[cas-dev] help
Velpi
velpi at industria.be
Sun Sep 3 08:17:13 EDT 2006
> javax.servlet.ServletException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
>     edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)
>
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
>     com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
>     com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
>     com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
>     com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
>     com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
>     com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
>     com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
>     com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
>     com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
>     com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
>     sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
>     sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
>     sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
>     sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
>     edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:70)
>     edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>     edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:219)
>     edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)

This error informs you that there's a component that does not trust one of the
certificates.

You should check which part is causing this error, but I assume that the error
is being produced by your CASyfied web application. The error is thrown when the
CAS-client tries to connect to the CAS-server to validate the service ticket
with the server. Upon connecting, the client sees an untrusted certificate
offered by the server and throws an error.

The solution is to make the CAS client trust the certificate offered by the CAS
server. This is done by importing the CAS-server certificate (or in a better
case: the certificate of the CA that issued CAS-server's certificate) into the
JVM's truststore, the JVM that's running the CAS-client that is.

You can use this command at the CAS-client:

    keytool -import -trustcacerts -alias "sensible-name-for-ca" -file CAcert.crt \
        -keystore $JAVA_HOME/lib/security/cacerts

If this explanation isn't clear then feel free to ask for more details.

Good luck!
-- Velpi