Hi Jeff, Is your Tomcat configured to use OpenSSL or JSSE for the SSL on Tomcat? That determines what keystore you'll need to install to. If it's openssl, you can add the CA cert via the openssl command. Otherwise, you'll need to use the keytool app to install it to the certificate store associated with the JRE that's running Tomcat and/or the keystoreFile defined in Tomcat's server.xml file. I think I ran into the same problems as you until I realized that the keystoreFile wasn't enough--it also needed to be in the JRE's cacerts keystore (default pw is changeit I think).
The experience is coming from getting Tomcat set up on Windows so I could test the DotNetCasClient. It may or may not be relevant for the Linux configuration.

-ScottH

> -----Original Message-----
> From: Jeff Chapin [mailto:[email protected]]
> Sent: Monday, April 05, 2010 3:59 PM
> To: [email protected]
> Subject: Re: [cas-user] SSL Error
>
> Marvin,
>
> Thanks for your help, but I am still running into trouble. I have tried importing the Digicert Global CA from the website, as well as the CA file provided to us in the bundle we got when we registered for an SSL. I imported these both into .keystore in my user's home dir, as there is no reference to a keystore in the tomcat configuration file, and I still see the same error.
>
> Any more advice would be appreciated.
>
> Jeff
>
> Marvin Addison wrote:
> >> ...
> >> org.jasig.cas.util.HttpClient$MessageSender.call(HttpClient.java:195)
> >> at org.jasig.cas.util.HttpClient$MessageSender.call(HttpClient.java:160)
> >> at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
> >> at java.util.concurrent.FutureTask.run(FutureTask.java:138)
> >> at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> >> ...
> >
> > From the stack trace it looks like this is occurring on single sign-out where CAS sends the LogoutMessage to clients. In that case it is the CAS _server_ that doesn't trust your DigiCert certificate on the client. Import the DigiCert CA cert into your CAS server truststore and this should go away.
> >
> > M
>
> --
> Jeff Chapin,
> Assistant Systems/Applications Administrator
> ITS-IS, University of Northern Iowa
> Phone: 319-273-3162 Email: [email protected]
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
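Scott's advice above (get the CA into the JRE's cacerts, not only Tomcat's keystoreFile, since that is the truststore the CAS server uses for its outbound single sign-out calls) as an added shell example that is not part of this thread. It assumes JAVA_HOME points at the JRE running Tomcat, a script name of import-ca.sh and an alias of digicert-global-ca; all three are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: put a CA certificate into the truststores a
# JSSE-based Tomcat consults, then verify it landed. Assumes JAVA_HOME is the
# JRE/JDK running Tomcat and that this file is saved as import-ca.sh (assumed name).

# Resolve cacerts for a JAVA_HOME: a JDK up to Java 8 keeps it under
# jre/lib/security, a bare JRE (or Java 9+) under lib/security.
# Prints the path and returns 0, or returns 1 if neither exists.
find_cacerts() {
  for candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Import one certificate under an alias. keytool rejects a duplicate alias, so an
# existing entry is reported instead of re-imported. The store password comes
# from the STOREPASS environment variable, keeping it out of the process list.
import_ca() {
  keystore=$1; alias=$2; certfile=$3
  if keytool -list -keystore "$keystore" -storepass:env STOREPASS -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already present in $keystore"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -keystore "$keystore" \
    -storepass:env STOREPASS -alias "$alias" -file "$certfile"
}

main() {
  certfile=${1:?usage: import-ca.sh ca-cert.pem [keystoreFile-from-server.xml]}
  keystore_file=$2
  : "${STOREPASS:=changeit}"       # default for cacerts; set it for your own store
  export STOREPASS
  cacerts=$(find_cacerts "${JAVA_HOME:?set JAVA_HOME to the JRE running Tomcat}") ||
    { echo "no cacerts found under $JAVA_HOME" >&2; return 1; }
  # The JRE truststore is what the CAS server uses for outbound single sign-out
  # calls, so the CA has to be here even when keystoreFile also contains it.
  import_ca "$cacerts" digicert-global-ca "$certfile"
  [ -z "$keystore_file" ] || import_ca "$keystore_file" digicert-global-ca "$certfile"
  keytool -list -keystore "$cacerts" -storepass:env STOREPASS -alias digicert-global-ca
}

# Run only when executed as the script itself, so the functions can be sourced.
if [ "${0##*/}" = "import-ca.sh" ]; then main "$@"; fi
```

The final keytool -list is the check Jeff was missing: if the alias is not reported from the JRE's own cacerts, the CAS server still has no reason to trust the client's chain.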
