Hello all,

We have a Shibboleth IdP running the Java CAS Client. Accessing an SP results
in correct redirection to the CAS server. After login, redirection to the IdP
occurs (https://IDPURL/idp/Authn/RemoteUser?ticket=######) and the process
fails with the "PKIX path building failed" error in the Shib IdP process log.
No errors appear in the CAS logs.

Both the IdP and CAS servers in this case use our wildcard certificate for SSL.
In addition, CAS-Shib authentication succeeds when using another CAS
development server that has a typical SSL certificate (non-wildcard).

I have tried importing the PKCS12 wildcard into the Java keystore
($JAVA_HOME/jre/lib/security/cacerts) just in case.

Does anyone have any suggestions on what to check next?

Thank you,
Benjamin Mosior
Shippensburg University

The IdP error (I can post the full trace if this isn't sufficient):
ERROR [org.jasig.cas.client.util.CommonUtils:340] - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.6.0_22]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697) ~[na:1.6.0_22]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:258) ~[na:1.6.0_22]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:252) ~[na:1.6.0_22]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165) ~[na:1.6.0_22]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154) ~[na:1.6.0_22]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610) ~[na:1.6.0_22]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:546) ~[na:1.6.0_22]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945) ~[na:1.6.0_22]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190) ~[na:1.6.0_22]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1217) ~[na:1.6.0_22]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1201) ~[na:1.6.0_22]
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440) ~[na:1.6.0_22]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.6.0_22]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139) ~[na:1.6.0_22]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) ~[na:1.6.0_22]
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326) [cas-client-core-3.2.1.jar:3.2.1]
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305) [cas-client-core-3.2.1.jar:3.2.1]
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50) [cas-client-core-3.2.1.jar:3.2.1]
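
Added example, not part of the original post: the trace shows the IdP's JVM acting as the HTTPS client toward the CAS server and failing to chain the certificate it was shown to a trust anchor it holds. The script reproduces that condition offline with `openssl verify` on a constructed root CA, intermediate CA and wildcard leaf (all names and files are made up for the lab). A server that sends its leaf without the intermediate is one common way to reach this state; the post does not establish that it is the cause here.

```bash
#!/bin/sh
# Added example; every name and file here is constructed for the lab:
# throwaway root CA -> intermediate CA -> wildcard leaf for *.example.edu.
set -eu

build_lab_pki() {  # $1 = empty working directory
  d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.edu
EOF
  new_key_and_csr() {  # $1 = file stem, $2 = subject
    openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes -subj "$2" \
      -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
  }
  sign() {  # $1 = subject stem, $2 = issuer stem, $3 = extension section, $4 = serial
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
      -set_serial "$4" -days 2 -extfile "$d/lab.cnf" -extensions "$3" \
      -out "$d/$1.pem" 2>/dev/null
  }
  openssl req -x509 -config "$d/lab.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Lab Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  new_key_and_csr int "/CN=Lab Intermediate CA"; sign int root ca 2
  new_key_and_csr leaf "/CN=*.example.edu";      sign leaf int leaf 3
}

# True only if a path from the leaf to a trust anchor can be built.
# $1 = trust anchors (PEM), $2 = leaf, $3 = optional intermediates sent by the peer
path_builds() {
  out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) || true
  printf '%s\n' "$out" | grep -q ': OK$'
}

report() {  # $1 = label, remaining arguments are passed to path_builds
  label=$1; shift
  if path_builds "$@"; then echo "$label: path built"
  else echo "$label: no path to a trust anchor"; fi
}

lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
build_lab_pki "$lab"
report "leaf only"           "$lab/root.pem" "$lab/leaf.pem"
report "leaf + intermediate" "$lab/root.pem" "$lab/leaf.pem" "$lab/int.pem"
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder) lists the certificates the server actually sends, which is the input the validating JVM has to work with.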