Matthew, I am not a keystore / keytrust expert, but if you continue having problems with it, you can always use the Apache Portable Runtime to handle SSL for Tomcat instead.

http://www.nabble.com/RE%3A--cas-dev--keytool-needed---to17103709.html#a17103709

It works just like mod_ssl, which is simpler IMHO; it is what I use.

HTH,
A-

On 8/12/08 10:53 AM, "Matthew Jones" <[EMAIL PROTECTED]> wrote:

> O.K. So this is really a Tomcat issue but I can't find an answer to the
> problem I'm encountering and I've been following the SSL how-to on the
> CAS pages. I have a Tomcat5.5 set-up that functions correctly with CAS
> when I use a self-signed certificate. So, I'm using the right keystore
> at least.
>
> I now have a server certificate that is signed by my organisation's own
> CA and our root CA certificate is self-signed. So I have imported the CA
> certificate using keytool thus (having moved the keystore file with the
> self-signed one in):
>
> keytool -import -alias root -file {path-to-CA-cert} -keystore /usr/share/tomcat5.5/.keystore -trustcacerts
>
> and then imported the signed server certificate thus:
>
> keytool -import -alias tomcat -file {path-to-CA-signed-server-cert} -keystore /usr/share/tomcat5.5/.keystore -trustcacerts
>
> I then read that the CA certificate should really go in the JVM's
> cacerts file thus:
>
> keytool -import -alias root -file {path-to-CA-cert} -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -trustcacerts
>
> and that is the right Java version being used.
>
> However, regardless of where the CA cert is I get the following error:
>
> SEVERE: Endpoint [SSL:
> ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored
> exception: java.net.SocketException: SSL handshake
> errorjavax.net.ssl.SSLException: No available certificate or key
> corresponds to the SSL cipher suites which are enabled.
> java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException:
> No available certificate or key corresponds to the SSL cipher suites
> which are enabled.
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:114)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:408)
>         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:71)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
>         at java.lang.Thread.run(Thread.java:619)
>
> Which is repeated loads of times until it runs out of file descriptors.
> Please can anyone see the error in what I've done with my certificates?
>
> Thanks

--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
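The keytool workflow the quoted message follows (generate the server key pair, have the CA sign a CSR, import the root, then import the signed reply under the key's alias), as an added example that is not part of the thread, together with the check a practitioner wants first: list the keystore and confirm that the alias the connector serves (the Tomcat SSL HOWTO uses tomcat) holds a PrivateKeyEntry. JSSE throws "No available certificate or key corresponds to the SSL cipher suites which are enabled" when the key manager finds no private key usable by any enabled suite, so a keystore whose tomcat alias is only a trustedCertEntry, or has no such alias, produces exactly that message no matter where the CA certificate lives. The throwaway CA, the hostname cas.example.org, the passwords and the file names are assumptions for illustration; `keytool -gencert` and `-ext` need Java 7 or later, so that part stands in for whatever signs CSRs at your organisation. Run with `build` to create a real keystore in a temporary directory; with no argument it only checks a constructed listing.

```shell
#!/bin/sh
# Added example, not code from the CAS thread. Names, passwords and the test
# CA are assumptions; replace them with your own CA and hostname.
set -e

STOREPASS=changeit   # Tomcat 5.5 opens the keystore and the key with ONE password
KS=.keystore         # the file named by the connector's keystoreFile attribute
CAKS=ca.jks          # keystore holding the (assumed) organisational CA key

# 1. Throwaway CA standing in for your organisation's own CA (skip in production).
make_test_ca() {
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Example Root CA" -ext bc:c \
        -storetype JKS -keystore "$CAKS" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -exportcert -alias ca -rfc -file ca.pem \
        -keystore "$CAKS" -storepass "$STOREPASS"
}

# 2. Server key pair -> CSR -> CA-signed cert -> import root, then import the reply.
#    The reply MUST go in under the alias that holds the private key (tomcat);
#    under any other alias it is stored as a trustedCertEntry and the
#    connector still has no key to present.
build_server_keystore() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=cas.example.org" \
        -storetype JKS -keystore "$KS" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -alias tomcat -file tomcat.csr \
        -keystore "$KS" -storepass "$STOREPASS"
    keytool -gencert -alias ca -infile tomcat.csr -outfile tomcat.pem -rfc \
        -validity 365 -ext san=dns:cas.example.org \
        -keystore "$CAKS" -storepass "$STOREPASS"
    keytool -importcert -alias root -file ca.pem -noprompt \
        -keystore "$KS" -storepass "$STOREPASS"
    keytool -importcert -alias tomcat -file tomcat.pem -noprompt \
        -keystore "$KS" -storepass "$STOREPASS"
}

# 3. The check. Reads `keytool -list -v` output on stdin and prints the entry
#    type recorded for the alias given as $1: PrivateKeyEntry, trustedCertEntry,
#    or "missing" when no such alias exists.
entry_type_for_alias() {
    awk -v want="$1" '
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / && alias == want { print substr($0, 13); found = 1; exit }
        END { if (!found) print "missing" }'
}

if [ "${1:-}" = build ]; then
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; exit 1; }
    workdir=$(mktemp -d)
    cd "$workdir"
    make_test_ca
    build_server_keystore
    echo "keystore built in $workdir"
    listing=$(keytool -list -v -keystore "$KS" -storepass "$STOREPASS")
else
    # Constructed sample of `keytool -list -v` output: the shape you get when
    # the signed certificate was imported under an alias that has no key pair.
    listing='Keystore type: JKS
Your keystore contains 2 entries

Alias name: root
Entry type: trustedCertEntry

Alias name: tomcat
Entry type: trustedCertEntry'
fi

entry=$(printf '%s\n' "$listing" | entry_type_for_alias tomcat)
echo "alias tomcat holds: $entry"
if [ "$entry" != PrivateKeyEntry ]; then
    echo "connector alias has no private key; fix the keystore before touching cipher suites" >&2
    if [ "${1:-}" = build ]; then exit 1; fi
fi
```

Two details matter for Tomcat 5.5 in particular: the key password must equal the keystore password (hence `-keypass "$STOREPASS"`), and the root certificate has to be trusted (in this keystore under `root`, or in the JVM's cacerts with `-trustcacerts`) before the reply is imported, or keytool refuses to build the chain.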
