CAS, Apache, Tomcat and mod_jk

Ryan Shelley rshelley at csun.edu
Thu Nov 2 13:52:12 EST 2006


Right... well, this is only a development server.  I don't see any  
documentation online or within either of the configuration files that  
mentions disabling the strict name checking.  Is it a separate bean  
that needs to be used instead of  
HttpBasedServiceCredentialsToPrincipalResolver?

Ryan Shelley
Lead Developer
ITR Web Development/Middleware
California State University, Northridge

818.677.4258
rshelley at csun.edu



On Nov 2, 2006, at 6:01 AM, Scott Battaglia wrote:

> The way HttpsUrlConnection in Java works is that it not only does  
> the SSL handshake but it also compares the host name on the  
> certificate to the host name requested.  If they don't match it  
> fails. In newer versions of CAS Server and CAS client you can  
> disable the strict name checking because we use HttpClient (however  
> we don't recommend it in production).
>
> -Scott
>
> On 11/1/06, Ryan Shelley <rshelley at csun.edu> wrote:
> So after getting everything working with CAS on Tomcat, I'm now  
> looking into proxying CAS through Apache using mod_jk.  Apache and  
> mod_jk are set up properly; however, I'm having some certificate  
> issues and am not exactly certain how Apache and mod_jk should be  
> configured in regard to their SSL definitions.  What is the proper  
> organization of certificates in a CAS scenario where Server 1 is  
> running Apache2, Tomcat 5.5 and mod_jk serving CAS, and Server 2 is  
> also running Apache2, Tomcat 5.5 and mod_jk serving my  
> application?  Who should be managing what certs?
>
> The reason I ask is because we're seeing an error that only occurs  
> when we route traffic through Apache instead of going between  
> Tomcat instances:
>
> javax.servlet.ServletException: Validation threw exception:  
> javax.net.ssl.SSLHandshakeException:  
> sun.security.validator.ValidatorException: PKIX path building  
> failed:  
> sun.security.provider.certpath.SunCertPathBuilderException : unable  
> to find valid certification path to requested target,  
> sun.security.validator.ValidatorException: PKIX path building  
> failed: sun.security.provider.certpath.SunCertPathBuilderException:  
> unable to find valid certification path to requested target
>
> Now, Apache2 on Server 1 does have SSL enabled, however, the  
> instance of Apache2 on Server 1 is running several VirtualHosts and  
> has several cnames.  The SSL cert for Apache2 on Server 1 is only  
> signed for one domain (which is different from the cname CAS is  
> running under, ex: cert is for server1.csun.edu, however, the cname  
> for CAS is cas-dev.csun.edu) since there is only one IP address on  
> the server.  Also, the cert on Server 1 is an openssl PEM cert as  
> opposed to the keytool-generated certs of Tomcat.  Tomcat on Server  
> 1 is also configured for SSL with separate certs for cas-dev.csun.edu  
> but is linked to Apache via mod_jk, so these certs do  
> not come into play when handling requests originating from Apache.   
> Apache2 and Tomcat on Server 2 are configured similarly for the  
> servlet having been developed.
>
> When I take Apache2 out of the mix on both sides and go from Tomcat  
> to Tomcat, everything works fine, except that there are other hosts  
> on the servers that require that Tomcat run on odd SSL ports (7443  
> as opposed to 443, for example).  This requires the port be in  
> every request between the Tomcat instances (hence, the proxying  
> through Apache2 and mod_jk).  Obviously, we'd like to avoid that.   
> One option, being the most obvious, is to get an additional IP  
> address for the servers dedicated to that cname... I'm looking into  
> that.  In lieu of that, are there any configuration options that  
> would enable this setup to function properly?
>
> Ryan Shelley
> Lead Developer
> ITR Web Development/Middleware
> California State University, Northridge
>
> 818.677.4258
> rshelley at csun.edu
>
>
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
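As an added diagnostic example (not code from CAS, the thread or its authors), the Java program below performs the two checks Scott describes, chain validation against an explicit truststore and HTTPS hostname matching, and reports which one failed. The host, port, truststore path and truststore password are assumed command-line arguments; the class name TlsCheck is made up for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example, not CAS code: opens a TLS connection the way a CAS
// client's HttpsURLConnection would and names which check rejected it.
public class TlsCheck {

    // Returns "OK", "UNTRUSTED_CHAIN", "HOSTNAME_MISMATCH" or "OTHER: <message>".
    public static String check(String host, int port, String trustStorePath,
                               char[] trustStorePassword) throws Exception {
        // Trust only what is in the given truststore (e.g. the JRE cacerts
        // Tomcat uses, after importing the CA that signed the Apache cert).
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            // RFC 2818 hostname matching, the same check HttpsURLConnection applies.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);
            sock.startHandshake();
            return "OK";
        } catch (SSLHandshakeException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof CertPathBuilderException) {
                    return "UNTRUSTED_CHAIN";   // "PKIX path building failed": issuer not in truststore
                }
                if (t instanceof CertificateException && t.getMessage() != null
                        && t.getMessage().contains("name matching")) {
                    return "HOSTNAME_MISMATCH"; // cert names a different host than the one requested
                }
            }
            return "OTHER: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // e.g. java TlsCheck cas-dev.csun.edu 443 /path/to/cacerts changeit
        System.out.println(check(args[0], Integer.parseInt(args[1]), args[2], args[3].toCharArray()));
    }
}
```

UNTRUSTED_CHAIN is the error in the thread and is cured by importing the CA that signed the Apache certificate into the truststore the CAS client's JVM uses; HOSTNAME_MISMATCH is the server1.csun.edu vs cas-dev.csun.edu situation, which a certificate naming the CAS cname resolves without disabling the check.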


