On 23.05.2011 22:53, Marvin Addison wrote:
If I change the Tomcat HTTPS connector to use JSSE (Java keystore certificates)
and disable the APR listener, everything works fine without any further change.
Did I miss something?

This is a ticket validation problem.  As far as I can tell the root
cause is requiring client authentication in the connector with the
following directive:

SSLVerifyClient="require"

I'm not aware of any use case for client auth with ticket validation,
so I'd recommend turning it off or configuring another connector for
ticket validation that doesn't require it.

This is not exactly true. At least at the University in Darmstadt we had a dual authentication stack allowing either X.509 smartcards or LDAP password lookups. But indeed it's a rare use case, and Gabriel probably does not want client verification by certificates.

But there is also another error: SSLCACertificateFile is the chain used to validate clients, but Gabriel probably only wants SSLCertificateChainFile to share the server chain.

@Gabriel: Please try a config like below.

Regards,

Joachim


<!-- SSLVerifyClient is deliberately absent: it defaults to "none", so CAS
     clients validating tickets do not need to present a certificate. -->
<!-- The server's intermediate certificates belong in SSLCertificateChainFile;
     SSLCACertificateFile is only the trust store for client certificates. -->
<Connector address="${sso.ip}" port="443" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           sslProtocol="TLSv1"
           SSLCipherSuite="AES:RC4:CAMELLIA:!ADH:!aNULL:!DH:!EDH:!eNULL:!LOW:!SSLv2:!EXP:!NULL"
           SSLCertificateFile="${tomcat.confdir}/certs/${sso.shortname}.pem"
           SSLCertificateKeyFile="${tomcat.confdir}/certs/${sso.shortname}.key"
           SSLPassword="xxxxxx"
           SSLCertificateChainFile="${tomcat.confdir}/certs/server-chain.pem"
           URIEncoding="UTF-8"
           compression="on"
           compressableMimeType="text/html,text/xml,text/plain,text/javascript,application/x-javascript,application/javascript,text/css"
           compressionMinSize="1024" />


--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

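Added example, not code from the thread or from the CAS project: a small Python lint that reads a Tomcat server.xml and flags the two APR connector mistakes discussed above, SSLVerifyClient="require" on the connector that CAS clients use for ticket validation, and SSLCACertificateFile set where SSLCertificateChainFile was meant. The attribute names are the documented Tomcat APR connector attributes; the embedded server.xml is constructed for this example (the first connector shows both problems, the second is the corrected shape Joachim suggests), and the file paths in it are placeholders.

```python
"""Lint a Tomcat server.xml for the two APR/OpenSSL connector mistakes
discussed in the thread: SSLVerifyClient="require" on the connector that
CAS clients use for ticket validation, and SSLCACertificateFile used where
SSLCertificateChainFile was meant.

Added example, not code from the thread or the CAS project. Attribute names
are the documented Tomcat APR connector attributes; the sample server.xml
below is constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not Gabriel's real config): port 443 shows both
# problems, port 8443 is the corrected shape Joachim suggests.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLSv1"
               SSLVerifyClient="require"
               SSLCertificateFile="/opt/tomcat/conf/certs/sso.pem"
               SSLCertificateKeyFile="/opt/tomcat/conf/certs/sso.key"
               SSLCACertificateFile="/opt/tomcat/conf/certs/server-chain.pem"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLSv1"
               SSLCertificateFile="/opt/tomcat/conf/certs/sso.pem"
               SSLCertificateKeyFile="/opt/tomcat/conf/certs/sso.key"
               SSLCertificateChainFile="/opt/tomcat/conf/certs/server-chain.pem"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

EXPLANATIONS = {
    "client-auth-required": (
        'SSLVerifyClient="require": every TLS client must present a certificate, '
        "so a CAS client calling /serviceValidate without one fails the handshake "
        "before the ticket is ever seen. Use none/optional, or a separate "
        "connector for ticket validation."),
    "client-auth-without-ca": (
        "client certificates are requested but neither SSLCACertificateFile nor "
        "SSLCACertificatePath is set, so there are no trust anchors to verify "
        "them against."),
    "no-chain-file": (
        "no SSLCertificateChainFile: intermediate CA certificates are not sent, "
        "so clients that do not already hold the intermediates cannot build a "
        "path to the server certificate."),
    "ca-file-not-chain": (
        "SSLCACertificateFile is the trust store for *client* certificates; it "
        "does not make the server send its own chain. If this file holds the "
        "server's intermediates, move it to SSLCertificateChainFile."),
}


def lint_connector(attrs):
    """Return finding codes (keys of EXPLANATIONS) for one HTTPS connector."""
    findings = []
    # Tomcat's documented default for SSLVerifyClient is "none".
    verify = attrs.get("SSLVerifyClient", "none").lower()
    has_client_ca = ("SSLCACertificateFile" in attrs
                     or "SSLCACertificatePath" in attrs)
    if verify == "require":
        findings.append("client-auth-required")
    if verify in ("require", "optional") and not has_client_ca:
        findings.append("client-auth-without-ca")
    if "SSLCertificateChainFile" not in attrs:
        findings.append("no-chain-file")
        if has_client_ca:
            findings.append("ca-file-not-chain")
    return findings


def lint_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its list of finding codes."""
    root = ET.fromstring(xml_text)
    results = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors have no TLS settings to lint
        results[conn.get("port", "?")] = lint_connector(conn.attrib)
    return results


def main(argv):
    # With no argument the embedded sample is linted; otherwise the given file.
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SERVER_XML
    for port, codes in lint_server_xml(xml_text).items():
        print(f"connector port {port}: {'OK' if not codes else ''}")
        for code in codes:
            print(f"  [{code}] {EXPLANATIONS[code]}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to lint the embedded sample, or pass the path to a real server.xml. To confirm the result against the running server, "openssl s_client -connect host:443" prints "Acceptable client certificate CA names" when the connector requests a client certificate and "No client certificate CA names sent" when it does not; adding -showcerts lists the chain the server actually sends, which is how you see whether the intermediates from SSLCertificateChainFile arrive.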