[cas-dev] help
Scott Battaglia
scott.battaglia at gmail.com
Mon Sep 4 10:39:06 EDT 2006
We also maintain an SSL Help here that may help:
http://www.ja-sig.org/products/cas/server/ssl/index.html
On 9/3/06, Velpi <velpi at industria.be> wrote:
>
> > javax.servlet.ServletException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
> >     edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)
> >
> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
> >     com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
> >     com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
> >     com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
> >     com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
> >     com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
> >     com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
> >     com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
> >     sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
> >     sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
> >     sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
> >     sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
> >     edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:70)
> >     edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
> >     edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:219)
> >     edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)
>
> This error informs you that there's a component that does not trust one of
> the certificates.
>
> You should check which part is causing this error, but I assume that the
> error is being produced by your CASyfied web application. The error is
> thrown when the CAS-client tries to connect to the CAS-server to validate
> the service ticket with the server. Upon connect the client sees an
> untrusted certificate offered by the server and throws an error.
> The solution is to make the CAS client trust the certificate offered by the
> CAS server. This is done by importing the CAS-server certificate (or in a
> better case: the certificate of the CA that issued CAS-server's
> certificate) into the JVM's truststore, the JVM that's running the
> CAS-client that is.
>
> You can use this command at the CAS-client:
> keytool -import -trustcacerts -alias "sensible-name-for-ca" -file CAcert.crt -keystore $JAVA_HOME/lib/security/cacerts
>
>
>
> If this explanation isn't clear then feel free to ask for more details.
> Good luck!
>
>
> -- Velpi
>
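A post-import check for the keytool step quoted above, as an added example that is not part of the original thread or of the CAS code: it prints the CA certificate's SHA-256 fingerprint for out-of-band comparison, confirms the certificate is an entry in the truststore, and optionally runs PKIX validation of a server certificate against that truststore. The class name `TrustCheck`, the argument order, the `server.crt` file and the assumption that the server certificate is issued directly by the imported CA are assumptions of this example; it needs Java 9 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.List;

/** Added example (hypothetical class): is this CA trusted by this JVM truststore? */
public class TrustCheck {
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static String sha256(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
            sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    // Usage: java TrustCheck <truststore> <password> <CAcert.crt> [server.crt]
    public static void main(String[] a) throws Exception {
        if (a.length < 3) {
            System.err.println("usage: TrustCheck <truststore> <password> <CAcert.crt> [server.crt]");
            System.exit(2);
        }
        // Auto-detects JKS or PKCS12 (Java 9+).
        KeyStore ts = KeyStore.getInstance(new File(a[0]), a[1].toCharArray());
        X509Certificate ca = load(a[2]);
        ca.checkValidity(); // throws if the CA certificate is expired or not yet valid
        System.out.println("CA subject: " + ca.getSubjectX500Principal());
        System.out.println("CA SHA-256: " + sha256(ca)); // compare with the CA's published value
        String alias = ts.getCertificateAlias(ca);
        if (alias == null) { System.out.println("CA is NOT in the truststore"); System.exit(1); }
        System.out.println("CA is trusted under alias: " + alias);
        if (a.length > 3) { // optional: validate a server certificate against the truststore
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(List.of(load(a[3])));
            PKIXParameters p = new PKIXParameters(ts);
            p.setRevocationEnabled(false); // checks chain trust only, not revocation
            try {
                CertPathValidator.getInstance("PKIX").validate(path, p);
                System.out.println("server certificate chains to a trusted anchor");
            } catch (CertPathValidatorException e) {
                System.out.println("PKIX validation failed: " + e.getMessage());
                System.exit(1);
            }
        }
    }
}
```

Run it with the same JVM that runs the CAS client, pointing at the truststore that JVM actually loads.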