Web server on different machine to CAS server - SOLVED
Mike Crawford
mike.crawford at gmail.com
Mon Mar 5 23:11:36 EST 2007
Thank you for enduring with me... problem solved. I had gotten myself into a
tangle with too many certificates and CAS servers floating around.
I'm sure this is trivial for most but for those as novice as me - to set up
CAS on a server by itself:
* Get the CAS application running using the Yale website instructions... I
  used J2EE server .war version running in Tomcat
* On the same server generate a key with alias tomcat into a keystore... the
  CN property being the name of your CAS server
* Generate a certificate (.crt) from the key you just created
* On the same server in the SSL connector in server.xml of Tomcat... point to
  the keystore. (keystoreFile & keystorePass)
* Copy the certificate you exported to your webserver or uPortal machine.
* Import the cert into your Java cacerts keystore on the webserver
* Check that your webserver or uPortal application has the standard CAS
  filter within the web-app tag of web.xml, and the serverName property being
  the name of your web server, including the port 8080 if that's what you're
  running Tomcat on.
Cheers,
Mike
On 3/5/07, Mike Crawford <mike.crawford at gmail.com> wrote:
>
> I've added that and it gave no additional output. I tested it by making
> an obvious mistake and it seems to work though.
>
> I think my problem comes down to a basic lack of understanding of the
> certificates and keystores.
>
> On the CAS server, I created a private key with the same name as the CAS
> server, then exported a cert and imported that into cacerts on the CAS
> server. Then I copied the cert to the web server. On the web server I set
> the serverName part of my filter to be the webserver name, and imported the
> cert into the JVM keystore.
>
> This didn't work for me. I have Tomcat running on both servers, the
> server.xml on the CAS server pointing to the private keystore.... and on
> the webserver I don't need to point to a private keystore?
>
> Do I have the basics right here? Make private keystore on CAS Server,
> send the cert to the webserver and import it into cacerts??
>
> Thanks,
>
> Mike
>
>
> On 3/1/07, Marvin S. Addison <serac at vt.edu> wrote:
> >
> > If you suspect a keystore/certificate issue of any kind, the Java SSL
> > debug output is indispensable in diagnosing the problem. Could you
> > perform an SSL debug trace by adding
> >
> > -Djavax.net.debug=ssl
> >
> > to your JVM startup parameters. This is easily done for Tomcat: create
> > a $TOMCAT_HOME/bin/setenv.sh file and add the line
> >
> > CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.debug=ssl"
> >
> > This will generate _a lot_ of data in $TOMCAT_HOME/logs/catalina.out by
> > default. If you could post what you think are relevant bits of that
> > output, we might be able to help further.
> >
> > Regards,
> > Marvin Addison
> > --
> > Applications Programming Analyst
> > Collaborative Technologies Unit
> > Virginia Tech
> >
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
>
>
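The steps listed at the top of this message, as a keytool walk-through with two checks added (an added example, not part of the original post). The host name cas.example.org, the password, the trust-store alias cas and the file names are constructed; it uses keytool's current subcommand names and a scratch trust store in place of the JVM's cacerts.

```shell
#!/bin/sh
# Added example. Host name, password and file names are constructed placeholders.
KT="keytool -J-Duser.language=en"   # English output keeps the parsing below stable

# CAS server: key pair under alias "tomcat"; the CN is the CAS server's host name.
make_cas_keystore() {   # args: host keystore password
    $KT -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$1" -keystore "$2" -storepass "$3" -keypass "$3"
}

# CAS server: export only the public certificate; the private key stays put.
export_cas_cert() {     # args: keystore password out.crt
    $KT -exportcert -alias tomcat -keystore "$1" -storepass "$2" -file "$3"
}

# Web server: trust that certificate. On a real host the target is the JVM's
# cacerts file; a scratch trust store is used here instead.
import_cas_cert() {     # args: cert truststore password
    $KT -importcert -noprompt -alias cas -file "$1" -keystore "$2" -storepass "$3"
}

# Pull the CN out of "keytool -printcert" output read from stdin.
owner_cn() { sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p'; }

# Check 1: the certificate's CN equals the host name clients use to reach CAS.
cert_matches_host() {   # args: cert host
    [ "$($KT -printcert -file "$1" | owner_cn)" = "$2" ]
}

# Check 2: the trust store really contains the imported entry.
truststore_has_cas() {  # args: truststore password
    $KT -list -alias cas -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# End-to-end run in a temp directory; prints "ok" or the step that failed.
demo() {
    d=$(mktemp -d) && host=cas.example.org && pw=example-pass
    make_cas_keystore "$host" "$d/cas.keystore" "$pw" || { echo "genkeypair failed"; return 1; }
    export_cas_cert "$d/cas.keystore" "$pw" "$d/cas.crt" || { echo "export failed"; return 1; }
    import_cas_cert "$d/cas.crt" "$d/truststore" "$pw" || { echo "import failed"; return 1; }
    cert_matches_host "$d/cas.crt" "$host" || { echo "CN mismatch"; return 1; }
    truststore_has_cas "$d/truststore" "$pw" || { echo "not trusted"; return 1; }
    rm -rf "$d"; echo ok
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo` on a machine with a JDK; a "CN mismatch" or "not trusted" result points at the same certificate problems discussed in this thread.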