Hi Kim, I installed the CA certificate in every keystore I could find on my computer. In my case, I was running CAS on top of Tomcat/Windows, but it should be similar. I chose to configure Tomcat's SSL listener with JSSE (in Server.xml). If you went with OpenSSL, you'll need to install the root certificate in the OpenSSL keystore using openssl commands. Otherwise, the <Connector /> element has a keyStoreFile property. Make sure you install the CA cert there using keytool. Also, Tomcat is being executed by some Java runtime version. I would install the CA cert in that keystore also.
If this is regarding the clearpass/IIS config msg from yesterday, you should also make sure that the certificate is trusted by Windows/IIS on the web server. On the IIS side, you'll need to also install the certificate into the Windows certificate manager if it isn't already installed. Click Start, Run, MMC. File, Add/Remove Snap-in. Certificates, Add, Computer Account, Next, Local Computer, OK. Add it to the 'Console Root/Certificates (Local Computer)/Trusted Root Certificate Authorities/Certificates'. Search for my 2 msgs from a month or so ago for details on how I did this:

3/24/2010 // RE: [cas-user] Exception when getting Proxy Granting Ticket
4/5/2010 // RE: [cas-user] SSL Error

-ScottH

> -----Original Message-----
> From: Cary, Kim [mailto:[email protected]]
> Sent: Friday, May 07, 2010 4:06 PM
> To: [email protected]
> Subject: [cas-dev] Challenges Importing Root CAs to Keystore (on Macs)
>
> As part of our debug hunt, yesterday, I had the occasion to try to get
> our internal Root CA into the CAS server keystore, so it could call
> back proxy apps over SSL. However, no matter where I stashed that Root
> CA cert, my tests kept coming up with ssl handshake/pkix errors.
>
> I may have a clue about how I messed this up, but are there any helpful
> hints for the general case?
>
> On May 7, 2010, at 7:52 AM, Marvin Addison wrote:
>
>>> Despite having a root CA for the target nodes installed in the
>>> keychain, the central Java keystore in
>>> /Library/Java/Home/lib/security/cacerts and the keystore explicitly
>>> named in the tomcat server.xml
>>
>> Spin this off to a separate thread. I have some helpful hints.
>>
>> M
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
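The keytool steps Scott describes above (import the internal root CA into a trust store the CAS JVM uses, then confirm it is actually there), as an added shell example that is not part of this thread. The scratch directory, trust store path, alias and store password are assumptions, and the "internal root CA" is a constructed self-signed certificate standing in for a real one.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a trust store holding an internal
# root CA with keytool and verifies the import. Paths, alias and password are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"                 # assumed scratch directory
TRUSTSTORE="$WORK/cas-truststore.jks"        # assumed trust store path
STOREPASS="changeit"                         # keytool's default cacerts password; change it in production
ROOT_CA_PEM="$WORK/internal-root-ca.pem"     # assumed path of the exported root CA (PEM)

# Constructed stand-in for the internal root CA: a self-signed CA certificate
# generated with keytool. Skipped if the PEM already exists so the script is rerunnable.
make_demo_root_ca() {
  [ -f "$ROOT_CA_PEM" ] && return 0
  keytool -genkeypair -alias demo-root -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Demo Internal Root CA,O=Example" -ext "bc=ca:true" \
    -keystore "$WORK/ca.jks" -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
  keytool -exportcert -rfc -alias demo-root -keystore "$WORK/ca.jks" \
    -storepass "$STOREPASS" -file "$ROOT_CA_PEM" >/dev/null 2>&1
}

# Import a PEM root CA as a trusted entry. -noprompt answers the interactive
# "Trust this certificate?" question; an existing alias is replaced, not duplicated.
import_root_ca() {
  alias_name="$1"; pem="$2"
  keytool -delete -alias "$alias_name" -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1 || true
  keytool -importcert -noprompt -trustcacerts -alias "$alias_name" -file "$pem" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Return 0 only if the alias is present in the trust store as a trustedCertEntry.
truststore_has_alias() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$1" 2>/dev/null \
    | grep -q trustedCertEntry
}

# JVM options that make outbound TLS (CAS calling back a proxy app) validate against
# this trust store instead of the JRE's cacerts. The Connector's keystoreFile only
# holds Tomcat's own server certificate; it is not consulted for outbound trust.
catalina_opts() {
  printf '%s=%s %s=%s\n' -Djavax.net.ssl.trustStore "$TRUSTSTORE" \
    -Djavax.net.ssl.trustStorePassword "$STOREPASS"
}

if command -v keytool >/dev/null 2>&1; then
  make_demo_root_ca
  import_root_ca internal-root "$ROOT_CA_PEM"
  truststore_has_alias internal-root && echo "internal-root imported into $TRUSTSTORE"
  echo "CATALINA_OPTS=\"$(catalina_opts)\""
fi
```

The same import_root_ca call with `-keystore "$JAVA_HOME/lib/security/cacerts"` covers the JRE-wide keystore Scott mentions; the keystore used must be the one the JVM that runs Tomcat actually reads.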
