What is wrong with my CAS/Tomcat/SSL configuration: PKIX path building failed


We use CAS as our single sign-on provider. Currently I have deployed it locally, together with the applications that will participate in single sign-on. Things work as expected. For the local environment I use a self-signed certificate.

We have deployed the application cluster onto a new server (DEVSERVER-01) to make testing easier. For this test environment we are using a self-signed certificate. We get the following error:

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
Note

  • There are three applications deployed to the same Tomcat instance: CAS + two members
  • When I visit the CAS URL, I can see the login page correctly
  • When I visit the URL of either member application, I can see the login page correctly
  • I only get the error above after logging in, when CAS redirects back to the member
  • Below is a log (with -Djavax.net.debug=ssl) showing the cacerts file the Tomcat instance is using:

    2014-01-08 12:11:20 Commons Daemon procrun stdout initialized
    trustStore is: C:\Program Files\Java\jre7\lib\security\cacerts
    trustStore type is : jks
    trustStore provider is : 
    init truststore
    ...
    adding as trusted cert:
      Subject: CN=DEVSERVER-01.XXX.XXX.XXX, OU=Test, O=Test, L=Test, ST=Test, C=Test
      Issuer:  CN=DEVSERVER-01.XXX.XXX.XXX, OU=Test, O=Test, L=Test, ST=Test, C=Test
      Algorithm: RSA; Serial number: 0x2aed8ad2
      Valid from Wed Jan 08 12:06:08 EST 2014 until Sun Oct 23 13:06:08 EDT 2287
    ...
    

    Note

    Normally I would say one only needs to import the self-signed certificate. However:

    C:\XXXX\XXXX>keytool -list -v -alias tomcat -keystore "C:\Program Files\Java\jre7\lib\security\cacerts"
    Enter keystore password:
    Alias name: tomcat
    Creation date: Jan 8, 2014
    Entry type: trustedCertEntry
    
    Owner: CN=DEVSERVER-01.XXX.XXX.XXX, OU=Test, O=Test, L=Test, ST=Test, C=Test
    Issuer: CN=DEVSERVER-01.XXX.XXX.XXX, OU=Test, O=Test, L=Test, ST=Test, C=Test
    Serial number: 2aed8ad2
    Valid from: Wed Jan 08 12:06:08 EST 2014 until: Sun Oct 23 13:06:08 EDT 2287
    Certificate fingerprints:
             MD5:  B4:51:27:29:9A:5C:43:02:79:05:5F:B9:2E:D8:38:31
             SHA1: B2:A6:BB:02:D1:E2:89:62:FF:54:E2:1F:84:69:36:C9:8B:9D:2C:42
             SHA256: 31:2B:4C:DD:E2:31:CB:89:50:4B:37:D4:4D:D9:28:CC:AF:89:B4:BE:7B:
    B5:11:B2:BD:0C:A2:2B:86:24:5F:2A
             Signature algorithm name: SHA256withRSA
             Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 61 FF C1 97 80 78 4D 81   54 D2 BD CE AD D0 B4 14  a....xM.T.......
    0010: DC DB 52 EE                                        ..R.
    ]
    ]
    

    So... any ideas?

    Have you checked whether any of the redirects have a certificate that has not been imported?
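The error in the question is raised while the CAS client (inside the member webapp) calls back to the CAS server over HTTPS to validate the service ticket; "PKIX path building failed" means the certificate the server presented on that connection could not be chained to anything in the trust store the JVM actually loaded. Since the debug log shows the self-signed certificate being loaded from cacerts, the practical check is to compare the fingerprint of the certificate the server really sends with the fingerprints in that trust store. The script below is an added example, not code from the question or from the CAS/Tomcat projects: it parses `keytool -list -v` output (joining the wrapped SHA256 line that keytool prints, as seen in the question), normalises fingerprints in keytool or `openssl x509 -fingerprint` form, and can fetch the leaf certificate a live host presents. The embedded keytool output is a constructed sample copied from the question; the host name and trust store path in the usage function are assumptions.

```python
"""Compare the certificate an HTTPS host presents with a JKS trust store's contents.

Added example for diagnosing "PKIX path building failed" in a CAS client.
Uses only the Python standard library; the live fetch needs network access.
"""
import hashlib
import re
import socket
import ssl
import subprocess
from dataclasses import dataclass, field

# Constructed sample: the `keytool -list -v` output from the question. Note that
# keytool wraps the SHA256 fingerprint onto a second line.
KEYTOOL_SAMPLE = """\
Enter keystore password:
Alias name: tomcat
Creation date: Jan 8, 2014
Entry type: trustedCertEntry

Owner: CN=DEVSERVER-01.XXX.XXX.XXX, OU=Test, O=Test, L=Test, ST=Test, C=Test
Issuer: CN=DEVSERVER-01.XXX.XXX.XXX, OU=Test, O=Test, L=Test, ST=Test, C=Test
Serial number: 2aed8ad2
Valid from: Wed Jan 08 12:06:08 EST 2014 until: Sun Oct 23 13:06:08 EDT 2287
Certificate fingerprints:
         MD5:  B4:51:27:29:9A:5C:43:02:79:05:5F:B9:2E:D8:38:31
         SHA1: B2:A6:BB:02:D1:E2:89:62:FF:54:E2:1F:84:69:36:C9:8B:9D:2C:42
         SHA256: 31:2B:4C:DD:E2:31:CB:89:50:4B:37:D4:4D:D9:28:CC:AF:89:B4:BE:7B:
B5:11:B2:BD:0C:A2:2B:86:24:5F:2A
         Signature algorithm name: SHA256withRSA
         Version: 3
"""

_HEX_PAIRS = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*")
_FP_LINE = re.compile(r"(MD5|SHA1|SHA256):\s*([0-9A-Fa-f:]+)$")


@dataclass
class TrustedCert:
    alias: str
    owner: str = ""
    issuer: str = ""
    fingerprints: dict = field(default_factory=dict)  # {"SHA256": "AA:BB:..."}


def parse_keytool_list(text):
    """Parse `keytool -list -v` output into TrustedCert entries.

    Fingerprint values that keytool wrapped onto following lines (lines made
    only of hex pairs) are joined back onto the value.
    """
    entries, cur, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("Alias name:"):
            cur = TrustedCert(alias=line.split(":", 1)[1].strip())
            entries.append(cur)
        elif cur is None:
            continue  # banner / password prompt before the first entry
        elif line.startswith("Owner:"):
            cur.owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:"):
            cur.issuer = line.split(":", 1)[1].strip()
        else:
            m = _FP_LINE.match(line)
            if m:
                value = m.group(2)
                while i < len(lines) and _HEX_PAIRS.fullmatch(lines[i].strip()):
                    value += lines[i].strip()  # continuation of a wrapped fingerprint
                    i += 1
                cur.fingerprints[m.group(1)] = normalize_fingerprint(value)
    return entries


def normalize_fingerprint(s):
    """Accept keytool ('AA:BB'), openssl ('SHA256 Fingerprint=aa:bb') or bare hex;
    return upper-case colon-separated pairs so the forms compare equal."""
    hexonly = re.sub(r"[^0-9A-Fa-f]", "", s.split("=", 1)[-1]).upper()
    return ":".join(hexonly[i:i + 2] for i in range(0, len(hexonly), 2))


def fingerprint_der(der, algo="sha256"):
    """Fingerprint of a DER-encoded certificate, in keytool/openssl notation."""
    return normalize_fingerprint(hashlib.new(algo, der).hexdigest())


def find_trusted(entries, fingerprint, algo="SHA256"):
    """Trust-store entries whose fingerprint equals the given one (any notation)."""
    fp = normalize_fingerprint(fingerprint)
    return [e for e in entries if e.fingerprints.get(algo) == fp]


def fetch_server_cert_der(host, port=443):
    """Fetch the leaf certificate the server actually sends (network required).
    Verification is disabled on purpose: we want to inspect the cert, not trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def load_truststore(path, storepass="changeit", keytool="keytool"):
    """Run the JDK's keytool against the trust store the debug log named."""
    out = subprocess.run([keytool, "-list", "-v", "-keystore", path, "-storepass", storepass],
                         capture_output=True, text=True, check=True).stdout
    return parse_keytool_list(out)


if __name__ == "__main__":
    # Assumed host and path for illustration; use the values from your own debug log.
    entries = load_truststore(r"C:\Program Files\Java\jre7\lib\security\cacerts")
    presented = fingerprint_der(fetch_server_cert_der("DEVSERVER-01.XXX.XXX.XXX", 8443))
    hits = find_trusted(entries, presented)
    print("server presents", presented)
    print("trusted as", [e.alias for e in hits] if hits else "NOTHING in this trust store")
```

Run it against the exact cacerts path shown in the `trustStore is:` debug line (a different JRE than the one Tomcat runs under is a common source of this error) and against the host and port that the CAS client's validation URL resolves to. If the fingerprint the server presents is not the one stored under the `tomcat` alias, the connector is serving a different certificate than the one that was exported, which is exactly the symptom reported in the question.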