Yes, that's correct. When the CAS client does the ticket verification it
requires that the SSL certificate for the HTTPS server (whether it's
Tomcat directly or Apache) be present in its keystore.

Mike

On Thu, 2007-08-23 at 01:32 +0200, Claudio Tassini wrote:
> You mean I must configure Apache to use the same certificate that was
> used by Tomcat?
> 
> 2007/8/23, Mike Kennedy <[EMAIL PROTECTED]>:
>         Claudio,
>         
>         It looks like when you put Apache/mod_jk in front of your cas server you
>         used a different SSL certificate than what was originally used for the
>         standalone tomcat installation running on 8443.
>         
>         Either you need to use the same certificate or add the new certificate
>         to the keystore that the cas client uses.
>         
>         Mike
>         
>         On Thu, 2007-08-23 at 00:32 +0200, Claudio Tassini wrote:
>         > Hi all,
>         >
>         > I have a Tomcat 5.5 serving the cas 3.0.7 context, and I would like
>         > to use it through an Apache 2 server with mod_jk. All works fine if I
>         > configure the cas client to do the validation directly to tomcat on
>         > SSL port 8443, but if I configure mod_jk to serve that content through
>         > AJP13 I get this exception:
>         >
>         > javax.net.ssl.SSLHandshakeException:
>         > sun.security.validator.ValidatorException: PKIX path building failed:
>         > sun.security.provider.certpath.SunCertPathBuilderException: unable to
>         > find valid certification path to requested target
>         >
>         > com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
>         > com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
>         > com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
>         > com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
>         > com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
>         > com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
>         > com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
>         > com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
>         > com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
>         > com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
>         > com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
>         > com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
>         > sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
>         > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>         > sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:977)
>         > sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
>         > edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>         > edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>         > edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>         > edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>         > edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>         >
>         > It seems that there is some dotted IP address reference to the cas
>         > server, but I didn't find that... Do I have to configure something
>         > else? mod_jk is working well for the other contexts...
>         >
>         >
>         > This is my mod_jk configuration:
>         >
>         >
>         > httpd.conf:
>         > JkExtractSSL On
>         > <VirtualHost *:443>
>         >         ServerName            portale.inca.it
>         >         SSLEngine             on
>         >         SSLCertificateFile    /usr/local/apache2/conf/server.crt
>         >         SSLCertificateKeyFile /usr/local/apache2/conf/server.key
>         >         JkMount /status status
>         >         JkMount /cas    cas
>         >         JkMount /cas/*  cas
>         > </VirtualHost>
>         >
>         >
>         >
>         >
>         > workers.properties:
>         > # Define list of workers that will be used
>         > # for mapping requests
>         > # The configuration directives are valid
>         > # for the mod_jk version 1.2.18 and later
>         > #
>         > worker.list=cas,portal,status
>         >
>         > # Define cas
>         > # cas is referenced in /etc/hosts as 192.168.10.40
>         > worker.cas.port=8009
>         > worker.cas.host=cas
>         > worker.cas.type=ajp13
>         >
>         >
>         >
>         > 
>         >
>         >
>         > tomcat server.xml:
>         >     <!-- Define an AJP 1.3 Connector on port 8009 -->
>         >     <Connector port="8009" address="192.168.10.40"
>         >                enableLookups="false" redirectPort="443"
>         >                protocol="AJP/1.3" /> <!-- 443 is apache SSL port -->
>         >     <!-- HTTP and HTTPS connectors are disabled -->
>         >     <Engine name="Catalina" defaultHost="localhost" jvmRoute="cas" >
>         >
>         >
>         >
>         >
>         > Am I forgetting something?
>         >
>         >
>         >
>         >
>         > -- 
>         > Claudio Tassini
>         > _______________________________________________
>         > Yale CAS mailing list
>         > [email protected]
>         > http://tp.its.yale.edu/mailman/listinfo/cas
>         
> 
> 
> 
> -- 
> Claudio Tassini 

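The check Mike describes can be run offline before redeploying: load the truststore the CAS client's JVM reads and ask PKIX whether Apache's server.crt chains to a trust anchor in it, which is the same path-building step that threw in the trace above. This is an added example, not code from the thread or from the CAS project; the store path, its password and the keytool alias are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Usage (assumed paths): java TrustStoreCheck $JAVA_HOME/jre/lib/security/cacerts changeit \
//                            /usr/local/apache2/conf/server.crt
// On NOT TRUSTED, import the cert into that store with (alias is an assumption):
//   keytool -import -alias portale -file server.crt -keystore <truststore>
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <truststore> <storepass> <server.crt>");
            System.exit(2);
        }
        // Truststore the client JVM reads (javax.net.ssl.trustStore, else the JRE's cacerts).
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        // Apache's SSLCertificateFile; a PEM file may carry the leaf plus intermediates.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        X509Certificate leaf = chain.get(0);
        System.out.println("Server cert subject: " + leaf.getSubjectX500Principal());
        System.out.println("Issuer:              " + leaf.getIssuerX500Principal());

        // Build a path from the leaf to any trusted entry in the store, as the CAS
        // client's HttpsURLConnection did while validating the service ticket.
        // A self-signed leaf that is itself a trusted entry counts as anchored.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(ts, target);
        params.setRevocationEnabled(false); // no CRL/OCSP fetch: keep the check offline
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("OK: anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // The condition behind "unable to find valid certification path to requested target".
            System.out.println("NOT TRUSTED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it once against the standalone Tomcat certificate and once against the one Apache serves on 443; the mod_jk setup will only validate tickets once the second run reports OK.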
