We have a general "Solving SSL Issues" section here that may help:
http://www.ja-sig.org/products/cas/server/ssl/index.html

Also, if you have multiple JVMs on the machine, please make sure the
certificate is installed in the correct cacerts file (I've seen people
install it in the wrong one before, including myself).

-Scott

On 2/15/07, Andrew R Feller <[EMAIL PROTECTED]> wrote:

Hello everyone,

I am trying to use Yale's Java CAS client for CAS-fying a simple Hello
World app against CAS.  After configuring Apache, Tomcat, and the CAS
client, I receive the following trace stack after I log into CAS.  When I
was setting up SSL on Tomcat, I created a PKCS12 keystore, which works
fine.  Confused by the FAQ's note accusing the server's cert of being IP-based
rather than hostname-based, I attempted to create a JKS keystore based on
the SSL cert (with the output below), however all subsequent requests came
back as unable to connect whenever I changed the keystore to use the JKS
keystore.

Can anyone set me straight as to what is going on, because the original
cert was issued against a hostname and the JKS keytool is not solving the
problem?

Regards,

Andrew

*Sun SSL Exception thrown after CAS authentication screen*

javax.servlet.ServletException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
        edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)

*Creating JKS under tomcat directory from Apache SSL certificate*

[EMAIL PROTECTED] tomcat]# keytool -import -file /etc/httpd/conf/ssl.crt/server.crt -keystore keystore.jks -alias tomcat
Enter keystore password:  *******
Owner: [EMAIL PROTECTED], CN=uisshibboleth.lsu.edu, OU=Information Technology Services, O=Louisiana State University, L=Baton Rouge, ST=Louisiana, C=US
Issuer: [EMAIL PROTECTED], CN=uisshibboleth.lsu.edu CA, OU=Information Technology Services CA, O=Louisiana State University CA, L=Baton Rouge, ST=Louisiana, C=US
Serial number: 1
Valid from: Thu Nov 30 13:27:39 CST 2006 until: Fri Nov 30 13:27:39 CST 2007
Certificate fingerprints:
         MD5:  65:18:44:65:98:D7:84:05:00:51:46:81:C4:54:12:DE
         SHA1: 64:29:1E:72:F0:8F:6A:09:37:CE:B2:93:13:73:D1:03:34:8B:A7:75
Trust this certificate? [no]:  yes
Certificate was added to keystore
[EMAIL PROTECTED] tomcat]#

*Connector entities from tomcat's conf/server.xml*

    <!-- PKCS12 Connector -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="PKCS12" keystorePass="changeit"
               keystoreFile="/usr/local/tomcat/keystore.p12" />

    <!-- JKS Connector -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="JKS" keystorePass="*******"
               keystoreFile="/usr/local/tomcat/keystore.jks" />

Andrew R Feller, Analyst
University Information Systems
Louisiana State University
[EMAIL PROTECTED]
(office) 225.578.3737

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
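Scott's advice above is to make sure the certificate went into the cacerts file of the JVM that actually runs the CAS client. The program below is an added example, not part of this thread and not CAS client or JA-SIG code: it performs the same PKIX path validation that raised the exception in Andrew's trace, but against whichever cacerts file you hand it, so every JVM on the machine can be checked in turn. The class name CheckTrust, the argument order and the PEM chain file are assumptions of the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added example, not CAS client or JA-SIG code: runs the same PKIX path
// validation the JVM's SSL layer does, against a cacerts file you name, so
// each JVM on the machine can be checked for the "unable to find valid
// certification path" condition before the CASFilter trips over it.
// Usage: java CheckTrust <cacerts> <server-chain.pem> [storepass]
//   <cacerts>          e.g. $JAVA_HOME/jre/lib/security/cacerts (one per JVM)
//   <server-chain.pem> the CAS server's cert followed by its CA cert(s), PEM
public class CheckTrust {
  public static void main(String[] args) throws Exception {
    String cacertsPath = args[0];
    String pemPath = args[1];
    char[] storepass = (args.length > 2 ? args[2] : "changeit").toCharArray();

    // The trust store this JVM consults for outbound HTTPS (not Tomcat's keystore).
    KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
    FileInputStream ksIn = new FileInputStream(cacertsPath);
    try { trust.load(ksIn, storepass); } finally { ksIn.close(); }

    // The server's chain, leaf first, as the CAS client would receive it.
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    List<X509Certificate> chain = new ArrayList<X509Certificate>();
    FileInputStream pemIn = new FileInputStream(pemPath);
    try {
      for (Certificate c : cf.generateCertificates(pemIn)) chain.add((X509Certificate) c);
    } finally { pemIn.close(); }
    CertPath path = cf.generateCertPath(chain);

    // Anchors come only from cacerts; revocation is off because the only
    // question here is whether a trust anchor exists for this chain.
    PKIXParameters params = new PKIXParameters(trust);
    params.setRevocationEnabled(false);
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    try {
      PKIXCertPathValidatorResult r =
          (PKIXCertPathValidatorResult) validator.validate(path, params);
      System.out.println("OK: " + cacertsPath + " trusts the chain via anchor "
          + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    } catch (CertPathValidatorException e) {
      System.out.println("FAIL: " + cacertsPath + " does not trust the chain: "
          + e.getMessage());
    }
  }
}
```

Run it once against each JVM's cacerts on the box; a FAIL from the JVM that hosts the CAS-fied Tomcat points at the trust store that still needs the certificate installed.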
