CAS with signed certificate
Matthew Jones
matthew.jones at interactivedata.com
Tue Aug 12 11:53:41 EDT 2008
O.K. So this is really a Tomcat issue but I can't find an answer to the
problem I'm encountering and I've been following the SSL how-to on the
CAS pages. I have a Tomcat5.5 set-up that functions correctly with CAS
when I use a self-signed certificate. So, I'm using the right keystore
at least.
I now have a server certificate that is signed by my organisation's own
CA and our root CA certificate is self-signed. So I have imported the CA
certificate using keytool thus (having moved the keystore file with the
self-signed one in):
keytool -import -alias root -file {path-to-CA-cert} -keystore /usr/share/tomcat5.5/.keystore -trustcacerts
and then imported the signed server certificate thus:
keytool -import -alias tomcat -file {path-to-CA-signed-server-cert} -keystore /usr/share/tomcat5.5/.keystore -trustcacerts
I then read that the CA certificate should really go in the JVM's
cacerts file thus:
keytool -import -alias root -file {path-to-CA-cert} -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -trustcacerts
and that is the right Java version being used.
However, regardless of where the CA cert is I get the following error:
SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:114)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:408)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:71)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:619)
Which is repeated loads of times until it runs out of file descriptors.
Please can anyone see the error in what I've done with my certificates?
Thanks
--
Matthew Jones
Interactive Data Managed Solutions Ltd
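A worked version of the keystore procedure described in the post, added here as an example; it is not code from the post or from the CAS project. It assumes a demo keystore path, the password changeit and example subject names, and the build step needs openssl and keytool, so it only runs when BUILD_KEYSTORE=1 is set. The exception quoted above is raised by the JSSE key manager when the keystore holds no private-key entry it can use for the enabled cipher suites, so the second half parses non-verbose "keytool -list" output (constructed listings, not taken from the poster's machine) and checks that the server alias is a PrivateKeyEntry rather than a trustedCertEntry, which is what keytool creates when a certificate is imported under an alias that does not already hold the matching key pair.

```shell
#!/bin/sh
# Added example, not from the original post: build a JKS keystore for Tomcat
# whose server certificate is signed by a private CA, and check the result.
# Paths, passwords, subject names and the sample listings are assumptions.
set -eu

KS=./demo.keystore        # the post used /usr/share/tomcat5.5/.keystore
STOREPASS=changeit        # must match keystorePass on the Tomcat <Connector>
ALIAS=tomcat              # alias of the KEY PAIR; the CA reply goes under this alias

# Needs openssl and keytool; run with BUILD_KEYSTORE=1 to execute it.
build_keystore() {
    rm -f "$KS" ca.key ca.crt ca.srl server.csr server.crt

    # 1. Throw-away root CA standing in for the organisation's own CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Root CA" -keyout ca.key -out ca.crt

    # 2. Tomcat's key pair. Its self-signed cert is only a placeholder that the
    #    CA reply replaces in step 5. Key password = store password because
    #    Tomcat 5.5 uses keystorePass for the key too unless keypass is set.
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=cas.example.org, O=Example" \
        -keystore "$KS" -storepass "$STOREPASS" -keypass "$STOREPASS"

    # 3. CSR from that same key pair: the signed cert must match this key.
    keytool -certreq -alias "$ALIAS" -file server.csr \
        -keystore "$KS" -storepass "$STOREPASS"

    # 4. The CA signs the request.
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out server.crt

    # 5. Root first, as a trusted entry, so keytool can verify the chain; then
    #    the CA reply under the KEY PAIR alias. Under any other alias it becomes
    #    just another trustedCertEntry and gives the connector no private key.
    keytool -importcert -noprompt -alias root -file ca.crt \
        -keystore "$KS" -storepass "$STOREPASS"
    keytool -importcert -noprompt -alias "$ALIAS" -file server.crt \
        -keystore "$KS" -storepass "$STOREPASS"

    keytool -list -keystore "$KS" -storepass "$STOREPASS"
}

# entry_type LISTING ALIAS: entry type of ALIAS in non-verbose "keytool -list"
# output, whose entry lines look like "tomcat, Aug 12, 2008, PrivateKeyEntry,".
entry_type() {
    printf '%s\n' "$1" |
        awk -F', ' -v a="$2" '$1 == a { t = $NF; sub(/,$/, "", t); print t; exit }'
}

# keystore_can_serve LISTING ALIAS: true only if ALIAS holds a private key.
# A trustedCertEntry is something the JSSE key manager cannot serve TLS with.
keystore_can_serve() {
    case "$(entry_type "$1" "$2")" in
        PrivateKeyEntry|keyEntry) return 0 ;;   # Java 6 and Java 5 spellings
        *) return 1 ;;
    esac
}

# Constructed listings (not captured from the poster's machine). The first is
# what a correct import produces; the second is a keystore that holds the
# signed certificate as a trusted entry but no key entry at all.
GOOD_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Aug 12, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
tomcat, Aug 12, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): 10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F'

BROKEN_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Aug 12, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
tomcat, Aug 12, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F'

# report NAME LISTING: one-line verdict for the server alias.
report() {
    if keystore_can_serve "$2" "$ALIAS"; then
        echo "$1: '$ALIAS' is $(entry_type "$2" "$ALIAS"): connector can serve TLS"
    else
        echo "$1: '$ALIAS' is '$(entry_type "$2" "$ALIAS")': no private key for the connector"
    fi
}

if [ "${BUILD_KEYSTORE:-0}" = 1 ]; then
    build_keystore
fi
report GOOD_LISTING "$GOOD_LISTING"
report BROKEN_LISTING "$BROKEN_LISTING"
```

The root certificate only has to be reachable for keytool's chain check at import time, either in the keystore itself or in the JVM's cacerts with -trustcacerts; cacerts is the JVM's default truststore and is not where Tomcat looks for its own server key. After a real import, run "keytool -list" against the file named by keystoreFile in server.xml and confirm the server alias shows PrivateKeyEntry, and keep the key password equal to keystorePass unless the connector's keypass attribute is set to the other value.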