I have already imported the server's certificate:
keytool -import -alias tcmsso2 -file C:/jre1.5.0_07/lib/security/tcmsso2.crt -keystore C:/jre1.5.0_07/lib/security/cacerts -storepass changeit
This is the JRE used by Tomcat. After that I used the command:
keytool -list -keystore C:/jre1.5.0_07/lib/security/cacerts -storepass changeit
and found the name tcmsso2, which indicates the certificate has been imported into
the JVM. It still throws the exception.
I apologize that I don't know how to reply to the mail so that it would be
listed under the same thread. I repost the former message below.
Hi,
I deployed the CAS server and the CAS client on two machines, and when I visit the
HelloWorldExample, it redirects to the login page.
After I enter the name/password, it returns to the HelloWorldExample page with a
ticket, but throws an exception.
exception
javax.servlet.ServletException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)
filters.ExampleFilter.doFilter(ExampleFilter.java:102)
root cause
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The situation is:
The CAS server is on machine1 (computer name: qing), under
tomcat5/webapps.
I made the certificate like this:
keytool -genkey -keyalg RSA -alias tcmsso2 -dname "cn=qing" -keystore tcmserver2.keystore -storepass changeit
keytool -export -alias tcmsso2 -keystore tcmserver2.keystore -file C:/jre1.5.0_07/lib/security/tcmsso2.crt -storepass changeit
keytool -import -alias tcmsso2 -file C:/jre1.5.0_07/lib/security/tcmsso2.crt -keystore C:/jre1.5.0_07/lib/security/cacerts -storepass changeit
I configured machine1's Tomcat like this:
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" minSpareThreads="5" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/tcmserver2.keystore" keystorePass="changeit"
truststoreFile="C:/jre1.5.0_07/lib/security/cacerts" keyAlias="tcmsso2"
clientAuth="false" sslProtocol="TLS"/>
The CAS client is on machine2 (computer name: wjj), under
tomcat5/webapps.
I put cas-client.jar under webapps/servlets-examples/WEB-INF/lib
and configured web.xml as follows:
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://qing:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://qing:8443/cas/serviceValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>wjj:8888</param-value>
</init-param>
</filter>
and imported the server's certificate:
keytool -import -alias tcmsso2 -file C:/jre1.5.0_07/lib/security/tcmsso2.crt -keystore C:/jre1.5.0_07/lib/security/cacerts -storepass changeit
Both machines run Windows XP. Because CAS does not support IP addresses,
I added 10.214.33.211 qing to C:\WINDOWS\system32\drivers\etc\hosts on
machine1,
and added 10.214.33.211 qing 10.214.33.156 wjj to
C:\WINDOWS\system32\drivers\etc\hosts on machine2.
Strangely, if the CAS server and the CAS client are on the same machine, they
work well.
Is there something wrong?
Thanks for your help,
qingzhao
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas