Hi all,
Hoping someone can help me out with this problem. I successfully got CAS up and running in my development environment, and now I'm trying to push it forward into production. However, I'm having a new cert problem, and I'm not quite sure what to do. In my development environment, I only have a tomcat instance, and tomcat handles the SSL connection. However, in production, we have an HTTPD server in front of 2 (two) tomcat instances. Our HTTPD server manages and negotiates the SSL connection with the outside world. It then connects to the 2 tomcat servers over a non-SSL connection.
To set up CAS, the login and service URLs require https addresses. Now, I've got everything set up as I would have thought it needs to be, but I'm getting the following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
According to the JA-SIG documentation, this is probably caused by the SSL callback specified in terms of an IP address rather than a host name. Well, in all of my config files for CAS (web.xmls included) I am specifying the host name of my server (e.g. no IPs in my config) for serviceUrl, loginUrl, and serverName.
Could this have anything to do with tomcat not actually dealing with the SSL itself? We have no SSL connections set up on either tomcat server, only in the httpd connection. (We do have MOD_SSL installed on httpd, and a successful connection from httpd and tomcat.) How does the cert issue come into play when tomcat does not manage the SSL connection, while httpd does? Any help available?
Perry Minchew
Systems Integrator
SPAWAR Systems Charleston
Office: (843) 218.7031
Cell: (843) 822.1555