www.ja-sig.org/wiki/display/CASUM/HOWTO+Configure+JBoss+for+HTTPS

On Tue, Sep 29, 2009 at 4:51 PM, Lee, Sung <[email protected]> wrote:

> Thank you for your help. Okay, our CAS team sent me an Intermediate CA
> certificate in PEM format for VeriSign. The file is
> "verisign_int_ca.cer". I made a keystore file using keytool.
>
> $JAVA_HOME\bin>keytool -import -alias verisign_int_ca -keystore d:\tomcat6.0\conf\.keystore -trustcacerts -file verisign_int_ca.cer
>
> And I modified server.xml of Tomcat like this.
>
> <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
> enableLookups="true" disableUploadTimeout="true"
>  acceptCount="100"  maxThreads="200" scheme="https" secure="true"
> SSLEnabled="true"
>  keystoreFile="conf/.keystore" keystorePass="password"
> clientAuth="false" sslProtocol="TLS"/>
>
> But, I get "jsse.invalid_ssl_conf" exception message when I start up
> Tomcat. Any idea?
>
>
> java.io.IOException: jsse.invalid_ssl_conf
>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:746)
>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:451)
>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:129)
>        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:503)
>        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
>        at org.apache.catalina.connector.Connector.initialize(Connector.java:1058)
>        at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>        at java.lang.reflect.Method.invoke(Unknown Source)
>        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>        at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
>        at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:742)
>        ... 15 more
> Sep 29, 2009 4:37:40 PM org.apache.catalina.startup.Catalina load
> SEVERE: Catalina.start
> LifecycleException:  Protocol handler initialization failed: java.io.IOException: jsse.invalid_ssl_conf
>        at org.apache.catalina.connector.Connector.initialize(Connector.java:1060)
>        at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>        at java.lang.reflect.Method.invoke(Unknown Source)
>        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>
>
> -----Original Message-----
> From: Marvin Addison [mailto:[email protected]]
> Sent: Tuesday, September 29, 2009 7:34 AM
> To: [email protected]
> Subject: Re: [cas-user] PKIX path building failed: What do I have to do?
>
> > Do I need a certificate from an authorized CA?
>
> No.
>
> > Or is there a way to avoid this?
>
> Yes.  Import the certificate of your CAS server, or the issuer
> certificate if applicable, into the Java truststore of the CAS client
> application.  There are a number of resources on the Web for doing
> this if you're familiar with Java SSL setup.  I'll make my usual plug for
> http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html;
> this is required reading if you really want to understand the Java SSL
> API.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
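
The trust store versus key store distinction discussed above, as an added example that is not part of the original messages: a small Java check that reports which entries in a keystore file are key entries and which are trusted-certificate entries. The class name `KeystoreRoleCheck` and its output wording are made up for illustration; a file created only by `keytool -import` of a CA certificate holds no key entry, so it can serve as a trust store but gives a Connector's `keystoreFile` no server key to present.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Added example (hypothetical class name): classify the entries of a keystore file.
public class KeystoreRoleCheck {

    // Returns {keyEntries, trustedCertEntries} and prints one line per alias.
    static int[] countEntries(KeyStore ks) throws Exception {
        int[] counts = new int[2];
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // For keytool-generated key pairs: a private key plus its certificate chain.
                counts[0]++;
                System.out.println(alias + ": key entry");
            } else if (ks.isCertificateEntry(alias)) {
                // What "keytool -import -trustcacerts" creates: a trust anchor, no private key.
                counts[1]++;
                System.out.println(alias + ": trusted certificate entry");
            }
        }
        return counts;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: java KeystoreRoleCheck <keystore-file>  (run from a terminal)");
            System.exit(2);
        }
        // Prompt instead of taking the password as an argument, so it stays out of the process list.
        char[] password = console.readPassword("Store password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        int[] counts = countEntries(ks);
        if (counts[0] == 0) {
            System.out.println("No key entry: usable only as a trust store "
                + "(-Djavax.net.ssl.trustStore=<file>), not as a server keystore.");
        } else {
            System.out.println(counts[0] + " key entry(ies): usable as a server keystore.");
        }
        System.out.println(counts[1] + " trusted certificate entry(ies) available as trust anchors.");
    }
}
```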
