So after getting everything working with CAS on Tomcat, I'm now looking into proxying CAS through Apache using mod_jk. Apache and mod_jk are set up properly, however, I'm having some certificate issues and not exactly certain how Apache and mod_jk should be configured in regards to their SSL definitions. What is the proper organization of certificates in a CAS scenario where Server 1 is running Apache2, Tomcat 5.5 and mod_jk serving CAS, and Server 2 is also running Apache2, Tomcat 5.5 and mod_jk serving my application? Who should be managing what certs?
The reason I ask is because we're seeing an error that only occurs when we route traffic through Apache instead of going between Tomcat instances:
javax.servlet.ServletException: Validation threw exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException : unable to find valid certification path to requested target, sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Now, Apache2 on Server 1 does have SSL enabled, however, the instance of Apache2 on Server 1 is running several VirtualHosts and has several cnames. The SSL cert for Apache2 on Server 1 is only signed for one domain (which is different from the cname CAS is running under, ex: cert is for server1.csun.edu, however, the cname for CAS is cas-dev.csun.edu) since there is only one IP address on the server. Also, the cert on Server 1 is an openssl PEM cert as opposed to the keytool-generated certs of Tomcat. Tomcat on Server 1 is also configured for SSL with separate certs for cas-dev.csun.edu but is linked to Apache via mod_jk, so these certs do not come into play when handling requests originating from Apache. Apache2 and Tomcat on Server 2 are configured similarly for the servlet having been developed.
When I take Apache2 out of the mix on both sides and go from Tomcat to Tomcat, everything works fine, except that there are other hosts on the servers that require that Tomcat run on odd SSL ports (7443 as opposed to 443, for example). This requires the port be in every request between the Tomcat instances (hence, the proxying through Apache2 and mod_jk). Obviously, we'd like to avoid that. One option, being the most obvious, is to get an additional IP address for the servers dedicated to that cname... I'm looking into that. In lieu of that, are there any configuration options that would enable this setup to function properly?
Ryan Shelley
Lead Developer
ITR Web Development/Middleware
California State University, Northridge
818.677.4258
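The PKIX error in the post is the CAS client's JVM rejecting the certificate Apache presents on the validation callback, and the setup described has two independent ways to fail that check: an issuer the JVM's truststore does not contain, and a certificate whose name (server1.csun.edu) does not match the cname dialled (cas-dev.csun.edu). The script below is an added example, not code from the post; it reproduces both checks offline with a constructed private CA and assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces offline the two separate
# checks the CAS client's JVM performs on Apache's certificate when it validates a
# ticket over https://cas-dev.csun.edu: is the issuer trusted (the "PKIX path
# building failed" case), and does the name match the cname being called?
# Assumes openssl on PATH; the CA and key material are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed private CA plus a server cert issued only for server1.csun.edu,
# mirroring the single-domain Apache cert described in the post.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server1.csun.edu" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:server1.csun.edu\n' > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/srv.pem" 2>/dev/null
}

# Chain check: $1 is the trust anchor file, or "" for a truststore that lacks the
# issuer. Prints "ok" or "untrusted" (the openssl analogue of the PKIX error).
check_chain() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$WORK/srv.pem" >/dev/null 2>&1 && echo ok || echo untrusted
  else
    openssl verify -no-CAfile -no-CApath "$WORK/srv.pem" >/dev/null 2>&1 \
      && echo ok || echo untrusted
  fi
}

# Hostname check with the issuer trusted: $1 is the name the client dialled.
# Prints "ok" or "mismatch"; a mismatch is the next failure once the chain is fixed.
check_host() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/srv.pem" \
    >/dev/null 2>&1 && echo ok || echo mismatch
}

make_certs
echo "issuer not in truststore:    $(check_chain "")"
echo "issuer imported as trusted:  $(check_chain "$WORK/ca.pem")"
echo "dialled server1.csun.edu:    $(check_host server1.csun.edu)"
echo "dialled cas-dev.csun.edu:    $(check_host cas-dev.csun.edu)"
```

The Java counterpart of `-CAfile` is importing the issuer of Apache's certificate into the client JVM's cacerts with `keytool -importcert`; once that is done, the name mismatch between the cert and the CAS cname is the remaining failure, which is why a certificate (or additional IP and certificate) covering cas-dev.csun.edu is needed.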