I normally see this error because the client filter is making its separate request (within the CAS client application JVM) inside of the CAS client Java code and it's getting sent the Apache certificate because it's HTTPS as well. When the server (Apache) sends the certificate, it must be in the CAS client machine's trusted certs. This would be in the JVM at jre/lib/security/cacerts.
Import your certificate in cacerts on the CAS client machine and this should go away.

David

On 12/16/08, Yitzchak Schaffer <[email protected]> wrote:
>
> Hello all:
>
> Trying to get CAS working with Apache proxying to Tomcat via AJP. I did
> the demo [1] successfully with Tomcat standing alone, but I don't
> understand Tomcat+CAS well enough to know how to get my self-signed dev
> (cas.jim.com) setup going. When I browse
> https://cas.jim.com/cas/services/ for example, I get:
>
> You are not authorized to use this application for the following reason:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target.
>
> This had worked with standalone Tomcat. For Apache, I used:
> openssl req -new -x509 -nodes -out cas.crt -keyout cas.key
> to create my certificate and key, which are working with Apache alone.
>
> I then did:
> sudo keytool -import -file cas.crt -keypass changeit
> to get them into keystore.
>
> What did I miss in this relationship?
>
> Thank you!
>
> [1] http://www.ja-sig.org/wiki/display/CASUM/Demo
>
> --
> Yitzchak Schaffer
> Systems Librarian
> Touro College Libraries
> 33 West 23rd Street
> New York, NY 10010
> Tel (212) 463-0400 x5230
> Fax (212) 627-3197
> [email protected]
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
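Added example, not part of the original messages: one way to do the import described in the reply, targeting the cacerts file of the JVM that runs the CAS client. keytool run without -keystore operates on .keystore in the invoking user's home directory, not on cacerts. The file name cas.crt comes from the thread; the alias cas-apache, the function names and the Java 9+ path lib/security/cacerts are assumptions added here.

```shell
#!/bin/sh
# Added example: trust a self-signed Apache certificate in the JVM that runs
# the CAS client. Alias and helper names are hypothetical.

# Print the cacerts path under a Java home. Tries the location named in the
# thread (jre/lib/security/cacerts) and then lib/security/cacerts, which is
# where a standalone JRE and Java 9+ keep it.
find_cacerts() {
    java_home=$1
    for rel in jre/lib/security/cacerts lib/security/cacerts; do
        if [ -f "$java_home/$rel" ]; then
            printf '%s\n' "$java_home/$rel"
            return 0
        fi
    done
    return 1
}

# Import a certificate as a trusted entry unless the alias already exists.
# "changeit" is the default cacerts store password.
import_trusted_cert() {
    store=$1; cert=$2; alias_name=$3; pass=${4:-changeit}
    if keytool -list -keystore "$store" -storepass "$pass" \
        -alias "$alias_name" >/dev/null 2>&1; then
        echo "alias $alias_name already present in $store"
        return 0
    fi
    keytool -import -trustcacerts -noprompt -alias "$alias_name" \
        -file "$cert" -keystore "$store" -storepass "$pass"
}

# Usage: sh trust-cas-cert.sh /path/to/java_home cas.crt
if [ "$#" -ge 2 ]; then
    target=$(find_cacerts "$1") || { echo "no cacerts under $1" >&2; exit 1; }
    import_trusted_cert "$target" "$2" cas-apache
fi
```

Writing to cacerts usually requires root, and the CAS client JVM has to be restarted before it reads the updated trust store.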
