I have two machines: rnd1.allen.com and rnd2.allen.com.
rnd1.allen.com runs the CAS server, and all is OK!

rnd2.allen.com runs the CAS client, which is also OK when validating the user with SSL 
enabled on port 8443.
But when I enable the proxy for CAS, the following error turns up in the CAS 
server:
2008-05-20 17:40:17,493 DEBUG 
[org.springframework.web.servlet.view.RedirectView] - <Rendering view with name 
'null' with model {} and static attributes {}>
2008-05-20 17:40:18,212 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- <Extractor generated service for: http://rnd2.allen.com:7000/stest/>
2008-05-20 17:40:18,212 DEBUG 
[org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler]
 - <Attempting to resolve credentials for 
https://rnd2.allen.com:8443/stest/proxyCallback>
2008-05-20 17:40:18,215 ERROR [org.jasig.cas.util.HttpClient] - 
<javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
....
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 44 more
2008-05-20 17:40:18,217 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
<AuthenticationHandler: 
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler
 failed to authenticate the user which provided the following credentials: 
https://rnd2.allen.com:8443/stest/proxyCallback>
2008-05-20 17:40:18,217 ERROR [org.jasig.cas.web.ServiceValidateController] - 
<TicketException generating ticket for: 
https://rnd2.allen.com:8443/stest/proxyCallback>
org.jasig.cas.ticket.TicketCreationException: 
error.authentication.credentials.bad
at 
cn.scut.edu.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:284)
....
at java.lang.Thread.run(Thread.java:595)
Caused by: error.authentication.credentials.bad
at 
org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
at 
org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:113)
at 
cn.scut.edu.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:256)
... 26 more

I know the error "javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target" means that the CAS server cannot 
find the CA store, but I have already set -Djavax.net.ssl.trustStore in 
the Tomcat startup.sh:

JAVA_OPTS="-Djavax.net.ssl.trustStore=/export/home/ism/mycacerts $JAVA_OPTS"
export JAVA_OPTS

Why do I do that? Because if I don't specify javax.net.ssl.trustStore 
in startup.sh, there is no way to get into the service management of the CAS server.

I have also imported the certificates from server.crt of rnd2.allen.com into 
the CA certs file "mycacerts" with another alias like "rnd2".
So I don't know why CAS cannot find the certificates.
Any tips? Thank you in advance.



Allen Chen
2008-05-20
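
An added diagnostic, not part of the original post and not CAS code: it loads a trust store file and runs a PEM certificate through the same JSSE trust manager decision that produces the "PKIX path building failed" error above, without opening a network connection. The class name TrustCheck, its three arguments and the "ECDHE_RSA" auth type are assumptions; it checks neither the host name nor which certificate the server actually presents on port 8443.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical helper: java TrustCheck <truststore> <storepass> <cert.pem>
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustCheck <truststore> <storepass> <cert.pem>");
            System.exit(2);
        }
        // Shows whether a -Djavax.net.ssl.trustStore option reached this JVM.
        System.out.println("javax.net.ssl.trustStore = "
                + System.getProperty("javax.net.ssl.trustStore", "(unset: JRE default)"));
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // List the certificate entries found in the store file.
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                System.out.println("entry " + alias + ": "
                        + ((X509Certificate) ks.getCertificate(alias)).getSubjectX500Principal());
            }
        }
        // Read the certificate (or leaf-first chain) to test.
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[2])) {
            chain = CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new X509Certificate[0]);
        }
        if (chain.length == 0) throw new IllegalArgumentException("no certificate in " + args[2]);
        // Same trust decision JSSE makes in the handshake (no host name check).
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                // "ECDHE_RSA" is an assumed key exchange name for authType.
                ((X509TrustManager) tm).checkServerTrusted(chain, "ECDHE_RSA");
                System.out.println("TRUSTED by " + args[0]);
            } catch (CertificateException e) {
                System.out.println("NOT TRUSTED: " + e.getMessage());
            }
        }
    }
}
```

Run it with the same Java installation and user account as Tomcat, pointing it at the trust store file and server.crt named in the post.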