I am unable to get the APR connector working. I have built APR, configured the connector, generated certificates, updated the environment (LD_LIBRARY_PATH) and it cannot find the certificates when an authentication is required.

I have supplied all the relevant details below. I would appreciate any insights into why it's unable to find the certificates.

Environment:

    # openssl version
    OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    #
    #
    # java version "1.6.0_01"
    Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
    Java HotSpot(TM) Server VM (build 1.6.0_01-b06, mixed mode)
    #
    #
    # uname -srvompi
    Linux 2.6.18-128.el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686 i686 i386 GNU/Linux
    #

    # Tomcat version: 6.0.14
    # APR version (built from source on RHEL5): 1.3.8

Configuration:

* APR is built and installed in /usr/local/apr:

    # ls -l /usr/local/apr/lib
    total 3212
    -rwxr-xr-x 1 root root    8130 Nov  2 09:48 apr.exp
    -rwxr-xr-x 1 root root  806678 Nov  2 09:48 libapr-1.a
    -rwxr-xr-x 1 root root     838 Nov  2 09:48 libapr-1.la
    lrwxrwxrwx 1 root root      17 Nov 10 12:07 libapr-1.so -> libapr-1.so.0.3.8
    lrwxrwxrwx 1 root root      17 Nov 10 12:07 libapr-1.so.0 -> libapr-1.so.0.3.8
    -rwxr-xr-x 1 root root  549998 Nov  2 09:48 libapr-1.so.0.3.8
    -rwxr-xr-x 1 root root 1113618 Nov  2 10:52 libtcnative-1.a
    -rwxr-xr-x 1 root root     921 Nov  2 10:52 libtcnative-1.la
    lrwxrwxrwx 1 root root      23 Nov 10 12:07 libtcnative-1.so -> libtcnative-1.so.0.1.16
    lrwxrwxrwx 1 root root      23 Nov 10 12:07 libtcnative-1.so.0 -> libtcnative-1.so.0.1.16
    -rwxr-xr-x 1 root root  777409 Nov  2 10:52 libtcnative-1.so.0.1.16
    drwxr-xr-x 2 root root    4096 Nov  2 10:52 pkgconfig

* Standalone Tomcat with an HTTP and an APR connector.

* Relevant excerpts from ${catalina.home}/conf/server.xml:

    <!--APR library loader. Documentation at /docs/apr.html -->
    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
    //...
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               SSLCertificateFile="${catalina.home}/conf/server.cert"
               SSLCertificateKeyFile="${catalina.home}/conf/server.key" />
    //...

* LD_LIBRARY_PATH is set in ${catalina.home}/bin/setenv.sh as follows:

    export LD_LIBRARY_PATH=/usr/local/apr/lib:${LD_LIBRARY_PATH}

Key/Certificate Generation:

    # export CATALINA_HOME=/usr/local/apache-tomcat
    # export CATALINA_CONF=${CATALINA_HOME}/conf
    # rm -fr ${CATALINA_CONF}/server.cert
    # rm -fr ${CATALINA_CONF}/server.key
    # openssl genrsa -out $CATALINA_CONF/server.key 2048
    # openssl req -new -x509 -days 1095 -key $CATALINA_CONF/server.key -out $CATALINA_CONF/server.cert < $CATALINA_CONF/cert.input

where $CATALINA_CONF/cert.input contains:

    US
    CA
    MyCity
    MyCompany Inc
    My Dept.
    myhost.mycompany.com
    nob...@mycompany.com

Logs:

The APR connector is initialized (seemingly) correctly:

    Nov 10, 2009 1:54:21 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: Loaded Apache Tomcat Native library 1.1.16.
    Nov 10, 2009 1:54:21 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
    Nov 10, 2009 1:54:22 PM org.apache.coyote.http11.Http11AprProtocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8080
    Nov 10, 2009 1:54:22 PM org.apache.coyote.http11.Http11AprProtocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8443
    Nov 10, 2009 1:54:22 PM org.apache.coyote.ajp.AjpAprProtocol init
    INFO: Initializing Coyote AJP/1.3 on ajp-8009
    Nov 10, 2009 1:54:22 PM org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 1440 ms
    Nov 10, 2009 1:54:22 PM org.apache.catalina.core.StandardService start
    INFO: Starting service Catalina
    Nov 10, 2009 1:54:22 PM org.apache.catalina.core.StandardEngine start
    INFO: Starting Servlet Engine: Apache Tomcat/6.0.14
    //...
    ...

but it fails to find the certificate when an authentication is required:

    2009-11-10 16:18:59,622 INFO [http-8443-1] cas.CentralAuthenticationServiceImpl:229 - Granted service ticket [ST-1-QnrXKg6DAe4RTxUsSexs-cas] for service [http://myhost.mycompany.com:8080/myapp] for user [johndoe]
    2009-11-10 16:18:59,720 ERROR [http-8443-1] validation.Cas20ProxyTicketValidator:49 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1056)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1040)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:981)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:35)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
        at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:111)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:852)
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:584)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1508)
        at java.lang.Thread.run(Thread.java:619)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
        ... 34 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
        ... 40 more

Thanx!
/U

--
View this message in context: http://old.nabble.com/AprHttp11-Connector---unable-to-locate-certificates-tp26311889p26311889.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
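The stack trace above is raised on the client side of a TLS handshake (HttpsURLConnection -> X509TrustManagerImpl.checkServerTrusted -> SunCertPathBuilder): the CAS client library inside the web application is connecting back to port 8443 and validating the certificate it receives against the JVM's own trust store, which the connector's SSLCertificateFile setting does not touch. The following script is an added illustration, not code from the post or the Tomcat project, and it uses only openssl (assumed on PATH). It generates a self-signed certificate the same way the post does, but with -subj instead of cert.input, then validates it against two constructed trust stores: one holding an unrelated root, which reproduces the "no valid certification path" condition, and one holding a copy of server.cert, which succeeds.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows with openssl alone why
# a self-signed server.cert produces "PKIX path building failed" on the client:
# the HTTPS client validates the server certificate against its own trust
# store, and a self-signed certificate is only trusted once a copy of it is in
# that store. The connector's SSLCertificateFile only tells the server what to
# present. Assumes openssl is on PATH; all names and subjects are constructed.

# Make a self-signed key/cert pair like the post does, but non-interactively.
# $1 = basename, $2 = subject DN (constructed sample values).
make_self_signed() {
  openssl genrsa -out "$WORK/$1.key" 2048 >/dev/null 2>&1
  openssl req -new -x509 -days 1095 -key "$WORK/$1.key" \
    -out "$WORK/$1.cert" -subj "$2" >/dev/null 2>&1
}

# Validate server.cert against a PEM trust store the way a TLS client would.
# Prints "trusted" or "untrusted" and always returns 0 so it is safe under set -e.
verify_against() {
  if openssl verify -CAfile "$1" "$WORK/server.cert" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Scenario: a trust store holding only an unrelated root (like a JVM cacerts
# that has never seen this self-signed cert) versus one holding server.cert.
# Prints the pair "untrusted,trusted".
demo() {
  WORK="$(mktemp -d)"
  make_self_signed server \
    "/C=US/ST=CA/L=MyCity/O=MyCompany Inc/OU=My Dept./CN=myhost.mycompany.com"
  make_self_signed unrelated "/C=US/O=Some Other Org/CN=Unrelated Root"

  cp "$WORK/unrelated.cert" "$WORK/truststore-without.pem"   # lacks server.cert
  cp "$WORK/server.cert"    "$WORK/truststore-with.pem"      # contains server.cert

  without=$(verify_against "$WORK/truststore-without.pem")
  with=$(verify_against "$WORK/truststore-with.pem")
  rm -rf "$WORK"
  echo "$without,$with"
}

demo
```

The JVM equivalent of the second trust store is to put server.cert into the trust store the client JVM actually reads: either import it with `keytool -import -trustcacerts -alias myhost -file $CATALINA_HOME/conf/server.cert -keystore $JAVA_HOME/jre/lib/security/cacerts` (the default location on Java 6), or point `-Djavax.net.ssl.trustStore=...` at a keystore that contains it. The useful check before changing anything is to confirm which JVM runs the CAS client and which cacerts file that JVM loads, since importing into a different JDK's trust store changes nothing.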