cas cannot find the certificates for proxy
Allen Chen
chqh at scut.edu.cn
Tue May 20 06:30:42 EDT 2008
I have two machines: rnd1.allen.com and rnd2.allen.com.
rnd1.allen.com runs the CAS server, and all is OK!
rnd2.allen.com runs the CAS client, which is also OK when validating the user, and SSL is enabled on port 8443.
But when I enable the proxy for CAS, the following error turns up in the CAS server:
2008-05-20 17:40:17,493 DEBUG [org.springframework.web.servlet.view.RedirectView] - <Rendering view with name 'null' with model {} and static attributes {}>
2008-05-20 17:40:18,212 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://rnd2.allen.com:7000/stest/>
2008-05-20 17:40:18,212 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Attempting to resolve credentials for https://rnd2.allen.com:8443/stest/proxyCallback>
2008-05-20 17:40:18,215 ERROR [org.jasig.cas.util.HttpClient] - <javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
....
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 44 more
2008-05-20 17:40:18,217 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://rnd2.allen.com:8443/stest/proxyCallback>
2008-05-20 17:40:18,217 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://rnd2.allen.com:8443/stest/proxyCallback>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
at cn.scut.edu.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:284)
....
at java.lang.Thread.run(Thread.java:595)
Caused by: error.authentication.credentials.bad
at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:113)
at cn.scut.edu.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:256)
... 26 more
I know the error "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" means that the CAS server cannot find the CA store, but I have already set -Djavax.net.ssl.trustStore in the Tomcat startup.sh:
JAVA_OPTS="-Djavax.net.ssl.trustStore=/export/home/ism/mycacerts $JAVA_OPTS"
export JAVA_OPTS
Why do I do that? Because if I don't specify javax.net.ssl.trustStore in startup.sh, there is no way to get into the service management of the CAS server.
I have also imported the certificates from server.crt of rnd2.allen.com into the CA certs file "mycacerts" with another alias like "rnd2".
So I don't know why CAS cannot find the certificates.
Any tips? Thank you in advance.
Allen Chen
2008-05-20
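
One way to check the situation described in this message, as an added example that is not part of the original post or of CAS: a small Java program that loads the file named by javax.net.ssl.trustStore, lists its entries, and attempts a fully validated handshake with the callback host while printing the chain the server presents. The class name TrustStoreCheck is hypothetical, and the program assumes it is started with the same -Djavax.net.ssl.trustStore option, and as the same OS user, as Tomcat.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

// Added diagnostic example; TrustStoreCheck is a hypothetical name, not CAS code.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];                 // callback host, e.g. rnd2.allen.com
        int port = Integer.parseInt(args[1]);  // callback port, e.g. 8443
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        if (path == null) { System.out.println("javax.net.ssl.trustStore is not set"); return; }
        // Load the file the JVM was pointed at and list every entry in it.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("store entry " + alias + " trusted=" + ks.isCertificateEntry(alias));
        }
        // Normal PKIX trust manager built from that store, wrapped only to log
        // the chain the server sends. Validation is still enforced.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        final X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        X509TrustManager logging = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                for (X509Certificate c : chain) {
                    System.out.println("presented: " + c.getSubjectX500Principal()
                            + " issued by " + c.getIssuerX500Principal());
                }
                pkix.checkServerTrusted(chain, authType); // throws if no path to a trusted entry
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                pkix.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { logging }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("handshake OK: the store validates " + host + ":" + port);
        }
    }
}
```

Comparing the "presented" issuer lines with the "store entry" lines shows whether the certificate imported under the alias is the one the callback host actually serves, or whether an issuing CA certificate is what the store is missing.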