That fixed it. I guess apps that I've dealt with in the past had the trustStore and keyStore set to the same file perhaps.
thanks, Jason

On Tue, Oct 15, 2013 at 1:13 PM, Marvin S. Addison <[email protected]> wrote:

>> Maybe it is just Monday and I'm missing something simple, but I assumed
>> I would just use 'openssl s_client -connect ldap.domain.edu:636', grab the
>> ldaps cert, import it into the keystore that my tomcat/cas is using (with
>> the trustcacerts option) and it would solve the problem. It didn't.
>
> Wrong trust store -- that one affects the Tomcat http connector components
> exclusively. You need to define the following in the Tomcat setenv.sh
> environment configuration script:
>
> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStore=$TRUSTSTORE"
> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStoreType=BKS"
> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStorePassword=changeit"
>
> Where $TRUSTSTORE is the path to the truststore containing your LDAP
> server certificate (chain).
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
>
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
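The steps discussed in this thread, as an added example that is not part of the original posts: fetch the LDAPS server certificate with openssl s_client, import it into a JVM truststore that is separate from the Tomcat connector keystore, verify the import, and emit the javax.net.ssl lines for setenv.sh. The host, paths, alias and password are assumed placeholder values, and the script uses the JDK default JKS store type rather than BKS.

```shell
#!/bin/sh
# Added example, not from the thread. Host, paths, alias and password below
# are hypothetical placeholders.
set -eu

# Fetch the LDAPS server's leaf certificate as PEM (openssl s_client as in the
# original question). Pinning the leaf means re-importing after the server
# certificate is renewed; importing the issuing CA instead avoids that.
fetch_leaf_cert() {       # $1 = host, $2 = port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Import the PEM into a truststore used only by the JVM (javax.net.ssl). The
# Tomcat connector keystore is a different store and does not affect JNDI/LDAP.
import_cert() {           # $1 = pem file, $2 = truststore, $3 = password, $4 = alias
  keytool -importcert -noprompt -trustcacerts \
    -file "$1" -keystore "$2" -storepass "$3" -alias "$4"
  # Fail loudly if the alias did not land in the store.
  keytool -list -keystore "$2" -storepass "$3" -alias "$4" >/dev/null
}

# Emit the CATALINA_OPTS lines for setenv.sh. JKS is the JDK default store
# type; BKS (as in the quoted reply) needs the Bouncy Castle provider present.
render_setenv() {         # $1 = truststore path, $2 = store type, $3 = password
  printf 'CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=%s"\n' "$1"
  printf 'CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStoreType=%s"\n' "$2"
  printf 'CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStorePassword=%s"\n' "$3"
}

main() {
  host=ldap.example.edu                   # assumed LDAPS host
  store=/opt/cas/ldap-truststore.jks      # assumed truststore path
  pass=changeit                           # placeholder password
  fetch_leaf_cert "$host" 636 > /tmp/ldap-leaf.pem
  import_cert /tmp/ldap-leaf.pem "$store" "$pass" ldaps-server
  render_setenv "$store" JKS "$pass" >> "$CATALINA_HOME/bin/setenv.sh"
}

# The network fetch and keystore import only run when explicitly requested.
if [ "${RUN_TRUSTSTORE_SETUP:-0}" = 1 ]; then main; fi
```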
