O.K. So this is really a Tomcat issue but I can't find an answer to the problem I'm encountering and I've been following the SSL how-to on the CAS pages. I have a Tomcat 5.5 set-up that functions correctly with CAS when I use a self-signed certificate. So, I'm using the right keystore at least.

I now have a server certificate that is signed by my organisation's own CA and our root CA certificate is self-signed. So I have imported the CA certificate using keytool thus (having moved the keystore file with the self-signed one in):

keytool -import -alias root -file {path-to-CA-cert} -keystore /usr/share/tomcat5.5/.keystore -trustcacerts

and then imported the signed server certificate thus:

keytool -import -alias tomcat -file {path-to-CA-signed-server-cert} -keystore /usr/share/tomcat5.5/.keystore -trustcacerts

I then read that the CA certificate should really go in the JVM's cacerts file thus:

keytool -import -alias root -file {path-to-CA-cert} -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -trustcacerts

and that is the right Java version being used.

However, regardless of where the CA cert is I get the following error:

SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:114)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:408)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:71)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:619)

This is repeated loads of times until it runs out of file descriptors. Please can anyone see the error in what I've done with my certificates?

Thanks

--
Matthew Jones
Interactive Data Managed Solutions Ltd
-----------------------------------------------------------------------
Registered in England Company Number 3691868
Registered Office: Fitzroy House, 13-17 Epworth Street, London, EC2A 4DL
Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
[EMAIL PROTECTED]
http://www.interactivedata-ms.com/694133
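A keystore check for the condition that most often produces this exact JSSE message, added here as an example and not part of the original post or of CAS or Tomcat. Java's key manager can only offer a cipher suite if the alias the connector uses (keyAlias, "tomcat" unless configured otherwise) is a private-key entry whose certificate chain is intact. If the original key pair was not in the keystore when `keytool -import -alias tomcat` ran, keytool stores the CA-signed certificate as a plain trustedCertEntry and Tomcat has no key to complete the handshake with, which is what the error describes. The script parses the text output of `keytool -list -v` (pass a saved copy as the first argument) and reports that condition, chain breaks, and a missing issuer. The two sample listings, the hostname and the CA names are constructed.

```python
import re
import sys

# Entry types keytool prints for a key pair: Java 7+ says "PrivateKeyEntry",
# Java 5/6 (the era of Tomcat 5.5) says "keyEntry".
PRIVATE_KEY_TYPES = {"PrivateKeyEntry", "keyEntry"}

# Constructed sample (invented names): the CA-signed server cert was imported
# under alias "tomcat" with no matching private key in the keystore, so it was
# stored as a trusted certificate rather than a key entry.
BROKEN_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Entry type: trustedCertEntry

Owner: CN=Example Org Root CA, O=Example Org, C=GB
Issuer: CN=Example Org Root CA, O=Example Org, C=GB

*******************************************
*******************************************

Alias name: tomcat
Entry type: trustedCertEntry

Owner: CN=cas.example.org, O=Example Org, C=GB
Issuer: CN=Example Org Root CA, O=Example Org, C=GB
"""

# Constructed sample of the state Tomcat needs: a private-key entry under
# "tomcat" whose chain runs leaf -> root CA.
HEALTHY_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=cas.example.org, O=Example Org, C=GB
Issuer: CN=Example Org Root CA, O=Example Org, C=GB
Certificate[2]:
Owner: CN=Example Org Root CA, O=Example Org, C=GB
Issuer: CN=Example Org Root CA, O=Example Org, C=GB

*******************************************
*******************************************

Alias name: root
Entry type: trustedCertEntry

Owner: CN=Example Org Root CA, O=Example Org, C=GB
Issuer: CN=Example Org Root CA, O=Example Org, C=GB
"""

ALIAS_RE = re.compile(r"^Alias name: (.+)$", re.MULTILINE)


def parse_listing(listing):
    """Split `keytool -list -v` text into {alias: {"type": ..., "chain": [(owner, issuer), ...]}}."""
    entries = {}
    marks = list(ALIAS_RE.finditer(listing))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(listing)
        body = listing[m.end():end]
        etype = re.search(r"^Entry type: (\S+)", body, re.MULTILINE)
        owners = re.findall(r"^Owner: (.+)$", body, re.MULTILINE)
        issuers = re.findall(r"^Issuer: (.+)$", body, re.MULTILINE)
        entries[m.group(1).strip()] = {
            "type": etype.group(1) if etype else "unknown",
            "chain": list(zip(owners, issuers)),  # leaf first, as keytool prints it
        }
    return entries


def diagnose(listing, key_alias="tomcat"):
    """Return the problems that would stop Tomcat's key manager using key_alias; [] if none found."""
    entries = parse_listing(listing)
    entry = entries.get(key_alias)
    if entry is None:
        return [f"no entry with alias '{key_alias}'"]
    problems = []
    if entry["type"] not in PRIVATE_KEY_TYPES:
        problems.append(f"alias '{key_alias}' is a {entry['type']}, not a private-key entry")
    chain = entry["chain"]
    if not chain:
        problems.append(f"alias '{key_alias}' has no certificate")
        return problems
    # Each cert must be issued by the next one in the chain...
    for (owner, issuer), (next_owner, _) in zip(chain, chain[1:]):
        if issuer != next_owner:
            problems.append(f"chain break after '{owner}': issuer '{issuer}' != next cert '{next_owner}'")
    # ...and the last one must be self-signed or issued by a trusted cert in the keystore.
    trusted = {e["chain"][0][0] for e in entries.values()
               if e["type"] == "trustedCertEntry" and e["chain"]}
    last_owner, last_issuer = chain[-1]
    if last_issuer != last_owner and last_issuer not in trusted:
        problems.append(f"issuer '{last_issuer}' of '{last_owner}' is not in the keystore")
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"broken sample": BROKEN_LISTING, "healthy sample": HEALTHY_LISTING}
    for name, text in samples.items():
        print(f"{name}: {diagnose(text) or ['usable private-key entry for alias tomcat']}")
```

If the check reports a trustedCertEntry under the connector's alias, the fix is on the key side, not the CA side: the signed certificate has to be imported into the keystore that still holds the key pair it was generated from, under that key pair's alias, so that keytool replaces the self-signed certificate with the CA-signed chain instead of adding a separate trusted entry.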


_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
