CAS Server requires SSL. Newcomers to deploying secure web applications (and even old hands) sometimes have difficulty configuring the SSL certificates. This page is intended to provide links and help with troubleshooting SSL in the context of deploying an instance of the Central Authentication Service server.
Generating a certificate
I am guessing that you have a certificate that is either not properly generated or is not installed in your jks keystore.
I am assuming you are using 1.4.x, otherwise you'd have to install JSSE separately.
To generate the certificate you could do this (substitute argument values as appropriate for your system).
Expiration Date of Certificate
If you want the certificate to be valid for longer than the default period, you can supply an optional parameter in the following format:
which lets you specify the number of days the certificate is valid. So, in the above example, you would use the following command to create the certificate and have it valid for 365 days:
World-readability
K.C. Baltz reminded the list that the public cert files must be world-readable, as noted in the README.
Some good threads
How do I configure Tomcat to use SSL?
Try these instructions.
How do I use a self-signed certificate?
A: Trusting the Self-Signed Certificate
DummyTrustManager for development
Joakim Recht suggested on the CAS list that, in development, you can avoid installing your self-signed CAS server certificate on your CAS clients (and your CAS client certificates on your CAS server, when the clients must be accessed securely for CAS to give them Proxy Tickets) by using the DummyTrustManager from here.
This accepts all certificates, including self-signed.
This would be neither secure nor appropriate in production, but it may be just the thing to get off the ground in development.
To use the DummyTrustManager, put the files DummySSLSocketFactory.java and DummyTrustManager.java into src/edu/yale/its/tp/cas/util and add
((HttpsURLConnection)uc).setSSLSocketFactory(new DummySSLSocketFactory());
to SecureURL.java just after
URLConnection uc = u.openConnection();
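The two procedures above (generating a keystore with a chosen -validity, and the DummyTrustManager shortcut) can be combined into one defender-friendly workflow: keep the accept-everything trust manager out of the build and instead import the exported self-signed certificate into a dedicated truststore that the client JVM is pointed at. The script below is an added example, not code from the original page or from the CAS project; it assumes keytool is on the PATH, uses the Tomcat documentation's "tomcat" key alias, and the truststore alias "cas-server", the file names and the "changeit" password are this example's own choices. It also checks that the certificate's CN equals the host name clients will put in the URL, which is the mismatch discussed in the comments below.

```shell
#!/bin/sh
# Added example (not from the original page or the CAS project): self-signed
# certificate workflow with a dedicated truststore instead of DummyTrustManager.
# Assumptions: keytool on PATH; alias "tomcat" as in the Tomcat docs; the
# truststore alias "cas-server", file names and password are this example's own.
set -eu

# 1. Server keystore. CN must equal the host name clients use in the URL, and
#    -validity sets the lifetime in days (keytool's default is 90 days).
gen_server_keystore() {   # keystore host days password
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
    -validity "$3" -dname "CN=$2" \
    -keystore "$1" -storepass "$4" -keypass "$4"
}

# 2. Export only the public certificate (PEM). The private key never leaves
#    the server keystore.
export_cert() {           # keystore password outfile
  keytool -exportcert -rfc -alias tomcat -keystore "$1" -storepass "$2" -file "$3"
}

# 3. Read the CN back from the exported certificate so a host-name mismatch is
#    caught before Tomcat is even started.
cert_cn() {               # certfile
  keytool -printcert -file "$1" | sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1
}

# 4. Import the certificate into a truststore holding only this certificate,
#    rather than into the JDK's shared cacerts or an accept-all TrustManager.
import_to_truststore() {  # certfile truststore password
  keytool -importcert -noprompt -alias cas-server -file "$1" \
    -keystore "$2" -storepass "$3"
}

truststore_has_alias() {  # truststore password alias  (exit status is the answer)
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# 5. JVM options that make a CAS client (or the CAS server, when it calls back
#    to a client for proxy tickets) trust that store with no code change.
client_jvm_flags() {      # truststore password
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s\n' "$1" "$2"
}

# Usage: sh cas-selfsigned.sh java.minhviet.com [days]
if [ "$#" -ge 1 ]; then
  host=$1; days=${2:-365}; pw=changeit
  gen_server_keystore server.jks "$host" "$days" "$pw"
  export_cert server.jks "$pw" server.crt
  [ "$(cert_cn server.crt)" = "$host" ] || { echo "CN does not match $host" >&2; exit 1; }
  import_to_truststore server.crt truststore.jks "$pw"
  echo "Start the client JVM with: $(client_jvm_flags "$PWD/truststore.jks" "$pw")"
fi
```

The server side keeps server.jks as its Tomcat keystoreFile; every client that must reach it gets truststore.jks and the two -D flags. Because the truststore contains exactly one certificate, a client still rejects any other self-signed or substituted certificate, which is the property the DummyTrustManager gives up.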
Where can I learn more about the keytool?
At the keytool page.
Thanks to Joakim Recht for originally suggesting DummyTrustManager on the CAS list.
A readme
You could try the readme included in this zip, which accompanies this article about CAS.
When all else fails
More than one CAS deployer has suggested: When all else fails, start over again with a clean Tomcat and JDK.
If I replace localhost with my computer's full name (for example java.minhviet.com) on the LAN, then when I test https://java.minhviet.com:8443
it doesn't work ???
Regards
In order to use java.minhviet.com as the host name, you need to have the certificate that Tomcat uses recognize that name. So when you generate your "tomcat" certificate the first and last name field must equal "java.minhviet.com" and then follow the other steps as usual.
At least this has worked for me.
Thanks !
I use Windows 2000 Advanced Server, j2sdk1.4.2, tomcat4-1-24.
This is my process for creating a self-signed certificate:
%JAVA_HOME%\bin\keytool -delete -alias tomcat -keypass changeit
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
%JAVA_HOME%\bin\keytool -export -alias tomcat -keypass changeit -file server.crt
%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit -keystore %JAVA_HOME%\jre\lib\security\cacerts
NOTE:
(cn=java.minhviet.com)
+++I have created an https connector with keystoreFile="D:\j2sdk1.4.2_02\jre\lib\security\cacerts". As a result, when I test https://java.minhviet.com:8443 it still does not work ???
+++If I change the keystore by importing the reply from VeriSign, it worked.
I don't know why this is?
Thank you for your reply!
Regards
These kinds of questions might get better support on the cas@tp.its.yale.edu email list. I don't have a problem with them being posted here as comments – comments are cheap – but it does seem a little strange and the email list might be a better place for them.
Sorry about this!
Now I know: SSL did not work because of the relationship between the JDK and Tomcat. I have resolved this problem.
Regards
In my case:
%JAVA_HOME%\bin\keytool -import -alias tomcat -file server.crt -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
The article should have this link http://www.javaworld.com/javatips/jw-javatip115.html attached to DummyManagerExample.
Why is it desirable to take this wiki page and smoosh it into Hypercontent on this page:
http://www.ja-sig.org/products/cas/server/ssl/index.html
In the wiki, it's easy to edit, available as a PDF, Word doc, and in printer friendly format, watchable, commentable, shows up on the dashboard when changed, and has a publicly viewable history.
In Hypercontent, it's harder to edit, harder to find in printer friendly formats, unavailable as a Word doc, hard to watch, not welcoming of comment, and has no publicly viewable history.
I totally get it that CAS needs a marketable public face that looks attractive and has a cute mascot.
I don't get it that actual technical content, especially technical content that has proven to be "hot" and in need of frequent editing, belongs in Hypercontent rather than our wiki.
Am I missing something? Or can we re-steer this ship and leave this kind of content in the wiki and make the attractive public website link to it?