Issues over PKCS12 keystore and SSL cert

Scott Battaglia scott.battaglia at gmail.com
Sun Feb 18 22:01:37 EST 2007


We have a general "Solving SSL Issues" section here that may help:
http://www.ja-sig.org/products/cas/server/ssl/index.html

Also, if you have multiple JVMs on the machine, please make sure the
certificate is installed in the correct cacerts file (I've seen people
install it in the wrong one before, including myself).

-Scott

On 2/15/07, Andrew R Feller <afelle1 at lsu.edu> wrote:
>
> Hello everyone,
>
> I am trying to use Yale's Java CAS client for CAS-fying a simple Hello
> World app against CAS.  After configuring Apache, Tomcat, and the CAS
> client, I receive the following stack trace after I log into CAS.  When I
> was setting up SSL on Tomcat, I created a PKCS12 keystore, which works
> fine.  Confused by the FAQ's note suggesting that the server's cert was
> IP-based rather than hostname-based, I attempted to create a JKS keystore
> based on the SSL cert (with the output below); however, all subsequent
> requests came back as unable to connect whenever I changed the keystore to
> use the JKS keystore.
>
> Can anyone set me straight as to what is going on, because the original
> cert was issued against a hostname and the JKS keytool is not solving the
> problem?
>
> Regards,
>
> Andrew
>
> *Sun SSL Exception thrown after CAS authentication screen*
>
> javax.servlet.ServletException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
>         edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)
>
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
>
> *Creating JKS under tomcat directory from Apache SSL certificate*
>
> [root at localhost tomcat]# keytool -import -file
> /etc/httpd/conf/ssl.crt/server.crt -keystore keystore.jks -alias tomcat
> Enter keystore password:  *******
> Owner: EMAILADDRESS=afelle1 at lsu.edu, CN=uisshibboleth.lsu.edu,
> OU=Information Technology Services, O=Louisiana State University, L=Baton
> Rouge, ST=Louisiana, C=US
> Issuer: EMAILADDRESS=afelle1 at lsu.edu, CN=uisshibboleth.lsu.edu CA,
> OU=Information Technology Services CA, O=Louisiana State University CA,
> L=Baton Rouge, ST=Louisiana, C=US
> Serial number: 1
> Valid from: Thu Nov 30 13:27:39 CST 2006 until: Fri Nov 30 13:27:39 CST
> 2007
> Certificate fingerprints:
>          MD5:  65:18:44:65:98:D7:84:05:00:51:46:81:C4:54:12:DE
>          SHA1: 64:29:1E:72:F0:8F:6A:09:37:CE:B2:93:13:73:D1:03:34:8B:A7:75
> Trust this certificate? [no]:  yes
> Certificate was added to keystore
> [root at localhost tomcat]#
>
> *Connector entities from tomcat's conf/server.xml*
>
>     # PKCS12 Connector
>     <Connector port="8443" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreType="PKCS12" keystorePass="changeit"
>                keystoreFile="/usr/local/tomcat/keystore.p12" />
>
>     # JKS Connector
>     <Connector port="8443" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreType="JKS" keystorePass="*******"
>                keystoreFile="/usr/local/tomcat/keystore.jks" />
>
> Andrew R Feller, Analyst
> University Information Systems
> Louisiana State University
> afelle1 at lsu.edu
> (office) 225.578.3737
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
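As an added example, not code from this thread or from the CAS project: a small Java 7+ diagnostic that loads a trust store and attempts the TLS handshake the same way the CAS client's JVM does, so the "PKIX path building failed" error above can be reproduced against a specific cacerts file rather than guessed at. Host, port, store path, store type and password are assumed command-line arguments; the store path defaults to the cacerts of the JVM running the program, which is the file Scott's note about multiple JVMs refers to.

```java
import java.io.FileInputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Reproduces the CAS client's certificate validation against a chosen trust store. */
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        // Assumed usage: java TrustCheck <host> <port> [truststore] [JKS|PKCS12] [password]
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Default: the cacerts of THIS JVM. If Tomcat runs under a different JVM,
        // a cert imported here is invisible to the CAS client (Scott's point above).
        String defaultCacerts = Paths.get(System.getProperty("java.home"),
                "lib", "security", "cacerts").toString();
        String storePath = args.length > 2 ? args[2] : defaultCacerts;
        String storeType = args.length > 3 ? args[3] : "JKS";
        char[] storePass = (args.length > 4 ? args[4] : "changeit").toCharArray();
        System.out.println("Trust store: " + storePath + " (" + storeType + ")");

        KeyStore ts = KeyStore.getInstance(storeType);
        try (FileInputStream in = new FileInputStream(storePath)) {
            ts.load(in, storePass);
        }
        // Default algorithm is PKIX, the same validator named in the stack trace.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("Handshake OK. Chain presented by " + host + ":");
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal()
                        + "  issuer=" + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // Walk to the root cause; for a missing trust anchor this is the
            // SunCertPathBuilderException quoted in the original post.
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            System.out.println("Handshake FAILED: " + root);
        }
    }
}
```

A raw SSLSocket does not check that the certificate's CN matches the host, whereas the HTTPS connection the CAS client opens does, so a hostname-vs-IP mismatch like the one the FAQ describes will only appear in the client, not in this handshake.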