[cas-dev] keytool error: java.lang.Exception: Input not an X.509 certificate while trying to import alias tomcat into cacerts getting
Scott Battaglia
scott.battaglia at gmail.com
Thu Apr 12 20:33:27 EDT 2007
You can't import the keystore file into the cacerts file. You need to export
your certificate from the keystore and then import it.
Our handy how-to may help:
http://www.ja-sig.org/products/cas/server/ssl/index.html
-Scott
On 4/12/07, Uday Kari <ukari at pdc.org> wrote:
>
> Summary:
> --------
> Unable to import file generated per Tomcat SSL "how-to" into JVM cacerts.
>
> C:\jdk1.5.0_06\bin>keytool -import -alias tomcat -keystore ..\jre\lib\security\cacerts -storepass changeit -file .keystore
>
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
>
> Why I am doing this:
> --------------------
>
> Got "Unable to validate ProxyTicketValidator" error. Determined from
> the following
> http://www.mail-archive.com/cas-dev@tp.its.yale.edu/msg00090.html that I
> need to import the keystore generated for Tomcat into the JVM cacerts.
>
>
> More details:
> -------------
>
> Using
> -- JDK 1.5.0_06
> -- CAS Server 3.0.7 RC2 (latest)
> -- Windows XP platform
> -- Tomcat 5.5.20 (SSL configured )
>
> Steps:
>
> 1) Configured tomcat per:
>
> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
>
> a) %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
> b) server.xml entry uncommented.
>
> <Connector port="8443" maxHttpHeaderSize="8192"
>            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>            enableLookups="false" disableUploadTimeout="true"
>            acceptCount="100" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            keystoreFile="c:/Documents and Settings/ukari/.keystore"
> />
>
> 2) Created simple "helloworld.jsp" and configured web.xml per the
> following
> http://www.ja-sig.org/wiki/display/CASC/Using+CASFilter
>
> web.xml looks like this:
>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
>          version="2.4">
>   <filter>
>     <filter-name>CAS Filter</filter-name>
>     <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
>       <param-value>https://localhost:8443/cas/login</param-value>
>     </init-param>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
>       <param-value>https://localhost:8443/cas/proxyValidate</param-value>
>     </init-param>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
>       <param-value>localhost:8443</param-value>
>     </init-param>
>   </filter>
>
>   <filter-mapping>
>     <filter-name>CAS Filter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>
> </web-app>
>
> 3) Dropped casclient.jar into the WEB-INF/lib of the helloworld context.
> 4) Started Tomcat
> 5) Deployed CAS from C:\cas-server-3.0.7-rc2\target\cas.war
> 6) Tried to access https://localhost:8443/helloworld
> 7) Leads to CAS just fine.
> 8) Login as admin/admin (or any user=password)...
> 9) But when we return to helloworld I see the following in the logs:
>
> Apr 12, 2007 10:25:46 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet jsp threw exception
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-2-OUpGZhtBFUvNhLRfihSQXJdgT5scus7fcXO-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
>     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
>     at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>     at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:204)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
>     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>     at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>     at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>     ... 16 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>     at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>     at sun.security.validator.Validator.validate(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
>     ... 30 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>     at java.security.cert.CertPathBuilder.build(Unknown Source)
>     ... 35 more
>
>
>
>
>
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
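Added example (not code from this thread, the CAS project or the JDK) illustrating Scott's point: the file that keytool -genkey writes is a JKS keystore, while keytool -import -file expects a DER or PEM X.509 certificate, which is why handing .keystore to -import fails with "Input not an X.509 certificate". The script builds a synthetic one-entry JKS in memory using the storepass changeit from the post, shows that the keystore as a whole does not look like a certificate (it starts with the JKS magic 0xFEEDFEED, not a DER SEQUENCE tag), and then does what keytool -export -alias tomcat does: walks the keystore, checks the integrity trailer, and pulls out the entry's certificate bytes, which do look like one. The certificate, key blob and creation timestamp are constructed placeholders, not real key material; the JKS layout and SHA-1 integrity trailer follow the format the JDK's JavaKeyStore writes.

```python
import hashlib
import struct

# Added example, not CAS or JDK code: a minimal JKS reader/writer showing what
# `keytool -import` rejects and what `keytool -export` extracts from a keystore.
JKS_MAGIC = 0xFEEDFEED                 # every JKS file starts with these four bytes
JKS_VERSION = 2
TAG_PRIVATE_KEY = 1                    # entry type written by keytool -genkey
TAG_TRUSTED_CERT = 2                   # entry type written by keytool -import into a truststore
INTEGRITY_SALT = b"Mighty Aphrodite"   # fixed string JKS mixes into its SHA-1 trailer

# Constructed placeholders (assumptions, not real key material): a DER SEQUENCE
# standing in for an X.509 certificate, and an opaque blob for the protected key.
# Real DER certificates also begin with the SEQUENCE tag byte 0x30.
FAKE_CERT_DER = b"\x30\x03\x02\x01\x01"
FAKE_KEY_BLOB = b"\x00" * 16


def _utf(s):
    """Java DataOutputStream.writeUTF: 2-byte big-endian length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def integrity_digest(password, body):
    """JKS trailer: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body).
    The password only authenticates the file; certificates are stored in clear."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(INTEGRITY_SALT)
    h.update(body)
    return h.digest()


def build_jks(password, alias, cert_der, key_blob):
    """One private-key entry with a one-cert chain: the shape of the .keystore
    that `keytool -genkey -alias tomcat` writes (creation time fixed here)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 1)      # magic, version, entry count
    body += struct.pack(">I", TAG_PRIVATE_KEY) + _utf(alias) + struct.pack(">Q", 1176392400000)
    body += struct.pack(">I", len(key_blob)) + key_blob        # password-protected private key
    body += struct.pack(">I", 1)                               # certificate chain length
    body += _utf("X.509") + struct.pack(">I", len(cert_der)) + cert_der
    return body + integrity_digest(password, body)


def looks_like_x509(data):
    """What `keytool -import -file` accepts: DER (SEQUENCE tag) or PEM text."""
    return data[:1] == b"\x30" or data.startswith(b"-----BEGIN CERTIFICATE-----")


def read_jks(data, password):
    """Parse a JKS file into {alias: [DER cert, ...]}; raise on bad password or format."""
    if integrity_digest(password, data[:-20]) != data[-20:]:
        raise ValueError("keystore was tampered with, or password was incorrect")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore")
    pos, entries = 12, {}

    def take_utf():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2 + n
        return data[pos - n:pos].decode("utf-8")

    def take_blob():
        nonlocal pos
        (n,) = struct.unpack_from(">I", data, pos)
        pos += 4 + n
        return data[pos - n:pos]

    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias = take_utf()
        pos += 8                                   # creation timestamp, not needed
        if tag == TAG_PRIVATE_KEY:
            take_blob()                            # encrypted key: export never touches it
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            entries[alias] = []
            for _ in range(chain_len):
                take_utf()                         # certificate type, "X.509"
                entries[alias].append(take_blob())
        elif tag == TAG_TRUSTED_CERT:
            take_utf()
            entries[alias] = [take_blob()]
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return entries


def export_cert(keystore, password, alias):
    """What `keytool -export -alias <alias>` hands you: the entry's leaf cert, DER-encoded."""
    return read_jks(keystore, password)[alias][0]
```

With a real JDK the same two steps, against the paths in the post, are keytool -export -alias tomcat -keystore .keystore -storepass changeit -file tomcat.cer, followed by keytool -import -alias tomcat -file tomcat.cer -keystore ..\jre\lib\security\cacerts -storepass changeit. The integrity check in read_jks also shows what the storepass does and does not protect: it authenticates the whole file, but certificates inside a JKS are not encrypted, so exporting one never needs the private key's password, and a copy of .keystore leaks the certificate (though not the key) to anyone who can read it.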