I am taking baby steps toward a clustered CAS environment. After successfully using CAS 3.3.1 on a single server for a while, I am now moving to a 1-node cluster using JBoss 5 for the node, and Apache Web Server with mod_jk for the load balancer (no application code resides on Apache). Since it is a single node, I don't have to worry (yet) about the calls going to the wrong server. Furthermore, the client apps are in the same server as CAS.
Without CAS, everything works fine. With CAS the authentication proceeds to the point where the ticket is granted, but fails during the callback to the app with the infamous "sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". I believe that I am using self-signed certificates incorrectly, but it is not clear what the 'correct' way would be. The following is what I have:

* Both Apache and JBoss are on server1. Apache on port 80/443, JBoss on 8080/8443. Calls to 80/443 are transparently passed to JBoss on 8080/8443. When I add a second cluster node, it will be server2 and contain only JBoss.
* I have a DNS alias 'testapps' pointed to server1.
* Applications only know about testapps. They are not aware of server1 or server2.
* Apache has testapps.key and testapps.crt in its conf folder, and the SSL configuration points to them. These were created with OpenSSL's tools, using the 'testapps' alias.
* JBoss uses a server.keystore created with keytool, containing a private key and certificate for the testapps alias, also created with keytool.
* Additionally, the certificate created with keytool is also stored in Java's cacerts file to deal with a possible JBoss 5 bug.
* All certificates are self-signed certificates.

My guess is that the problem stems from having two different certificates for testapps. I assume that removing the key and certs from server.keystore and cacerts and replacing them with the certificate from OpenSSL will make things work. But more importantly, my questions regarding the certificates are:

1. Am I doing the right thing by using the testapps alias for both the load balancer and servers?
2. Or should I be using the testapps alias just for the load balancer and using the server name(s) for JBoss? If I use this approach, I assume we need to make the load balancer and JBoss server(s) trust each other. Without something like a truststore for Apache, how would you give it the server's certificate? Add the server1 .crt to Windows?
3. Or... am I completely off my rocker and I need something different?

* Of course, although my questions are for a 1-node server right now, I'll need answers that work with any number of servers.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
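An added diagnostic example for the situation described in the post (this is not code from the original message, from CAS or from JBoss): a small Java program that opens a TLS connection to a host and port, records the certificate chain the endpoint actually presents, and reports whether the JVM's own path validation accepts that chain against a given truststore. It wraps the JVM's real X509TrustManager rather than disabling verification, so the "unable to find valid certification path" error is reproduced exactly as the CAS callback would see it. Run it once against testapps:443 (Apache) and once against testapps:8443 (JBoss) with the cacerts file the JBoss JVM uses; the two SHA-256 fingerprints show which of the two "testapps" certificates each port presents, and the result line shows which one that truststore trusts. The host names, ports and truststore path are taken from the post as assumptions; "changeit" is the JDK's default cacerts password.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Reports which certificate a TLS endpoint presents and whether a given truststore accepts it. */
public class TrustCheck {

    /** Wraps the JVM's real trust manager so the presented chain and the validation error are captured. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] seenChain;
        CertificateException failure;

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            seenChain = chain;                       // remember what the server sent, trusted or not
            try {
                delegate.checkServerTrusted(chain, authType);   // real path validation against the truststore
            } catch (CertificateException e) {
                failure = e;                         // carries the SunCertPathBuilderException message
                throw e;
            }
        }

        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java TrustCheck <host> <port> [truststore] [password]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Default to the JVM's own cacerts, which is what the CAS client inside JBoss consults
        // unless javax.net.ssl.trustStore is set. "changeit" is the JDK default password.
        String trustStorePath = args.length > 2 ? args[2]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 3 ? args[3] : "changeit").toCharArray();

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager real = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { real = (X509TrustManager) tm; break; }
        }
        if (real == null) throw new IllegalStateException("no X509TrustManager available");
        RecordingTrustManager recorder = new RecordingTrustManager(real);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        String handshakeError = null;
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();                 // triggers checkServerTrusted on the recorder
        } catch (IOException e) {
            handshakeError = e.getMessage();
        }

        if (recorder.seenChain == null) {            // connection refused, or failure before certificates
            System.out.println("No certificate received from " + host + ":" + port + ": " + handshakeError);
            return;
        }
        System.out.println("Chain presented by " + host + ":" + port + ":");
        for (X509Certificate cert : recorder.seenChain) {
            System.out.println("  subject : " + cert.getSubjectX500Principal());
            System.out.println("  issuer  : " + cert.getIssuerX500Principal());
            System.out.println("  sha256  : " + sha256Fingerprint(cert));
        }
        if (recorder.failure == null) {
            System.out.println("Result: trusted by " + trustStorePath);
        } else {
            // Same failure the CAS callback hits: the presented certificate (or its issuer) is absent
            // from the truststore this JVM is using.
            System.out.println("Result: NOT trusted by " + trustStorePath + " -> " + recorder.failure.getMessage());
        }
    }
}
```

Compare the sha256 line with the fingerprints shown by `keytool -list -v -keystore server.keystore` and `openssl x509 -in testapps.crt -noout -fingerprint -sha256`. In the setup described, port 443 presents the OpenSSL-generated certificate while cacerts holds the keytool-generated one, so the 443 check reports "NOT trusted"; whichever certificate the CAS client actually reaches through the load balancer is the one (or its issuing CA) that has to be in the truststore the JVM consults.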
