[cas-dev] keytool error: java.lang.Exception: Input not an X.509 certificate while trying to import alias tomcat into cacerts getting
Uday Kari
ukari at pdc.org
Thu Apr 12 17:31:56 EDT 2007
Summary:
--------
Unable to import file generated per tomcat SSL "how-to" into JVM
cecerts.
C:\jdk1.5.0_06\bin>keytool -import -alias tomcat -keystore
..\jre\lib\security\cacerts -storepass changeit -file .keystore
keytool error: java.lang.Exception: Input not an X.509 certificate
Why I am doing this:
--------------------
Got "Unable to validate ProxyTicketValidator" error. Determined from
the following
http://www.mail-archive.com/cas-dev@tp.its.yale.edu/msg00090.html that I
need to import the keystore generated for Tomcat into the JVM cacerts.
More details:
-------------
Using
-- JDK 1.5.0_06
-- CAS Server 3.0.7 RC2 (latest)
-- Windows XP platform
-- Tomcat 5.5.20 (SSL configured )
Steps:
1) Configured tomcat per:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
a) %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
b) server.xml entry uncommented.
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="c:/Documents and Settings/ukari/.keystore"
/>
2) Created simple "helloworld.jsp" and configured web.xml per the
following
http://www.ja-sig.org/wiki/display/CASC/Using+CASFilter
web.xml looks like this:
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://localhost:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://localhost:8443/cas/proxyValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>localhost:8443</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
3) Dropped casclient.jar into the WEB-INF/lib of the helloworld context.
4) Started tomcat
4) Deployed CAS from C:\cas-server-3.0.7-rc2\target\cas.war
5) Tried to access https://localhost:8443/helloworld
6) Leads to CAS just fine.
7) Login as admin/admin (or any user=password)...
8) But when we return to hello world I see the following in logs
Apr 12, 2007 10:25:46 AM org.apache.catalina.core.StandardWrapperValve
invoke
SEVERE: Servlet.service() for servlet jsp threw exception
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://localhost:8443/cas/proxyValidate]
ticket=[ST-2-OUpGZhtBFUvNhLRfihSQXJdgT5scus7fcXO-20]
service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
at
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
at
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilt
er.java:455)
at
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
tionFilterChain.java:202)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
erChain.java:173)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
e.java:204)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
e.java:178)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:126)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:105)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:107)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:1
48)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:86
9)
at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.proc
essConnection(Http11BaseProtocol.java:664)
at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint
.java:527)
at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollow
erWorkerThread.java:80)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool
.java:684)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown
Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown
Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown
Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown
Source)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
Source)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown
Source)
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown
Source)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unkno
wn Source)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown
Source)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Un
known Source)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown
Source)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown
Source)
at
edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
at
edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicket
Validator.java:212)
at
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
... 16 more
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown
Source)
at sun.security.validator.Validator.validate(Unknown Source)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unk
nown Source)
at
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unk
nown Source)
... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 35 more
More information about the cas-dev
mailing list