Java isn't really my area of expertise, but I'll give you the high level overview from memory.
Try to browse to your app server's fully qualified domain name (ex. https://yourapp.yourdomain.com/) and to your CAS server's fully qualified domain name (ex. https://yourcasserver.yourdomain.com/) in your browser. Inspect the SSL certificate chains. You should be able to inspect and export the public key for the root level certificate from your browser on both sides (.cer or .der files). I'd recommend using the root level if you trust the root CA (if it's an organization-wide CA or a cheap but reputable SSL company). Otherwise, just export the lowest level one (the most specific one that matches your domain name).

Avoid using https://hostname/ anywhere in your config. They should always be fully-qualified.

If you don't need proxy ticket support, you should be able to just export the root certificate from your CAS server and configure the environment where your app is running. You'll need to use keytool to import it into the keystore that corresponds to the JVM that's running your app server (e.g. Tomcat). You should be able to figure out what JVM instance is running using ps (Linux) or Task Manager (Windows). I think each version of Java has its own keystore, so getting the right one is important.

If you need to get the CAS server to trust your app (proxy ticket support), you'd need to do the same thing on the JVM that's running your CAS server to trust your app's certificate. The instructions are slightly different if your app host is using OpenSSL, but the concept is the same. Either Java (typically via keytool) or OpenSSL (via openssl) needs to trust the certificate on the other side.

-ScottH

On Tue, Jul 2, 2013 at 11:36 AM, Lee Flaxington <[email protected]> wrote:

> Thanks - yes my suspicion was that it is a certificate issue & I have
> tried various ways of creating/naming the certs but no combination has
> worked so far. I would have more confidence that it is the certificate
> setup if the logs were showing any errors but they aren't (the logs are
> showing ssl information using -Djavax.net.debug=ssl in setenv.sh).
>
> Have you any ideas of further debug logging I could add that would show
> any certificate errors?
>
> Much appreciated
> Lee
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
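The steps Scott outlines (use only fully-qualified URLs, find the keystore of the JVM that actually runs the app server, export the CAS server's root certificate, import it with keytool) as a POSIX shell script. This is an added example, not code from the thread or from the CAS project; it assumes openssl and keytool are on PATH, that JAVA_HOME points at the JVM running Tomcat, and the host name and alias passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example: trust a CAS server's root certificate in the JVM that runs
# the application server. Assumes openssl + keytool are installed and that
# JAVA_HOME is the JVM found via ps / Task Manager (not necessarily the default).
set -e

# Guard against shorthand URLs such as https://hostname/ in the CAS config:
# returns 0 only when the host part of the URL contains a dot (i.e. is an FQDN).
is_fqdn_url() {
    host=$(printf '%s' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[:/].*$||')
    case "$host" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Locate the cacerts keystore that belongs to a given JAVA_HOME. Java 8 and
# older keep it under jre/lib/security, Java 9+ under lib/security.
cacerts_for_java_home() {
    for p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Fetch the chain the CAS server presents and keep only the last certificate
# (the highest-level one served, i.e. the root or the top intermediate) as PEM.
export_top_cert() {   # $1 = host (FQDN), $2 = port, $3 = output PEM file
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/{n++; inb=1}
             inb{blk[n]=blk[n] $0 "\n"}
             /-----END CERTIFICATE-----/{inb=0}
             END{printf "%s", blk[n]}' > "$3"
    [ -s "$3" ]   # fail if nothing was captured
}

# Import the PEM into the JVM keystore and verify the alias is now present.
# "changeit" is the stock cacerts password; it is a placeholder here.
import_into_jvm() {   # $1 = cacerts path, $2 = alias, $3 = PEM file
    keytool -importcert -noprompt -trustcacerts -keystore "$1" \
            -storepass changeit -alias "$2" -file "$3"
    keytool -list -keystore "$1" -storepass changeit -alias "$2"
}

# Usage: sh trust_cas.sh https://yourcasserver.yourdomain.com/ cas-root
# (runs only when arguments are given, so the functions can be sourced safely)
if [ $# -ge 2 ]; then
    url=$1; alias=$2
    is_fqdn_url "$url" || { echo "refusing non-FQDN URL: $url" >&2; exit 1; }
    host=$(printf '%s' "$url" | sed -e 's|^[a-zA-Z]*://||' -e 's|[:/].*$||')
    ks=$(cacerts_for_java_home "${JAVA_HOME:?set JAVA_HOME to the app server JVM}")
    export_top_cert "$host" 443 /tmp/cas-top.pem
    import_into_jvm "$ks" "$alias" /tmp/cas-top.pem
fi
```

Run it with the app server's JAVA_HOME exported first; if you need proxy ticket support, run the same script on the CAS host with your app's URL and JAVA_HOME so trust exists in both directions.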
