Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/ssl/3.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
CAS+;SSLHandshakeException+;验证器异常+;PKIX路径生成失败+;找不到请求目标的有效证书路径_Ssl_Spring Security_Ssl Certificate_Single Sign On_Cas - Fatal编程技术网
Fatal编程技术网
  • ssl/
  • CAS+;SSLHandshakeException+;验证器异常+;PKIX路径生成失败+;找不到请求目标的有效证书路径

CAS+;SSLHandshakeException+;验证器异常+;PKIX路径生成失败+;找不到请求目标的有效证书路径

ssl spring-security single-sign-on

CAS+;SSLHandshakeException+;验证器异常+;PKIX路径生成失败+;找不到请求目标的有效证书路径,ssl,spring-security,ssl-certificate,single-sign-on,cas,Ssl,Spring Security,Ssl Certificate,Single Sign On,Cas,我正在开发中央认证系统(jasig.org),以实现单点登录功能 用于我的intranet web应用程序。我有两个tomcat实例在同一台机器(windows)上运行。 两个tomcat实例都配置为使用SSL,并使用了自签名sertificate(使用JavaKeyTool创建) Tomcat1 Cas服务器 server.xml 复制上述异常的步骤: 1) 我尝试使用 2) 它被重定向到cas服务器,即在提供用户名/密码后 在这里,一旦myWebApp再次向cas服务器发送请求以验证生成的令

我正在开发中央认证系统(jasig.org),以实现单点登录功能 用于我的intranet web应用程序。我有两个tomcat实例在同一台机器(windows)上运行。 两个tomcat实例都配置为使用SSL,并使用了自签名sertificate(使用JavaKeyTool创建)

Tomcat1 Cas服务器

server.xml 复制上述异常的步骤: 1) 我尝试使用 2) 它被重定向到cas服务器,即在提供用户名/密码后 在这里,一旦myWebApp再次向cas服务器发送请求以验证生成的令牌,就会捕获异常

非常感谢您的任何建议/帮助。

您的Spring CAS配置看起来不错

出现SSLHandshakeException的唯一原因是SSL密钥不正确地导入到创建的密钥库或JVM密钥库中

在密钥创建过程中,您是否遵循了以下步骤 注意:作为CN的别名(这里是cas)应该与计算机的主机名同名

要查找计算机的主机名,请在控制台或命令提示符中键入不带引号的“hostname”

在名为app的根目录下创建一个目录

[root@localhostapp]#keytool-genkey-alias cas-keyalg RSA-keystore .cas-storepass caspasswd

你的名字和姓氏是什么?[未知]:cas名称是什么 你的组织单位?[未知]:我的公司名称是什么 你的组织?[未知]:我的公司你的公司叫什么名字 城市还是地方?[未知]:班加罗尔你的名字是什么 州还是省?[未知]:卡纳塔克邦这两个字母是什么 这个单位的国家代码?[未知]:IN是CN=cas,OU=MYCOMPANY, O=迈科公司,L=班加罗尔,ST=卡纳塔克邦,C=正确吗?[否]:是的

输入密钥密码(提供上述密码,即 caspasswd(本例中为caspasswd) (如果与密钥库密码相同,则返回):重新输入新密码:

[root@localhostapp]#keytool-exportcert-alias cas-file cas.crt -cas输入密钥库密码:存储在文件中的证书

[root@localhostapp]#ls cas.crt softwares test.class test.java tomcat7027CAS

[root@localhostapp]#keytool-导入-别名cas-文件cas.crt -keystore/app/softwares/jdk1.6.0_27/jre/lib/security/cacerts输入keystore密码:所有者:CN=cas,OU=MYCOMPANY,O=MYCOMPANY, L=班加罗尔,ST=卡纳塔克邦,C=IN发行人:CN=cas,OU=MYCOMPANY, O=MYCOMPANY,L=班加罗尔,ST=卡纳塔克邦,C=序列号:510A63 有效期:2013年1月31日星期四18:28:11至:5月1日星期三18:28:11 IST 2013证书指纹: MD5:52:8E:2E:74:C6:57:CD:B3:B0:B6:6C:17:D9:0D:77:F3 SHA1:1F:AA:4C:22:B9:16:DC:AA:D4:87:07:CF:DD:B2:11:A6:AE:36:9A:DB 签名算法名称:SHA1 WithRSA 版本:3信任此证书吗?[否]:是证书已添加到密钥库

[root@localhostapp]#keytool-列表-密钥库 /app/softwares/jdk1.6.0_27/jre/lib/security/cacerts-alias-cas-Enter 密钥库密码:cas,2013年1月31日,trustedCertEntry,证书 指纹(MD5):52:8E:2E:74:C6:57:CD:B3:B0:B6:6C:17:D9:0D:77:F3

[root@localhost应用程序]#

在tomcat server.xml中,您还使用https连接器,如下所示

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="/app/.cas" keystorePass="mykeypassword" 
    secure="true" connectionTimeout="240000" 
               clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8069" protocol="AJP/1.3" redirectPort="8443" />
以上密钥用于CAS服务器。 您可以为应用程序创建自己的单独密钥

但是这两个密钥都应该导入到JVM cacerts密钥库中(如何:如下所述)

现在最重要的部分是: 假设您的CAS服务器别名为CAS

您的应用程序服务器别名为myapp

将密钥cas.crt和myapp.crt保留在两台服务器中,以便导入JVM

在两台服务器中都执行以下操作:

1) keytool-import-alias cas-file/app/cas.crt-keystore /usr/java/jdk1.5.0_22/jre/lib/security/cacerts

2) keytool-import-alias myapp-file/app/cas.crt-keystore /usr/java/jdk1.5.0_22/jre/lib/security/cacerts

要验证,请使用以下命令--

1) keytool-list-v-keystore /usr/java/jdk1.5.0_22/jre/lib/security/cacerts-alias-cas

2) keytool-list-v-keystore /usr/java/jdk1.5.0_22/jre/lib/security/cacerts-别名myapp

如果使用多个版本的Java,请确保Java--JRE--LIB--SECURITY--CACERTS文件

这将删除您的错误

注:

如果在提供正确的用户凭证后,浏览器显示空白白页, 修改系统的主机文件(linux中的/etc/hosts和windows中的c:\windows\system32\driver\etc\hosts)

在那里添加cas服务器ip

例如

162.25.250.60 myapp 162.25.250.81 cas

任何疑问都可以澄清

您可以参考以下内容:

解释得很好。谢谢。谢谢,虽然这个问题最近得到了回答,但我认为这可能会帮助其他人寻求同样的答案。嗨,亲爱的,我在jboss上也面临着同样的问题,我尝试了很多东西,但都没有用。请参见[1]:请在此方面帮助我…请检查新证书是否真的添加到了cacert。要检查的命令:C:\keytool-list-keystore“C:\Program Files\Java\jdk1.7.0\u 02\jre\lib\security\cacerts”-别名YourCertificateAlias如果出现此错误,请单击此处msg keytool error:Java.lang.Exception:别名不存在,这意味着证书未添加到cacert中。同时双击证书文件并转到第三个选项卡“证书路径”。如果看到一个红十字标记,并且证书状态显示“此CA根证书不受信任,因为它不在受信任的根证书颁发机构存储中”,则转到generel选项卡并在下安装证书 
<Connector port="8663" maxHttpHeaderSize="8192" SSLEnabled="true"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:security="http://www.springframework.org/schema/security"
    xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <!--
        Enable security, let the casAuthenticationEntryPoint handle all intercepted urls.
        The CAS_FILTER needs to be in the right position within the filter chain.
    -->
    <security:http entry-point-ref="casProcessingFilterEntryPoint" auto-config="true">
        <security:intercept-url pattern="/protected/**" access="IS_AUTHENTICATED_FULLY" />
    </security:http>

    <!--
        Required for the casProcessingFilter, so define it explicitly set and
        specify an Id Even though the authenticationManager is created by
        default when namespace based config is used.
    -->
    <security:authentication-manager alias="authenticationManager" />

    <!--
        This section is used to configure CAS. The service is the
        actual redirect Client URL that will be triggered after the CAS login sequence.
    -->
    <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="https://obll1973.abc.com:8663/myWebApp/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <!-- 
        The customUserDetailsService provides ROLE & other Details and 
        create an object of UserDetail for this application.
    -->
    <bean id="customUserDetailsService"
        class="edu.sandip.cas.client.authentication.CustomUserDetailsService">
    </bean>

    <!-- 
        The CasProcessingFilter has very similar properties to the 
        AuthenticationProcessingFilter (used for form-based logins).

        The CAS Processing filter handles the redirect from the CAS server 
        and starts the ticket validation.
    -->
    <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
        <security:custom-filter after="CAS_PROCESSING_FILTER"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
        <property name="defaultTargetUrl" value="/"/>
    </bean>

    <!--
        The entryPoint intercepts all the CAS authentication requests.
        It redirects to the CAS loginUrl for the CAS login page.
    -->
    <bean id="casProcessingFilterEntryPoint" 
        class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl" value="https://obll1973.abc.com:8443/cas/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <!-- 
        Handles the CAS ticket processing.
    -->
    <bean id="casAuthenticationProvider" 
        class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <security:custom-authentication-provider />
        <property name="userDetailsService" ref="customUserDetailsService" />
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://obll1973.abc.com:8443/cas" />
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only"/>    
    </bean>

    <!-- 
        To access request.getRemoteUser() from client application  
    -->
    <bean id="wrappingFilter" class="org.jasig.cas.client.util.HttpServletRequestWrapperFilter" />
</beans>

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.springframework.security.providers.cas.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:145)
    org.springframework.security.providers.cas.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:131)
    org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:188)
    org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
    org.springframework.security.ui.cas.CasProcessingFilter.attemptAuthentication(CasProcessingFilter.java:94)
    org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:258)
    org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
    org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
    org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="/app/.cas" keystorePass="mykeypassword" 
    secure="true" connectionTimeout="240000" 
               clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8069" protocol="AJP/1.3" redirectPort="8443" />