Solving SSL Issues
CAS Server requires SSL. Newcomers to deploying secure web applications (and even old hands) sometimes have difficulty configuring the SSL certificates. This page is intended to provide links and help with troubleshooting SSL in the context of deploying an instance of the Central Authentication Service server.
Generating a certificate
I am guessing that you have a certificate that is either not properly generated or is not installed in your jks keystore.
I am assuming you are using 1.4.x or later, otherwise you'd have to install JSSE separately.
To generate the certificate you could do this (substitute argument values as suits your system). Further documentation about the JDK keytool is available on Sun's website.
%JAVA_HOME%\bin\keytool -delete -alias tomcat -keypass changeit
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
%JAVA_HOME%\bin\keytool -export -alias tomcat -keypass changeit -file %FILE_NAME%
%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit
Expiration Date of Certificate
If you want the certificate to be valid for longer than the default amount of time, you can provide an optional parameter in the following format:
-validity numberOfDays
which allows you to specify the number of days the certificate is valid for. So in the above example you would use the following command to create the certificate and have it valid for 365 days:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -validity 365
World-readability
K.C. Baltz reminded the List that the public cert files must be world-readable, as noted in the README.
How do I configure Tomcat to use SSL?
Try these instructions.
Where can I learn more about the keytool?
At the keytool page.
Certificates for IP addresses will not work
Quite simply, issuing and using certificates that authenticate IP addresses rather than host names will not work. Don't do it. For anything larger than a trivial installation, your CAS server and its clients need real hostnames and certificates that authenticate those hostnames (proxy ticket functionality depends on this). In particular, if you get an error like the following in the CAS server log, it means that the SSL callback was specified in terms of an IP address rather than a hostname.
2006-03-13 15:34:21,011 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-99-FbOVOK6wBfqgUEowijew1mqpdKGQdhr9qkj-20] for service [https://134.106.68.83:8443/CASeMailServlet/servlet/TANServlet] for user [8427890]>
2006-03-13 15:34:21,054 ERROR [org.jasig.cas.util.UrlUtils] - <javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target>
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
...
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
...
2006-03-13 15:34:21,057 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler
failed to authenticate the user.>
2006-03-13 15:34:21,057 ERROR
[org.jasig.cas.web.ServiceValidateController] - <TicketException
generating ticket for:
https://134.106.68.83:8443/CASeMailServlet/CasProxyServlet>
org.jasig.cas.ticket.TicketCreationException:
error.authentication.credentials.bad
at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:216)
...
Caused by: error.authentication.credentials.bad
at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
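The log excerpt above is the symptom an administrator sees when the SSL callback to the service is rejected. The following script is an added troubleshooting aid, not part of the CAS project: it scans CAS server log text for the PKIX path-building failure, pulls the service URLs out of the "Granted service ticket" and "generating ticket for" messages, and reports whether those URLs name an IP literal (the case this page describes) or a hostname (in which case the usual cause is the service's CA certificate missing from the JVM's cacerts trust store, which the keytool -import step above fixes). The log layout it assumes is the one shown on this page; the sample log embedded in the script is constructed from the lines above.

```python
"""Triage CAS server log text for SSL callback failures.

Added example (not CAS project code). Assumes the log4j-style layout
shown on this page: "<timestamp> <LEVEL> [<logger>] - <<message>>".
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Service URLs appear in two message shapes in the page's log excerpt.
SERVICE_RE = re.compile(r"for service \[(https?://[^\]]+)\]")
TICKET_RE = re.compile(r"generating ticket for:\s*(https?://[^\s>]+)")
PKIX_RE = re.compile(r"PKIX path building failed")

DIAG_NONE = "no PKIX path-building failure found"
DIAG_IP_CALLBACK = ("PKIX failure and the service URL uses an IP literal: issue the "
                    "certificate for a hostname and register the service by hostname")
DIAG_UNTRUSTED_CA = ("PKIX failure with hostname service URLs: the CAS JVM trust store "
                     "(cacerts) lacks the issuing CA; import it with keytool -import")


def is_ip_literal(host: str) -> bool:
    """True when host is an IPv4 or IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text: str) -> dict:
    """Collect service hosts from the log and classify the failure."""
    ip_hosts, name_hosts = [], []
    for pattern in (SERVICE_RE, TICKET_RE):
        for url in pattern.findall(log_text):
            host = urlsplit(url).hostname  # strips port and IPv6 brackets
            if host is None:
                continue
            bucket = ip_hosts if is_ip_literal(host) else name_hosts
            if host not in bucket:
                bucket.append(host)
    pkix = bool(PKIX_RE.search(log_text))
    if not pkix:
        diagnosis = DIAG_NONE
    elif ip_hosts:
        diagnosis = DIAG_IP_CALLBACK
    else:
        diagnosis = DIAG_UNTRUSTED_CA
    return {
        "pkix_failure": pkix,
        "ip_services": ip_hosts,
        "hostname_services": name_hosts,
        "diagnosis": diagnosis,
    }


# Constructed sample: a condensed copy of the log lines shown on this page.
SAMPLE_LOG = """\
2006-03-13 15:34:21,011 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-99-FbOVOK6wBfqgUEowijew1mqpdKGQdhr9qkj-20] for service [https://134.106.68.83:8443/CASeMailServlet/servlet/TANServlet] for user [8427890]>
2006-03-13 15:34:21,054 ERROR [org.jasig.cas.util.UrlUtils] - <javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target>
2006-03-13 15:34:21,057 ERROR
[org.jasig.cas.web.ServiceValidateController] - <TicketException
generating ticket for:
https://134.106.68.83:8443/CASeMailServlet/CasProxyServlet>
org.jasig.cas.ticket.TicketCreationException:
error.authentication.credentials.bad
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("PKIX failure:", result["pkix_failure"])
    print("IP-literal services:", result["ip_services"])
    print("Hostname services:", result["hostname_services"])
    print("Diagnosis:", result["diagnosis"])
```

Run it against a saved copy of the CAS log (or pipe the log text into `triage`) before touching the keystore: if the IP-literal list is non-empty, reissuing the certificate will not help until the service is registered under a hostname.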