Hi Volker,

I don't know much about types of certificates.  I'm going to purchase certs
from a trusted CA soon, but in the meantime I generated my own like this:

On the CAS server:

*Gen private key inside a new keystore:
.../jre/lib/security$ keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -dname "cn=<server_full_name>, ou=<foo>, o=<foo>, l=<foo>, st=<foo>, c=<foo>" -keypass <foo_password> -keystore /<anywhere>/ssoserver.jks -storepass <foo_password> -validity 365

*verify:
.../jre/lib/security$ keytool -list -v -keystore /<anywhere>/ssoserver.jks -storepass <foo_password>

*Generate cert:
$ keytool -export -alias tomcat -keystore /<anywhere>/ssoserver.jks -keypass <foo_password> -file ssoserver.crt

*Now move ssoserver.crt to the .../jre/lib/security folder on your client
server.

On the client/web server:

*Change default cacerts password:
.../jre/lib/security$ keytool -storepasswd -keystore cacerts -new <foo_password> -storepass changeit

*Import the cert into cacerts, so that your webserver trusts your CAS server:
.../jre/lib/security$ keytool -import -file ssoserver.crt -alias tomcat -keypass <foo_password> -keystore cacerts

Make sure you're importing into the cacerts of the Java installation that
Tomcat actually points to, and if your use case requires it you can import
the cert into the CAS server's cacerts as well.

Good luck,

Mike
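As an added example that is not part of any message in this thread, the trust check that Mike's keytool steps above and Volker's quoted "no trusted certificate found" question turn on, redone with Go's crypto/x509 standing in for keytool and the client JVM: a self-signed certificate is rejected by an empty truststore, accepted once that same exported certificate has been imported (no separate CA certificate is needed for a self-signed server cert), and rejected again when the name the client connects to differs from the cn. The host names are constructed placeholders.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert stands in for "keytool -genkey -dname cn=<server>" plus "keytool -export": one
// self-signed cert whose CN and SAN are the server name (ECDSA instead of RSA only for speed).
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // -validity 365
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trusted plays the client JVM: roots is what its cacerts contains, host is the name it connects
// to. nil means the handshake would be accepted; an empty truststore is the "no trusted certificate" case.
func trusted(server *x509.Certificate, roots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // always non-nil, so the OS trust store is never consulted
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	cert, _ := selfSignedCert("cas.example.test") // constructed placeholder server name
	fmt.Println("empty cacerts: ", trusted(cert, nil, "cas.example.test"))
	fmt.Println("cert imported: ", trusted(cert, []*x509.Certificate{cert}, "cas.example.test"))
	fmt.Println("wrong hostname:", trusted(cert, []*x509.Certificate{cert}, "web.example.test"))
}
```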

On 3/7/07, Obel, Volker <[EMAIL PROTECTED]> wrote:

Hello Mike, hello all,

I have been following your mailings here for the last few days, because I'm
dealing with the same problems.

In fact, I have one question about the procedure described in your last
mail. What kind of certificate (.crt) did you generate? Did you only export
the certificate or did you generate a root certificate?

Only exporting the certificate and installing it on the webserver or
uPortal did NOT work in my environment.

I get the error message "no trusted certificate found...."

Some administration colleagues told me to generate a CA certificate
(normally generated by a trust center) and put it into the keystore of the
client server, in your case the webserver.

By the way, it's good that you mailed your working solution. Very often,
people don't do this...

Regards

Volker Obel

 ------------------------------

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On behalf of *Scott Battaglia
*Sent:* Tuesday, 6 March 2007 21:47
*To:* Yale CAS mailing list
*Subject:* Re: Web server on different machine to CAS server - SOLVED

Glad to hear it worked for you.

-Scott

On 3/5/07, *Mike Crawford* <[EMAIL PROTECTED]> wrote:

Thank you for enduring with me... problem solved.  I had gotten myself into
a tangle with too many certificates and CAS servers floating around.

I'm sure this is trivial for most but for those as novice as me - to set up
CAS on a server by itself:

*Get the CAS application running using the Yale website instructions... I
used the J2EE server .war version running in Tomcat

*On the same server generate a key with alias tomcat into a keystore...
the cn property being the name of your cas server

*Generate a certificate (.crt) from the key you just created

*On the same server in the SSL connector in server.xml of tomcat... point
to the keystore.  (keystoreFile & keystorePass)

*Copy the certificate you exported to your webserver or uPortal machine.

*Import the cert into your java cacerts keystore on the webserver

*Check that your webserver or uPortal application has the standard CAS
filter within the web-app tag of web.xml, and the serverName property
being the name of your web server, including the port 8080 if that's what
you're running tomcat on.

Cheers,

Mike

On 3/5/07, *Mike Crawford* <[EMAIL PROTECTED]> wrote:

I've added that and it gave no additional output.  I tested it by making
an obvious mistake and it seems to work though.

I think my problem comes down to a basic lack of understanding of the
certificates and keystores.

On the CAS server, I created a private key with the same name as the CAS
server, then exported a cert and imported that into cacerts on the CAS
server.  Then I copied the cert to the web server.  On the web server I set
the serverName part of my filter to be the webserver name, and imported the
cert into the JVM keystore.

This didn't work for me.  I have tomcat running on both servers, the
server.xml on the CAS server pointing to the private keystore.... and on
the webserver I don't need to point to a private keystore?

Do I have the basics right here?  Make private keystore on CAS Server,
send the cert to the webserver and import it into cacerts??

Thanks,

Mike

On 3/1/07, *Marvin S. Addison* <[EMAIL PROTECTED]> wrote:

If you suspect a keystore/certificate issue of any kind, the Java SSL
debug output is indispensable in diagnosing the problem.  Could you
perform an SSL debug trace by adding

-Djavax.net.debug=ssl

to your JVM startup parameters?  This is easily done for Tomcat: create
a $TOMCAT_HOME/bin/setenv.sh file and add the line

CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.debug=ssl"

This will generate _a lot_ of data in $TOMCAT_HOME/logs/catalina.out by
default.  If you could post what you think are relevant bits of that
output, we might be able to help further.

Regards,
Marvin Addison
--
Applications Programming Analyst
Collaborative Technologies Unit
Virginia Tech


_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

--
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
