[cas-dev] keytool error: java.lang.Exception: Input not an X.509 certificate while trying to import alias tomcat into cacerts getting

Uday Kari ukari at pdc.org
Thu Apr 12 22:05:53 EDT 2007


Scott:  Indeed.  Thanks!!

Just to clarify, I executed the following in sequence.

%JAVA_HOME%\bin\keytool -delete -alias tomcat -keypass changeit
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
%JAVA_HOME%\bin\keytool -export -alias tomcat -keypass changeit  -file server.crt
%JAVA_HOME%\bin\keytool -import -alias tomcat -file server.crt -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts

However, the original "Unable to validate ProxyTicketValidator" error PERSISTS.

I'll open another thread for convenience.  

________________________________________
From: cas-dev-bounces at tp.its.yale.edu [mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
Sent: Thursday, April 12, 2007 2:33 PM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] keytool error: java.lang.Exception: Input not an X.509 certificate while trying to import alias tomcat into cacerts getting

You can't import the keystore file to the cacerts file.  You need to export your certificate from the keystore and then import it.

Our handy how to may help:
http://www.ja-sig.org/products/cas/server/ssl/index.html

-Scott
On 4/12/07, Uday Kari <ukari at pdc.org> wrote: 
Summary:
--------
Unable to import file generated per tomcat SSL "how-to" into JVM cacerts.

C:\jdk1.5.0_06\bin>keytool -import -alias tomcat -keystore
..\jre\lib\security\cacerts -storepass changeit -file .keystore

keytool error: java.lang.Exception: Input not an X.509 certificate 


Why I am doing this:
--------------------

Got "Unable to validate ProxyTicketValidator" error.  Determined from
the following
http://www.mail-archive.com/cas-dev@tp.its.yale.edu/msg00090.html that I
need to import the keystore generated for Tomcat into the JVM cacerts.


More details:
-------------

Using
-- JDK 1.5.0_06 
-- CAS Server 3.0.7 RC2 (latest)
-- Windows XP platform
-- Tomcat 5.5.20 (SSL configured)

Steps:

1) Configured tomcat per:

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html 

a) %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
b) server.xml entry uncommented.

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="c:/Documents and Settings/ukari/.keystore" />

2) Created simple "helloworld.jsp" and configured web.xml per the
following
http://www.ja-sig.org/wiki/display/CASC/Using+CASFilter

web.xml looks like this:

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://localhost:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://localhost:8443/cas/proxyValidate</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>localhost:8443</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>

3) Dropped casclient.jar into the WEB-INF/lib of the helloworld context.
4) Started tomcat
5) Deployed CAS from C:\cas-server-3.0.7-rc2\target\cas.war
6) Tried to access https://localhost:8443/helloworld
7) Leads to CAS just fine.
8) Login as admin/admin (or any user=password)...
9) But when we return to hello world I see the following in logs

Apr 12, 2007 10:25:46 AM org.apache.catalina.core.StandardWrapperValve 
invoke
SEVERE: Servlet.service() for servlet jsp threw exception
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://localhost:8443/cas/proxyValidate]
ticket=[ST-2-OUpGZhtBFUvNhLRfihSQXJdgT5scus7fcXO-20] 
service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
        at
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
        at
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser (CASFilt
er.java:455)
        at
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
tionFilterChain.java :202)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
erChain.java:173)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
e.java:204) 
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
e.java:178)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:126)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:105)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:107)
        at
org.apache.catalina.connector.CoyoteAdapter.service (CoyoteAdapter.java:1
48)
        at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:86
9)
        at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.proc
essConnection( Http11BaseProtocol.java:664)
        at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint
.java:527)
        at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollow 
erWorkerThread.java:80)
        at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool
.java:684)
        at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException :
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException (Unknown
Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown
Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown
Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE (Unknown
Source)
        at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
Source)
        at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown
Source)
        at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord (Unknown
Source)
        at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unkno
wn Source)
        at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown
Source)
        at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Un
known Source)
        at
sun.net.www.protocol.http.HttpURLConnection.getInputStream (Unknown
Source)
        at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown
Source)
        at
edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
        at
edu.yale.its.tp.cas.client.ServiceTicketValidator.validate (ServiceTicket
Validator.java:212)
        at
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
        ... 16 more
Caused by: sun.security.validator.ValidatorException: PKIX path building 
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown
Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted (Unk
nown Source)
        at
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unk
nown Source)
        ... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException :
unable to find valid certification path to requested target
        at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source) 
        ... 35 more
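Scott's point is that `.keystore` is a JKS keystore, not a certificate, which is exactly what keytool is complaining about with "Input not an X.509 certificate". The following is an added example, not code from this thread or from CAS, that looks at a file's leading bytes the way a pre-flight check would (JKS/JCEKS magic, PEM header, DER outer and inner tags) so a keystore handed to `-import -file` is caught before keytool is run; every sample byte string is constructed and contains no real key material.

```python
# Added example (not from the thread): classify a file the way keytool -import
# sees it. All sample inputs below are constructed; none is real key material.

JKS_MAGIC = b"\xfe\xed\xfe\xed"    # Sun JKS keystore header
JCEKS_MAGIC = b"\xce\xce\xce\xce"  # JCEKS keystore header
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def _der_header(buf, pos):
    """Return (tag, content_offset) for the DER TLV at pos, or None if malformed."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                 # short-form length
        return tag, pos + 2
    n = first & 0x7F                 # long form: n length bytes follow
    if n == 0 or pos + 2 + n > len(buf):
        return None
    return tag, pos + 2 + n

def classify_cert_input(data):
    """Return 'jks', 'jceks', 'pem-cert', 'der-cert', 'pkcs12' or 'unknown'."""
    if data.startswith(JKS_MAGIC):
        return "jks"
    if data.startswith(JCEKS_MAGIC):
        return "jceks"
    if PEM_HEADER in data:
        return "pem-cert"
    outer = _der_header(data, 0)
    if outer is None or outer[0] != 0x30:   # both DER forms start with SEQUENCE
        return "unknown"
    inner = _der_header(data, outer[1])
    if inner is None:
        return "unknown"
    if inner[0] == 0x30:   # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
        return "der-cert"
    if inner[0] == 0x02:   # PFX (PKCS#12) ::= SEQUENCE { version INTEGER ... }
        return "pkcs12"
    return "unknown"

def importable_as_certificate(data):
    """True only for the formats keytool -import -file accepts as a certificate."""
    return classify_cert_input(data) in ("pem-cert", "der-cert")

# Constructed samples: a JKS header like the one keytool -genkey writes to
# .keystore, a DER certificate prefix and a PKCS#12 prefix (lengths padded).
SAMPLE_KEYSTORE = JKS_MAGIC + b"\x00\x00\x00\x02\x00\x00\x00\x01"
SAMPLE_DER_CERT = b"\x30\x82\x01\x00" + b"\x30\x81\xfd" + b"\x00" * 253
SAMPLE_PKCS12 = b"\x30\x82\x01\x00" + b"\x02\x01\x03" + b"\x00" * 250
```

Run `importable_as_certificate(open(path, "rb").read())` on the file you intend to pass to `-import`; a `jks` result means you still need the `-export` step from Scott's reply.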








-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia 

