This error message:
Error is [sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target]
means that your Java keystore does not contain the root CA certificate for
the host dcis.hhs.gov. The Java keystore is typically in
${JAVA_HOME}/jre/lib/security/cacerts. You can use keytool to list the
certificates in it:
${JAVA_HOME}/bin/keytool -list -keystore ${JAVA_HOME}/jre/lib/security/cacerts -storepass changeit
Look for your root CA certificate in there.
My Oracle Java7 keystore has your root CA:
digicerthighassuranceevrootca, Apr 16, 2008, trustedCertEntry,
Certificate fingerprint (SHA1): 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
Does yours?
If the CAS server cannot contact the CAS clients, then SLO will not be
performed.
Andy
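[Added example, not part of the original message or of CAS: a way to script the keystore check described above by matching on the certificate fingerprint instead of the alias, since alias names differ between keystores. The function names and the first sample entry are constructed; the second sample entry is the one quoted in the message, wrapped the way it appears in e-mail.]

```sh
#!/bin/sh
# Usage against a real keystore (paths as given in the message above):
#   "${JAVA_HOME}/bin/keytool" -list -keystore \
#     "${JAVA_HOME}/jre/lib/security/cacerts" -storepass changeit \
#     | find_alias_by_fp '5F:B7:EE:06:...'

# Reduce a fingerprint to upper-case hex so "5f:b7:.." and "5FB7.." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# find_alias_by_fp FINGERPRINT
# Reads `keytool -list` output on stdin and prints the alias of every
# trustedCertEntry with that fingerprint. Returns 1 if there is no match.
find_alias_by_fp() {
    want=$(normalize_fp "$1")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        # Entry header: "alias, Apr 16, 2008, trustedCertEntry,"
        /, *trustedCertEntry, *$/ {
            alias = $0
            sub(/,.*/, "", alias)
            next
        }
        # The label names whichever digest this keytool version prints.
        /^[ \t]*Certificate fingerprint \(/ {
            fp = $0
            sub(/^[^)]*\):[ \t]*/, "", fp)
            if (fp == "") getline fp      # value wrapped onto the next line
            gsub(/[^0-9A-Fa-f]/, "", fp)
            if (toupper(fp) == want) { print alias; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample listing for offline use.
sample_listing() {
    cat <<'EOF'
Your keystore contains 2 entries

constructedexampleca, Jan 1, 2010, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
digicerthighassuranceevrootca, Apr 16, 2008, trustedCertEntry,
Certificate fingerprint (SHA1):
5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
EOF
}
```

The fingerprint passed in must use the same digest as the one keytool prints for that keystore.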
On Fri, 2 Oct 2015, Chris Cheltenham wrote:
I thank you for your help Misagh,
However, what we have is that the SLO is not able to reach the web server
apache session in /tmp/cas using mod_auth_cas.
I don't understand why it is saying the certificate for apache is not valid.
I have imported the CAS cert, same as the one in tomcat server.xml, to the
CACerts file.
The effect is that the user session is still active until the apache /tmp/cas
session is removed.
Unless the user completely closes the browser, the session is still open.
We have a requirement that the user has to authenticate whenever they log out
and it is not working unless you close the browser.
Does anyone know a way to fix that?
If the answer is turning SLO off, I do not see where you do that in this file:
/cas/cas-server-3.5.2.1/cas-server-core/src/main/java/org/jasig/cas/ticket/registry/support/DefaultTicketRegistryCleaner.java
From: Misagh Moayyed [mailto:[email protected]]
Sent: Wednesday, September 30, 2015 1:53 AM
To: [email protected]
Subject: RE: [cas-user] cas 3.5.2 catalina logs
You have an app at https://dcis.hhs.gov/main.php whose certificate is
considered invalid, and your CAS has SLO turned on, and CAS is trying to send
SLO notifications to the app, and it fails.
Reference:
http://jasig.github.io/cas/4.1.x/installation/Troubleshooting-Guide.html#pkix-path-building-failed
From: Chris Cheltenham [mailto:[email protected]]
Sent: Tuesday, September 29, 2015 4:56 PM
To: [email protected]
Subject: [cas-user] cas 3.5.2 catalina logs
Hello,
I see this in my tomcat6 logs.
Does anyone know why something is trying to write back to main.php which does
not live on this server?
2015-09-29 19:53:21,363 WARN [org.jasig.cas.util.HttpClient] - <Error Sending
message to url endpoint [https://dcis.hhs.gov/main.php].
Error is [sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target]>
root@acquisitions-reports1:/var/log/tomcat6 >
Thank You;
Chris Cheltenham
[email protected]
SwainTechs
10 Walnut Grove Rd
Suite 110
Horsham, PA
19044
888-905-5767 / X407
--
You are currently subscribed to
[email protected]<mailto:[email protected]> as:
[email protected]<mailto:[email protected]>
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user