Matthew:

The CAS server using Tomcat requires the keystore in the Tomcat area. The business server or application server (using the CAS client) requires an imported cert in cacerts for the trust when the CAS server is called from the CAS client code.

If I'm repeating what you already know, bear with me. This is tricky stuff sometimes. What you didn't tell us is whether you used the keytool executable to list the contents of the stores 1) in the Tomcat area (port 8443) and 2) cacerts at $JAVA_HOME/jre/lib/security on the CAS client server. You may very well think that you are doing things correctly, but the listing may prove otherwise. Also, the keytool program will sometimes behave as if it were successful when nothing actually happened. Try the listing and understand what's in the stores and when they are actually called or used for validation.

David

On 8/12/08, Andrew Ralph Feller, afelle1 <[EMAIL PROTECTED]> wrote:
> Matthew,
>
> I am not a keystore / keytrust expert, but if you continue having problems
> with it, you can always use the Apache Portable Runtime to handle SSL for
> Tomcat instead.
>
> http://www.nabble.com/RE%3A--cas-dev--keytool-needed---to17103709.html#a17103709
>
> It works just like mod_ssl, which is simpler IMHO; it is what I use.
>
> HTH,
> A-
>
>
> On 8/12/08 10:53 AM, "Matthew Jones" <[EMAIL PROTECTED]> wrote:
>
> > O.K. So this is really a Tomcat issue, but I can't find an answer to the
> > problem I'm encountering and I've been following the SSL how-to on the
> > CAS pages. I have a Tomcat 5.5 set-up that functions correctly with CAS
> > when I use a self-signed certificate. So, I'm using the right keystore
> > at least.
> >
> > I now have a server certificate that is signed by my organisation's own
> > CA, and our root CA certificate is self-signed. So I have imported the CA
> > certificate using keytool thus (having moved the keystore file with the
> > self-signed one in):
> >
> > keytool -import -alias root -file {path-to-CA-cert} -keystore /usr/share/tomcat5.5/.keystore -trustcacerts
> >
> > and then imported the signed server certificate thus:
> >
> > keytool -import -alias tomcat -file {path-to-CA-signed-server-cert} -keystore /usr/share/tomcat5.5/.keystore -trustcacerts
> >
> > I then read that the CA certificate should really go in the JVM's
> > cacerts file thus:
> >
> > keytool -import -alias root -file {path-to-CA-cert} -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -trustcacerts
> >
> > and that is the right Java version being used.
> >
> > However, regardless of where the CA cert is, I get the following error:
> >
> > SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
> > java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
> >         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:114)
> >         at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:408)
> >         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:71)
> >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
> >         at java.lang.Thread.run(Thread.java:619)
> >
> > Which is repeated loads of times until it runs out of file descriptors.
> > Please can anyone see the error in what I've done with my certificates?
> >
> > Thanks
>
> --
> Andrew R. Feller, Analyst
> Information Technology Services
> 200 Fred Frey Building
> Louisiana State University
> Baton Rouge, LA 70803
> (225) 578-3737 (Office)
> (225) 578-6400 (Fax)
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
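The listing check David recommends, written out as an added example that is not from anyone in the thread: a small POSIX shell script that parses `keytool -list` output and reports whether the connector alias (`tomcat` in Matthew's commands) is a key entry or only a trusted certificate, since the handshake error Matthew quotes is what JSSE raises when the keystore holds no usable private key for the enabled cipher suites. The `KEYSTORE` and `KEYSTORE_ALIAS` environment variables are introduced here and the listing format assumed is the one-line-per-entry form keytool prints without `-v`.

```shell
#!/bin/sh
# Added example, not from the thread: check what a Tomcat keystore actually
# holds for the connector alias, based on `keytool -list` output.
# Assumed: entry lines look like "<alias>, <date>, <EntryType>," (keytool's
# non-verbose listing); alias "tomcat" is the one Matthew used.

# Read a keytool listing on stdin and print the entry type recorded for an
# alias: PrivateKeyEntry (keyEntry on older JDKs), trustedCertEntry, or
# "missing" when no such alias is present. keytool stores aliases lower-cased.
entry_type_for_alias() {
    awk -v a="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        index($0, a ",") == 1 {
            if (match($0, /PrivateKeyEntry|keyEntry|trustedCertEntry|SecretKeyEntry/)) {
                print substr($0, RSTART, RLENGTH); found = 1; exit
            }
        }
        END { if (!found) print "missing" }'
}

# A connector can only serve certificate-based cipher suites if its alias is a
# key entry (private key plus certificate chain). A trustedCertEntry under that
# alias means a certificate was imported without the key that belongs to it,
# which leaves JSSE with "No available certificate or key corresponds to the
# SSL cipher suites which are enabled". Exit codes: 0 ok, 1 cert-only, 2 missing.
diagnose_connector_alias() {
    case "$(entry_type_for_alias "$1")" in
        PrivateKeyEntry|keyEntry)
            echo "ok: alias '$1' holds a private key and certificate chain"; return 0 ;;
        trustedCertEntry)
            echo "problem: alias '$1' is only a trusted certificate, no private key"; return 1 ;;
        *)
            echo "problem: no entry named '$1' in this keystore"; return 2 ;;
    esac
}

# Stand-alone use against a real store, e.g. KEYSTORE=/usr/share/tomcat5.5/.keystore
# (keytool prompts for the store password itself). Skipped when unset.
if [ -n "${KEYSTORE:-}" ] && command -v keytool >/dev/null 2>&1; then
    keytool -list -keystore "$KEYSTORE" | diagnose_connector_alias "${KEYSTORE_ALIAS:-tomcat}"
fi
```

Run the same check against the CAS client JVM's cacerts with `KEYSTORE_ALIAS=root` to confirm the CA landed there as a trustedCertEntry, which is the correct type for a trust store.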
