What is wrong with my CAS/Tomcat/SSL configuration: PKIX path building failed
We use CAS as our single sign-on provider. At the moment I have deployed it locally, together with the applications that will take part in single sign-on, and things work as expected. For the local environment I use a self-signed certificate. We have now deployed the application cluster to a new server (DEVSERVER-01) to make testing easier. For this test environment we also use a self-signed certificate. We get the following error:
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
Note: the SSL debug logging (enabled with -Djavax.net.debug=ssl) shows the cacerts file that the Tomcat instance is using:
2014-01-08 12:11:20 Commons Daemon procrun stdout initialized
trustStore is: C:\Program Files\Java\jre7\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
...
adding as trusted cert:
Subject: CN=DEVSERVER-01.XXX.XXX.XXX, OU=Test, O=Test, L=Test, ST=Test, C=Test
Issuer: CN=DEVSERVER-01.XXX.XXX.XXX, OU=Test, O=Test, L=Test, ST=Test, C=Test
Algorithm: RSA; Serial number: 0x2aed8ad2
Valid from Wed Jan 08 12:06:08 EST 2014 until Sun Oct 23 13:06:08 EDT 2287
...
Note: normally I would say the self-signed certificate just needs to be imported. However:
C:\XXXX\XXXX>keytool -list -v -alias tomcat -keystore "C:\Program Files\Java\jre7\lib\security\cacerts"
Enter keystore password:
Alias name: tomcat
Creation date: Jan 8, 2014
Entry type: trustedCertEntry
Owner: CN=DEVSERVER-01.XXX.XXX.XXX, OU=Test, O=Test, L=Test, ST=Test, C=Test
Issuer: CN=DEVSERVER-01.XXX.XXX.XXX, OU=Test, O=Test, L=Test, ST=Test, C=Test
Serial number: 2aed8ad2
Valid from: Wed Jan 08 12:06:08 EST 2014 until: Sun Oct 23 13:06:08 EDT 2287
Certificate fingerprints:
MD5: B4:51:27:29:9A:5C:43:02:79:05:5F:B9:2E:D8:38:31
SHA1: B2:A6:BB:02:D1:E2:89:62:FF:54:E2:1F:84:69:36:C9:8B:9D:2C:42
SHA256: 31:2B:4C:DD:E2:31:CB:89:50:4B:37:D4:4D:D9:28:CC:AF:89:B4:BE:7B:B5:11:B2:BD:0C:A2:2B:86:24:5F:2A
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 61 FF C1 97 80 78 4D 81 54 D2 BD CE AD D0 B4 14 a....xM.T.......
0010: DC DB 52 EE ..R.
]
]
So... any ideas?
Have you checked whether any redirects present a certificate that has not been imported?
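An added diagnostic for this situation (example code written for this page, not part of the question, CAS, or Tomcat): the debug log and keytool agree that the self-signed certificate is in jre7's cacerts, so the open question is whether the certificate the CAS server actually sends on the wire is that same certificate, and whether the JVM the client runs in is resolving that same truststore. The class below, run with the same java.exe that Tomcat uses, resolves the truststore the way the JSSE default trust manager does, fetches the chain the server presents, compares SHA-1 fingerprints (the value keytool -list -v prints) against every truststore entry, and then repeats the handshake with the default trust manager to reproduce the client's real check. The host name, the port 8443 and the class name TrustCheck are assumptions; point it at the host and port of the casServerUrlPrefix the client validates tickets against.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * TrustCheck (added diagnostic). Run with the SAME java.exe that Tomcat uses:
 *   javac TrustCheck.java
 *   java TrustCheck DEVSERVER-01.XXX.XXX.XXX 8443    (host and port are assumptions)
 * Prints the truststore this JVM resolves, the chain the server sends, which
 * presented certificates are in that truststore, and the default-trust result.
 */
public class TrustCheck {

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        String path = resolveTrustStorePath();
        Map<String, String> trusted = loadFingerprints(path);
        System.out.println("JVM truststore: " + path + " (" + trusted.size() + " certificates)");

        boolean anyMatch = false;
        for (Certificate c : fetchChain(host, port)) {
            X509Certificate x = (X509Certificate) c;
            String fp = sha1(x);
            String alias = trusted.get(fp);
            anyMatch |= alias != null;
            System.out.println("server sent: " + x.getSubjectX500Principal());
            System.out.println("    issuer : " + x.getIssuerX500Principal());
            System.out.println("    SHA1   : " + fp
                + (alias != null ? "  [in truststore as '" + alias + "']" : "  [NOT in truststore]"));
        }
        if (!anyMatch) {
            System.out.println("No presented certificate is in " + path + ": export the certificate from "
                + host + ":" + port + " (the host the client really reaches, after any redirect) and import that one.");
        }
        System.out.println(defaultTrustResult(host, port));
    }

    /** Same resolution order as the JSSE default trust manager. */
    static String resolveTrustStorePath() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null) return explicit;
        File sec = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jsse = new File(sec, "jssecacerts");
        return (jsse.exists() ? jsse : new File(sec, "cacerts")).getPath();
    }

    /** Map SHA-1 fingerprint -> alias for every certificate in the truststore. */
    static Map<String, String> loadFingerprints(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(
            System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()));
        String pw = System.getProperty("javax.net.ssl.trustStorePassword"); // null is fine for reading a JKS
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        Map<String, String> out = new HashMap<String, String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c != null) out.put(sha1(c), alias);
        }
        return out;
    }

    /** Observe the chain the server sends. The accept-everything manager exists ONLY for this diagnostic; never ship it. */
    static Certificate[] fetchChain(String host, int port) throws Exception {
        TrustManager[] observeOnly = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, observeOnly, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            return s.getSession().getPeerCertificates();
        }
    }

    /** Reproduce the CAS client's real check: the JVM default trust manager over the resolved truststore. */
    static String defaultTrustResult(String host, int port) {
        try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port)) {
            s.startHandshake();
            return "Default trust manager: handshake OK, this JVM trusts " + host;
        } catch (Exception ex) {
            return "Default trust manager: handshake FAILED (" + ex + ")";
        }
    }

    /** Colon-separated upper-case SHA-1 over the DER encoding, as keytool prints it. */
    static String sha1(Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }
}
```

Two readings matter. If the presented SHA-1 is not B2:A6:BB:...:2C:42, the server is sending a different certificate from the one imported under alias tomcat (a regenerated keystore, a load balancer or a redirect target), and that certificate is the one to import. If the fingerprint matches but the default-trust handshake still fails, the client is not running in the JVM whose cacerts was edited (for example a JDK's bundled jre rather than C:\Program Files\Java\jre7), and the truststore path printed on the first line tells you which file the CAS client actually reads.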