Wednesday, September 26, 2012

Liferay CAS Issues and Solutions


1)      PKIX problem
2)      SSL handshaking problem
3)      No name matching your domain  and (www.localhost.com) found


Click following link you can get cas-web and its related files
Download


Steps to configure CAS in Life ray 6.0.6
1)      Build cas-web war file from CAS server source code with your data base credentials and your liferay  algorithm(QueryDatabaseAuthenticationSHA1Base64.java)

2)      Copy the cas-web.war or cas-web  web application to tomcat webapps directory.


3)      Create SSL certificate using key tool.

4)      Change the tomcat server.xml file to enable SSL port or htts protocol.


5)      Make sure key store file location. (Ex: localhost.kestore) is available in your java bin folder.

6)      Modify the CASFilter.java and CASAutologinFilter.java files according to your requirement.


7)      Deploy portal

8)      Run tomcat server and test.
Problems Solutions:
1)      PKIX problem

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


1)      This problem occurred, because of trusted certificate not available in JRE. Means whatever we created SSL certificate not available in jre/lib/security folder.

2)      Generally when we create SSL certificate from the key tool after that we will export this SSL certificate to JRE. I.e. we will import into cascerts file (this is default file to import SSL certificates in JRE) this file is available in jre/lib/security folder.


Solution:

1)      Make sure created SSL certificate exported into cacerts file or not.

Procedure to know this:

Step: 1

Go to jre/lib/security

Compile InstallCert.java file by using following command.

Javac InsertCert.jva   

After successfully compile run java class by using following command.

Java InstallCert localhost:8443

We need pass domain name and secure port number that’s your https port.
If you get following output then SSL hand shaking is filed i.e. your certificate is not imported properly into cacerts file means that is not trusted certificate.

Loading KeyStore \jre6\lib\security\cacerts...
Opening connection to localhost:8443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.
provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Step: 2

When you get PKIX problem means SSL hand shaking is failed for your certificate. Then do the following thing.

When you get above step enter 1 and press enter. Then you will get the following output.



Enter certificate to add to trusted keystore or 'q' to quit: [1]
1

  Version: V3
  Subject: CN=localhost, OU=vidyayug, O=vyug, L= hyd, ST=ap, C=In
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 1129473579651954554552730664834664064459539051598864058082387115962631728819634110255367718769683451438528187
923246533854744470790959477657386037636238098777089479256059697784394926741427654735994678054030193662669088404706890444
59364523220747231216704221781747262219695262340353839314222273672957748320603247
  public exponent: 65537
  Validity: [From: Tue Dec 14 15:13:51 SGT 2010,
               To: Mon Mar 14 15:13:51 SGT 2011]
  Issuer: CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
  SerialNumber: [    4d07192f]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 38 E4 F4 D9 51 B1 5F C1   01 13 32 79 DE 97 26 58  8...Q._...2y..&X
0010: 13 08 F1 A0 33 DB B9 90   AF EE 9E AE B9 9B 68 7D  ....3.........h.
0020: DF E8 7D 79 9D 92 24 4A   76 C9 4C 28 DA 68 B0 62  ...y..$Jv.L(.h.b
0030: FF AB 27 03 5C DD 1F C8   77 A2 25 18 DF 0C DC FD  ..'.\...w.%.....
0040: D3 39 5D 18 B4 BA 4B 36   8C FD C5 80 FF F2 E3 4D  .9]...K6.......M
0050: 0A 28 57 B9 04 D8 25 F6   FB CA DA 13 0C 36 FB 02  .(W...%......6..
0060: 9A B3 B1 28 46 D1 8E C7   D9 1A 5B CE BB A6 6F FD  ...(F.....[...o.
0070: 6D F2 35 D9 95 43 6E 38   2A 56 E7 31 21 D9 F0 90  m.5..Cn8*V.1!...

]

Added certificate to keystore 'jssecacerts' using alias 'localhost-1'

If you get above output then your certificate trusted. Here we need identify one thing. Generally when we export SSL certificate by using key tool by default it will insert into cacert file. But here if you observe the above screen you can find jssecacers file. It will automatically create when we run above program.
 Enter q to quit this process.
Step: 3
Run again InstallCerts.java program to pass inputs domain and SSL port
Java InstallCert localhost:8443
If you get following output then SSL hand shaking is successful and your certificate added to jaascaserts file and it is trusted certificate. Here you will get message certificate is already trusted.












Here we need identify the CN=localhost   this is very important. whatever the CN name you need give in CAS settings. Otherwise you will get No Name matching to the URL .

20:42:38,109 ERROR [CommonUtils:294] java.security.cert.CertificateException: No name matching www.localhost.com found
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching www.localhost.com found


Note: So whatever the CN name that is only your CAS settings.

Assume if your CN name is local host then the following are the your CAS settings


So we have the solutions for
1)      PKIX
2)      No Name matching to your domain name
Still you are getting PKIX problem?
Make sure which jre your application server is using means JVM used by your server. here we need consider location of jre and version of jre.
Whatever the JRE your server is using in that make sure trusted certificate is available or not means run above whole process from this JRE location (jre/lib/security)
How to know which jre our server is using?
From Eclipse(Windows Environment):
Generally Eclipse will create JRE in  the following location:
C:/Program Files/Java
If you create server from Eclipse it will use eclipse generated default JRE until you mention new jre. i.e.
C:/Program Files/Java/jre
So that you need to export SSL certificate into this jre by using key tool or you can run above whole process from this location.
In Eclipse you can find which jre your server is using
Go to Windows>>Preferense>>Java>>Installed JRE’s

By Using Cygwin:
If you are running portal without Eclipse then you can find JRE that is used by your Server (Tomcat)
Run which java command in cygwin prompt.
The following screen will specify the location of java.
Go to That location and make sure SSL had shaking is successful for your domain.


If you run server from cygwin  prompt also you can know the JRE is used by your Server(Tomcat)
Run the following command form your server bin directory.
Use   ./startup.sh
The following screen shot wil tells you which jre is using. In this location you need to have trusted certificates.
Pure windows Environment
In windows environment serve generally use the JRE that is mentioned in JAVA_HOME environment variable.
That JRE server is using. In this JRE we have trusted certificates.

Note:
ü     Identify the JRE and make sure SSL hand shaking is successful in this location for yor domain. jre/lib/security  from this folder we will have InsertCert.java run this program and give the appropriate domain name and SSL  port number.


ü   Make sure where ever the CN name that should be your CAS settings.

Ex:  CN=localhost
Your CAS setting should use localhost only.





Popular Posts

Recent Posts

Recent Posts Widget