1) PKIX problem
2) SSL handshaking problem
3) No name matching your domain (www.localhost.com) found
Steps to configure CAS in Liferay 6.0.6
1) Build the cas-web war file from the CAS server source code with your database credentials and your Liferay algorithm (QueryDatabaseAuthenticationSHA1Base64.java).
2) Copy the cas-web.war file or the cas-web web application to the Tomcat webapps directory.
3) Create an SSL certificate using keytool.
4) Change the Tomcat server.xml file to enable the SSL port or HTTPS protocol.
5) Make sure the keystore file (Ex: localhost.keystore) is available in your Java bin folder.
6) Modify the CASFilter.java and CASAutologinFilter.java files according to your requirements.
7) Deploy the portal.
8) Run the Tomcat server and test.
Problems and Solutions:
1) PKIX problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
1) This problem occurs because the trusted certificate is not available in the JRE, meaning the SSL certificate we created is not available in the jre/lib/security folder.
2) Generally, after we create an SSL certificate with keytool, we export this SSL certificate to the JRE, i.e. we import it into the cacerts file. This is the default file for importing SSL certificates into the JRE, and it is available in the jre/lib/security folder.
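The create, export and import sequence described above, written out as keytool calls. This is an added example, not code from the original post; the alias tomcat, the DN fields other than CN, the file names and the password are constructed sample values.

```shell
#!/bin/sh
# Added example. Alias "tomcat", the DN fields and the password are constructed
# sample values; "changeit" is only the JDK's default trust store password.
STOREPASS=changeit

# make_server_cert KEYSTORE CN
# Self-signed key pair for Tomcat. CN must be the host name that browsers
# and the CAS settings use (localhost in this post).
make_server_cert() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$2, OU=example, O=example, L=example, ST=example, C=IN" \
        -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# trust_server_cert KEYSTORE TRUSTSTORE ALIAS
# Export the public certificate only (never the private key) and import it
# into the trust store of the JRE that runs the portal.
trust_server_cert() {
    cer=$(mktemp) || return 1
    keytool -exportcert -alias tomcat -rfc -file "$cer" \
        -keystore "$1" -storepass "$STOREPASS" &&
    keytool -importcert -noprompt -alias "$3" -file "$cer" \
        -keystore "$2" -storepass "$STOREPASS"
    rc=$?
    rm -f "$cer"
    return "$rc"
}

# is_trusted TRUSTSTORE ALIAS: succeeds when the alias is in the trust store.
is_trusted() {
    keytool -list -alias "$2" -keystore "$1" -storepass "$STOREPASS" \
        >/dev/null 2>&1
}

# cert_cn TRUSTSTORE ALIAS: print the CN of the stored certificate's subject.
cert_cn() {
    keytool -list -v -alias "$2" -keystore "$1" -storepass "$STOREPASS" |
        sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1
}

# Usage (paths are examples):
#   make_server_cert localhost.keystore localhost
#   trust_server_cert localhost.keystore "$JAVA_HOME/jre/lib/security/cacerts" localhost
#   is_trusted "$JAVA_HOME/jre/lib/security/cacerts" localhost && echo trusted
```

Importing the certificate file you exported yourself means the trust decision rests on a file you control rather than on whatever a server presents over the network.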
Solution:
1) Check whether the SSL certificate you created has been exported into the cacerts file.
Procedure to check this:
Step: 1
Go to jre/lib/security.
Compile the InstallCert.java file by using the following command.
javac InstallCert.java
After it compiles successfully, run the Java class by using the following command.
java InstallCert localhost:8443
We need to pass the domain name and the secure port number, that is, your HTTPS port.
If you get the following output, then the SSL handshake failed, i.e. your certificate was not imported properly into the cacerts file, which means it is not a trusted certificate.
Loading KeyStore \jre6\lib\security\cacerts...
Opening connection to localhost:8443...
Starting SSL handshake...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Step: 2
When you get the PKIX problem, it means the SSL handshake failed for your certificate. In that case, do the following.
At the prompt shown after the above step, enter 1 and press Enter. You will then get the following output.
Enter certificate to add to trusted keystore or 'q' to quit: [1]
1
Version: V3
Subject: CN=localhost, OU=vidyayug, O=vyug, L= hyd, ST=ap, C=In
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 1129473579651954554552730664834664064459539051598864058082387115962631728819634110255367718769683451438528187
923246533854744470790959477657386037636238098777089479256059697784394926741427654735994678054030193662669088404706890444
59364523220747231216704221781747262219695262340353839314222273672957748320603247
public exponent: 65537
Validity: [From: Tue Dec 14 15:13:51 SGT 2010,
To: Mon Mar 14 15:13:51 SGT 2011]
Issuer: CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
SerialNumber: [ 4d07192f]
]
Algorithm: [SHA1withRSA]
Signature:
]
Added certificate to keystore 'jssecacerts' using alias 'localhost-1'
If you get the above output, then your certificate is trusted. There is one thing to notice here. Generally, when we export an SSL certificate to the JRE by using keytool, by default it is inserted into the cacerts file. But if you look at the above output, you will find a jssecacerts file. It is created automatically when we run the above program.
Enter q to quit this process.
Step: 3
Run the InstallCert program again, passing the domain and SSL port as inputs.
java InstallCert localhost:8443
If you get the following output, then the SSL handshake is successful, your certificate has been added to the jssecacerts file, and it is a trusted certificate. Here you will get a message that the certificate is already trusted.
Here we need to note CN=localhost; this is very important. Whatever the CN name is, you need to give that name in the CAS settings. Otherwise you will get the "No name matching" error for the URL.
20:42:38,109 ERROR [CommonUtils:294] java.security.cert.CertificateException: No name matching www.localhost.com found
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching www.localhost.com found
Note: Whatever the CN name is, use only that name in your CAS settings.
Assume your CN name is localhost; then the following are your CAS settings.
So we have the solutions for
1) PKIX
2) No name matching your domain name
Still getting the PKIX problem?
Check which JRE your application server is using, that is, the JVM used by your server. Here we need to consider the location and the version of the JRE.
Whichever JRE your server is using, make sure the trusted certificate is available in it; that is, run the whole process above from this JRE's location (jre/lib/security).
How to know which JRE our server is using?
From Eclipse (Windows environment):
Generally, Eclipse will create the JRE in the following location:
C:/Program Files/Java
If you create the server from Eclipse, it will use the Eclipse-generated default JRE until you specify a new JRE, i.e.
C:/Program Files/Java/jre
So you need to export the SSL certificate into this JRE by using keytool, or you can run the whole process above from this location.
In Eclipse you can find which JRE your server is using:
Go to Windows>>Preferences>>Java>>Installed JREs
By using Cygwin:
If you are running the portal without Eclipse, you can find the JRE that is used by your server (Tomcat).
Run the which java command at the Cygwin prompt.
The following screen will show the location of java.
Go to that location and make sure the SSL handshake is successful for your domain.
If you run the server from the Cygwin prompt, you can also find out which JRE is used by your server (Tomcat).
Run the following command from your server bin directory.
Use ./startup.sh
The following screenshot tells you which JRE is being used. In this location you need to have the trusted certificates.
Pure Windows environment
In a Windows environment, the server generally uses the JRE that is specified in the JAVA_HOME environment variable.
That is the JRE the server is using. In this JRE we have the trusted certificates.
Note:
1) Identify the JRE and make sure the SSL handshake is successful in this location for your domain. In the jre/lib/security folder we have InstallCert.java; run this program and give the appropriate domain name and SSL port number.
2) Make sure that whatever the CN name is, it is what your CAS settings use.
Ex: CN=localhost
Your CAS settings should use localhost only.
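To check which trust store a given JRE will actually read, the script below resolves it the way JSSE does: an explicit -Djavax.net.ssl.trustStore option first, then jssecacerts if it exists, then cacerts. It is an added example, not part of the original post, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example; the function names are hypothetical helpers.

# java_home_of JAVA_BINARY: follow symlinks from e.g. "$(which java)" and
# strip the trailing /bin/java to get the installation directory.
java_home_of() {
    real=$(readlink -f "$1") || return 1
    dirname "$(dirname "$real")"
}

# security_dir JAVA_HOME: a JDK up to Java 8 keeps the files under
# jre/lib/security, a plain JRE under lib/security.
security_dir() {
    for d in "$1/jre/lib/security" "$1/lib/security"; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# default_truststore JAVA_HOME: jssecacerts wins over cacerts when present.
default_truststore() {
    dir=$(security_dir "$1") || return 1
    for f in jssecacerts cacerts; do
        if [ -f "$dir/$f" ]; then printf '%s\n' "$dir/$f"; return 0; fi
    done
    return 1
}

# explicit_truststore OPTS: value of -Djavax.net.ssl.trustStore=... in a JVM
# option string such as "$JAVA_OPTS $CATALINA_OPTS" (paths without spaces).
explicit_truststore() {
    for opt in $1; do
        case $opt in
            -Djavax.net.ssl.trustStore=*) printf '%s\n' "${opt#*=}"; return 0 ;;
        esac
    done
    return 1
}

# effective_truststore JAVA_HOME OPTS: the file that must contain the
# CAS server certificate for this JVM.
effective_truststore() {
    explicit_truststore "$2" || default_truststore "$1"
}

# Usage: effective_truststore "$(java_home_of "$(which java)")" "$JAVA_OPTS $CATALINA_OPTS"
```

Because jssecacerts takes precedence once InstallCert has created it, certificates imported into cacerts afterwards are not seen by that JRE.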