Yes, I have already resolved the problem. The web server where the CAS client is deployed must be configured to enable HTTPS. And you also have to add the client certificate to the CAS server's truststore, so that the CAS server trusts the proxy client and sends the PGT back to the proxy. The way I mentioned above can solve the "PKIX path building failed" exception:

<javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)

For further information you can refer to the following URL; it will tell you how to import the certs.
http://blogs.sun.com/andreas/entry/no_more_unable_to_find

If a problem other than "PKIX path building failed" or "bad credentials" turns up, there may be something wrong with the CAS itself.

Hope that it can help. Good luck!

Allen Chen
2008-07-09

From: Faris Ahmed
Sent: 2008-07-09 00:10:33
To: [EMAIL PROTECTED]
Cc:
Subject: FW: cas cannot find the certificates for proxy

Dear Allan,

I am wondering if you solved the SSL problem? I am working with CAS and have a similar problem. My CAS server does not the proxy callback URL, although the PGT URL is on the same CAS server! Any ideas?

Kind regards
Faris Ahmed | Development Project Manager | Infor | Tel: +49 (0) 6151 866 7814 | Fax: +49 (0) 6151 866 7088 | mailto:[EMAIL PROTECTED]
Postal address: Infor Global Solutions Darmstadt GmbH | Landwehrstr. 50, 64293 Darmstadt | Registered office: Darmstadt | Commercial register: Amtsgericht Darmstadt, HRB 5556 | Managing directors: Jochen Kasper, Uwe Richter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Allen Chen
Sent: Tuesday, May 20, 2008 12:31 PM
To: cas
Subject: cas cannot find the certificates for proxy

I have two machines: rnd1.allen.com and rnd2.allen.com. rnd1.allen.com runs the CAS server, and all is OK! rnd2.allen.com runs the CAS client, which is also OK when validating users, and SSL is enabled on port 8443.

But when I enable the proxy for CAS, the following error turns up in the CAS server:

2008-05-20 17:40:17,493 DEBUG [org.springframework.web.servlet.view.RedirectView] - <Rendering view with name 'null' with model {} and static attributes {}>
2008-05-20 17:40:18,212 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://rnd2.allen.com:7000/stest/>
2008-05-20 17:40:18,212 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Attempting to resolve credentials for https://rnd2.allen.com:8443/stest/proxyCallback>
2008-05-20 17:40:18,215 ERROR [org.jasig.cas.util.HttpClient] - <javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        ....
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
        ... 44 more
2008-05-20 17:40:18,217 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://rnd2.allen.com:8443/stest/proxyCallback>
2008-05-20 17:40:18,217 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://rnd2.allen.com:8443/stest/proxyCallback>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
        at cn.scut.edu.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:284)
        ....
        at java.lang.Thread.run(Thread.java:595)
Caused by: error.authentication.credentials.bad
        at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
        at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:113)
        at cn.scut.edu.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:256)
        ... 26 more

I know the error "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" means that the CAS server cannot find the CA store, while I have already set -Djavax.net.ssl.trustStore in Tomcat's startup.sh:

JAVA_OPTS="-Djavax.net.ssl.trustStore=/export/home/ism/mycacerts $JAVA_OPTS"
export JAVA_OPTS

Why do I do that? Because if I don't point out the javax.net.ssl.trustStore in startup.sh, there is no way to get into the service management of the CAS server. And I had also imported the certificate from server.crt of rnd2.allen.com into the CA certs "mycacerts" with another alias, "rnd2".

So I don't know why CAS cannot find the certificates. Any tips? Thank you ahead.

Allen Chen
2008-05-20
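A diagnostic for the "PKIX path building failed" error discussed in this thread, added here as an example and not code from CAS or from either poster: it loads the truststore named by -Djavax.net.ssl.trustStore (the property Tomcat's startup.sh sets), connects to the proxy callback URL through that truststore exactly as the CAS server's HttpClient would, and on failure prints the certificate chain the callback host actually presented, so its fingerprints can be compared against what keytool -list shows for the "rnd2" alias. The default callback URL, the class name and the truststore password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
// Added diagnostic: does the truststore the CAS JVM was started with trust the proxy callback host?
public class ProxyCallbackTrustCheck {
    // Colon-separated SHA-1 fingerprint, the same form "keytool -list" prints.
    static String fingerprint(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(c.getEncoded())) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
    public static void main(String[] args) throws Exception {
        // Same system properties CAS's HttpClient picks up through the default JSSE truststore.
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit"); // assumed default
        String callback = args.length > 0 ? args[0] : "https://rnd2.allen.com:8443/stest/proxyCallback"; // assumed
        if (path == null) { System.out.println("javax.net.ssl.trustStore not set: JVM uses its bundled cacerts"); return; }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) { ts.load(in, pass.toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        final X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] presented = new X509Certificate[1][];
        // Wrapper records the chain the callback host sends, then delegates to the real PKIX check.
        X509TrustManager recording = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException {
                presented[0] = chain; pkix.checkServerTrusted(chain, auth);
            }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { pkix.checkClientTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(callback).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {   // getResponseCode() forces the TLS handshake
            System.out.println("handshake OK (HTTP " + conn.getResponseCode() + "): " + callback + " is trusted by " + path);
        } catch (SSLException e) {   // PKIX path building failure or hostname mismatch
            System.out.println("handshake FAILED against " + path + ": " + e.getMessage());
            if (presented[0] != null) for (X509Certificate c : presented[0])
                System.out.println("  host presented: " + c.getSubjectX500Principal() + "  SHA1 " + fingerprint(c));
            System.out.println("compare these fingerprints with: keytool -list -v -keystore " + path);
        } finally { conn.disconnect(); }
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore value Tomcat uses; a fingerprint that differs from the one stored under the "rnd2" alias means the imported server.crt is not the certificate the callback port is actually serving.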
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
