  • Issue deploying CAS sample to Tomcat

    Hi There,

    I tried deploying the CAS sample war to Tomcat, and followed the instructions in the reference guide to add the SSL connector using the server.jks supplied with the sample. However, I get the following error in the browser when navigating to the secure page:

    An error occurred during a connection to localhost:8443.

    SSL peer was not expecting a handshake message it received.

    (Error code: ssl_error_handshake_unexpected_alert)

    Any ideas?



  • #2
    Debug your ssl connection using a tool like openssl ("openssl s_client").


    • #3
      Hi Luke,

      openSSL s_client returns the same information for localhost 9443 and 8443. So I guess this shows the CAS server and Tomcat instance are using the same certificates.

      If I run the sample using the jetty configuration then everything is OK. It is only when I deploy the sample to Tomcat that there is a problem.

      Is there anything else I can try to get to the bottom of this?




      • #4
        Need help understanding latest problem with CAS SSL and Tomcat


        cas-sample (client) deployed to Tomcat.

        This is the configuration for my Tomcat SSL:

        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS"
                   keystoreType="JKS" keystorePass="password"
                   truststoreType="JKS" truststorePass="password" />

        I found the following debug in my Tomcat logs:

        [DEBUG,FilterChainProxy,http-8443-1] /j_spring_cas_security_check?ticket=ST-9-FYv0eRN2e36Y5mHOfkgd-cas at position 4 of 10 in additional filter chain; firing Filter: ' [email protected]'
        [DEBUG,CasAuthenticationFilter,http-8443-1] Request is to process authentication

        [DEBUG,CasAuthenticationFilter,http-8443-1] Request is to process authentication

        [DEBUG,ProviderManager,http-8443-1] Authentication attempt using org.springframe Provider
        keyStore is :
        keyStore type is : jks
        keyStore provider is :
        init keystore
        init keymanager of type SunX509
        trustStore is: C:\Program Files\Java\jdk1.6.0_17\jre\lib\security\cacerts
        trustStore type is : jks
        trustStore provider is :
        init truststore

        Unsurprisingly I get the error:

        http-8443-1, handling exception: sun.security.validator.ValidatorException: PKIX path building failed:
        r.certpath.SunCertPathBuilderException: unable to find valid certification path
        to requested target

        What I cannot understand is why the Tomcat configuration is being ignored. Do I need to configure something in one of the spring beans to point at the keystore? If so which one?




        • #5
          The tomcat connector is for incoming connections to tomcat. The error is coming from the outward connection from the CAS client to the CAS server, which uses the JDK CA certificates to validate the CAS server. Add the CA certificate that was used to sign the CAS server certificate to the cacerts file and it should be OK.


          • #6
            Ah! Thanks!

            Alternately, you can add the following to the JAVA_OPTS environment variable:

            "%CATALINA_HOME%\conf\server.jks"

            I should have spotted this, it ties in with the POM for the maven-jetty-plugin.

            Might be worth adding to the documentation?

            Thanks again,
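
The point made in #5 and the JAVA_OPTS fix in #6 can be checked before touching Tomcat at all. The small program below is an added diagnostic written for this thread; it is not code from the Spring Security CAS sample or from the poster. It reproduces the outbound TLS handshake the CAS client makes to the CAS server (the direction the Tomcat Connector has nothing to do with), using either the JVM default trust store, which is cacerts unless -Djavax.net.ssl.trustStore overrides it, or an explicit JKS file. The class name TrustCheck, the command-line arguments and the host/port you pass are assumptions; it is written for a current JDK (try-with-resources), not the 1.6 shown in the log.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added diagnostic for this thread (not code from the Spring Security CAS sample).
 * Reproduces the outbound TLS handshake the CAS client makes to the CAS server
 * when it validates a service ticket, using either the JVM default trust store
 * (cacerts, or whatever -Djavax.net.ssl.trustStore names) or an explicit JKS file.
 * The Tomcat <Connector> keystore/truststore settings play no part in this path.
 *
 * Usage (hypothetical host/port): java TrustCheck localhost 9443 [truststore.jks [password]]
 */
public class TrustCheck {

    // With trustStorePath == null this returns the JVM default context, which is
    // what HttpsURLConnection (and therefore the CAS ticket validator) uses, so it
    // honours the same cacerts / javax.net.ssl.trustStore setting as the client.
    static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        if (trustStorePath == null) {
            return SSLContext.getDefault();
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, password);   // a null password skips the JKS integrity check, which is fine for reading
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Performs the handshake and returns the chain the server presented. A server
    // whose issuer is absent from the trust store fails here with the same
    // "PKIX path building failed" message seen in the Tomcat log above.
    static Certificate[] handshake(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            return s.getSession().getPeerCertificates();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustCheck <host> <port> [truststore.jks [password]]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String trustStore = args.length > 2 ? args[2] : null;
        char[] password = args.length > 3 ? args[3].toCharArray() : null;

        System.out.println("trust store: " + (trustStore != null ? trustStore
            : "JVM default (javax.net.ssl.trustStore="
              + System.getProperty("javax.net.ssl.trustStore", "<unset, so cacerts>") + ")"));
        try {
            Certificate[] chain = handshake(contextFor(trustStore, password), host, port);
            System.out.println("handshake OK, server chain:");
            for (Certificate c : chain) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  subject=" + x.getSubjectX500Principal()
                        + "  issuer=" + x.getIssuerX500Principal());
                }
            }
        } catch (SSLHandshakeException e) {
            System.out.println("handshake FAILED: " + e.getMessage());
            System.out.println("the issuer of the server certificate is not in this trust store;"
                + " import it with keytool -importcert, or set -Djavax.net.ssl.trustStore"
                + " to a store that contains it");
            System.exit(1);
        }
    }
}
```

Run it once against the CAS server port with no trust store argument and it fails exactly as the Tomcat log does; run it again with the server.jks path (the store the jetty plugin and the JAVA_OPTS line in #6 point at) and the handshake succeeds, which confirms the fix without redeploying. Two caveats: a raw SSLSocket handshake does not verify that the certificate's name matches the host, whereas HttpsURLConnection does, so a name mismatch is a separate failure this check will not show; and keeping the trusted CA in a dedicated trust store, as #6 does, is preferable to editing the JDK's shared cacerts, which is replaced on every JDK upgrade.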