Ok, I've just imported the same .crt file used by apache in the java CA keystore that Tomcat uses with keytool and it seems to work fine. Thank you!
2007/8/23, Mike Kennedy <[EMAIL PROTECTED]>:
>
> Yes, that's correct. When the cas client does the ticket verification it
> requires that the SSL certificate for the HTTPS server (whether it's
> tomcat directly or apache) be present in its keystore.
>
> Mike
>
> On Thu, 2007-08-23 at 01:32 +0200, Claudio Tassini wrote:
> > You mean I must configure Apache to use the same certificate that was
> > used by Tomcat?
> >
> > 2007/8/23, Mike Kennedy <[EMAIL PROTECTED]>:
> > Claudio,
> >
> > It looks like when you put Apache/mod_jk in front of your cas server you
> > used a different SSL certificate than what was originally used for the
> > standalone tomcat installation running on 8443.
> >
> > Either you need to use the same certificate or add the new certificate
> > to the keystore that the cas client uses.
> >
> > Mike
> >
> > On Thu, 2007-08-23 at 00:32 +0200, Claudio Tassini wrote:
> > > Hi all,
> > >
> > > I have a Tomcat 5.5 serving the cas 3.0.7 context, and I would like
> > > to use it through an Apache 2 server with mod_jk. All works fine if I
> > > configure the cas client to do the validation directly to tomcat on
> > > SSL port 8443, but if I configure mod_jk to serve that content through
> > > AJP13 I get this exception:
> > >
> > > javax.net.ssl.SSLHandshakeException:
> > > sun.security.validator.ValidatorException: PKIX path building failed:
> > > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> > > find valid certification path to requested target
> > > com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> > > com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
> > > com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
> > > com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
> > > com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
> > > com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
> > > com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
> > > com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
> > > com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
> > > com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
> > > com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
> > > com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
> > > sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
> > > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
> > > sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:977)
> > > sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
> > > edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
> > > edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
> > > edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
> > > edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
> > > edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
> > >
> > > It seems that there is some dotted IP address reference to the cas
> > > server, but I didn't find that... Do I have to configure something
> > > else? mod_jk is working well for the other contexts...
> > >
> > > This is my mod_jk configuration:
> > >
> > > httpd.conf:
> > > JkExtractSSL On
> > > <VirtualHost *:443>
> > > ServerName portale.inca.it
> > > SSLEngine on
> > > SSLCertificateFile /usr/local/apache2/conf/server.crt
> > > SSLCertificateKeyFile /usr/local/apache2/conf/server.key
> > > JkMount /status status
> > > JkMount /cas cas
> > > JkMount /cas/* cas
> > > </VirtualHost>
> > >
> > > workers.properties:
> > > # Define list of workers that will be used
> > > # for mapping requests
> > > # The configuration directives are valid
> > > # for the mod_jk version 1.2.18 and later
> > > #
> > > worker.list=cas,portal,status
> > >
> > > # Define cas
> > > worker.cas.port=8009
> > > worker.cas.host=cas # cas is referenced in /etc/hosts as 192.168.10.40
> > > worker.cas.type=ajp13
> > >
> > > tomcat server.xml:
> > > <!-- Define an AJP 1.3 Connector on port 8009 -->
> > > <Connector port="8009" address="192.168.10.40"
> > > enableLookups="false" redirectPort="443"
> > > protocol="AJP/1.3" /> <!-- 443 is apache SSL port -->
> > > <!-- HTTP and HTTPS connectors are disabled -->
> > > <Engine name="Catalina" defaultHost="localhost" jvmRoute="cas"
> > >
> > > Am I forgetting something?
> > >
> > > --
> > > Claudio Tassini
> >
> > --
> > Claudio Tassini
>

--
Claudio Tassini
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
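Mike's point above (the certificate the CAS client sees on port 443 must be in the client's trust store) as an added check, not code from this thread or from the CAS project: it compares the fingerprint of the certificate a front end presents with the fingerprints in a PEM bundle of trusted certificates. The two sample certificates are constructed placeholder PEM blocks, not real certificates; `served_certificate` and the bundle (exported from the JVM keystore with `keytool -exportcert -rfc`) are assumptions for live use.

```python
"""Offline check for the failure in this thread: the CAS client's trust
store must contain the certificate the HTTPS front end actually presents."""
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fingerprint(pem_cert: str) -> str:
    """SHA-256 fingerprint of one PEM certificate, keytool-style colon hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def trusted_fingerprints(bundle: str) -> set:
    """Fingerprints of every certificate in a PEM bundle (for a JKS trust
    store, build the bundle with keytool -exportcert -rfc per alias)."""
    return {fingerprint(m.group(0)) for m in PEM_RE.finditer(bundle)}


def is_trusted(served_pem: str, bundle: str) -> bool:
    """True when the served leaf certificate itself is in the bundle (the
    direct-import case used in the thread; a trusted issuing CA in the
    bundle would also satisfy the JVM's PKIX path building)."""
    return fingerprint(served_pem) in trusted_fingerprints(bundle)


def served_certificate(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate a live front end presents (network)."""
    return ssl.get_server_certificate((host, port))


def _constructed_pem(payload: bytes) -> str:
    """Wrap bytes in PEM markers. Constructed demo data, not a real cert."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


TOMCAT_CERT = _constructed_pem(b"constructed: tomcat 8443 certificate")
APACHE_CERT = _constructed_pem(b"constructed: apache server.crt on 443")


def demo() -> tuple:
    """Before: only Tomcat's cert is trusted, so the Apache front end fails
    (the PKIX error in the thread). After: server.crt has been imported."""
    truststore = TOMCAT_CERT
    before = is_trusted(APACHE_CERT, truststore)
    truststore += APACHE_CERT  # same effect as keytool -importcert -file server.crt
    after = is_trusted(APACHE_CERT, truststore)
    return before, after
```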
