Hello Cas Users,

The problem was resolved as described below:
https://wiki.alfresco.com/wiki/Alfresco_cas_with_jasig_cas_client

I added setenv.bat under %CATALINA_HOME%\bin to point to my cas.keystore as below:

    set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=C:\armadasoft\SSO\cas4-overlay\cas.keystore -Djavax.net.ssl.trustStorePassword=changeit

Thanks,

From: Song, Doe-Hyun
Sent: Tuesday, September 15, 2015 8:34 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Cas SSL error

Hello Cas Users,

I changed the key set with CN=localhost as below.

    keytool -genkey -alias cas-server -keyalg RSA -validity 3650 -keypass changeit -storepass changeit -keystore cas.keystore -dname "CN=localhost, OU=IT, O=Armada, L=Pittsburgh, ST=PA, C=US"

Now I have a different error message as below, and it looks like the error is because my cas.keystore is not trusted.

https://localhost:8443/cas-sample-java-webapp/?ticket=ST-1-BRjhDdEAcVRdejze7Gxs-cas-server

HTTP Status 500 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

type Exception report
message javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
description The server encountered an internal error that prevented it from fulfilling this request.
exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)

root cause
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)

root cause
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    sun.security.validator.Validator.validate(Validator.java:260)
    sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)

root cause
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    sun.security.validator.Validator.validate(Validator.java:260)
    sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)

note The full stack trace of the root cause is available in the Apache Tomcat/8.0.26 logs.
________________________________
Apache Tomcat/8.0.26

The solution seems to be as below, to get my cas.keystore trusted. The problem is that the keystore is referenced from tomcat. Do you have any idea how to make my tomcat trust my cas.keystore?
https://wiki.alfresco.com/wiki/Alfresco_cas_with_jasig_cas_client

    This can be fixed telling the JVM to trust our keystore:
    -Djavax.net.ssl.trustStore=/etc/keys/keystore1 -Djavax.net.ssl.trustStorePassword=mypass

Thanks,
Doe

From: Song, Doe-Hyun
Sent: Tuesday, September 15, 2015 5:38 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] Cas SSL error

Hello Cas users,

After logging in with the running sample client, it redirects to the service with an ST ticket. My web page shows an SSL error as below with the following URL:

https://localhost:8443/cas-sample-java-webapp/?ticket=ST-1-4QLDV0DAywo37UaBbKNs-cas-server

The following web site shows how to troubleshoot:
https://wiki.jasig.org/display/casum/ssl+troubleshooting+and+reference+guide#SSLTroubleshootingandReferenceGuide-ImportTrustedCertificate

Unfortunately, I already imported the self-signed certificate into my ca keystore as below:

    keytool -import -alias cas-server -file cas-server.cer -keypass changeit -storepass changeit -keystore %JAVA_HOME%\jre\lib\security\cacerts

And the following is my tomcat server.xml configuration:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:/armadasoft/SSO/cas4-overlay/cas.keystore" keystorePass="changeit"
               truststoreFile="C:/jdk1.7.0_55/jre/lib/security/cacerts" />

I downloaded the sample client from the following link:
https://github.com/UniconLabs/cas-sample-java-webapp

And modified it to use a web.xml like:

    <filter-name>CAS Authentication Filter</filter-name>
    <!-- <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class> -->
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>

    <filter-name>CAS Validation Filter</filter-name>
    <!-- <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class> -->
    <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
    <!-- <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> -->

Error message:

HTTP Status 500 - javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found

type Exception report
message javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found
description The server encountered an internal error that prevented it from fulfilling this request.

exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)

root cause
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found
    sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)

root cause
java.security.cert.CertificateException: No name matching localhost found
    sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208)
    sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
    sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347)
    sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203)
    sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)

note The full stack trace of the root cause is available in the Apache Tomcat/8.0.26 logs.
________________________________
Apache Tomcat/8.0.26

Thanks,
Doe

--
You are currently subscribed to cas-user@lists.jasig.org as: ds...@armada.net
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

The information contained in this e-mail and any attachments is confidential and intended only for the recipient. If you are not the intended recipient, the information contained in this message may not be used, copied, or forwarded to third parties or otherwise distributed for any other purpose. Please notify the sender if you received this e-mail in error and delete the e-mail and its attachments promptly.
Nothing in this e-mail may be used or deemed to form the basis of a contractual or any other legally binding obligation unless separately confirmed in writing by an authorized representative of ARMADA.
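As an added example (not code from this thread, the CAS client or Tomcat), the standalone Java program below runs the same two handshake checks the CAS client's ticket validator performs when it calls back to the CAS server: PKIX path building against a chosen truststore, and HTTPS endpoint identification against the host name, so the two errors seen in the thread can be told apart without a servlet container. The class name CasTrustCheck and its command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Added example: runs the two handshake checks the CAS client's ticket
// validator hits when it calls back to the CAS server over HTTPS:
//   1. PKIX path building against the trust store ("unable to find valid
//      certification path to requested target" in the thread);
//   2. endpoint identification, i.e. does the certificate name match the host
//      ("No name matching localhost found" in the thread).
// Class name and arguments are assumptions, not CAS or Tomcat code.
// Usage: java CasTrustCheck <host> <port> <truststore.jks> <storepass>
public class CasTrustCheck {

    // Build an SSLContext that trusts only the given store, so the result does
    // not depend on whatever javax.net.ssl.trustStore the JVM was started with.
    static SSLContext contextFor(String storePath, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ts.load(in, storePass);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        SSLSocketFactory sf = contextFor(args[2], args[3].toCharArray()).getSocketFactory();
        try (SSLSocket s = (SSLSocket) sf.createSocket(host, port)) {
            // HttpsURLConnection enables this itself; without it only the chain is
            // checked and a CN/SAN mismatch goes unnoticed.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("OK: chain trusted and certificate name matches " + host);
        } catch (SSLHandshakeException e) {
            // The message separates the two failures exactly as the Tomcat error
            // pages did: "PKIX path building failed" vs "No name matching ... found".
            System.out.println("Handshake failed: " + e.getMessage());
        }
    }
}
```

A truststore should hold only certificates, so exporting the server certificate with keytool -exportcert into a separate store is preferable to pointing javax.net.ssl.trustStore at the keystore that also holds the private key. Setting javax.net.ssl.trustStore also replaces the JVM's default cacerts for that process rather than adding to it, so any other CA the application relies on must be present in the same store.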