You mean I must configure Apache to use the same certificate that was used by Tomcat?

2007/8/23, Mike Kennedy <[EMAIL PROTECTED]>:
>
> Claudio,
>
> It looks like when you put Apache/mod_jk in front of your cas server you
> used a different SSL certificate than what was originally used for
> standalone tomcat installation running on 8443.
>
> Either you need to use the same certificate or add the new certificate
> to the keystore that the cas client uses.
>
> Mike
>
> On Thu, 2007-08-23 at 00:32 +0200, Claudio Tassini wrote:
> > Hi all,
> >
> > I have a Tomcat 5.5 serving the cas 3.0.7 context, and I would like
> > to use it through an Apache 2 server with mod_jk. All works fine if I
> > configure the cas client to do the validation directly to tomcat on
> > SSL port 8443, but if I configure mod_jk to serve that content through
> > AJP13 I get this exception:
> >
> > javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> > find valid certification path to requested target
> >
> > com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> > com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
> > com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
> > com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
> > com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
> > com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
> > com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
> > com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
> > com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
> > com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
> > com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
> > com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
> > sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
> > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
> > sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:977)
> > sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
> > edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
> > edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
> > edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
> > edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
> > edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
> >
> > It seems that there is some dotted IP address reference to the cas
> > server, but I didn't find that... Do I have to configure something
> > else? mod_jk is working well for the other contexts...
> >
> > This is my mod_jk configuration:
> >
> > httpd.conf:
> > JkExtractSSL On
> > <VirtualHost *:443>
> > ServerName portale.inca.it
> > SSLEngine on
> > SSLCertificateFile /usr/local/apache2/conf/server.crt
> > SSLCertificateKeyFile /usr/local/apache2/conf/server.key
> > JkMount /status status
> > JkMount /cas cas
> > JkMount /cas/* cas
> > </VirtualHost>
> >
> > workers.properties:
> > # Define list of workers that will be used
> > # for mapping requests
> > # The configuration directives are valid
> > # for the mod_jk version 1.2.18 and later
> > #
> > worker.list=cas,portal,status
> >
> > # Define cas
> > worker.cas.port=8009
> > worker.cas.host=cas # cas is referenced in /etc/hosts as 192.168.10.40
> > worker.cas.type=ajp13
> >
> > tomcat server.xml:
> > <!-- Define an AJP 1.3 Connector on port 8009 -->
> > <Connector port="8009" address="192.168.10.40"
> > enableLookups="false" redirectPort="443"
> > protocol="AJP/1.3" /> <!-- 443 is apache SSL port -->
> > <!-- HTTP and HTTPS connectors are disabled -->
> > <Engine name="Catalina" defaultHost="localhost" jvmRoute="cas">
> >
> > Am I forgetting something?
> >
> > --
> > Claudio Tassini
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
>

--
Claudio Tassini
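
The second option from Mike's reply, adding the certificate Apache now presents to the keystore the cas client uses, sketched as an added example that is not part of the original thread. The truststore path, the password `changeit` and the alias `apache-front` are placeholders, and the demo certificate is constructed on the spot.

```shell
#!/usr/bin/env bash
# Added example. The truststore path, password and alias are placeholders;
# use the store the CAS client's JVM really loads (javax.net.ssl.trustStore,
# or the JRE's cacerts when that property is unset).

# SHA-256 fingerprint of a PEM certificate, e.g. Apache's server.crt.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 when the truststore already holds this exact certificate.
# usage: truststore_has_cert <truststore> <storepass> <pem-file>
truststore_has_cert() {
  local fp
  fp=$(pem_fingerprint "$3")
  [ -n "$fp" ] || return 2
  keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null | grep -qiF "$fp"
}

# Import the certificate as a trusted entry unless it is already there.
# usage: trust_cert <truststore> <storepass> <alias> <pem-file>
trust_cert() {
  if truststore_has_cert "$1" "$2" "$4"; then
    echo "already trusted: $4"
    return 0
  fi
  keytool -importcert -noprompt -alias "$3" -file "$4" \
          -keystore "$1" -storepass "$2"
}

# Offline demo on a constructed self-signed certificate and a scratch store.
demo() {
  local d; d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=portale.inca.it" \
    -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
  trust_cert "$d/client-truststore.jks" changeit apache-front "$d/server.crt"
  truststore_has_cert "$d/client-truststore.jks" changeit "$d/server.crt" \
    && echo "client truststore now contains the Apache certificate"
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument `demo` to exercise the functions on the scratch store; against a real installation, call `trust_cert` with the client JVM's truststore and Apache's `server.crt`.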
