  • jeremy
    started a topic Issue deploying CAS sample to Tomcat

    Issue deploying CAS sample to Tomcat

    Hi There,

    I tried deploying the CAS sample war to Tomcat, and followed the instructions in the reference guide to add the SSL connector using the server.jks supplied with the sample. However I get the following error on the browser when navigating to the secure page:

    An error occurred during a connection to localhost:8443.

    SSL peer was not expecting a handshake message it received.

    (Error code: ssl_error_handshake_unexpected_alert)


    Any ideas?

    Regards,

    Jeremy.

  • jeremy
    replied
    Ah! Thanks!

    Alternately, you can add the following to the JAVA_OPTS environment variable:

    -Djavax.net.ssl.trustStore="%CATALINA_HOME%\conf\server.jks" -Djavax.net.ssl.trustStorePassword=password

    I should have spotted this, it ties in with the POM for the maven-jetty-plugin.

    Might be worth adding to the documentation?

    Thanks again,

    Jeremy.



  • Luke Taylor
    replied
    The Tomcat connector is for incoming connections to Tomcat. The error is coming from the outward connection from the CAS client to the CAS server, which uses the JDK CA certificates to validate the CAS server. Add the CA certificate that was used to sign the CAS server certificate to the cacerts file and it should be OK.

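    The two fixes in this thread (importing the signing CA into the JDK cacerts file, or pointing `javax.net.ssl.trustStore` at server.jks via JAVA_OPTS) both work because the CAS client's ticket-validation call is an ordinary outbound JSSE connection that never looks at the Tomcat connector's `truststoreFile`. The diagnostic below is an added example, not code from the Spring Security CAS sample or from either poster: it prints which trust store the default JSSE context will use, then attempts a TLS handshake against a host and port (the CAS server, for instance), optionally with an explicit trust store instead of the JVM default. The class name `TrustStoreCheck` and the command-line layout are assumptions; it targets Java 7 or later.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/**
 * Added diagnostic (hypothetical name; not part of the CAS sample).
 * Shows which trust store an outbound JSSE connection really uses and
 * lets you retry the handshake with an explicit trust store.
 *
 * Usage: java TrustStoreCheck <host> <port> [trustStorePath trustStorePassword]
 * e.g.   java TrustStoreCheck localhost 9443
 *        java TrustStoreCheck localhost 9443 conf/server.jks password
 */
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // With javax.net.ssl.trustStore unset, JSSE falls back to
        // <java.home>/lib/security/jssecacerts and then cacerts, which is
        // exactly the "trustStore is: ...\jre\lib\security\cacerts" line
        // seen in the Tomcat debug log. The connector's truststoreFile
        // plays no part here.
        String configured = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("javax.net.ssl.trustStore = "
                + (configured == null ? "<unset: JDK default cacerts>" : configured));

        SSLContext ctx = (args.length >= 4)
                ? contextFromTrustStore(args[2], args[3].toCharArray())
                : SSLContext.getDefault();
        handshake(ctx, host, port);
    }

    /** Build an SSLContext that trusts only the certificates in the given JKS file. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Perform a TLS handshake and report the peer chain or the validation failure. */
    static void handshake(SSLContext ctx, String host, int port) {
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Enable hostname verification, as HttpsURLConnection would.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake();
            Certificate[] chain = socket.getSession().getPeerCertificates();
            System.out.println("Handshake OK; server presented " + chain.length + " certificate(s):");
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal()
                        + "  issuer=" + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // This is the "PKIX path building failed" case from the thread:
            // the issuer of the server certificate is absent from the trust
            // store in use, so the client aborts the handshake with an alert.
            System.out.println("Handshake FAILED: " + e.getMessage());
        } catch (IOException e) {
            System.out.println("Connection failed: " + e.getMessage());
        }
    }
}
```

    Run it once with no trust store argument to reproduce the failure against the JDK default cacerts, then again with the sample's server.jks; the second run should print the server chain, and its issuer line tells you which certificate needs importing into cacerts (or which file to name in `-Djavax.net.ssl.trustStore`) for the CAS client itself.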


  • jeremy
    replied
    Need help understanding latest problem with CAS SSL and Tomcat

    Hi,

    cas-sample (client) deployed to Tomcat.

    This is the configuration for my Tomcat SSL:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="${catalina.home}/conf/server.jks"
    keystoreType="JKS" keystorePass="password"
    truststoreFile="${catalina.home}/conf/server.jks"
    truststoreType="JKS" truststorePass="password"
    />


    I found the following debug in my Tomcat logs:

    [DEBUG,FilterChainProxy,http-8443-1] /j_spring_cas_security_check?ticket=ST-9-FYv0eRN2e36Y5mHOfkgd-cas at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.cas.web.CasAuthentic [email protected]'
    [DEBUG,CasAuthenticationFilter,http-8443-1] Request is to process authentication

    [DEBUG,CasAuthenticationFilter,http-8443-1] Request is to process authentication

    [DEBUG,ProviderManager,http-8443-1] Authentication attempt using org.springframework.security.cas.authentication.CasAuthenticationProvider
    keyStore is :
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: C:\Program Files\Java\jdk1.6.0_17\jre\lib\security\cacerts
    trustStore type is : jks
    trustStore provider is :
    init truststore

    Unsurprisingly I get the error:

    http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    What I cannot understand is why the Tomcat configuration is being ignored. Do I need to configure something in one of the spring beans to point at the keystore? If so which one?

    Regards,

    Jeremy.



  • jeremy
    replied
    Hi Luke,

    openssl s_client returns the same information for localhost 9443 and 8443. So I guess this shows the CAS server and Tomcat instance are using the same certificates.

    If I run the sample using the jetty configuration then everything is OK. It is only when I deploy the sample to Tomcat that there is a problem.

    Is there anything else I can try to get to the bottom of this?

    Regards,

    Jeremy.



  • Luke Taylor
    replied
    Debug your ssl connection using a tool like openssl ("openssl s_client").
