CAS, Apache, Tomcat and mod_jk
Scott Battaglia
scott.battaglia at gmail.com
Thu Nov 2 09:01:01 EST 2006
The way HttpsUrlConnection in Java works is that it not only does the SSL
handshake but it also compares the host name on the certificate to the host
name requested. If they don't match it fails. In newer versions of CAS
Server and CAS client you can disable the strict name checking because we
use HttpClient (however we don't recommend it in production).
-Scott
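The reply above separates two checks that a Java client runs on the server certificate: building a certification path to a trusted anchor (the "PKIX path building failed" error in the quoted trace) and matching the requested host name against the names in the leaf certificate. The following is an added illustration written for this archive page, not code from CAS, HttpClient or the JDK: a small Python model of both checks over constructed certificate records (no real X.509 parsing). The host names and issuer names are taken from the thread or made up for the example; `verify`, `build_path` and `match_hostname` are this example's own helpers.

```python
"""Toy model of the two independent checks a TLS client such as
HttpsURLConnection makes on a server certificate:
  1. build a certification path from the leaf to a trusted anchor,
  2. match the requested host name against the names in the leaf.
Certificates are constructed records carrying only the fields the checks need."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Cert:
    subject: str                 # subject CN, e.g. "server1.csun.edu"
    issuer: str                  # issuer CN; equals subject when self-signed
    sans: Tuple[str, ...] = ()   # dNSName entries from subjectAltName, if any
    is_ca: bool = False          # basicConstraints CA flag


def build_path(leaf: Cert, intermediates: List[Cert], anchors: List[Cert],
               max_depth: int = 8) -> Optional[List[str]]:
    """Follow issuer links from the leaf until a trust anchor is reached.
    Returns the subjects along the path, or None when no anchor is reachable
    (what Java reports as 'unable to find valid certification path')."""
    by_subject = {c.subject: c for c in intermediates if c.is_ca}
    anchor_by_subject = {c.subject: c for c in anchors}
    path, cur = [leaf], leaf
    for _ in range(max_depth):
        anchor = anchor_by_subject.get(cur.issuer)
        if anchor is not None:
            if anchor != cur:            # self-signed leaf that is itself trusted
                path.append(anchor)
            return [c.subject for c in path]
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt == cur:    # dangling issuer or untrusted self-signed
            return None
        path.append(nxt)
        cur = nxt
    return None                          # chain too long


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def match_hostname(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; a wildcard is accepted only as the whole
    leftmost label, must cover exactly one label, and never matches an IP."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    if _is_ip(h):
        return False
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: Cert, hostname: str) -> bool:
    names = cert.sans if cert.sans else (cert.subject,)   # SAN wins over CN
    return any(match_hostname(n, hostname) for n in names)


def verify(leaf: Cert, intermediates: List[Cert], anchors: List[Cert],
           hostname: str, check_hostname: bool = True) -> Tuple[bool, Union[List[str], str]]:
    """Run both checks; returns (True, path) or (False, reason)."""
    path = build_path(leaf, intermediates, anchors)
    if path is None:
        return False, ("PKIX path building failed: unable to find valid "
                       "certification path to requested target")
    if check_hostname and not cert_matches_host(leaf, hostname):
        names = list(leaf.sans or (leaf.subject,))
        return False, f"hostname {hostname!r} does not match certificate names {names}"
    return True, path


# Constructed data modelling the setup in the thread: Apache on Server 1
# presents a certificate for server1.csun.edu, but the CAS client asks for
# cas-dev.csun.edu. Issuer names are made up for the example.
ROOT = Cert("Demo Root CA", "Demo Root CA", is_ca=True)
ISSUING = Cert("Demo Issuing CA", "Demo Root CA", is_ca=True)
APACHE_CERT = Cert("server1.csun.edu", "Demo Issuing CA", sans=("server1.csun.edu",))
TOMCAT_SELF_SIGNED = Cert("cas-dev.csun.edu", "cas-dev.csun.edu", sans=("cas-dev.csun.edu",))

if __name__ == "__main__":
    print(verify(APACHE_CERT, [ISSUING], [ROOT], "cas-dev.csun.edu"))
    print(verify(APACHE_CERT, [ISSUING], [ROOT], "cas-dev.csun.edu", check_hostname=False))
    print(verify(TOMCAT_SELF_SIGNED, [], [ROOT], "cas-dev.csun.edu"))
    print(verify(TOMCAT_SELF_SIGNED, [], [ROOT, TOMCAT_SELF_SIGNED], "cas-dev.csun.edu"))
```

The four calls in the main block show the combinations the thread is about: a chain that validates but whose name does not match the cname (fails unless host name checking is relaxed, the option the reply mentions and advises against in production); and a keytool-generated self-signed certificate that fails path building until it is added as a trust anchor, which in the real stack means importing it into the truststore the CAS client JVM uses. Fixing the certificate so that its name covers the host the client actually connects to passes both checks without relaxing either.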
On 11/1/06, Ryan Shelley <rshelley at csun.edu> wrote:
>
> So after getting everything working with CAS on Tomcat, I'm now looking
> into proxying CAS through Apache using mod_jk. Apache and mod_jk are set up
> properly, however, I'm having some certificate issues and not exactly
> certain how Apache and mod_jk should be configured in regards to their SSL
> definitions. What is the proper organization of certificates in a CAS
> scenario where Server 1 is running Apache2, Tomcat 5.5 and mod_jk serving
> CAS, and Server 2 is also running Apache2, Tomcat 5.5 and mod_jk serving
> my application? Who should be managing what certs?
> The reason I ask is because we're seeing an error that only occurs when we
> route traffic through Apache instead of going between Tomcat instances:
>
> javax.servlet.ServletException: Validation threw exception:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target,
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> Now, Apache2 on Server 1 does have SSL enabled, however, the instance of
> Apache2 on Server 1 is running several VirtualHosts and has several cnames.
> The SSL cert for Apache2 on Server 1 is only signed for one domain (which is
> different from the cname CAS is running under, ex: cert is for
> server1.csun.edu, however, the cname for CAS is cas-dev.csun.edu) since
> there is only one IP address on the server. Also, the cert on Server 1 is
> an openssl PEM cert as opposed to the keytool-generated certs of Tomcat.
> Tomcat on Server 1 is also configured for SSL with separate certs for
> cas-dev.csun.edu but is linked to Apache via mod_jk, so these certs do not
> come into play when handling requests originating from Apache. Apache2 and
> Tomcat on Server 2 are configured similarly for the servlet having been
> developed.
>
> When I take Apache2 out of the mix on both sides and go from Tomcat to
> Tomcat, everything works fine, except that there are other hosts on the
> servers that require that Tomcat run on odd SSL ports (7443 as opposed to
> 443, for example). This requires the port be in every request between the
> Tomcat instances (hence, the proxying through Apache2 and mod_jk).
> Obviously, we'd like to avoid that. One option, being the most obvious, is
> to get an additional IP address for the servers dedicated to that cname...
> I'm looking into that. In lieu of that, are there any configuration options
> that would enable this setup to function properly?
>
> Ryan Shelley
> Lead Developer
> ITR Web Development/Middleware
> California State University, Northridge
>
> 818.677.4258
> rshelley at csun.edu
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas