Hello everyone,
I am trying to use Yale's Java CAS client for CAS-fying a simple Hello
World app against CAS. After configuring Apache, Tomcat, and the CAS
client, I receive the following trace stack after I log into CAS. When
I was setting up SSL on Tomcat, I created a PKCS12 keystore, which works
fine. Confused by the FAQ's note that the server's cert was
IP-based rather than hostname-based, I attempted to create a JKS
keystore based on the SSL cert (with the output below), however all
subsequent requests came back as unable to connect whenever I changed
the keystore to use the JKS keystore.
Can anyone set me straight as to what is going on? The original
cert was issued against a hostname, and the JKS keytool is not solving
the problem.
Regards,
Andrew
Sun SSL Exception thrown after CAS authentication screen
javax.servlet.ServletException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
Creating JKS under tomcat directory from Apache SSL certificate
[EMAIL PROTECTED] tomcat]# keytool -import -file /etc/httpd/conf/ssl.crt/server.crt -keystore keystore.jks -alias tomcat
Enter keystore password: *******
Owner: [EMAIL PROTECTED], CN=uisshibboleth.lsu.edu,
OU=Information Technology Services, O=Louisiana State University,
L=Baton Rouge, ST=Louisiana, C=US
Issuer: [EMAIL PROTECTED], CN=uisshibboleth.lsu.edu CA,
OU=Information Technology Services CA, O=Louisiana State University CA,
L=Baton Rouge, ST=Louisiana, C=US
Serial number: 1
Valid from: Thu Nov 30 13:27:39 CST 2006 until: Fri Nov 30 13:27:39 CST 2007
Certificate fingerprints:
MD5: 65:18:44:65:98:D7:84:05:00:51:46:81:C4:54:12:DE
SHA1: 64:29:1E:72:F0:8F:6A:09:37:CE:B2:93:13:73:D1:03:34:8B:A7:75
Trust this certificate? [no]: yes
Certificate was added to keystore
[EMAIL PROTECTED] tomcat]#
Connector entities from tomcat's conf/server.xml
<!-- PKCS12 Connector -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="PKCS12" keystorePass="changeit"
           keystoreFile="/usr/local/tomcat/keystore.p12" />

<!-- JKS Connector -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="JKS" keystorePass="*******"
           keystoreFile="/usr/local/tomcat/keystore.jks" />
Andrew R Feller, Analyst
University Information Systems
Louisiana State University
[EMAIL PROTECTED]
(office) 225.578.3737
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
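Editor's note with an added example (not part of Andrew's post and not code from the Yale CAS client). The "PKIX path building failed" error in the trace is raised on the outbound HTTPS connection the CAS filter opens to validate the ticket, and that connection is checked against the JVM's truststore (the JRE's lib/security/cacerts, or whatever javax.net.ssl.trustStore points to), not against the keystoreFile named in the Tomcat Connector. The program below reproduces that check offline: it loads the server certificate, loads a JKS truststore, reports whether any trusted entry carries the certificate's issuer DN, and then runs the same PKIX CertPathValidator that JSSE runs during the handshake. The class name TrustStoreCheck, the default argument values (the server.crt path from the post, the JRE's cacerts file, and the stock cacerts password "changeit") and the command-line argument order are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;

/**
 * Added example: validate a server certificate against a JKS truststore the
 * way the JVM's SSL client does before the CAS client's ticket-validation call.
 *
 * Usage (argument order is an assumption of this example):
 *   java TrustStoreCheck [server.crt] [truststore.jks] [truststore-password]
 */
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        // Defaults: the Apache cert path from the post, and the JRE's own cacerts.
        String certPath = args.length > 0 ? args[0] : "/etc/httpd/conf/ssl.crt/server.crt";
        String storePath = args.length > 1 ? args[1]
            : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        X509Certificate server = loadCert(certPath);
        System.out.println("Subject: " + server.getSubjectX500Principal());
        System.out.println("Issuer:  " + server.getIssuerX500Principal());

        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) {
            trust.load(in, password);
        }

        // Report every trusted-certificate entry whose subject is the server cert's issuer.
        boolean issuerFound = false;
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!trust.isCertificateEntry(alias)) {
                continue; // key entries (like the Tomcat connector key) are not trust anchors
            }
            X509Certificate c = (X509Certificate) trust.getCertificate(alias);
            if (c.getSubjectX500Principal().equals(server.getIssuerX500Principal())) {
                System.out.println("Issuer present under alias: " + alias);
                issuerFound = true;
            }
        }
        if (!issuerFound) {
            System.out.println("No trusted entry has the issuer's DN; the issuing CA certificate"
                + " is missing from this truststore.");
        }

        // Same PKIX path validation JSSE performs during the TLS handshake.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(server));
        try {
            PKIXParameters params = new PKIXParameters(trust); // trust anchors = cert entries
            params.setRevocationEnabled(false); // offline check: skip CRL/OCSP fetching
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("PKIX validation OK");
        } catch (GeneralSecurityException ex) {
            // CertPathValidatorException here is the same failure the CAS filter reported.
            System.out.println("PKIX validation failed: " + ex.getMessage());
        }
    }

    /** Reads one PEM or DER encoded X.509 certificate from a file. */
    static X509Certificate loadCert(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
}
```

Run it once against the truststore the Tomcat JVM actually uses: if the issuer DN shown in the post ("CN=uisshibboleth.lsu.edu CA, ...") is not present and validation fails, the entry to import with keytool is the CA's certificate into that truststore, rather than the server certificate into the connector's keystore.jks. Hostname checking is a separate step: the CAS server URLs configured for the client must use the name in the certificate's CN (uisshibboleth.lsu.edu) rather than an IP address, which is what the FAQ note about IP-based certificates refers to.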