I don't see where you are declaring the certificate file for the CA that 
issued the certificate.  This could explain the "unable to find valid 
certification path" error.


Brady McClenon
Senior Server Administrator
Applications Research & Development
Information Technology Services
SUNY College at Oneonta
607-436-3203

"Quotes found on the internet are not always accurate."  - Abraham Lincoln
From: Guy Thomas [mailto:[email protected]]
Sent: Tuesday, October 09, 2012 9:59 AM
To: [email protected]
Subject: [cas-user] Does CAS support a Tomcat APR setup of SSL instead of a JSSE setup?

I set up on localhost:

- a Tomcat for CAS
- a Tomcat with two simple services (successfully registered in a persistent 
  store using the hibernate config I found on the CAS site.)

Both Tomcats use the same JRE and both use the APR runtime library.

For the CAS Tomcat SSL is configured as follows:

<Connector port="11143" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="200" scheme="https" secure="true"
               clientAuth="false" sslProtocol="all"
               SSLCertificateFile="${catalina.home}/tomcatcert.pem"
               SSLCertificateKeyFile="${catalina.home}/tomcatkey.pem"
               SSLPassword="******" SSLVerifyClient="none"
               />

A similar config exists for the services Tomcat.

I also created a self-signed certificate in DER-format and imported it in the 
JRE cacerts file.


- Accessing a service and being rerouted to the CAS login: no problem
- Logging in with the correct credentials: successfully rerouted to the service
- On the service index page I inserted a link to the CAS logout action
- When logging out, I end up on the CAS logout page.
- However:
  o After logging out, I can still access the service (without being rerouted 
    to the CAS login page)
  o In the log I find the following error:

"Error Sending message to url endpoint 
[https://localhost:11043/additionservice/].  Error is 
[sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target"

This seems to be pointing at a certificate not being stored in the JRE's 
keystore (although it is).

My question is whether CAS can be set up with the APR runtime library. Is the 
above error caused by using APR?

Another question: when I want to move away from localhost and start using a 
"real" URL (for example, "www.vlaamsbrabant.be/cas") where in the CAS 
config do I have to replace localhost with the "real" URL?
These are the places I'm thinking of:
- In the services db
- In cas.properties: server.name=https://localhost:11143
- In classes/protocol_views.properties: casSamlServiceSuccessView.issuer=localhost
- In spring-configuration/uniqueIdGenerators.xml: <constructor-arg index="0" value="localhost:11143" />


Guy Thomas
Analyst-Programmer
Projects and Development Department

Provinciehuis
Provincieplein 1
3010 Leuven

Tel: 016267945


________________________________
No rights can be derived from this message. All messages sent to this 
professional e-mail address may be read by the employer. In the course of 
fulfilling our task of public interest we record your relevant personal data 
in our files. You may inspect and correct this data in accordance with the 
Personal Data Processing Act of 8 December 1992.

The company number of the provincial government is 0253.973.219
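To see where the error in the log above actually comes from, here is an added diagnostic (not code from the CAS project or from either poster). It does what the JVM inside CAS does when it posts the logout message to the service: it fetches the chain the service Tomcat presents on port 11043 and runs it through the JVM's default JSSE trust manager, which is backed by the JRE's cacerts whether the Tomcat connector is APR/OpenSSL or JSSE. The class name is mine; host and port default to the values from the log line, and the program must be run with the same JRE that runs CAS.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PkixPathCheck {
    // The trust manager CAS gets: JSSE, fed from this JRE's cacerts (or
    // -Djavax.net.ssl.trustStore). The APR connector only affects the server side.
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JVM's default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Capture-only manager: it records the chain the service presents so it can be
    // inspected; the real trust decision is made by defaultTrustManager() below.
    static X509Certificate[] fetchServerChain(String host, int port) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { seen[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return seen[0];
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost"; // the services Tomcat
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 11043;
        X509Certificate[] chain = fetchServerChain(host, port);
        for (X509Certificate c : chain) // the issuer DN must match a trust anchor's subject
            System.out.println("subject=" + c.getSubjectX500Principal() + " issuer=" + c.getIssuerX500Principal());
        try {
            defaultTrustManager().checkServerTrusted(chain, "RSA"); // same check as the logout callback
            System.out.println("PKIX path built OK: this JVM trusts the service certificate");
        } catch (CertificateException e) {
            // This is the ValidatorException from the CAS log: neither the certificate
            // nor its issuing CA is in the truststore this JVM actually uses.
            System.out.println("PKIX check failed: " + e.getMessage());
        }
    }
}
```

If it prints the same "unable to find valid certification path" message, the DER import went into a different cacerts than the one this JRE loads, or the presented chain is signed by a CA that was never imported.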

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
