I have posted the question on the forum at this location:
http://jasig.275507.n4.nabble.com/PKIX-path-building-failed-sun-security-provider-certpath-SunCertPathBuilderException-unable-to-find-s-td4660131.html
Thank you Eddu. But without a CAS client, *can't we directly access the
services URL of the server in the browser to test it?*
*In my case, my client is also on the same Windows machine; it can be the same
Tomcat or a different Tomcat.* So it is basically configured to use the same
localhost SSL certificate.
I have imported the cert into the System's
JAVA_HOME/jre/lib/security/cacerts.
Thank you Marvin!
I have followed the SSL Reference guide:
But I am still getting the issue when trying to access the services URL in my
browser.
I have setup tomcat, to have the setenv.bat file as follows:
# Uncomment the next 4 lines for custom SSL keystore
# used by all deployed applications
set KEYSTORE="C:\tomcat6-CAS\conf\ssl\openssl\localhostServerKeystore.jks"
set CATALINA_OPTS=%CATALINA_OPTS%" -Djavax.net.ssl.keyStore=%KEYSTORE%"
set CATALINA_OPTS=%CATALINA_OPTS%" -Djavax.net.ssl.keyStoreType=JKS"
set CATALINA_OPTS=%CATALINA_OPTS%" -Djavax.net.ssl.keyStorePassword=changeit"
# Uncomment the next 4 lines to allow custom SSL trust store
# used by all deployed applications
set TRUSTSTORE="C:\Java\jdk1.6.0_24\jre\lib\security\cacerts"
set CATALINA_OPTS=%CATALINA_OPTS%" -Djavax.net.ssl.trustStore=%TRUSTSTORE%"
set CATALINA_OPTS=%CATALINA_OPTS%" -Djavax.net.ssl.trustStoreType=JKS"
set CATALINA_OPTS=%CATALINA_OPTS%" -Djavax.net.ssl.trustStorePassword=changeit"
# Uncomment the next line to print SSL debug trace in catalina.out
set CATALINA_OPTS=%CATALINA_OPTS%" -Djavax.net.debug=ssl"
Now, I don't know where to look for the SSL trace; it generates no
logs in the cas.log file or on Tomcat's console.
*Where should I look for the SSL trace? Or am I missing anything?*
Thanks
Shib
www.DonSarkar.com
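
An added diagnostic example (not part of the original message and not CAS project code) for the situation described above: it resolves the trust store a JVM would use, then handshakes with the server and reports whether each presented certificate is in that store. The class name `TrustStoreCheck`, the defaults `localhost` and `8443` (taken from the URL in the post) and the fallback password `changeit` are assumptions.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

public class TrustStoreCheck {
    // Same lookup order JSSE uses: -Djavax.net.ssl.trustStore, then jssecacerts, then cacerts.
    static File resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return new File(prop);
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.exists() ? jsse : new File(dir, "cacerts");
    }
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";          // assumed default
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;  // assumed default
        File file = resolveTrustStore();
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        final KeyStore ts = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(file);
        try { ts.load(in, pass.toCharArray()); } finally { in.close(); }
        System.out.println("Trust store: " + file + " (" + ts.size() + " entries)");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        final X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        // Wrapper that reports the presented chain, then applies the normal PKIX check.
        X509TrustManager reporting = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { pkix.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] chain, String a) throws CertificateException {
                for (X509Certificate c : chain) {
                    String alias = null;
                    try { alias = ts.getCertificateAlias(c); } catch (KeyStoreException e) { /* treated as absent */ }
                    System.out.println("  " + c.getSubjectX500Principal() + " issued by " + c.getIssuerX500Principal()
                            + " -> " + (alias == null ? "NOT in trust store" : "alias " + alias));
                }
                pkix.checkServerTrusted(chain, a); // validation itself is unchanged
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { reporting }, null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try { s.startHandshake(); System.out.println("Handshake OK"); }
        catch (SSLException e) { System.out.println("Handshake failed: " + e.getMessage()); }
        finally { s.close(); }
    }
}
```

Run it with the same `-Djavax.net.ssl.trustStore*` options that are passed to Tomcat to see what that JVM would load. It checks certificate-path trust only, not the hostname.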
On Thu, Jul 4, 2013 at 10:52 PM, Eddú Meléndez Gonzales <
[email protected]> wrote:
> Hi
>
> You have generated an SSL certificate in the CAS server, which must be installed in
> your client application. I think that in your case it is another server.
> On Jul 4, 2013 10:58 AM, "shibaram" <[email protected]> wrote:
>
>> Hi All,
>>
>> I have successfully deployed the CAS server (version cas-server-3.5.2)
>> on Tomcat 6.x with Java 1.6 on a Windows XP machine.
>> I have followed https://wiki.jasig.org/display/CASUM/Demo and other tutorials and
>> configured CAS correctly.
>> I have used JPATicketRegistry, and all the ticket-related database tables got
>> created automatically and tickets are being inserted.
>>
>> *I can use https (SSL) to log in to the CAS server using JDBC to a MySQL db and I
>> get the successfully logged in message too.
>> But while trying to access https://localhost:8443/cas/services/ *
>> I get this error:
>>
>> <http://jasig.275507.n4.nabble.com/file/n4660131/2013-07-04_21_08_10.png>
>>
>>
>> And I am getting the exception stack trace below:
>>
>> [code]
>> ERROR [org.jasig.cas.client.util.CommonUtils] - *<sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>*
>> *javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target*
>>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>     at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>>     at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
>>     at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
>>     at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
>>     at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
>>     at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
>>     at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
>>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>>     at org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
>>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
>>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>     at java.lang.Thread.run(Unknown Source)
>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>>     at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>>     at sun.security.validator.Validator.validate(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>>     ... 44 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>>     at java.security.cert.CertPathBuilder.build(Unknown Source)
>>     ... 50 more
>> Jul 4, 2013 8:47:49 PM org.apache.catalina.core.StandardWrapperValve invoke
>> SEVERE: Servlet.service() for servlet default threw exception
>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
>>     at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
>>     at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
>>     at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
>>     at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
>>     at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
>>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>>     at org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
>>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
>>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>>     at java.lang.Thread.run(Unknown Source)
>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>     at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>>     at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
>>     ... 31 more
>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>> [/code]
>>
>>
>> I have followed this post also:
>>
>> http://jasig.275507.n4.nabble.com/Problema-SSL-no-CAS-Single-Sign-On-ajuda-td2305419.html#a2305431
>>
>> *But, I am getting no SSL trace in the logs or on Tomcat's console.*
>>
>> I have tried the solutions in the posts below also:
>>
>> http://stackoverflow.com/questions/14947517/pkix-path-building-failed-sun-security-provider-certpath-suncertpathbuilderexce
>>
>> http://stackoverflow.com/questions/13123083/cas-sslhandshakeexception-validatorexception-pkix-path-building-failed-u
>>
>> But none is working for me in my single-server Windows environment.
>>
>> Please help.
>>
>>
>>
>> --
>> View this message in context:
>> http://jasig.275507.n4.nabble.com/PKIX-path-building-failed-sun-security-provider-certpath-SunCertPathBuilderException-unable-to-find-s-tp4660131.html
>> Sent from the CAS Users mailing list archive at Nabble.com.
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>>
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>