Web server on different machine to CAS server - SOLVED
Mike Crawford
mike.crawford at gmail.com
Thu Mar 8 00:35:34 EST 2007
Hi Volker,
I don't know much about types of certificates. I'm going to purchase certs
from a trusted CA soon, but in the meantime I generated my own like this:
On the CAS server:
*Gen private key inside a new keystore:
.../jre/lib/security$ keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -dname "cn=<server_full_name>, ou=<foo>, o=<foo>, l=<foo>, st=<foo>, c=<foo>" -keypass <foo_password> -keystore /<anywhere>/ssoserver.jks -storepass <foo_password> -validity 365
*verify:
.../jre/lib/security$ keytool -list -v -keystore /<anywhere>/ssoserver.jks -storepass <foo_password>
*Generate cert:
$ keytool -export -alias tomcat -keystore /<anywhere>/ssoserver.jks -keypass <foo_password> -file ssoserver.crt
*Now move ssoserver.crt to the .../jre/lib/security folder on your client server.
On the client/web server:
*Change default cacerts password
.../jre/lib/security$ keytool -storepasswd -keystore cacerts -new <foo_password> -storepass changeit
*Import the cert into cacerts, so that your webserver trusts your CAS server
.../jre/lib/security$ keytool -import -file ssoserver.crt -alias tomcat -keypass <foo_password> -keystore cacerts
Make sure you're importing into the correct Java cacerts version that Tomcat
points to, and if your use case requires it, you can import the cert into the
CAS server's cacerts as well.
Good luck,
Mike
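Mike's keytool sequence above, automated as an added example (not code from the thread), with two checks worth running before suspecting the CAS filter: that the CN in the exported cert equals the CAS hostname the web server will use, and that the cert stored under alias tomcat in the web server's cacerts has the same fingerprint as the file exported from the CAS server. It uses the modern keytool subcommand names (-genkeypair/-exportcert/-importcert), a 2048-bit key instead of the 1024-bit one in the mail, and constructed file names and passwords; the truststore is a fresh file so a real JVM cacerts is never modified.

```shell
#!/bin/sh
# Added example: keystore/cert steps from the thread plus two sanity checks.
# All paths, passwords and the hostname are constructed placeholders.

# cas_make_keystore <keystore> <storepass> <cas_hostname>
# CAS server side: private key + self-signed cert under alias "tomcat".
# The CN must be the exact name clients put in the CAS URL.
cas_make_keystore() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$3, OU=SSO, O=Example, L=City, ST=State, C=US" \
        -keystore "$1" -storepass "$2" -keypass "$2" >/dev/null 2>&1
}

# cas_export_cert <keystore> <storepass> <out.crt>
# Exports only the public certificate; the private key stays in the keystore.
cas_export_cert() {
    keytool -exportcert -alias tomcat -keystore "$1" -storepass "$2" \
        -file "$3" >/dev/null 2>&1
}

# web_import_cert <cacerts> <storepass> <in.crt>
# Web server side. -noprompt skips the interactive "Trust this certificate?".
web_import_cert() {
    keytool -importcert -noprompt -alias tomcat -file "$3" \
        -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# cert_cn <file.crt>: prints the CN the CAS server will present.
cert_cn() {
    keytool -printcert -file "$1" | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p'
}

# check_trusted <cacerts> <storepass> <file.crt>
# Succeeds only if alias "tomcat" in the truststore carries the same SHA-256
# fingerprint as the exported file. Fails when the import went into a
# different cacerts than the one Tomcat's JVM uses, the mistake from the thread.
check_trusted() {
    want=$(keytool -printcert -file "$3" | grep -o 'SHA256: [0-9A-F:]*')
    have=$(keytool -list -v -keystore "$1" -storepass "$2" -alias tomcat 2>/dev/null \
           | grep -o 'SHA256: [0-9A-F:]*')
    [ -n "$want" ] && [ "$want" = "$have" ]
}
```

Run check_trusted against the cacerts of every JVM installed on the web server machine; only the one that succeeds is the one Tomcat must be started with.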
On 3/7/07, Obel, Volker <Volker.Obel at partner.commerzbank.com> wrote:
>
> I have been following your mailings here for the last few days, because I'm dealing with the
> same problems.
>
> In fact, I have one question about the procedure described in your last
> mail. What kind of certificate (.crt) did you generate? Did you only export
> the certificate or did you generate a root certificate?
>
> Only exporting the certificate and installing it on the webserver or
> uPortal did NOT work in my environment.
>
> I get the error message "no trusted certificate found...."
>
> Some administration colleagues told me to generate a CA certificate
> (normally generated by a trust center) and put it into the keystore of the
> client server, in your case the webserver.
>
> By the way, it's good that you mailed your working solution. Very often,
> people don't do this...
>
> Regards
>
> Volker Obel
>
> ------------------------------
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On behalf of* Scott Battaglia
> *Sent:* Tuesday, 6 March 2007 21:47
> *To:* Yale CAS mailing list
> *Subject:* Re: Web server on different machine to CAS server - SOLVED
>
> Glad to hear it worked for you.
>
> -Scott
>
> On 3/5/07, *Mike Crawford* <mike.crawford at gmail.com> wrote:
>
> Thank you for enduring with me... problem solved. I had gotten myself into
> a tangle with too many certificates and CAS servers floating around.
>
> I'm sure this is trivial for most, but for those as novice as me - to set up
> CAS on a server by itself:
>
> *Get the CAS application running using the Yale website instructions... I
> used the J2EE server .war version running in Tomcat
>
> *On the same server generate a key with alias tomcat into a keystore...
> the cn property being the name of your cas server
>
> *Generate a certificate (.crt) from the key you just created
>
> *On the same server in the SSL connector in server.xml of tomcat... point
> to the keystore. (keystoreFile & keystorePass)
>
> *Copy the certificate you exported to your webserver or uPortal machine.
>
> *Import the cert into your java cacerts keystore on the webserver
>
> *Check that your webserver or uPortal application has the standard CAS
> filter within the web-app tag of web.xml, and the serverName property
> being the name of your web server, including the port 8080 if that's what
> you're running tomcat on.
>
> Cheers,
>
> Mike
>
> On 3/5/07, *Mike Crawford* <mike.crawford at gmail.com> wrote:
>
> I've added that and it gave no additional output. I tested it by making
> an obvious mistake and it seems to work though.
>
> I think my problem comes down to a basic lack of understanding of the
> certificates and keystores.
>
> On the CAS server, I created a private key with the same name as the CAS
> server, then exported a cert and imported that into cacerts on the CAS
> server. Then I copied the cert to the web server. On the web server I set
> the serverName part of my filter to be the webserver name, and imported the
> cert into the JVM keystore.
>
> This didn't work for me. I have tomcat running on both servers, the
> server.xml on the CAS server pointing to the private keystore.... and on
> the webserver I don't need to point to a private keystore?
>
> Do I have the basics right here? Make private keystore on CAS Server,
> send the cert to the webserver and import it into cacerts??
>
> Thanks,
>
> Mike
>
> On 3/1/07, *Marvin S. Addison* <serac at vt.edu> wrote:
>
> If you suspect a keystore/certificate issue of any kind, the Java SSL
> debug output is indispensable in diagnosing the problem. Could you
> perform an SSL debug trace by adding
>
> -Djavax.net.debug=ssl
>
> to your JVM startup parameters. This is easily done for Tomcat: create
> a $TOMCAT_HOME/bin/setenv.sh file and add the line
>
> CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.debug=ssl"
>
> This will generate _a lot_ of data in $TOMCAT_HOME/logs/catalina.out by
> default. If you could post what you think are relevant bits of that
> output, we might be able to help further.
>
> Regards,
> Marvin Addison
> --
> Applications Programming Analyst
> Collaborative Technologies Unit
> Virginia Tech
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>