Hi all,
I have a Tomcat 5.5 serving the CAS 3.0.7 context, and I would like to use
it through an Apache 2 server with mod_jk. All works fine if I configure
the CAS client to do the validation directly to Tomcat on SSL port 8443, but
if I configure mod_jk to serve that content through AJP13 I get this
exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:977)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
It seems that there is some dotted IP address reference to the cas server,
but I didn't find that... Do I have to configure something else? mod_jk is
working well for the other contexts...
This is my mod_jk configuration:
httpd.conf:
JkExtractSSL On
<VirtualHost *:443>
    ServerName portale.inca.it
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key
    JkMount /status status
    JkMount /cas cas
    JkMount /cas/* cas
</VirtualHost>
workers.properties:
# Define list of workers that will be used
# for mapping requests
# The configuration directives are valid
# for the mod_jk version 1.2.18 and later
#
worker.list=cas,portal,status
# Define cas
worker.cas.port=8009
# cas is referenced in /etc/hosts as 192.168.10.40
worker.cas.host=cas
worker.cas.type=ajp13
tomcat server.xml:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="192.168.10.40"
           enableLookups="false" redirectPort="443" protocol="AJP/1.3" />
<!-- 443 is apache SSL port -->
<!-- HTTP and HTTPS connectors are disabled -->
<Engine name="Catalina" defaultHost="localhost" jvmRoute="cas">
Am I forgetting something?
--
Claudio Tassini