More on this
<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<Connector port="443" maxHttpHeaderSize="8192"
       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
       enableLookups="false" disableUploadTimeout="true"
       acceptCount="100" scheme="https" secure="true"
       clientAuth="want" sslProtocol="TLS"
       keystoreFile="/path/to/keystore.jks" keystorePass="secret"
       truststoreFile="/path/to/myTrustStore.jks" truststorePass="secret" />
<!-- if you do not specify a truststoreFile, then the default java
"cacerts" truststore will be used -->

On Tue, Sep 29, 2009 at 5:56 PM, Harikrishnan R. <[email protected]> wrote:

> Hi,
>
> The public signed certificate you have configured needs to be loaded in
> the Trust store (not in Keys store) of the client server making connections to
> the CAS server.
> You can import the certificate either to the JDK's
> jre/lib/security/cacerts(default trust store) or you can create a trust
> store and specify the trust store using JVM arguments or configure it in the
> server config files.
> You can find the details in the link below:
> http://www.ja-sig.org/wiki/display/CASUM/HOWTO+Configure+JBoss+for+HTTPS
> On Tue, Sep 29, 2009 at 4:51 PM, Lee, Sung <[email protected]> wrote:
>
>> Thank you for your help. Okay, our CAS team sent me an Intermediate CA
>> certificate in PEM format for VeriSign. The file is
>> "verisign_int_ca.cer". I made a keystore file using keytool.
>>
>> $JAVA_HOME\bin>keytool -import -alias verisign_int_ca -keystore
>> d:\tomcat6.0\conf\.keystore -trustcacerts -file verisign_int_ca.cer
>>
>> And I modified server.xml of Tomcat like this.
>>
>> <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
>> enableLookups="true" disableUploadTimeout="true"
>>  acceptCount="100"  maxThreads="200" scheme="https" secure="true"
>> SSLEnabled="true"
>>  keystoreFile="conf/.keystore" keystorePass="password"
>> clientAuth="false" sslProtocol="TLS"/>
>>
>> But, I get "jsse.invalid_ssl_conf" exception message when I start up
>> Tomcat. Any idea?
>>
>>
>> java.io.IOException: jsse.invalid_ssl_conf
>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:746)
>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:451)
>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:129)
>>        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:503)
>>        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
>>        at org.apache.catalina.connector.Connector.initialize(Connector.java:1058)
>>        at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>>        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
>>        at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
>>        at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>>        at java.lang.reflect.Method.invoke(Unknown Source)
>>        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>> Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>>        at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
>>        at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:742)
>>        ... 15 more
>> Sep 29, 2009 4:37:40 PM org.apache.catalina.startup.Catalina load
>> SEVERE: Catalina.start
>> LifecycleException:  Protocol handler initialization failed: java.io.IOException: jsse.invalid_ssl_conf
>>        at org.apache.catalina.connector.Connector.initialize(Connector.java:1060)
>>        at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>>        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
>>        at org.apache.catalina.startup.Catalina.load(Catalina.java:535)
>>        at org.apache.catalina.startup.Catalina.load(Catalina.java:555)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>>        at java.lang.reflect.Method.invoke(Unknown Source)
>>        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>>
>>
>> -----Original Message-----
>> From: Marvin Addison [mailto:[email protected]]
>> Sent: Tuesday, September 29, 2009 7:34 AM
>> To: [email protected]
>> Subject: Re: [cas-user] PKIX path building failed: What do I have to do?
>>
>> > Do I need a certificate from an authorized CA?
>>
>> No.
>>
>> > Or is there a way to avoid this?
>>
>> Yes.  Import the certificate of your CAS server, or the issuer
>> certificate if applicable, into the Java truststore of the CAS client
>> application.  There are a number of resources on the Web for doing
>> this if you're familiar with Java SSL setup.  I'll make my usual plug
>> for
>> http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html;
>> this is required reading if you really want to understand the Java SSL
>> API.
>>
>> M
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>
>>
>
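
The keystore/truststore split discussed in this thread, as an added example that is not part of any poster's message: it builds a throwaway server keystore and a certificate-only truststore with keytool and checks which of the two holds a private key. A store populated only with `keytool -import`, like the one in the quoted message, holds trustedCertEntry items and no PrivateKeyEntry, which is the condition behind the SSLException in the quoted trace. The aliases, CN, file names and password are constructed values.

```shell
#!/bin/sh
# Added example. Aliases, CN, file names and the password are constructed throwaway values.
PASS=changeit

# Build two stores in directory $1:
#   server.jks - key pair plus self-signed certificate -> keystoreFile
#   trust.jks  - that certificate only                 -> truststoreFile
build_demo_stores() {
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 30 \
    -dname "CN=cas.example.org" -storetype JKS \
    -keystore "$1/server.jks" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1 &&
  keytool -exportcert -rfc -alias tomcat -file "$1/server.cer" \
    -keystore "$1/server.jks" -storepass "$PASS" >/dev/null 2>&1 &&
  keytool -importcert -noprompt -alias cas-server -file "$1/server.cer" \
    -storetype JKS -keystore "$1/trust.jks" -storepass "$PASS" >/dev/null 2>&1
}

# Succeeds only if store $1 contains at least one private key entry.
# A JSSE server connector needs one; a trusted-certificate entry is not enough.
has_private_key() {
  keytool -J-Duser.language=en -list -keystore "$1" -storepass "$PASS" 2>/dev/null |
    grep -q 'PrivateKeyEntry'
}

if command -v keytool >/dev/null 2>&1; then   # needs a JDK on PATH
  dir=$(mktemp -d)
  build_demo_stores "$dir" || echo "keytool failed to build the demo stores" >&2
  for store in server.jks trust.jks; do
    if has_private_key "$dir/$store"; then
      echo "$store: has a PrivateKeyEntry, usable as keystoreFile"
    else
      echo "$store: certificates only, use as truststoreFile;"
      echo "  as keystoreFile it fails with 'No available certificate or key"
      echo "  corresponds to the SSL cipher suites which are enabled'"
    fi
  done
  rm -rf "$dir"
fi
```

Running `has_private_key` against the file named in a connector's `keystoreFile` before starting Tomcat catches this misconfiguration without waiting for the startup trace.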
