SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled
Scott Battaglia
scott.battaglia at gmail.com
Fri Apr 27 08:00:16 EDT 2007
In general (from what I've seen) your Tomcat keystore is generally not your
JVM's keystore. We generally recommend following these steps:
http://www.ja-sig.org/products/cas/server/ssl/index.html
-Scott
On 4/27/07, Rodriguez, Unai <Unai.Rodriguez at behringer.com> wrote:
>
> Hello,
>
> I have the following tools/systems set up:
>
> 1) CAS 3.0.5 integrated with LDAP
> 2) Atlassian Confluence 2.3.3
> 3) Atlassian Jira Enterprise 3.7.4
>
> I am trying to implement Single-Sign-On via the CAS server.
>
> I am able to go to Confluence or Jira URL and then get redirected to
> CAS. I input valid username/password and then get the "Unable to
> validate ProxyTicketValidator" error. Let's not go deep into that
> because I believe the problem I am having is generating valid Tomcat
> security certificates.
>
> I generate the certificate following these steps:
>
> 1) /usr/lib/java/bin/keytool -delete -alias tomcat -keypass changeit
>
> 2) /usr/lib/java/bin/keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -validity 365
> Enter keystore password: changeit
> What is your first and last name?
> [Unknown]: idmanager.intranet.behringer
> What is the name of your organizational unit?
> [Unknown]: idmanager.intranet.behringer
> What is the name of your organization?
> [Unknown]: idmanager.intranet.behringer
> What is the name of your City or Locality?
> [Unknown]: City
> What is the name of your State or Province?
> [Unknown]: Manila
> What is the two-letter country code for this unit?
> [Unknown]: PH
>
> 3) /usr/lib/java/bin/keytool -export -alias tomcat -keypass changeit -file server.crt
>
> 4) /usr/lib/java/bin/keytool -import -file server.crt -keypass changeit -keystore /usr/lib/java/jre/lib/security/cacerts
>
> I set up the tomcat SSL config (server.xml) like this (I added:
> "keystoreFile" attribute):
>
> <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
> <Connector port="8443" maxHttpHeaderSize="8192"
> maxThreads="150" minSpareThreads="25"
> maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> acceptCount="100" scheme="https" secure="true"
> keystoreFile="/usr/lib/java/jre/lib/security/cacerts"
> clientAuth="false" sslProtocol="TLS" />
>
> When I start tomcat, I get this error:
>
> Apr 27, 2007 5:59:58 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
> SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
> java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:114)
>     at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:408)
>     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:71)
>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
>     at java.lang.Thread.run(Thread.java:595)
>
> Did anyone find this problem? Any comments? Are my certification
> generating steps wrong?
>
> Thank you so much!
>
> Kind Regards,
>
> RODRIGUEZ, Unai
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
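An added shell example, not code from the thread or from the CAS project, showing the separation Scott describes: a dedicated keystore holding Tomcat's private key, the JVM's cacerts used as a trust store only, plus a check of which entry type an alias really has before it is used as keystoreFile. The keystore path, password and DN are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread or the CAS project. Tomcat's connector
# needs a keystore holding a PrivateKeyEntry; the JVM's cacerts holds only
# trustedCertEntry items, so pointing keystoreFile at it gives the error above.
# Paths, password and DN below are assumptions.
KEYSTORE="${KEYSTORE:-/etc/tomcat/tomcat.keystore}"                # assumed
TRUSTSTORE="${TRUSTSTORE:-/usr/lib/java/jre/lib/security/cacerts}"  # JVM trust store
STOREPASS="${STOREPASS:-changeit}"    # keytool default; use a real one in production
ALIAS="tomcat"
CN="idmanager.intranet.behringer"     # must match the host name clients connect to

# Classify alias $1 in `keytool -list -v` output read from stdin:
#   key   = PrivateKeyEntry/keyEntry, usable as the connector's keystoreFile
#   trust = trustedCertEntry, a trust anchor only; Tomcat cannot serve TLS with it
#   none  = alias not present
classify_alias() {
    awk -v a="$1" '
        $0 == ("Alias name: " a) { found = 1; next }
        found && /^Entry type:/ {
            if ($0 ~ /PrivateKeyEntry|keyEntry/) print "key"; else if ($0 ~ /trustedCertEntry/) print "trust"; else print "other"
            exit
        }
        END { if (!found) print "none" }'
}

# Kind of entry alias $2 is in keystore $1 (needs a JDK on PATH).
keystore_entry_kind() {
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" 2>/dev/null | classify_alias "$2"
}

# Correct sequence: key pair into the dedicated keystore, export the cert,
# import it into cacerts as a trusted cert, then verify before editing server.xml.
provision_tomcat_keystore() {
    keytool -genkey -alias "$ALIAS" -keyalg RSA -validity 365 \
        -dname "CN=$CN, OU=IT, O=Example, L=City, ST=Manila, C=PH" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -export -alias "$ALIAS" -file server.crt \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    keytool -import -noprompt -alias "$ALIAS" -file server.crt \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
    [ "$(keystore_entry_kind "$KEYSTORE" "$ALIAS")" = "key" ] || {
        echo "no private key for alias $ALIAS in $KEYSTORE" >&2; return 1; }
    echo "Connector: keystoreFile=\"$KEYSTORE\" keystorePass=\"$STOREPASS\""
}

if [ "${1:-}" = "provision" ]; then provision_tomcat_keystore; fi
```

Run it with the `provision` argument on the CAS host; `keystore_entry_kind /usr/lib/java/jre/lib/security/cacerts tomcat` on the original setup returns `trust`, which is why that file cannot serve as keystoreFile.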